01-05-2017 04:50 AM - edited 03-12-2019 01:44 AM
Hi,
I have an ASA5516-X on which I need to block access to some websites without having to buy additional licenses.
I was trying to block google as well as facebook using access-lists.
The configuration that was added to the firewall is the following:
dns domain-lookup OUTSIDE
dns server-group DefaultDNS
name-server 4.2.2.2
name-server 8.8.8.8
name-server 8.8.4.4
object network OBJ-GOOGLE.COM
fqdn google.com
object network OBJ-FB.COM
fqdn facebook.com
access-list ACL-BLK-GG extended deny tcp any object OBJ-GOOGLE.COM eq https
access-list ACL-BLK-GG extended deny tcp any object OBJ-GOOGLE.COM eq http
access-list ACL-BLK-GG extended deny ip any object OBJ-GOOGLE.COM
access-group ACL-BLK-GG in interface inside
access-list ACL-BLK-FB extended deny tcp any object OBJ-FB.COM eq https
access-list ACL-BLK-FB extended deny tcp any object OBJ-FB.COM eq http
access-list ACL-BLK-FB extended deny ip any object OBJ-FB.COM
access-group ACL-BLK-FB in interface inside
I noticed that the firewall is only taking into consideration the first IP address it resolves using DNS and blocks it.
Is there a way we could let the firewall resolve all IP addresses that are currently being used by facebook/google, with some TTL?
Regards
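To make the behaviour described in the question concrete, here is an added simulation (example code written for this page, not an ASA feature and not from the original poster) that replays a constructed sequence of DNS answers and client flows against two policy models: one that keeps only the first resolved address, and one that keeps every A record until its TTL expires. The addresses and TTLs are constructed RFC 5737 test values, not real Google or Facebook addresses, and the timestamps are seconds on an arbitrary clock.

```python
"""Why an FQDN-based deny rule that keeps one resolved address misses most traffic.

Constructed data only: addresses are RFC 5737 TEST-NET-1 values, timestamps are
seconds on an arbitrary clock. Neither policy class is Cisco code; both are small
models written for illustration.
"""

# Constructed resolver answers: at time T the name resolved to these (address, ttl) A records.
SAMPLE_RESOLUTIONS = {
    0:    [("192.0.2.10", 300), ("192.0.2.11", 300), ("192.0.2.12", 300)],
    600:  [("192.0.2.20", 300), ("192.0.2.21", 300)],
    1200: [("192.0.2.10", 300), ("192.0.2.30", 300)],
}

# Constructed client flows: (time, destination address) for connections to the blocked site.
SAMPLE_FLOWS = [
    (10, "192.0.2.10"),
    (20, "192.0.2.11"),
    (650, "192.0.2.21"),
    (700, "192.0.2.10"),
    (1300, "192.0.2.30"),
    (1300, "192.0.2.20"),
]


class FirstAddressOnly:
    """Models the behaviour the poster observed: only the first A record is used for matching."""

    def __init__(self):
        self.addr = None

    def update(self, records, now):
        self.addr = records[0][0]

    def matches(self, dst, now):
        return dst == self.addr


class AllAddressesWithTtl:
    """Keeps every resolved address and drops it once its TTL has run out."""

    def __init__(self):
        self.expiry = {}  # address -> absolute time at which the record expires

    def update(self, records, now):
        for addr, ttl in records:
            self.expiry[addr] = now + ttl

    def matches(self, dst, now):
        exp = self.expiry.get(dst)
        return exp is not None and exp > now


def simulate(policy_cls, resolutions=SAMPLE_RESOLUTIONS, flows=SAMPLE_FLOWS):
    """Replay resolutions and flows in time order; return the flows the policy would deny."""
    policy = policy_cls()
    pending = sorted(resolutions.items())
    denied = []
    for t, dst in sorted(flows):
        # Feed the policy every DNS answer that arrived at or before this flow.
        while pending and pending[0][0] <= t:
            at, records = pending.pop(0)
            policy.update(records, at)
        if policy.matches(dst, t):
            denied.append((t, dst))
    return denied


def coverage(policy_cls):
    """Fraction of the constructed flows that the policy denies."""
    return len(simulate(policy_cls)) / len(SAMPLE_FLOWS)


if __name__ == "__main__":
    for cls in (FirstAddressOnly, AllAddressesWithTtl):
        print(f"{cls.__name__}: denied {simulate(cls)} ({coverage(cls):.0%} of flows)")
```

Even the TTL-aware model allows the flow at t=700 to 192.0.2.10, because that record expired at t=300 and was not re-learned until t=1200; a firewall that resolves only periodically will always lag behind a site whose address set rotates. Large sites also share address ranges with unrelated services on the same CDN, so address-based blocking of a name is both leaky and prone to collateral blocking, which is why the accepted answer points at URL filtering or DNS-layer enforcement instead.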
01-05-2017 05:25 AM
No. You cannot do that using an ASA without FirePOWER services and the URL filtering license.
It would be much easier to do using Cisco Umbrella (formerly OpenDNS).
Either way you have to buy something more than what you currently have.