Cisco 5510 blocking all websites except a few

brianzeitz · ‎11-17-2011

Hello:

I see many post about how to block a single website, but I want to do the opposite. I would like to block all website except for a handful of them. Does anyone have any example configs?

Julio Carvajal · ‎11-17-2011

Hello Brian.

You could place an ACL on the inside interface like this:

Access-list inside_to_out permit tcp any host xxxxxx eq 80

Access-list inside_to_out permit tcp any host yyyyy q 80

Access-list inside_to_out permit tcp any host zzzzz eq 80

Access-list inside_to_out deny tcp any any eq 80

Where the xxxx and yyy and zzzz are the few ip addresses of the web-servers you want to allow acces to.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

brianzeitz · ‎11-17-2011

Can I use URLs? What about someone using https? I am thinking of checking out the Cisco Iron port Device for blocking. Do you think that is overkill? I also see websense integrates with the ASA, I might go that route...

Maykol Rojas · ‎11-17-2011

Hi,

Yes you should be able to:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

Of course, you will need to create some soft of regex that will deny all the websites such as *.com, but first of course permit the websites you want.

Another option will be using FQDN acls (Only supported on version 8.4.2 and higher) Here is the example.

https://supportforums.cisco.com/docs/DOC-17014

Cheers,

Mike