06-01-2011 04:59 AM - edited 03-11-2019 01:40 PM
hi,
We have an ASA 5510. I tried to block Facebook using this ASA. The following commands were used for blocking it:
regex domainlist1 "\.facebook\.com"
access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq 8080
access-list inside_mpc extended permit tcp any any eq 443
class-map type regex match-any DomainBlockList
 match regex domainlist1
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
class-map httptraffic
 match access-list inside_mpc
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection
 match request method connect
  drop-connection log
 class BlockDomainsClass
  reset log
policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy
service-policy inside-policy interface inside
But when this configuration was applied it blocked Facebook, yet some HTTPS sites that have to be accessed from the outside also got blocked. Then I removed the line "access-list inside_mpc extended permit tcp any any eq 443" from the access list; now we are able to access the company's HTTPS sites from outside, but Facebook is not blocked when browsed over HTTPS. Facebook is blocked when it is browsed over HTTP.
Please advise how to block the HTTPS traffic of Facebook without affecting the other HTTPS traffic.
thanks in advance
regards
Omar Fatah
06-01-2011 10:02 AM
Hi Omar,
The ASA can't do this kind of application layer filtering for HTTPS traffic directly. The reason is the nature of the HTTPS connection. Since the entire application payload is encrypted, the ASA will never be able to see the request header in clear-text to do a regex match. All it sees is an encrypted stream of data.
You would need to force your users through a dedicated proxy server to achieve what you're looking to do.
Hope that helps.
-Mike
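To make Mike's point concrete, here is an added emulation (written for this thread, not Cisco's code) of what the "match request header host regex" class in the question can actually inspect: the Host header of a clear-text HTTP request. The regex is the one from the question; the stricter ANCHORED_REGEX is a Python variant I add as an assumption, not checked against the ASA's own regex syntax. The sample requests and the TLS record bytes are constructed.

```python
import re
from typing import Optional

# Emulation, added for this thread and not Cisco's code, of what the
# "match request header host regex class DomainBlockList" class sees:
# the Host header of a clear-text HTTP request. The pattern below is the
# regex posted in the question.
DOMAIN_REGEX = re.compile(r"\.facebook\.com")
# Stricter Python variant (assumption: not checked against the ASA's own
# regex syntax): whole-host match with an optional :port, which also
# catches the bare "facebook.com" host that the posted pattern misses.
ANCHORED_REGEX = re.compile(r"(^|\.)facebook\.com(:\d+)?$")


def host_header(raw: bytes) -> Optional[str]:
    """Return the Host header of a clear-text HTTP request, or None when the
    bytes are not a parseable HTTP request (for example a TLS record)."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/"):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def would_reset(raw: bytes, pattern=DOMAIN_REGEX) -> bool:
    """True when class BlockDomainsClass would match and the policy would
    reset the connection. Unanchored search, like a regex class map."""
    host = host_header(raw)
    return host is not None and pattern.search(host) is not None


# Constructed sample traffic (not captured from a real network).
HTTP_WWW = b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
HTTP_BARE = b"GET / HTTP/1.1\r\nHost: facebook.com\r\n\r\n"
HTTP_OTHER = b"GET / HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"
HTTP_LOOKALIKE = b"GET / HTTP/1.1\r\nHost: www.facebook.com.example.net\r\n\r\n"
# On port 443 the firewall sees TLS application-data records (content type
# 0x17) whose payload is ciphertext; the payload bytes here are filler.
TLS_APP_DATA = bytes([0x17, 0x03, 0x01, 0x00, 0x20]) + bytes(range(0x80, 0xA0))


if __name__ == "__main__":
    for label, sample in [("www", HTTP_WWW), ("bare", HTTP_BARE),
                          ("other", HTTP_OTHER), ("tls", TLS_APP_DATA)]:
        print(label, host_header(sample), would_reset(sample))
```

Two things fall out of running it: the HTTP inspection has nothing to match once the payload is a TLS record, which is why the 443 line in the class-map could only break other HTTPS sites, and the posted pattern "\.facebook\.com" needs a leading dot, so a request with Host: facebook.com passes while www.facebook.com is reset.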
06-08-2011 08:36 AM
I take a different approach, just looking up all of Facebook's networks and blocking them. This works for my clients.
names
name 69.171.224.0 facebook_69.171.224.0 description 69-171-224-0 to 69-171-255-255
name 74.119.76.0 facebook_74.119.76.0 description 74-119-76-0 to 74-119-79-255
name 204.15.20.0 facebook_204.15.20.0 description 204-15-20-0 to 204-15-23-255
name 66.220.144.0 facebook_66.220.144.0 description 66-220-144-0 to 66-220-159-255
name 69.63.176.0 facebook_69.63.176.0 description 69-63-176-0 to 69-63-191-255
name 173.252.64.0 facebook_173.252.64.0 description 173-252-64-0 to 173-252-127-255
object-group network facebook
network-object facebook_173.252.64.0 255.255.192.0
network-object facebook_204.15.20.0 255.255.252.0
network-object facebook_66.220.144.0 255.255.240.0
network-object facebook_69.171.224.0 255.255.224.0
network-object facebook_69.63.176.0 255.255.240.0
network-object facebook_74.119.76.0 255.255.252.0
access-list inside_in extended deny ip any object-group facebook log
06-02-2011 04:16 AM
Hi Mike,
Thank you for commenting on the post. So I have to go for the proxy to block Facebook.
Thank you
Regards
Omar Fatah
06-06-2011 01:40 PM
While the ASA can't inspect/block HTTPS traffic, if you think about it another way you can avoid having to run a full proxy server...
Just block facebook.com from resolving via DNS; then nobody can reach it. Some options to do that:
- create a HOSTS file on each machine, see: http://cariblogger.com/how-to-block-facebook-using-hosts-file
- create a dummy zone for facebook.com in your local dns server
- use a DNS server that is designed to work as a filter, see: http://www.dnsredirector.com
- use a DNS service that allows you to configure blocks, see http://www.opendns.com
06-09-2011 03:10 AM
Hi Icaruso,
06-09-2011 06:57 AM
Omar, you are welcome. Glad it worked for you.
01-16-2019 10:33 PM
Thanks, it is working for me also.
03-12-2012 12:45 PM
Hello Icaruso:
I made the input on my ASA 5510 and it did not work. Any suggestion?
names
name 74.119.76.0 facebook_74.119.76.0 description 74-119-76-0 to 74-119-79-255
name 204.15.20.0 facebook_204.15.20.0 description 204-15-20-0 to 204-15-23-255
name 66.220.144.0 facebook_66.220.144.0 description 66-220-144-0 to 66-220-159-255
name 69.63.176.0 facebook_69.63.176.0 description 69-63-176-0 to 69-63-191-255
name 173.252.64.0 facebook_173.252.64.0 description 173-252-64-0 to 173-252-127-255
object-group network facebook
network-object facebook_173.252.64.0 255.255.192.0
network-object facebook_204.15.20.0 255.255.252.0
network-object facebook_66.220.144.0 255.255.240.0
network-object facebook_69.63.176.0 255.255.240.0
network-object facebook_74.119.76.0 255.255.252.0
03-12-2012 02:23 PM
Hi,
Make sure you add the access list
access-list inside_in extended deny ip any object-group facebook log
And the access group
access-group inside_in in interface inside
03-12-2012 03:34 PM
Hi Dear:
I made the input for the last statement code:
access-group inside_in in interface inside
And all my Internet connection went down.
Did you know why? Below is the current config of my ASA.
names
name 69.171.224.0 facebook_69.171.224.0 description 69-171-224-0 to 69-171-255-255
name 74.119.76.0 facebook_74.119.76.0 description 74-119-76-0 to 74-119-79-255
name 204.15.20.0 facebook_204.15.20.0 description 204-15-20-0 to 204-15-23-255
name 66.220.144.0 facebook_66.220.144.0 description 66-220-144-0 to 66-220-159-255
name 69.63.176.0 facebook_69.63.176.0 description 69-63-176-0 to 69-63-191-255
name 173.252.64.0 facebook_173.252.64.0 description 173-252-64-0 to 173-252-127-255
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.254.0.2 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.32.0.6 255.224.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
regex domainlist1 "\.facebook\.com"
boot system disk0:/asa724-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name asa.irwinresearch.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object host 208.252.80.226
network-object host 66.18.157.129
object-group service Exchange_ports tcp
port-object eq 995
port-object eq https
port-object eq imap4
port-object eq smtp
object-group network facebook
network-object facebook_69.171.224.0 255.255.224.0
network-object facebook_173.252.64.0 255.255.192.0
network-object facebook_204.15.20.0 255.255.252.0
network-object facebook_66.220.144.0 255.255.240.0
network-object facebook_69.63.176.0 255.255.240.0
network-object facebook_74.119.76.0 255.255.252.0
access-list outside_access_in remark AutoScript
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 host 10.32.4.3
access-list outside_access_in remark Access to Exchange
access-list outside_access_in extended permit tcp any host 10.32.5.50 object-group Exchange_ports
access-list outside_access_in extended permit tcp any host 10.32.5.55 eq smtp
access-list outside_access_in extended deny ip any any
access-list IRADVPN_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip any 10.64.0.0 255.255.255.0
access-list inside_in extended deny ip any object-group facebook log
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging asdm-buffer-size 256
logging buffered debugging
logging trap informational
logging asdm informational
logging mail errors
mtu outside 1500
mtu inside 1500
ip local pool IRADVPNPOOL 10.64.0.2-10.64.0.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.254.0.0 255.255.255.0 outside
icmp permit any inside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.254.0.1 1
route inside 10.96.0.0 255.224.0.0 10.96.0.4 1
route inside 192.168.100.0 255.255.255.0 10.32.0.244 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.32.0.0 255.224.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.32.0.0 255.224.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.32.12.1-10.32.12.254 inside
dhcpd dns 10.32.0.99 10.32.0.104 interface inside
dhcpd wins 10.32.0.99 10.32.0.104 interface inside
dhcpd domain irwinresearch.com interface inside
!
group-policy IRADVPN internal
group-policy IRADVPN attributes
wins-server value 10.32.0.99 10.32.0.104
dns-server value 10.32.0.104 10.32.0.99
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IRADVPN_splitTunnelAcl
default-domain value irwinresearch.com
tunnel-group IRADVPN type ipsec-ra
tunnel-group IRADVPN general-attributes
address-pool IRADVPNPOOL
default-group-policy IRADVPN
tunnel-group IRADVPN ipsec-attributes
pre-shared-key *
!
class-map type regex match-any DomainBlockList
match regex domainlist1
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5844a099b59423e040719e10b5613861
ASA#
Thanks:
Jorge Barahona
Irwin Research and Dev.
IT Management
509-4941424
Yakima,WA
98902
03-12-2012 07:44 PM
Hi,
Traffic stopped because you need a default "permit any" statement for the inside. Use these together, in this order:
access-list inside_in extended deny ip any object-group facebook log
access-list inside_in extended permit ip any any log
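Both Icaruso's address-range approach and the ordering fix just given can be checked offline. The following is an added example, written for this thread and not Cisco's or any poster's code: it rebuilds the "facebook" object group from the thread (2011 data; a later reply says the ranges have changed since, so treat them as sample values), verifies that each netmask covers exactly the range its "name ... description" line claims, and then evaluates three versions of the inside_in access list with first-match semantics and the ASA's implicit deny at the end. The flow addresses are constructed; protocol "ip" is assumed for every entry.

```python
import ipaddress
from typing import List, Optional, Sequence, Tuple

# The "facebook" object group as posted in this thread (2011 data; the last
# reply notes the operator's ranges have changed since, so treat these as
# sample values). Each row: network, mask, and the first/last address that
# the matching "name ... description" line claims.
FACEBOOK_OBJECTS = [
    ("69.171.224.0", "255.255.224.0", "69.171.224.0", "69.171.255.255"),
    ("74.119.76.0", "255.255.252.0", "74.119.76.0", "74.119.79.255"),
    ("204.15.20.0", "255.255.252.0", "204.15.20.0", "204.15.23.255"),
    ("66.220.144.0", "255.255.240.0", "66.220.144.0", "66.220.159.255"),
    ("69.63.176.0", "255.255.240.0", "69.63.176.0", "69.63.191.255"),
    ("173.252.64.0", "255.255.192.0", "173.252.64.0", "173.252.127.255"),
]
ANY = ipaddress.IPv4Network("0.0.0.0/0")


def object_group_networks(entries=FACEBOOK_OBJECTS) -> List[ipaddress.IPv4Network]:
    """Build the object group; strict parsing rejects a network/mask pair
    whose host bits are set, a common typo in hand-maintained lists."""
    return [ipaddress.IPv4Network(f"{net}/{mask}") for net, mask, _, _ in entries]


def description_mismatches(entries=FACEBOOK_OBJECTS) -> List[str]:
    """Networks whose mask does not cover exactly the range in its description."""
    bad = []
    for net, mask, first, last in entries:
        n = ipaddress.IPv4Network(f"{net}/{mask}")
        claimed = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
        if (n.network_address, n.broadcast_address) != claimed:
            bad.append(net)
    return bad


# An access-list entry: (action, source networks, destination networks).
# Protocol "ip" is assumed for every entry, as in the thread's ACL.
Ace = Tuple[str, Sequence[ipaddress.IPv4Network], Sequence[ipaddress.IPv4Network]]


def evaluate_acl(acl: Sequence[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation with the implicit deny at the end of every ASA
    access list. Returns (action, index of the matching entry, or None when
    the implicit deny applied)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, (action, src_nets, dst_nets) in enumerate(acl):
        if any(s in n for n in src_nets) and any(d in n for n in dst_nets):
            return action, i
    return "deny", None


FACEBOOK = object_group_networks()
# Jorge's first attempt: only the deny line, so everything else hits the
# implicit deny and the Internet connection "went down".
DENY_ONLY: List[Ace] = [("deny", [ANY], FACEBOOK)]
# Icaruso's fix: deny first, then permit the rest.
DENY_THEN_PERMIT: List[Ace] = DENY_ONLY + [("permit", [ANY], [ANY])]
# Same two lines in the wrong order: the deny is never reached.
PERMIT_FIRST: List[Ace] = [("permit", [ANY], [ANY]), ("deny", [ANY], FACEBOOK)]


if __name__ == "__main__":
    print("description mismatches:", description_mismatches())
    for name, acl in [("deny only", DENY_ONLY),
                      ("deny then permit", DENY_THEN_PERMIT),
                      ("permit first", PERMIT_FIRST)]:
        for dst in ("173.252.100.1", "208.252.80.226"):
            print(name, dst, evaluate_acl(acl, "10.32.4.3", dst))
```

With the deny line alone, a flow to 208.252.80.226 returns ("deny", None), the implicit deny that took Jorge's site offline; with the permit appended it returns ("permit", 1) while 173.252.100.1 still hits the deny at index 0. Reversing the two lines makes the deny unreachable, which is why the order in the reply above matters. As the last post in the thread observes, a list like this also goes stale, so the range check is worth re-running whenever the entries are refreshed.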
03-13-2012 08:37 AM
Thanks so much, Icaruso.
It worked!
So smart way to fix the issue.
Cheers for you.
02-16-2016 10:45 AM
Hello,
that won't work now,
as Facebook is using HTTPS, just like Mike says.
Maybe just take some Facebook IP addresses and drop those, but they made changes or added more IP addresses (;