Thanks Jay is your solution preferable to the following method provide by Chris C?

Please see the link below.  It describes how to filter out certain websites but if you use No Match when creating the HTTP Class Maps you get the opposite effect, all websites are filtered except the ones you list.  You should be able to look at your production ASA if you need to see how it’s setup.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

To undo filtering and set everything open temporarly just

go to Configuration -> Firewall -> Service Policy Rules,  just uncheck the Enabled boxes for the httptraffic rule.  That will open it wide again. 

Also, this is just filtering ports 80 and 8080, so any other ports are still open.

Your method, and this one are the only two I hvae been able to get? I need to start imppamenting a solution soon. I am hoping to block out all traffic but that allowed through. This second solution only filters via ports 80 and 8080 it does not look at other ports.

thanks

Jason

Message was edited by: jason browne

Jason,

     The two approaches really do different things. If your goal is to control what URLs and servers certain users can access, then a more robust solution using an external URL server might be a better solution:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_filter.html#wp1045692

That being said, if you're only looking to control access for a specific host, then configuring HTTP application inspection on the ASA and applying it just to traffic sourced from that server should work ok. You can limit the specific URLs that the client can send traffic to.

More examples can be found here:

https://supportforums.cisco.com/docs/DOC-1268

i was just checking to see if you had any more suggestions, after examining the other suggestions, that people have gave me, and I have posted?

Jay Johnston

I have included the answers and communication i have received from linked in. Do you have any further suggestions or answers on how i can secure my new work allowing only my workstations and servers acces to outside recources such as nist etc based on domain names as apposed to ip address/ranges.

thanks

Jason

I'm not a Cisco ASA expert but.. I'm thinking you could either
a) allow all outbound traffic over a certain port (443) so that such communication can be started (the WSUS should be starting the SSL channel outbound anyway with windows update) OR
b) allow all traffic on port 443 to the WSUS Server IP?

This just might be simpler.

Another way as Randy suggested is to move the WSUS out of policy or into a DMZ, allowing it to communicate more freely while maintaining protection within your network.

If you need more help, let me know.

Hi Jason,

I don't think you understand how NAT and TCP/UDP/ICMP work. Nothing (NOTHING!) can open an inbound connection to a server without an active NAT policy, regardless of whether or not a security policy exist.

I've been configuring routers and firewall for 25 years, CISSP certified, and other stuff I won't bore you with. Users shouldn't be on you servers, so it doesn't matter what policies apply to them.

Perhaps I don't understand your enviroment - but if all the other security is right, you are spending energy on nothing.

Randy