how to block facebook using ASA

Omar Fatah
Level 1

hi,

We have a 5510 ASA. I tried to block Facebook using this ASA. The following commands were used for blocking it:

regex domainlist1 "\.facebook\.com"

access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq 8080
access-list inside_mpc extended permit tcp any any eq 443

class-map type regex match-any DomainBlockList
 match regex domainlist1

class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
class-map httptraffic
 match access-list inside_mpc

policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection
 match request method connect
  drop-connection log
 class BlockDomainsClass
  reset log

policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy

service-policy inside-policy interface inside

But when this configuration was done it blocked Facebook, but there were some HTTPS sites that are to be accessed from the outside that also got blocked. Then I removed the line access-list inside_mpc extended permit tcp any any eq 443 from the access list; we are able to access the HTTPS sites of the company from outside, but Facebook is not blocked when browsed over HTTPS. Facebook is blocked when it is browsed over HTTP.

Please advise how to block the HTTPS traffic of Facebook without affecting the other HTTPS traffic.

thanks in advance

regards

Omar Fatah


mirober2
Cisco Employee

Hi Omar,

The ASA can't do this kind of application layer filtering for HTTPS traffic directly. The reason is the nature of the HTTPS connection. Since the entire application payload is encrypted, the ASA will never be able to see the request header in clear-text to do a regex match. All it sees is an encrypted stream of data.

You would need to force your users through a dedicated proxy server to achieve what you're looking to do.

Hope that helps.

-Mike

Hi Mike,

Thank you for commenting on the post. So I have to go for the proxy to block Facebook.

Thank you

Regards

Omar Fatah

While the ASA can't inspect/block HTTPS traffic, if you think about it another way you can avoid having to run a full proxy server...

Just block facebook.com from resolving via DNS, then nobody can reach it, some options to do that...

- create a HOSTS file on each machine, see: http://cariblogger.com/how-to-block-facebook-using-hosts-file

- create a dummy zone for facebook.com in your local dns server

- use a DNS server that is designed to work as a filter, see: http://www.dnsredirector.com

- use a DNS service that allows you to configure blocks, see http://www.opendns.com

I take a different approach, just looking up all of Facebook's networks and blocking them. This works for my clients.

names
name 69.171.224.0 facebook_69.171.224.0 description 69-171-224-0 to 69-171-255-255
name 74.119.76.0 facebook_74.119.76.0 description 74-119-76-0 to 74-119-79-255
name 204.15.20.0 facebook_204.15.20.0 description 204-15-20-0 to 204-15-23-255
name 66.220.144.0 facebook_66.220.144.0 description 66-220-144-0 to 66-220-159-255
name 69.63.176.0 facebook_69.63.176.0 description 69-63-176-0 to 69-63-191-255
name 173.252.64.0 facebook_173.252.64.0 description 173-252-64-0 to 173-252-127-255

object-group network facebook
 network-object facebook_173.252.64.0 255.255.192.0
 network-object facebook_204.15.20.0 255.255.252.0
 network-object facebook_66.220.144.0 255.255.240.0
 network-object facebook_69.171.224.0 255.255.224.0
 network-object facebook_69.63.176.0 255.255.240.0
 network-object facebook_74.119.76.0 255.255.252.0

access-list inside_in extended deny ip any object-group facebook log

Hi Icaruso,

Thank you very much for the post. It worked for me also.
It worked for me without affecting any of the internal sites....
Anyway i recommend this method for blocking facebook if you are using ASA for the same.
Regards
Omar Fatah

Omar, you are welcome. Glad it worked for you.

Thanks it is working for me also 

jbarahona
Level 1

Hello I caruso:

I made the input on my ASA 5510 and it did not work, any suggestion?

names
name 74.119.76.0 facebook_74.119.76.0 description 74-119-76-0 to 74-119-79-255
name 204.15.20.0 facebook_204.15.20.0 description 204-15-20-0 to 204-15-23-255
name 66.220.144.0 facebook_66.220.144.0 description 66-220-144-0 to 66-220-159-255
name 69.63.176.0 facebook_69.63.176.0 description 69-63-176-0 to 69-63-191-255
name 173.252.64.0 facebook_173.252.64.0 description 173-252-64-0 to 173-252-127-255

object-group network facebook
 network-object facebook_173.252.64.0 255.255.192.0
 network-object facebook_204.15.20.0 255.255.252.0
 network-object facebook_66.220.144.0 255.255.240.0
 network-object facebook_69.63.176.0 255.255.240.0
 network-object facebook_74.119.76.0 255.255.252.0

Hi,

Make sure you add the access list

access-list inside_in extended deny ip any object-group facebook log

And the access group

access-group inside_in in interface inside

Hi Dear:

I made the input for the last statement code:

access-group inside_in in interface inside

And all my Internet connection went down.

Do you know why? Below is the current config of my ASA.

names
name 69.171.224.0 facebook_69.171.224.0 description 69-171-224-0 to 69-171-255-255
name 74.119.76.0 facebook_74.119.76.0 description 74-119-76-0 to 74-119-79-255
name 204.15.20.0 facebook_204.15.20.0 description 204-15-20-0 to 204-15-23-255
name 66.220.144.0 facebook_66.220.144.0 description 66-220-144-0 to 66-220-159-255
name 69.63.176.0 facebook_69.63.176.0 description 69-63-176-0 to 69-63-191-255
name 173.252.64.0 facebook_173.252.64.0 description 173-252-64-0 to 173-252-127-255
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.254.0.2 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.32.0.6 255.224.0.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
regex domainlist1 "\.facebook\.com"
boot system disk0:/asa724-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name asa.irwinresearch.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object host 208.252.80.226
 network-object host 66.18.157.129
object-group service Exchange_ports tcp
 port-object eq 995
 port-object eq https
 port-object eq imap4
 port-object eq smtp
object-group network facebook
 network-object facebook_69.171.224.0 255.255.224.0
 network-object facebook_173.252.64.0 255.255.192.0
 network-object facebook_204.15.20.0 255.255.252.0
 network-object facebook_66.220.144.0 255.255.240.0
 network-object facebook_69.63.176.0 255.255.240.0
 network-object facebook_74.119.76.0 255.255.252.0
access-list outside_access_in remark AutoScript
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 host 10.32.4.3
access-list outside_access_in remark Access to Exchange
access-list outside_access_in extended permit tcp any host 10.32.5.50 object-group Exchange_ports
access-list outside_access_in extended permit tcp any host 10.32.5.55 eq smtp
access-list outside_access_in extended deny ip any any
access-list IRADVPN_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip any 10.64.0.0 255.255.255.0
access-list inside_in extended deny ip any object-group facebook log
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging asdm-buffer-size 256
logging buffered debugging
logging trap informational
logging asdm informational
logging mail errors
mtu outside 1500
mtu inside 1500
ip local pool IRADVPNPOOL 10.64.0.2-10.64.0.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.254.0.0 255.255.255.0 outside
icmp permit any inside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.254.0.1 1
route inside 10.96.0.0 255.224.0.0 10.96.0.4 1
route inside 192.168.100.0 255.255.255.0 10.32.0.244 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.32.0.0 255.224.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.32.0.0 255.224.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.32.12.1-10.32.12.254 inside
dhcpd dns 10.32.0.99 10.32.0.104 interface inside
dhcpd wins 10.32.0.99 10.32.0.104 interface inside
dhcpd domain irwinresearch.com interface inside
!
group-policy IRADVPN internal
group-policy IRADVPN attributes
 wins-server value 10.32.0.99 10.32.0.104
 dns-server value 10.32.0.104 10.32.0.99
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value IRADVPN_splitTunnelAcl
 default-domain value irwinresearch.com
tunnel-group IRADVPN type ipsec-ra
tunnel-group IRADVPN general-attributes
 address-pool IRADVPNPOOL
 default-group-policy IRADVPN
tunnel-group IRADVPN ipsec-attributes
 pre-shared-key *
!
class-map type regex match-any DomainBlockList
 match regex domainlist1
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5844a099b59423e040719e10b5613861

ASA#

Thanks:

Jorge Barahona

Irwin Research and Dev.

IT Management

509-4941424

Yakima,WA

98902

Hi,

Traffic stopped because you need a default permit any statement for the inside. Use these together in this order.

access-list inside_in extended deny ip any object-group facebook log

access-list inside_in extended permit ip any any log
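
The implicit deny behind this fix, as an added example that is not part of the original thread: a small Python model of first-match ACL evaluation using the facebook object-group and the two inside_in entries posted above. The function names and the test destination addresses are constructed for illustration.

```python
import ipaddress

# Object-group members as posted in the thread ("name" aliases resolved to addresses).
FACEBOOK_GROUP = [
    ("69.171.224.0", "255.255.224.0"), ("74.119.76.0", "255.255.252.0"),
    ("204.15.20.0", "255.255.252.0"), ("66.220.144.0", "255.255.240.0"),
    ("69.63.176.0", "255.255.240.0"), ("173.252.64.0", "255.255.192.0"),
]
GROUPS = {"facebook": [ipaddress.ip_network(f"{a}/{m}") for a, m in FACEBOOK_GROUP]}

# The ACL as first applied (deny only) and as corrected in the reply above.
DENY_ONLY = ["access-list inside_in extended deny ip any object-group facebook log"]
DENY_THEN_PERMIT = DENY_ONLY + ["access-list inside_in extended permit ip any any log"]


def parse_ace(line):
    """Parse the two entry shapes used in the thread: '<action> ip any <dest>'."""
    tok = line.split()
    action, dest = tok[3], tok[6:]
    if dest[0] == "any":
        nets = [ipaddress.ip_network("0.0.0.0/0")]
    elif dest[0] == "object-group":
        nets = GROUPS[dest[1]]
    else:
        raise ValueError(f"unsupported destination in: {line}")
    return action, nets


def evaluate(acl_lines, dst_ip):
    """First matching entry wins; an ACL bound with access-group ends in an implicit deny."""
    dst = ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        action, nets = parse_ace(line)
        if any(dst in net for net in nets):
            return action
    return "implicit-deny"


def group_range(net):
    """First and last address of a network, to compare with the 'description' text."""
    return str(net.network_address), str(net.broadcast_address)


if __name__ == "__main__":
    # Constructed destinations: two inside the posted ranges, one outside them.
    for dst in ("69.171.230.5", "173.252.100.27", "198.51.100.10"):
        print(dst, evaluate(DENY_ONLY, dst), evaluate(DENY_THEN_PERMIT, dst))
```

With the deny-only list every destination outside the object-group falls through to the implicit deny, which is the outage described above; reversing the two entries would let the permit match first and the block would never apply.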

Thanks so much Icarruso

It worked!

So smart way to fix the issue.

Cheers for you.

walter baziuk
Level 5

hello

that won't work now

as facebook is using https, just like Mike says

maybe just some facebook ip addr and drop just, but they made change or add more ip addrs (;
