Access only few Internet websites URL

Answered Question
Aug 2nd, 2008

Hi, I want to block the usage of internet for Inside users except few websites. Please advice.

The QA testing team test some application by connecting remote servers which is connected by STS Tunnel. And I have opened IP protocol between both Sites and they test the application which is using a port 80. Here, I would say that the network must not be blocked if we make any rule for Inside Users.

Correct Answer
Marwan ALshawi Sun, 08/03/2008 - 07:14

Vinay

you can block and make filtering on the application layer through MPF, as with rate limiting

but this is going to be a bit more complicated, as you have to make some regular expressions and more class-maps

i will guide you through it below:

first, you want to allow only the specified websites and any other websites will be blocked!

let's say you're going to allow youtube.com and yahoo.com and any other websites should be blocked

first create regular expressions to match those URLs

regex URLLIST1 "\.yahoo\.com"
regex URLLIST2 "\.youtube\.com"

then create an ACL matching web traffic (the ports are TCP, so the ACL entries use tcp rather than ip)

access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq https
access-list 101 permit tcp any any eq 8080

class-map web-traffic
 match access-list 101

create a class-map for the regexes created above (URLLIST)

class-map type regex match-any allowed-sites
 match regex URLLIST1
 match regex URLLIST2

now create an inspection class-map for the web traffic matched with the class above

class-map type inspect http match-all blocking-urls
 match not request header host regex class allowed-sites

notice there is a "not" in the command here; this means match anything except the URLs we have matched above

so we are excluding the matched URLs, and below we're going to make a policy and the action we're going to take is drop

create the http inspection policy

policy-map type inspect http block_URLS
 class blocking-urls
  reset log

now if you look above, we created ACL 101 that matches web traffic and matched it with the class-map called web-traffic

now we're going to apply the above http inspection policy to that traffic

policy-map inside-policy
 class web-traffic
  inspect http block_URLS

now apply it to your inside interface

service-policy inside-policy interface inside

good luck

please, rate if helpful
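A quick offline audit of the allowlist regexes from the answer above, added here as an example and not part of the original post. It models the ASA's unanchored regex search against constructed Host header values and shows where the page's patterns over- and under-match; the tightened patterns assume the device's regex engine honours `^` and `$` anchors, which you can confirm on the box with the ASA `test regex` command.

```python
import re

# Regexes exactly as in the answer above.  ASA "match regex" is an unanchored
# search over the Host header value, so re.search() models it here.
PAGE_REGEXES = [r"\.yahoo\.com", r"\.youtube\.com"]

# Tightened allowlist (assumption: the ASA regex engine honours ^ and $ anchors;
# confirm on the box with "test regex <host> <regex>").  Accepts the apex domain
# and its subdomains, tolerates an optional :port suffix, rejects look-alikes.
TIGHT_REGEXES = [r"^([^.]+\.)*yahoo\.com(:[0-9]+)?$",
                 r"^([^.]+\.)*youtube\.com(:[0-9]+)?$"]

def host_allowed(host, regexes):
    """True if any regex matches, mirroring 'class-map type regex match-any'."""
    return any(re.search(rx, host) for rx in regexes)

def audit(regexes, hosts):
    """Map each candidate Host value to allow (True) or reset (False)."""
    return {h: host_allowed(h, regexes) for h in hosts}

# Constructed sample Host header values: sites the answer wants to allow,
# plus look-alike hosts that an unanchored pattern also lets through.
# Note: "inspect http" only sees the Host header of cleartext HTTP; the
# https entry in ACL 101 cannot be filtered by hostname this way.
SAMPLE_HOSTS = [
    "www.yahoo.com",
    "mail.yahoo.com:8080",
    "yahoo.com",                   # apex host: page regex misses it (no leading dot)
    "www.yahoo.com.example.net",   # look-alike: page regex allows it
    "notyahoo.com",
    "www.youtube.com",
]

if __name__ == "__main__":
    for label, regexes in (("page regexes", PAGE_REGEXES),
                           ("tight regexes", TIGHT_REGEXES)):
        print(label)
        for host, ok in audit(regexes, SAMPLE_HOSTS).items():
            print(f"  {'allow' if ok else 'reset'}  {host}")
```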

Marwan ALshawi Sun, 08/03/2008 - 18:21

i think the config that i have sent does exactly the same thing as in those files

anyway good luck

nikuhappy2010 Sun, 08/03/2008 - 20:46

Hi, I have installed a proxy server and blocked all inside traffic (inbound) and exempted tunnel traffic as well in the inside access list, and it's working fine. Now I want all inside users' mail, IM (for all users) and Yahoo Messenger (selected machines) traffic to be allowed from inside to outside. Mail SMTP port is 995 and POP3 port is 465 and both are using SSL. Please suggest what I need to do for the same. Please post an example, if possible. Thanks

nikuhappy2010 Mon, 08/04/2008 - 02:05

Hi, Thanks for the above links... But my query was for allowing the ports which are 465 and 995 and work on SSL (pop.gmail.com, smtp.gmail.com). I would want the inside users' e-mail traffic to be allowed by the inside interface (inbound) to outside. Please suggest..

I am using the proxy server and all internet traffic goes through the proxy, but I want the IM, Yahoo Messenger (selected machines) and e-mail (all inside machines) traffic forwarded to the outside internet by the inside interface instead of using the proxy. Thanks

nikuhappy2010 Mon, 08/04/2008 - 02:36

Well, the e-mail settings could be configured on the proxy server, but if I do then users' e-mail works very slowly, and IM, Skype and Yahoo we basically use for voice-based calls and through the proxy it doesn't work properly.

nikuhappy2010 Mon, 08/04/2008 - 04:49

Then all user machines should have a default gateway of the primary layer 3 device or ASA inside interface. (That's right)

All IE/Firefox browser settings should be proxied through the proxy server. (Yes)

IM should not be configured for proxy. (Yes, and the traffic will be bypassed through the default gateway, through the inside interface of the ASA)

This is not fool proof, anyone with any network knowledge will be able to bypass this.

(Well I know it's possible but I am a bit confused how I have to do the setting for SSL encrypted traffic for e-mail ports 465 and 995).

Please suggest

nikuhappy2010 Mon, 08/04/2008 - 05:35

Well, just tell me how I can allow the internal machines' traffic to outside for IM, Yahoo Messenger and e-mail (using ports 995 and 465 used for Gmail) and deny all other traffic. I don't know which ports get used for this. Please suggest.

Marwan ALshawi Mon, 08/04/2008 - 05:40

i think you need a policy map

anyway, can you tell me what your topology is

if you can post a simple graph it will be better

i want to know how you route your traffic to the proxy

nikuhappy2010 Mon, 08/04/2008 - 05:51

ASA Conf:-

Inside :- 192.168.12.1

Outside :- *.*.43.210

Default Gateway set on all Client machines :- 192.168.12.1

Proxy Server :- 192.168.12.20

Please suggest..

Marwan ALshawi Mon, 08/04/2008 - 07:39

then

how do you route the clients' traffic to the proxy?

it looks like the traffic is going only to the ASA

?

nikuhappy2010 Mon, 08/04/2008 - 07:51

I have denied all inside (inbound) traffic except the proxy machine's traffic. Users send their requests directly to the proxy for using the Internet, but I want all e-mail, IM and Yahoo Messenger traffic to be allowed by the inside interface; that's why I set up this IP 192.168.12.1 as the gateway on the client machines. Not able to understand how to do this??

Marwan ALshawi Mon, 08/04/2008 - 08:13

ok

there are two ways to configure a firewall with a proxy

first

make the users' default gateway the proxy IP address

then the proxy should have caching and filtering rules to filter your traffic; after that the proxy should be made to forward the traffic to the ASA, in this case the default gateway of the proxy is the inside interface of the ASA

within the above method you can make the default gateway the ASA for the clients that you don't want to go through the proxy

bypass it

second method (i think better)

is to make another interface

on the ASA, a DMZ interface

and put the proxy server there

make a route on the ASA to route the traffic to the proxy on the DMZ

and in this case the users' default gateway will be the ASA inside IP

then the ASA will forward the traffic back to the ASA after filtering it

and you can control who is sent to the firewall or not

in your case, i mean what you have configured

you can make an ACL that permits users' IPs going to certain ports

but with IM it's hard, because they use different ports, even 80 tunneled in HTTP

i sent you a link before related to blocking IM; use it and make the ACL match the users you want and make it permit for them

through a policy map and inspection should be better, because you're going to filter on the application layer

good luck

rate if helpful

nikuhappy2010 Mon, 08/04/2008 - 08:29

Hi, thanks for your prompt response.

I can use the first method and set the client machines' DG to the proxy server, then users' e-mail traffic would go this way: Client----Proxy----Inside ASA----Outside. If I use this then e-mail downloading works so slowly; that's why I want to set the proxy settings in IE so that when users open any site the request is forwarded to the proxy server, and e-mail, IM and Yahoo Messenger traffic is forwarded directly to the inside interface, and by making an access list the inside interface could allow these three app traffic and deny all other traffic.

Marwan ALshawi Mon, 08/04/2008 - 17:18

ok, allow smtp and pop3 from those clients

and about IM

i told you, read the link i sent you; you can achieve it through

policy-map type inspect im im_pmap_name

Firewall(config-pmap)# match [not] ip-address ip_address subnet_mask
Firewall(config-pmap-c)# {drop-connection | reset}
Match: client IP address. Action: drop or reset the connection.

Firewall(config-pmap)# match [not] login-name regex {regex | class regex_cmap_name}
Firewall(config-pmap-c)# {drop-connection | reset}
Match: client's IM login name. Action: drop or reset the connection.

Firewall(config-pmap)# match [not] protocol [msn-im] [yahoo-im]
Firewall(config-pmap-c)# {drop-connection | reset}
Match: IM protocol. Action: drop or reset the connection.

Firewall(config-pmap)# match [not] service {chat | conference | file-transfer | games | voice-chat | webcam}
Firewall(config-pmap-c)# {drop-connection | reset}
Match: IM service. Action: drop or reset the connection.

Firewall(config-pmap)# match [not] version regex {regex | class regex_cmap_name}
Firewall(config-pmap-c)# {drop-connection | reset}
Match: IM file transfer service version. Action: drop or reset the connection.

good luck

please, Rate if helpful
