
Cisco 5510 blocking all websites except a few

brianzeitz
Beginner

Hello:

I see many posts about how to block a single website, but I want to do the opposite. I would like to block all websites except for a handful of them. Does anyone have any example configs?

3 Replies

Julio Carvajal
Advisor

Hello Brian.

You could place an ACL on the inside interface like this:

access-list inside_to_out permit tcp any host xxxxxx eq 80

access-list inside_to_out permit tcp any host yyyyy eq 80

access-list inside_to_out permit tcp any host zzzzz eq 80

access-list inside_to_out deny tcp any any eq 80

Where the xxxx and yyy and zzzz are the few IP addresses of the web-servers you want to allow access to.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Can I use URLs? What about someone using HTTPS? I am thinking of checking out the Cisco IronPort device for blocking. Do you think that is overkill? I also see Websense integrates with the ASA, I might go that route...

Hi,

Yes you should be able to:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

Of course, you will need to create some sort of regex that will deny all the websites such as *.com, but first of course permit the websites you want.

Another option will be using FQDN ACLs (only supported on version 8.4.2 and higher). Here is the example:

https://supportforums.cisco.com/docs/DOC-17014

Cheers,

Mike

Mike
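
Added example, not part of the original thread and not written by either poster: a sketch of the FQDN ACL option mentioned above (ASA 8.4(2) or later), written as an allow-list that also covers HTTPS. The ACL name inside_to_out comes from the thread; the interface names inside and outside, the DNS server 192.0.2.53, the hostnames and the object names are placeholders assumed for illustration.

```cisco
! The ASA itself must be able to resolve the names used in fqdn objects.
! 192.0.2.53 is a placeholder resolver reachable through the "outside" interface.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53
!
! One network object per allowed site (placeholder hostnames).
object network ALLOWED-SITE-1
 fqdn v4 www.example.com
object network ALLOWED-SITE-2
 fqdn v4 portal.example.org
!
! Group the sites so the ACL stays short as the list grows.
object-group network ALLOWED-WEB
 network-object object ALLOWED-SITE-1
 network-object object ALLOWED-SITE-2
!
! Inside clients still need DNS, otherwise the allowed sites never resolve.
access-list inside_to_out extended permit udp any host 192.0.2.53 eq domain
! Allow HTTP and HTTPS only to the resolved addresses of the listed sites.
access-list inside_to_out extended permit tcp any object-group ALLOWED-WEB eq www
access-list inside_to_out extended permit tcp any object-group ALLOWED-WEB eq https
! Explicit final deny with logging, so blocked attempts show up in syslog.
access-list inside_to_out extended deny ip any any log
!
! Apply the ACL to traffic entering the inside interface.
access-group inside_to_out in interface inside
```

The ACL matches the IP addresses the ASA resolves for each name, not the hostname in the request, so HTTPS is covered on the same terms as HTTP and any other site served from one of those addresses is permitted too. Clients should use the same resolver as the ASA so both see the same addresses.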