
URL Filtering on Cisco ASA

ashish.saxena1
Level 1

Hi All

I am using a Cisco ASA 5520 Adaptive Security Appliance in my network. I am sharing the show inventory output of my ASA.

ASA-1# show inventory
Name: "Chassis", DESCR: "ASA 5520 Adaptive Security Appliance"
PID: ASA5520 , VID: V06 , SN: JMX1525L0R9

Name: "slot 1", DESCR: "ASA 5500 Series Security Services Module-20"
PID: ASA-SSM-20 , VID: V02 , SN: JAF1523AJKQ

Name: "power supply", DESCR: "ASA/IPS 180W AC Power Supply"
PID: ASA-180W-PWR-AC , VID: V03 , SN: DTN143582J5

I need to block sites on this ASA (e.g. social networking sites, etc.). Is it possible to block the sites? If yes, please let me know how it can be done.

If not, then why?

Please let me know; I will be very thankful to you.

Regards

Ashish

2 Accepted Solutions


The legacy ASAs are very limited here. It is best to migrate to a newer ASA-X model with Firepower or a Cisco Meraki MX. There you can filter URLs much more powerfully.

On your legacy ASA you can use FQDN-objects:

object network TEST
 fqdn www.example.com
!
access-list INSIDE-IN deny ip any object TEST
access-list INSIDE-IN permit ...

The ASA will now do a DNS lookup and resolve www.example.com. All access to this IP gets denied.

You should be aware that domains on shared hosting can't be denied/allowed individually, as one IP often hosts thousands of domains.
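
The FQDN-object approach from the answer above, filled out with the DNS and interface binding it depends on. This is an added example, not part of the original reply and not Cisco's own sample; the interface names `inside` and `outside`, the resolver address 192.0.2.53, and the final `permit ip any any` are assumptions (the answer leaves its permit line elided).

```cisco
! Added example. Assumed values: interfaces "inside"/"outside",
! DNS resolver 192.0.2.53 (documentation address), final permit rule.
!
! The ASA can only resolve fqdn objects if DNS lookups are enabled
! on the interface that reaches the resolver.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53
!
! Object from the answer above.
object network TEST
 fqdn www.example.com
!
! Deny traffic to whatever addresses the name currently resolves to,
! then permit the rest (assumed; the answer's permit line is elided).
access-list INSIDE-IN extended deny ip any object TEST
access-list INSIDE-IN extended permit ip any any
!
! An ACL has no effect until it is bound to an interface.
access-group INSIDE-IN in interface inside
!
! Checks after applying:
!   show dns                     - names the ASA has resolved, with addresses
!   show access-list INSIDE-IN   - ACEs expanded to the resolved addresses
```

Point the ASA at the same resolver the clients use; if the two receive different answers for a name (round-robin or CDN-hosted sites), the deny entry can cover addresses the clients never connect to.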


Farhan Mohamed
Cisco Employee

There was a problem with this in earlier versions of ASA.

Try to upgrade your ASA IOS to version 8.4.2 and update ASDM to the latest version. Also update the CSC-SSM-20 IOS to 6.6.1125.0.

There you have support for HTTPS filtering.

Just go through the release notes of these IOSs for more information.

There is still a bug in the ASA 5520: it does not support HTTPS filtering with Internet Explorer on pre-Windows 2003 operating systems.

On later versions of Windows 2003 with the Internet Explorer browser, HTTPS filtering works fine.

In both of the above cases, HTTPS filtering works fine with the Firefox browser.

Rate me if this post is helpful.

Thanks,

Farhan

