cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2433
Views
4
Helpful
11
Replies

How to block website for perticular users using ASDM 6.0 ?

vinayak
Level 1
Level 1

Hello All,

I am very new in using ASDM. actually i am using ASA 5510 version 8.0 & ASDM version 6.0.

I want to block certian websites on LAN users

For Example:

I am having LAN ips in range 192.168.1.0 /24

i want to permit all website for 192.168.1.2 & 192.168.1.14 users

& Block websites (such as social networking, IM websites etc.) for rest of all users.

Can anyone tell me how to do that using ASDM 6.0 or CLI ??

Any help is greatly helpful ......  Thanks

1 Accepted Solution

Accepted Solutions

Sure..

Here is an example:

object-group network allow-list

     network-object host 192.168.1.2

     network-object host 192.168.1.14

object-group network block-list

     network-object host 192.168.1.5

     network-object 192.168.1.32 255.255.255.248

access-list inside_mpc extended deny tcp object-group allow-list any eq 80

access-list inside_mpc extended permit tcp object-group block-list any eq 80

Hope that helps.

View solution in original post

11 Replies 11

Jennifer Halim
Cisco Employee
Cisco Employee

ASA natively does not have a feature to block particular website. You might need to use Regex via MPF to block website via ASA. Here is the sample configuration for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

To block website natively, you can use CSC module on the ASA, or Ironport web appliance, or ScanSafe web filtering solution in the cloud.

Hope that helps.

Hello,

Thanks for reply. I think this should help me to block website for all users.

But i want to block websites for some users & want to permit all websites for 2 users (as 192.168.1.2 & 1.14).

Then how to do that ?

From the sample configuration, you can tweak the access-list "inside_mpc" as follows:

access-list inside_mpc extended deny tcp host 192.168.1.2 any eq 80

access-list inside_mpc extended deny tcp host 192.168.1.14 any eq 80

access-list inside_mpc extended permit tcp any any eq 80

The first 2 lines of ACL will prevent 192.168.1.2 and 192.168.1.14 from being blocked towards the URL that you specify later with Regex.

Hope that helps.

Thank you very much.

one last qusetion. Can i create a object group 1 for which i want to permit all traffic & object group 2 for which want to block specific traffic..

is it possible ? if so can you please tell me how to do that ?

Sure..

Here is an example:

object-group network allow-list

     network-object host 192.168.1.2

     network-object host 192.168.1.14

object-group network block-list

     network-object host 192.168.1.5

     network-object 192.168.1.32 255.255.255.248

access-list inside_mpc extended deny tcp object-group allow-list any eq 80

access-list inside_mpc extended permit tcp object-group block-list any eq 80

Hope that helps.

Thank you very much.

I will implement it & reply you back,.

thanks again..

Hello,

Sorry to disturb you again, But can you tell me what is the meaning of the statement..

access-list inside_mpc extended deny tcp 192.168.1.2 any eq www

Basing it from the sample configuration posted earlier, the following ACL:

access-list inside_mpc extended deny tcp 192.168.1.2 any eq www

means that the user with ip address of 192.168.1.2 will be exempted from being blocked, ie: that user will not be inspected against the MPF rule configured for TCP/80 (HTTP) traffic.

Dear halijenn ,

thanks for help. Its really works..

Thanks...

Great, thanks for the update. Pls kindly mark the question as answered. Thanks.

ok. thanks

Review Cisco Networking for a $25 gift card