12-22-2016 03:58 AM - edited 03-12-2019 01:41 AM
Hi All
I am using a Cisco ASA 5520 Adaptive Security Appliance in my network. I am sharing the show inventory output of my ASA.
ASA-1# show inventory
Name: "Chassis", DESCR: "ASA 5520 Adaptive Security Appliance"
PID: ASA5520 , VID: V06 , SN: JMX1525L0R9
Name: "slot 1", DESCR: "ASA 5500 Series Security Services Module-20"
PID: ASA-SSM-20 , VID: V02 , SN: JAF1523AJKQ
Name: "power supply", DESCR: "ASA/IPS 180W AC Power Supply"
PID: ASA-180W-PWR-AC , VID: V03 , SN: DTN143582J5
I need to block sites on this ASA (e.g. social networking sites, etc.). Is it possible to block the sites? If yes, please let me know how it can be done.
If not, then why?
Please let me know I will be very thankful to you.
Regards
Ashish
12-22-2016 04:37 AM
The legacy ASAs are very limited here. Best is to migrate to a newer ASA-X model with Firepower or a Cisco Meraki MX. There you can filter URLs much more powerfully.
On your legacy ASA you can use FQDN-objects:
object network TEST
 fqdn www.example.com
!
access-list INSIDE-IN deny ip any object TEST
access-list INSIDE-IN permit ...
The ASA will now do a DNS lookup and resolve www.example.com. All access to this IP gets denied.
You should be aware that domains on shared hosting can't be denied/allowed individually, as one IP often hosts thousands of domains.
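A fuller version of the FQDN-object approach from the answer above, as an added example that is not part of the original posts. The interface names (inside, outside), the resolver address 192.0.2.53, the second hostname and the final permit line are assumptions; the point it adds is that FQDN objects only work once the ASA itself is configured for DNS lookups.

```cisco
! Added example, not from the original thread.
! Assumed: interfaces "inside"/"outside", resolver 192.0.2.53 (placeholder),
! and the hostname social.example.net (placeholder).
!
! The ASA must be able to resolve names itself, otherwise the FQDN
! objects never receive an address and the deny entry matches nothing.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53
!
! One object per hostname to block.
object network BLOCK-EXAMPLE
 fqdn www.example.com
object network BLOCK-EXAMPLE-ALT
 fqdn social.example.net
!
! Group the objects so the ACL needs a single deny line.
object-group network BLOCKED-SITES
 network-object object BLOCK-EXAMPLE
 network-object object BLOCK-EXAMPLE-ALT
!
! Deny first, then permit the remaining traffic (assumed policy).
access-list INSIDE-IN extended deny ip any object-group BLOCKED-SITES
access-list INSIDE-IN extended permit ip any any
access-group INSIDE-IN in interface inside
!
! Checks from privileged EXEC mode:
!   show dns                     addresses currently resolved per FQDN
!   show access-list INSIDE-IN   expanded entries and their hit counts
```

The deny only matches the addresses the ASA itself resolved, so clients should use the same DNS resolver as the ASA; with round-robin or CDN-hosted names a client that gets a different answer is not blocked.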
12-22-2016 01:06 PM
There was a problem with this in earlier versions of ASA.
Try to upgrade your ASA IOS to version 8.4.2 and update ASDM to the latest version. Also update the CSC-SSM-20 IOS to 6.6.1125.0.
There you have support for HTTPS filtering.
Just go through the release notes of these IOS versions for more information.
There is still a bug in the ASA 5520, which does not support HTTPS filtering with Internet Explorer on pre-Windows 2003 operating systems.
On later versions of Windows 2003, HTTPS filtering with the Internet Explorer browser works fine.
In both of the above cases, HTTPS filtering with the Firefox browser works fine.
Rate me if this post is helpful.
Thanks,
Farhan