03-02-2021 10:43 PM
Hi there, Dear Members,
I am using a Cisco ASA 5520 firewall in my company. I am using an ACL to block some specific traffic for some clients, which is working fine;
now I want to block specific websites through ASDM. Can anyone help me with how I can do that in Cisco ASDM? I will be really grateful to all of you.
03-02-2021 11:32 PM
Here is an example to start with (not sure what ASA code you are running), but this example gives you an idea of how to set one up.
https://community.cisco.com/t5/security-documents/asa-url-filtering-via-asdm/ta-p/3120314
https://www.youtube.com/watch?v=-jH8ZuSyyVw
https://www.networkstraining.com/block-websites-cisco-asa-firewall/
03-03-2021 12:33 AM
@balaji.bandi thanks for your concern. I have done the steps; blocking Facebook through its IP is working for me, which I knew, but really thanks to you for your concern.
But I want to block Facebook through the URL, and the link you shared with me is not a complete guide; I am not able to understand it properly.
03-03-2021 01:31 AM
object network obj-facebook.com
fqdn facebook.com
access-list INSIDE-IN extended deny ip any object obj-facebook.com <- change the rule as per the requirement.
access-group INSIDE-IN in interface inside
03-03-2021 01:55 AM
Also make sure your dns domain-lookup is set up.
dns domain-lookup inside
dns domain-lookup outside
DNS server-group Google
name-server 8.8.8.8
03-03-2021 06:46 AM - edited 03-03-2021 06:51 AM
@Sheraz.Salim thanks, I will try these.... but I don't know why I have to do the lookup for both inside and outside.
03-03-2021 09:49 AM
In order for the ASA to resolve the URL into an IP address mapping, it needs to be resolved so it can be actioned on. I do not know your network; that is why I suggested configuring DNS on inside/outside.
dns domain-lookup inside
dns domain-lookup outside
DNS server-group Google
name-server 8.8.8.8
domain-name xyz
!
Ping google.com to check if your ASA can resolve the URL to an IP address and the ping is successful. You can either change the DNS server-group Google to any name or to your corporate name.
03-03-2021 06:45 AM
@balaji.bandi thanks, I did it, but in the ASA I am getting the error mentioned below
3 | Mar 03 2021 | 19:44:21 | 746016 | user-identity: DNS lookup for facebook.com failed, reason:Timeout or unresolvable |
3 | Mar 03 2021 | 19:44:21 | 746016 | user-identity: DNS lookup for youtube.com failed, reason:Timeout or unresolvable |
It may be because DNS lookup is not configured, and I don't even know how to do that.
03-03-2021 06:48 AM
@balaji.bandi I have one thing to tell here before the DNS lookup settings.
Actually I am using a domain controller as well in my network, and I am using this domain controller IP as the DNS, 192.168.2.2, on the client computers,
so if I have to give access to any user I also need to mention the DNS IP, which is my domain controller IP 192.168.2.2; then the internet starts working on the client with the gateway IP, which is 192.168.2.40.
I hope the DNS lookup configuration won't change anything in my existing setup?
03-03-2021 07:18 AM
"I hope the DNS lookup configuration won't change anything in my existing setup?" No, they won't change.
03-03-2021 07:16 AM
Here a similar issue is discussed and an answer is provided.
03-03-2021 08:00 AM
The basic requirement for FQDN to work is DNS, so make sure the ASA is able to resolve DNS.
dns domain-lookup inside
dns server-group DefaultDNS
name-server x.x.x.x
domain-name mycompany.com
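Putting the replies above together, here is one complete configuration for the scenario in this thread, added as an example rather than taken from any post: the ASA's own DNS settings, one FQDN object per hostname, the ACL, and the commands that verify the ASA actually resolved the names (the 746016 "Timeout or unresolvable" message quoted earlier in the thread is what appears when it cannot). It assumes the interfaces are named inside and outside, 8.8.8.8 is reached through outside, and the local domain is the placeholder mycompany.com from the reply above.

```cisco
! DNS: the ASA itself must resolve names before FQDN objects can be populated.
! Enable domain-lookup on the interface through which the name server is reached
! (outside for 8.8.8.8; inside if you point the ASA at the internal domain controller).
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 domain-name mycompany.com
!
! One FQDN object per hostname: facebook.com and www.facebook.com resolve separately,
! so blocking only facebook.com leaves the www name reachable.
object network obj-facebook.com
 fqdn facebook.com
object network obj-www.facebook.com
 fqdn www.facebook.com
object-group network BLOCKED-SITES
 network-object object obj-facebook.com
 network-object object obj-www.facebook.com
!
! Deny the blocked sites first. The explicit permit is needed because an applied ACL
! ends in an implicit deny; narrow it to match the client rules you already have.
access-list INSIDE-IN extended deny ip any object-group BLOCKED-SITES
access-list INSIDE-IN extended permit ip any any
access-group INSIDE-IN in interface inside
!
! Verification from the ASA CLI:
!   ping facebook.com            fails with "unresolvable" if the DNS block above is wrong
!   show dns                     name-to-IP mappings the ASA has resolved and cached
!   show access-list INSIDE-IN   the FQDN entries expand to the resolved addresses
```

The ASA resolves the names with the server in its own dns server-group while the clients in this thread use the domain controller; if the two resolvers return different addresses for a CDN-hosted site, the FQDN entries will not match what the clients connect to, so compare show dns against what a client resolves.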
03-03-2021 10:52 PM
@balaji.bandi so in my case the commands should be like this when I am blocking Facebook:
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name facebook.com
If I am wrong please correct me... I would really appreciate that....
03-03-2021 11:12 PM
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name example.com (normally this is your local DNS)
domain-name is where you define your local DNS entry.
03-03-2021 11:20 PM
@Sheraz.Salim my local DNS is 192.168.2.4, which is darson.local, so the command line should be like this?
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name darson.local or 192.168.2.4
What if I put the IP instead of darson.local, which is 192.168.2.4?