cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2259
Views
0
Helpful
3
Replies

Cisco 5510 blocking all websites except a few

brianzeitz
Level 1
Level 1

Hello:

I see many post about how to block a single website, but I want to do the opposite. I would like to block all website except for a handful of them. Does anyone have any example configs?

3 Replies 3

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Brian.

You could place an ACL on the inside interface like this:

Access-list inside_to_out permit tcp any host xxxxxx eq 80

Access-list inside_to_out permit tcp any host yyyyy q 80

Access-list inside_to_out permit tcp any host zzzzz eq 80

Access-list inside_to_out deny tcp any any eq 80

Where the xxxx and yyy and zzzz are the few ip addresses of the web-servers you want to allow acces to.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Can I use URLs? What about someone using https? I am thinking of checking out the Cisco Iron port Device for blocking. Do you think that is overkill? I also see websense integrates with the ASA, I might go that route...

Hi,

Yes you should be able to:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

Of course, you will need to create some soft of regex that will deny all the websites such as *.com, but first of course permit the websites you want.

Another option will be using FQDN acls (Only supported on version 8.4.2 and higher) Here is the example.

https://supportforums.cisco.com/docs/DOC-17014

Cheers,

Mike

Mike
Review Cisco Networking for a $25 gift card