11-17-2011 01:24 PM - edited 03-11-2019 02:52 PM
Hello:
I see many posts about how to block a single website, but I want to do the opposite. I would like to block all websites except for a handful of them. Does anyone have any example configs?
11-17-2011 01:49 PM
Hello Brian.
You could place an ACL on the inside interface like this:
access-list inside_to_out permit tcp any host xxxxxx eq 80
access-list inside_to_out permit tcp any host yyyyy eq 80
access-list inside_to_out permit tcp any host zzzzz eq 80
access-list inside_to_out deny tcp any any eq 80
Where the xxxx and yyy and zzzz are the few IP addresses of the web servers you want to allow access to.
Regards,
Julio
11-17-2011 02:01 PM
Can I use URLs? What about someone using HTTPS? I am thinking of checking out the Cisco IronPort device for blocking. Do you think that is overkill? I also see Websense integrates with the ASA, I might go that route...
11-17-2011 03:45 PM
Hi,
Yes you should be able to:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
Of course, you will need to create some sort of regex that will deny all the websites such as *.com, but first of course permit the websites you want.
Another option will be using FQDN ACLs (only supported on version 8.4.2 and higher). Here is the example:
https://supportforums.cisco.com/docs/DOC-17014
Cheers,
Mike
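An added example (not from the thread or the linked Cisco documents): a sketch of the FQDN ACL approach Mike mentions, for ASA 8.4(2) or later, extended to cover HTTPS as well as HTTP. The DNS server address, the `outside` and `inside` interface names, the object names and the hostnames are placeholder assumptions; the ACL name follows Julio's post.

```cisco
! Assumption: 192.0.2.53 is the DNS server the inside clients also use.
! The ASA resolves FQDN objects itself, so it needs DNS lookups enabled.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53

! One network object per allowed site (hostnames are placeholders).
object network OBJ-SITE-A
 fqdn v4 www.example.com
object network OBJ-SITE-B
 fqdn v4 portal.example.org

! Let clients reach the DNS server, otherwise nothing resolves.
access-list inside_to_out extended permit udp any host 192.0.2.53 eq domain

! Allow HTTP and HTTPS only to the listed sites.
access-list inside_to_out extended permit tcp any object OBJ-SITE-A eq www
access-list inside_to_out extended permit tcp any object OBJ-SITE-A eq https
access-list inside_to_out extended permit tcp any object OBJ-SITE-B eq www
access-list inside_to_out extended permit tcp any object OBJ-SITE-B eq https

! Explicit web denies so the hit counters show blocked attempts.
! Everything else not permitted above is dropped by the implicit deny
! at the end of the ACL, so add permits for any other traffic you need.
access-list inside_to_out extended deny tcp any any eq www
access-list inside_to_out extended deny tcp any any eq https

! Apply the ACL to traffic entering the inside interface.
access-group inside_to_out in interface inside
```

An FQDN object matches on the IP addresses the ASA resolves for the name, not on the URL, which is why the same rule works for HTTPS. Clients should use the same DNS server as the ASA so both see the same addresses, and sites that share an IP address with an allowed host will also be reachable.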