Cisco ASA 5520 Blocking Specific URL

Cash2106
Level 1

Hi there, dear members,

I am using a Cisco ASA 5520 firewall in my company. I am using an ACL to block some specific traffic for some clients, which is working fine.

Now I want to block specific websites through ASDM. Can anyone help me with how I can do that in Cisco ASDM? I will be really grateful to all of you.

26 Replies

balaji.bandi
Hall of Fame

Here is an example to start with (not sure which ASA code you are running), but this example will give you an idea of how to set one up.

https://community.cisco.com/t5/security-documents/asa-url-filtering-via-asdm/ta-p/3120314

https://www.youtube.com/watch?v=-jH8ZuSyyVw

https://www.networkstraining.com/block-websites-cisco-asa-firewall/

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

@balaji.bandi thanks for your concern. I have done the steps; blocking Facebook through its IP is working for me, which I knew, but really thanks to you for your concern.

But I want to block Facebook through the URL, and the link you have shared with me is not the complete guide; I am not able to understand it properly.

object network obj-facebook.com
 fqdn facebook.com

access-list INSIDE-IN extended deny ip any object obj-facebook.com   <- change the rule as per the requirement.

access-group INSIDE-IN in interface inside


Also make sure your dns domain-lookup is set up.

dns domain-lookup inside
dns domain-lookup outside

dns server-group Google
 name-server 8.8.8.8

please do not forget to rate.

@Sheraz.Salim thanks, I will try these.... but I don't know why I have to do the lookup for both inside and outside.

In order for the ASA to resolve the URL into an IP address mapping, it needs to be resolved so it can be actioned on. I do not know your network; that is why I suggested configuring the DNS on inside/outside.

dns domain-lookup inside
dns domain-lookup outside
dns server-group Google
 name-server 8.8.8.8
 domain-name xyz
!

Ping google.com to check if your ASA can resolve the URL to an IP address and the ping is successful. You can either change the DNS server-group Google to any name or to your corporate name.


@balaji.bandi thanks, I did it, but in the ASA I am getting some errors, mentioned below:

3  Mar 03 2021  19:44:21  746016  user-identity: DNS lookup for facebook.com failed, reason: Timeout or unresolvable

3  Mar 03 2021  19:44:21  746016  user-identity: DNS lookup for youtube.com failed, reason: Timeout or unresolvable

It may be because DNS lookup is not configured, and I don't even know how to do that.
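As an added example (not from the thread, and not Cisco code), the Python check below parses ASA syslog message 746016, the message quoted above, and lists which FQDN objects currently have no resolved addresses. While an FQDN object is unresolved it contains no IPs, so a deny ACE referencing it matches nothing; the check assumes lines arrive in the standard `%ASA-<severity>-<id>:` syslog format, and the log lines and object names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log lines (standard ASA syslog format, not copied from the thread).
SAMPLE_LOGS = """\
Mar 03 2021 19:44:21: %ASA-3-746016: user-identity: DNS lookup for facebook.com failed, reason: Timeout or unresolvable
Mar 03 2021 19:44:21: %ASA-3-746016: user-identity: DNS lookup for youtube.com failed, reason: Timeout or unresolvable
Mar 03 2021 19:49:21: %ASA-3-746016: user-identity: DNS lookup for facebook.com failed, reason: Timeout or unresolvable
Mar 03 2021 19:50:02: %ASA-6-302013: Built outbound TCP connection 12345 for outside:93.184.216.34/443 (93.184.216.34/443) to inside:192.168.2.50/51000 (192.168.2.40/51000)
"""

# Matches only message id 746016 ("user-identity: DNS lookup for <fqdn> failed").
LOOKUP_FAIL = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-746016: "
    r"user-identity: DNS lookup for (?P<fqdn>\S+) failed, reason:\s*(?P<reason>.+)$"
)


def fqdn_lookup_failures(log_text):
    """Return {fqdn: [(timestamp, reason), ...]} for every 746016 message."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LOOKUP_FAIL.match(line.strip())
        if m:
            failures[m.group("fqdn")].append((m.group("ts"), m.group("reason")))
    return dict(failures)


def unenforced_objects(fqdn_objects, log_text):
    """Names of FQDN objects whose FQDN the ASA reported as unresolvable.

    An unresolved FQDN object holds no addresses, so an ACE that denies it
    matches no traffic: these objects' deny rules are not being enforced.
    fqdn_objects maps object name -> fqdn, mirroring
    "object network obj-facebook.com / fqdn facebook.com" from the thread.
    """
    failing = fqdn_lookup_failures(log_text)
    return sorted(name for name, fqdn in fqdn_objects.items() if fqdn in failing)


# Constructed object inventory (hypothetical names).
FQDN_OBJECTS = {
    "obj-facebook.com": "facebook.com",
    "obj-youtube.com": "youtube.com",
    "obj-example": "example.com",
}

if __name__ == "__main__":
    for name in unenforced_objects(FQDN_OBJECTS, SAMPLE_LOGS):
        print(f"deny rule for {name} is not enforced: FQDN unresolved")
```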

@balaji.bandi I have one thing to tell here before the DNS lookup settings.

Actually I am using a domain controller as well in my network, and I am using this domain controller's IP, 192.168.2.2, as the DNS in the client computers,

so if I have to give access to any user I also need to mention the DNS IP, which is my domain controller IP 192.168.2.2; then the internet starts working on the client with the gateway IP, which is 192.168.2.40.

I hope the DNS lookup configuration won't change anything in my existing setup?

"I hope the DNS lookup configuration won't change anything in my existing setup?" No, they won't change.


Here a similar issue is discussed and an answer is provided.


The basic requirement for FQDN to work is DNS, so make sure the ASA is able to resolve DNS.

dns domain-lookup inside
dns server-group DefaultDNS
 name-server x.x.x.x
 domain-name mycompany.com


@balaji.bandi so in my case the commands should be like this when I am blocking Facebook:

dns domain-lookup inside
dns server-group DefaultDNS
 name-server 8.8.8.8
 domain-name facebook.com

If I am wrong please correct me... I would really appreciate that....

dns domain-lookup inside
dns server-group DefaultDNS
 name-server 8.8.8.8
 domain-name example.com (normally this is your local DNS)

domain-name is where you define your local DNS entry.


@Sheraz.Salim my local DNS is 192.168.2.4, which is darson.local, so the command line should be like this?

dns domain-lookup inside
dns server-group DefaultDNS
 name-server 8.8.8.8
 domain-name darson.local or 192.168.2.4

What if I put the IP instead of darson.local, which is 192.168.2.4?
