05-12-2015 08:46 AM - edited 03-11-2019 10:55 PM
Hello Team,
I am trying to block URLs like facebook.com on the ASA; I used the object ACL method with an FQDN name as the object. It is resolving the DNS name perfectly, so I can have all the IPs of facebook.com.
I configured the following ACL, which can only block the layer 3 communication based on the IP, and when I ping from the PC with "ping facebook.com" it is blocked on the firewall and I can see the hit count on the ACL, which is fair enough.
access-list INSIDE_IN line 2 extended deny ip host 10.1.1.9 object-group Blocked-URL log
The problem is that I configured the same ACL below just to block HTTPS; some of the websites it is blocking, but facebook.com is still working. Sometimes it is blocked, but mostly it is not.
access-list INSIDE_IN line 3 extended deny tcp host 10.1.1.1 object-group Blocked-URL eq https log
Can anyone help me to sort out what exactly the problem is? I am using version 8.4(2).
If there is any other way to do it, let me know.
05-12-2015 02:57 PM
Dear All,
Just an update: I can successfully block the HTTPS sites like yahoo, twitter, youtube with the following access list.
access-list INSIDE_IN line 3 extended deny tcp host 10.x.x.x object-group Blocked-URL eq https
but facebook and instagram I am unable to block. Even the IP is correct for the websites, obtained through DNS. I can block the ping for facebook and even all websites, but not the HTTPS.
Waiting to see if anyone can help me.
05-13-2015 08:39 AM
Hi Ali,
Based on your configs, that should work already.
Can you try to erase the cache of your browser then try it again?
Thanks.
05-13-2015 01:58 PM
Dear Nikko,
Thank you very much for your valuable input; I was skipping this point while testing it. It worked, but instagram.com is still not blocked even after clearing the cache. For the rest of the URLs I can see the ACL hit count is increasing and it is also blocking the websites.
But this leads me to another finding: if I access the URL directly from the browser it is blocked, meaning open a browser and type https://facebook.com.
If I first go to google.com, search for facebook.com and then click on the link, then it works again. It means when I initiate the session directly from my PC to the blocked URL it is blocked, but when I initiate it to any other website and then try to open the blocked URL (HTTPS only) it opens.
But this behaviour is not true for HTTP websites; an HTTP website is blocked by any means of accessing it, either directly or through the search engine.
NOTE: from the above finding I can conclude that direct access to https://facebook.com is blocked because it is just blocking based on the IP resolved by DNS, but when I access the same web through https://google.com it bypasses the ACL because it is going encrypted in HTTPS?
NOTE: I am
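The behaviour described in this post (ping and direct HTTPS blocked, HTTPS reached via another site sometimes not) is what you see when the firewall's FQDN object matches only the addresses the firewall itself resolved, while the client may have resolved a different address for a site served from many CDN addresses. The model below is an added example, not configuration or code from this thread or from Cisco: it simulates first-match evaluation of the INSIDE_IN list with the two deny lines from the thread plus an assumed trailing permit, and the resolved addresses are constructed sample values from documentation ranges, not real resolutions of any site.

```python
"""Model of how an ASA-style access list with an FQDN object group matches.

Added example for illustration; not the thread's or Cisco's code. The FQDN
object contains only the addresses the firewall's own resolver returned, so
a client packet to an address the firewall never resolved falls through to
whatever line comes next (here an assumed "permit ip any any" on line 4).
All addresses are constructed sample values (TEST-NET ranges).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class FqdnObjectGroup:
    name: str
    # fqdn -> addresses the *firewall* resolved for it (a point-in-time snapshot)
    resolved: dict[str, set[str]]

    def contains(self, addr: str) -> bool:
        return any(addr in addrs for addrs in self.resolved.values())


@dataclass
class Packet:
    proto: str                 # "icmp", "tcp", "udp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class AclEntry:
    line: int
    action: str                             # "permit" or "deny"
    proto: str                              # "ip" matches every protocol
    src_host: Optional[str]                 # None means "any"
    dst_group: Optional[FqdnObjectGroup]    # None means "any"
    dst_port: Optional[int] = None          # None means any port
    hits: int = 0                           # the hit count the thread watched

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src_host is not None and self.src_host != pkt.src:
            return False
        if self.dst_group is not None and not self.dst_group.contains(pkt.dst):
            return False
        if self.dst_port is not None and self.dst_port != pkt.dport:
            return False
        return True


def evaluate(acl: list[AclEntry], pkt: Packet) -> tuple[str, Optional[int]]:
    """First matching line wins; an ACL ends with an implicit deny (line None)."""
    for ace in acl:
        if ace.matches(pkt):
            ace.hits += 1
            return ace.action, ace.line
    return "deny", None


def build_inside_in() -> list[AclEntry]:
    """The two deny lines from the thread plus an assumed permit on line 4."""
    blocked = FqdnObjectGroup(
        "Blocked-URL",
        # constructed snapshot: what the firewall's resolver returned so far
        {"facebook.com": {"198.51.100.10", "198.51.100.11"}},
    )
    return [
        AclEntry(2, "deny", "ip", "10.1.1.9", blocked),        # blocks ping and everything else
        AclEntry(3, "deny", "tcp", "10.1.1.1", blocked, 443),  # blocks HTTPS only
        AclEntry(4, "permit", "ip", None, None),               # assumed: everything else allowed
    ]


if __name__ == "__main__":
    acl = build_inside_in()
    # Client resolved the same address the firewall did: both lines hit as expected.
    print(evaluate(acl, Packet("icmp", "10.1.1.9", "198.51.100.10")))       # ('deny', 2)
    print(evaluate(acl, Packet("tcp", "10.1.1.1", "198.51.100.10", 443)))   # ('deny', 3)
    # Client resolved a CDN address the firewall has not seen: falls through to line 4.
    print(evaluate(acl, Packet("tcp", "10.1.1.1", "203.0.113.7", 443)))     # ('permit', 4)
    # Once the firewall's next resolution includes that address, the same flow is denied.
    acl[0].dst_group.resolved["facebook.com"].add("203.0.113.7")
    print(evaluate(acl, Packet("tcp", "10.1.1.1", "203.0.113.7", 443)))     # ('deny', 3)
```

The third evaluation is the intermittent case from the thread: nothing about encryption bypasses the ACL, the destination address simply is not in the object's current resolved set, so the hit counter on line 3 never moves for that flow. Check with `show dns` style output on the firewall (whatever your version offers) that the addresses the FQDN object holds match what the client actually connects to; a gap between the two is the first thing to rule out before suspecting the ACL logic.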
05-13-2015 09:22 PM
Hi Ali,
Good day!
Thanks for sharing your findings; that's a bit strange behavior of the ASA. I think you need to try using the CX function if you have it, because it can also have URL filtering capabilities.
Thank you.
05-14-2015 08:59 AM
Hi,
Unfortunately we don't have CX, but I don't want to inspect the payload; I am just trying to get L4 blocked. The only difference between the traditional ACL and the ACL I am using is the FQDN.
05-14-2015 09:39 AM
Hi,
Just in addition to my above email, can you please give me any link for the CX module supported in the ASA5580?
05-18-2015 03:10 AM
Hi Ali, you can try to check the link below.
http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html
Thanks.