09-16-2010 09:32 PM - edited 03-11-2019 11:41 AM
Hello All,
I am very new to using ASDM. Actually, I am using an ASA 5510 running version 8.0 and ASDM version 6.0.
I want to block certain websites for LAN users.
For Example:
I have LAN IPs in the range 192.168.1.0/24.
I want to permit all websites for the 192.168.1.2 and 192.168.1.14 users
and block websites (such as social networking, IM websites, etc.) for all the other users.
Can anyone tell me how to do that using ASDM 6.0 or the CLI?
Any help is greatly appreciated. Thanks.
09-16-2010 09:50 PM
The ASA natively does not have a feature to block a particular website. You might need to use regex via MPF to block websites on the ASA. Here is a sample configuration for your reference:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
To block websites natively, you can use the CSC module on the ASA, an IronPort web appliance, or the ScanSafe web filtering solution in the cloud.
Hope that helps.
09-16-2010 10:02 PM
Hello,
Thanks for the reply. I think this should help me block websites for all users.
But I want to block websites for some users and permit all websites for two users (192.168.1.2 and 192.168.1.14).
How do I do that?
09-16-2010 10:07 PM
From the sample configuration, you can tweak the access-list "inside_mpc" as follows:
access-list inside_mpc extended deny tcp host 192.168.1.2 any eq 80
access-list inside_mpc extended deny tcp host 192.168.1.14 any eq 80
access-list inside_mpc extended permit tcp any any eq 80
The first two lines of the ACL will prevent 192.168.1.2 and 192.168.1.14 from being blocked from the URLs that you specify later with the regex.
Hope that helps.
09-16-2010 10:22 PM
Thank you very much.
One last question. Can I create object group 1, for which I want to permit all traffic, and object group 2, for which I want to block specific traffic?
Is it possible? If so, can you please tell me how to do that?
09-16-2010 10:31 PM
Sure.
Here is an example:
object-group network allow-list
network-object host 192.168.1.2
network-object host 192.168.1.14
object-group network block-list
network-object host 192.168.1.5
network-object 192.168.1.32 255.255.255.248
access-list inside_mpc extended deny tcp object-group allow-list any eq 80
access-list inside_mpc extended permit tcp object-group block-list any eq 80
Hope that helps.
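Pulling the two answers above together, here is a complete MPF configuration of the kind the linked Cisco document describes, written as an added example for this page rather than copied from the thread or from the Cisco document. The object-group names and ACL name come from the thread; the regex, class-map and policy-map names, the interface name "inside", and the two domains are assumptions chosen for illustration. The `!` lines are explanatory comments. Two points worth knowing before applying it: a `deny` entry in an ACL referenced by a `class-map` means "this traffic is not in the class" (so the allow-list hosts are never handed to HTTP inspection, which is the exemption the thread relies on), and `inspect http` only sees plaintext HTTP on the matched port, so HTTPS to the same sites on TCP/443 is not blocked by this policy.

```cisco
! Hosts that must never be URL-filtered. The deny ACEs exclude them from the
! class, so their HTTP is forwarded without inspection.
object-group network allow-list
 network-object host 192.168.1.2
 network-object host 192.168.1.14

! Everything else on TCP/80 is inspected. To inspect only a chosen set of
! hosts instead, replace the final permit with the thread's
! "permit tcp object-group block-list any eq www" line.
access-list inside_mpc extended deny tcp object-group allow-list any eq www
access-list inside_mpc extended permit tcp any any eq www

! Placeholder domains (assumed for this example). The patterns are applied
! to the HTTP Host header; the backslashes make the dots literal.
regex domainlist1 "\.facebook\.com"
regex domainlist2 "\.twitter\.com"

class-map type regex match-any DomainBlockList
 match regex domainlist1
 match regex domainlist2

class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList

! Layer 3/4 class that selects which flows go to HTTP inspection.
class-map httptraffic
 match access-list inside_mpc

policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection
 class BlockDomainsClass
  reset log

policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy

! Assumes no other service-policy is already bound to "inside".
service-policy inside-policy interface inside
```

Order matters in the ACL: the deny entries for the exempt hosts must come before the permit entry, because the ASA evaluates ACEs top down and stops at the first match. After applying it, `show access-list inside_mpc` shows hit counts on the deny entries when an exempt host browses, and `show service-policy interface inside` shows the inspect http counters climbing for everyone else; a blocked request from a non-exempt host appears in the log as a reset from the http inspection policy.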
09-16-2010 10:38 PM
Thank you very much.
I will implement it and reply back to you.
thanks again..
09-16-2010 10:54 PM
Hello,
Sorry to disturb you again, but can you tell me what the following statement means?
access-list inside_mpc extended deny tcp host 192.168.1.2 any eq www
09-17-2010 02:30 AM
Based on the sample configuration posted earlier, the following ACL:
access-list inside_mpc extended deny tcp host 192.168.1.2 any eq www
means that the user with IP address 192.168.1.2 will be exempted from being blocked, i.e. that user's traffic will not be inspected against the MPF rule configured for TCP/80 (HTTP) traffic.
09-17-2010 05:00 AM
09-17-2010 05:02 AM
Great, thanks for the update. Please kindly mark the question as answered. Thanks.
09-17-2010 05:03 AM
OK, thanks.