Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2671
Views
5
Helpful
9
Replies

Cannot Block Application FMC | ASA 5525

NguyenNgocBa
Level 1
Level 1

‎11-30-2018 12:37 AM - edited ‎02-21-2020 08:31 AM

This is my policy table
My model is I configured on the FMC asa (Vmware) routing table network layer as pictured with the peplink device and at the same time configuring nat (i tried removing nat) but apparently the application like viber, outlook still works Even though there are internet policy rules

11.PNG2.PNG13.PNG14.PNG15.PNG17.PNG

It seems that the deny policy of the asa firewall still has holes in the application department when I have tried quite a few ways but the application can still go out the internet but while the website was blocked

0 Helpful
9 Replies 9

Abheesh Kumar
VIP Alumni
VIP Alumni

‎11-30-2018 12:43 AM - edited ‎11-30-2018 12:47 AM

Hi,

Your rule will match the source destination traffic, as you mentioned the destination IP's.

Create a rule with source IP and destination any, then select the URL which you would like to block.

Create another rule with source IP, destination any and then select the application category and choose the application you would like to block.

HTH
Abheesh

0 Helpful

NguyenNgocBa
Level 1
Level 1
In response to Abheesh Kumar

‎11-30-2018 01:07 AM - edited ‎11-30-2018 01:10 AM

Hi,

My intention is to want the ip address on the 2 visited sites and block all other applications .But it seems that asa does not understand, applications such as viber can still send messages while banned other sites.

I have created a rule block all below but it seems that I can not do my job

0 Helpful

Abheesh Kumar
VIP Alumni
VIP Alumni
In response to NguyenNgocBa

‎11-30-2018 01:16 AM

So only want to access 2 IP address and block all other applications right...????

NguyenNgocBa
Level 1
Level 1
In response to Abheesh Kumar

‎11-30-2018 01:26 AM

 

Yes, my wish is that

0 Helpful

Abheesh Kumar
VIP Alumni
VIP Alumni
In response to NguyenNgocBa

‎11-30-2018 01:34 AM

create a rule with the Source & Destination IP and allow the URL which you would like to access.
Create another rule with the same source IP and rule action as Block.
So this will block all the traffic from the source you specified.

HTH
Abheesh
0 Helpful

NguyenNgocBa
Level 1
Level 1
In response to Abheesh Kumar

‎11-30-2018 05:47 PM

I have configured blocking policy like this and it does not understand blocking the application18.PNG

0 Helpful

Abheesh Kumar
VIP Alumni
VIP Alumni
In response to NguyenNgocBa

‎11-30-2018 10:41 PM - edited ‎11-30-2018 10:41 PM

can you change the action to BLOCK WITH RESET and try.

HTH
Abheesh

0 Helpful

NguyenNgocBa
Level 1
Level 1
In response to Abheesh Kumar

‎11-30-2018 10:47 PM


I have tried all the features, it just blocks the website and the applications are sometimes still out to the internet
0 Helpful

Abheesh Kumar
VIP Alumni
VIP Alumni
In response to NguyenNgocBa

‎11-30-2018 10:50 PM

As a testing, can you disable the URL allow rule for temporary and try. So all the traffic from inside to outside will get blocked.

HTH
Abheesh
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card