URL filtering in ASA 5510

Unanswered Question
Jul 10th, 2008
Hi,


I have a specific requirement; below are the details. I need to block URLs and allow some URLs for different IPs in the ASA. This has to be done only through the ASA, not through Websense or any third-party tools. Please let me know any config you know for URL filtering based on groups of IPs. Below is the requirement:


> webfilter 1
> allowed everything even those mentioned above the ip series for this webfilter can be 10.0.1.50 to 10.0.1.70
>
> webfilter 2
> Common blockage for all webfilters from 2 to 4 ip range 10.0.1.71 to 10.0.1.200
> P2P network sites vuze.com, bearshare, limewire, kazaa,
> all chats googletalk, rediffbol, indiatimeschat, yahoo messenger, msn messenger, skype
> facebook.com, facebook.co.in
> orkut.com, orkut.co.in porn and xxx
> timesjobs.com, monster.com, jobsahead.com, naukri.com
> shaadi.com, bharatmatrimony.com
>
> Webfilter 3 10.0.1.200 to 10.0.1.205
> Jobsites should be allowed
> timesjobs.com, naukri.com
>
> Webfilter 4 10.0.1.200 to 10.0.1.255
> we should be able to program ourselves but all the above things should be lockable as mentioned in webfilter 2



hadbou Thu, 07/17/2008 - 14:16

The following are the tasks involved in filtering HTTP URLs:

1) Configuring HTTP Filtering

2) Enabling Filtering of Long HTTP URLs

3) Truncating Long HTTP URLs

4) Exempting Traffic from Filtering



padmanabha.n Thu, 07/17/2008 - 20:45

Hi, I have prepared the config as below, but there is only one inside subnet, i.e. 10.0.1.1, and in the access list I have subnetted it. Will the access list below work or not with subnets of the IP address, where the inside interface IP is 10.0.1.1/24?


one range ip from 10.0.1.240 to 244

access-list HR permit tcp 10.0.1.240 25.255.255.248 220.226.194.11 255.255.255.255

access-list HR permit tcp 10.0.1.240 25.255.255.248 298.64.153.138 255.255.255.255


second range 10.0.1.65 to 128

access-list blockchat deny tcp 10.0.1.65 255.255.255.192 eq 5050 from ip 10.0.1.66 to 10.0.1.127

access-list blockchat deny tcp 10.0.1.65 255.255.255.192 eq 5100

access-list blockchat deny tcp 10.0.1.65 255.255.255.192 eq 5222 (tcp port of google)

access-list blockchat deny tcp 10.0.1.65 255.255.255.192 72.14.253.125 255.255.255.255 (talk.google.com)

access-list blockchat deny tcp 10.0.1.65 255.255.255.192 63.251.133.40 255.255.255.255 (rediff bol)

access-list blockchat deny tcp 10.0.1.65 255.255.255.192 eq 1863


third range 10.0.1.129 to 192

access-list blockurl deny tcp 10.0.1.129 255.255.255.192 eq 5050

access-list blockurl deny tcp 10.0.1.129 255.255.255.192 eq 5100

access-list blockurl deny tcp 10.0.1.129 255.255.255.192 eq 5222 (tcp port of google)

access-list blockurl deny tcp 10.0.1.129 255.255.255.192 72.14.253.125 255.255.255.255 (talk.google.com)

access-list blockurl deny tcp 10.0.1.129 255.255.255.192 63.251.133.40 255.255.255.255 (rediff bol)

access-list blockurl deny tcp 10.0.1.129 255.255.255.192 eq 1863

access-list blockurl deny tcp 10.0.1.129 255.255.255.192 65.74.135.110 255.255.255.255 (msnmessanger)

access-list blockurl deny tcp 10.0.1.129 255.255.255.192 eq 1023 (skype)

access-list blockurl deny tcp 10.0.1.129 255.255.255.192 eq 443
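
An added example, not part of the original thread: a Python check of which hosts each address/mask pair in the post above selects, compared with the IP range stated beside it, plus the exact network/mask blocks that would cover only that range. It assumes network-mask matching (host bits in the address are ignored) and reads the mask printed as "25.255.255.248" as 255.255.255.248; it does not model ASA command syntax.

```python
import ipaddress

# (stated first IP, stated last IP, ACL address, ACL mask) as written in the post.
# Assumption: the mask printed as "25.255.255.248" is read as 255.255.255.248.
POSTED = [
    ("10.0.1.240", "10.0.1.244", "10.0.1.240", "255.255.255.248"),
    ("10.0.1.65", "10.0.1.128", "10.0.1.65", "255.255.255.192"),
    ("10.0.1.129", "10.0.1.192", "10.0.1.129", "255.255.255.192"),
]

def exact_cover(first, last):
    """Smallest list of (network, mask) pairs covering exactly first..last."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [(str(b.network_address), str(b.netmask)) for b in blocks]

def compare(first, last, addr, mask):
    """Compare the stated range with what addr/mask selects.

    Assumption: network-mask matching, so host bits set in addr are ignored.
    """
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    matched = set(range(int(net[0]), int(net[-1]) + 1))
    wanted = set(range(int(ipaddress.ip_address(first)),
                       int(ipaddress.ip_address(last)) + 1))
    as_ips = lambda ints: [str(ipaddress.ip_address(i)) for i in sorted(ints)]
    return {
        "matched": f"{net[0]}-{net[-1]}",
        "missed": as_ips(wanted - matched),   # intended hosts the entry skips
        "extra": as_ips(matched - wanted),    # unintended hosts the entry hits
        "exact": exact_cover(first, last),
    }

if __name__ == "__main__":
    for first, last, addr, mask in POSTED:
        r = compare(first, last, addr, mask)
        print(f"{first}-{last} via {addr} {mask}: matches {r['matched']}")
        print(f"  missed={r['missed']} extra={r['extra']}")
        for network, netmask in r["exact"]:
            print(f"  exact block: {network} {netmask}")
```

Under these assumptions, each mask in the post selects a power-of-two aligned block, so a range such as 10.0.1.65 to 10.0.1.128 needs several entries to be matched exactly.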


