I am trying to follow the article "ASA/PIX 8.x: Block Certain Websites (URLs) Using Regular Expressions With MPF Configuration Example" to block Youtube.com. Yahoo and MySpace are blocked successfully. However, Youtube.com can still be accessed. I double-checked the code but did not see any problem. The attachment is the configuration. Could someone please help me with that?
Thanks for your response. I did try to configure FQDN. However, it is still not working. The attachment is the full configuration and the show command output.
I just deleted all the commands you pointed out and configured only one group, DefaultDNS. However, the website can still be accessed. By the way, I also moved the access-list to the 1st position. The attachment is the configuration file.
I just denied all port 80 and 443 traffic, since I could not find a way to block specific websites. Now I am trying to use FQDN to permit some websites instead. I followed your suggestion, but it still did not succeed. The attachment is the configuration and the show access-list output.
BTW, I abandoned the Regular Expressions function since it cannot work with HTTPS.
Ok, I did a quick test allowing everything except YouTube:
object network Youtube
access-list inside_in extended deny ip any object Youtube
access-list inside_in extended permit ip any any
When I ping a website I get an answer, but when I try to access youtube.com I get denied:
Deny icmp src inside:192.168.200.2 dst outside:188.8.131.52(www.youtube.com) (type 8, code 0) by access-group "inside_in" [0xcd241c70, 0xcd241c70]
So it should work on your side as well. However, the config you attached denies everything except YouTube.
Is your ASA able to resolve youtube.com?
Can you paste the output of show access-list Test_access_in?
I did paste the output of show access-list Test_access_in in the last e-mail attachment. I just separated it into a new file. The ASA is able to resolve youtube.com; you can see it in the show access-list Test_access_in output.
Ok, let's do it again.
As I was saying, can you go back to your first idea, where you wanted to allow everything and deny YouTube?
In one of your previous outputs, I saw your ACL denying YouTube being hit by traffic, and it should have worked at that time. I don't know which test you are doing to say that it's not working.
In your current config, your ACL is:
access-list Test_access_in extended deny tcp object Test any eq www
access-list Test_access_in extended deny tcp object Test any eq https
access-list Test_access_in extended permit object-group TCPUDP object Test object Youtube eq www
access-list Test_access_in extended permit tcp object Test object Youtube eq https
The permit Youtube lines won't be hit because you have deny statements before them that deny all www and https traffic. Can you move them to the top, to be sure that YouTube will be allowed and the others denied?
It should work, because when you do sh access-list we see that the ASA is resolving the hostname www.youtube.com.
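The ordering problem described in the post above, shown as an added ASA configuration example; this is not configuration from the original thread. The object and ACL names (Test, Youtube, Test_access_in, DefaultDNS) are taken from the thread; the interface name inside, the resolver address 10.1.10.1 and the Test subnet 10.1.10.0/24 are assumptions. The first block reproduces the broken order, the second inserts the permits ahead of the denies with explicit line numbers instead of re-entering the whole list.

```cisco
! --- Broken order (as posted): the two deny lines match every www/https
! --- flow from Test first, so the YouTube permits below them are never hit.
access-list Test_access_in extended deny tcp object Test any eq www
access-list Test_access_in extended deny tcp object Test any eq https
access-list Test_access_in extended permit tcp object Test object Youtube eq www
access-list Test_access_in extended permit tcp object Test object Youtube eq https

! --- Corrected version (added example, names/addresses partly assumed) ---
! The ASA must be able to resolve the FQDN itself; resolver 10.1.10.1 is assumed.
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.1.10.1
!
! Test LAN (assumed subnet) and the FQDN object; the ASA expands the FQDN
! into the IPv4 addresses returned by its own DNS lookup.
object network Test
 subnet 10.1.10.0 255.255.255.0
object network Youtube
 fqdn v4 www.youtube.com
!
! Insert the permits at the top with explicit line numbers, so they are
! evaluated before the existing deny entries. Clients still need DNS, so
! UDP/53 to the (assumed) resolver is permitted before the implicit deny.
access-list Test_access_in line 1 extended permit tcp object Test object Youtube eq www
access-list Test_access_in line 2 extended permit tcp object Test object Youtube eq https
access-list Test_access_in line 3 extended permit udp object Test host 10.1.10.1 eq domain
! The existing deny lines now sit below the permits:
access-list Test_access_in extended deny tcp object Test any eq www
access-list Test_access_in extended deny tcp object Test any eq https
!
access-group Test_access_in in interface inside
```

To check the result, show access-list Test_access_in lists the addresses the FQDN object has been resolved to and the hit count of each entry, and packet-tracer input inside tcp 10.1.10.63 12345 <resolved-address> 443 walks a test flow through the ACL and reports which line matched. One caveat worth keeping in mind with FQDN objects on large CDN-hosted sites: the object only contains the addresses the ASA's own resolver returned, so a client whose DNS answer differs from the ASA's will be sent to an address that is not in the object and will hit the deny entries instead.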
I need to block all websites and open only one website for our customer. Therefore, I cannot go back to my first idea. I did try to move the youtube.com rule to the top of the access-list; however, it still cannot access youtube.com. The attachment is the sh access-list output.
How are you testing YouTube access?
What is the IP of your laptop?
There is no way that the rule is not hit by any traffic.
Maybe we can do a WebEx session, but not before January :-) sorry.
The easy way to test is to use a computer connected to the Test LAN network and open the browser to browse www.youtube.com. The test computer IP is 10.1.10.63. However, it is still not successful in accessing youtube.com. All right, we will keep in contact, and Happy New Year. Thanks.