Access only few Internet websites URL

nikuhappy2010
Level 1

Hi, I want to block internet usage for inside users except for a few websites. Please advise.

The QA testing team tests some applications by connecting to remote servers, which are connected via an STS tunnel. I have opened the IP protocol between both sites, and they test the application, which uses port 80. Here, I would say that the network must not be blocked if we make any rule for inside users.

Accepted Solution

Marwan ALshawi
VIP Alumni

Vinay

You can block and filter on the application layer through MPF, as with rate limiting,

but this is going to be a bit more complicated, as you have to create some regular expressions and more class-maps.

I will guide you through it below:

First, you want to allow only the specified websites, and any other website will be blocked!

Let's say you are going to allow youtube.com and yahoo.com, and any other website should be blocked.

First, create regular expressions to match those URLs:

regex URLLIST1 "\.yahoo\.com"
regex URLLIST2 "\.youtube\.com"

Then create an ACL matching web traffic:

! "eq <port>" is only valid with tcp or udp, not ip
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq https
access-list 101 permit tcp any any eq 8080

class-map web-traffic
 match access-list 101

Create a class-map for the regexes created above (URLLIST):

class-map type regex match-any allowed-sites
 match regex URLLIST1
 match regex URLLIST2

Now create an inspection class-map for web traffic matched with the class above:

class-map type inspect http match-all blocking-urls
 match not request header host regex class allowed-sites

Notice there is a "not" in the command here; this means match anything except the URLs we have matched above,

so we are excluding the matched URLs, and below we are going to make a policy, and the action we are going to take is drop.

Create the HTTP inspection policy:

policy-map type inspect http block_URLS
 class blocking-urls
  reset log

Now, if you look above, we created ACL 101 that matches web traffic and matched it with the class-map called web-traffic.

Now we are going to apply the above HTTP inspection policy to that traffic:

policy-map inside-policy
 ! same class-map name as defined above
 class web-traffic
  inspect http block_URLS

Now apply it to your inside interface:

service-policy inside-policy interface inside

Good luck.

Please rate if helpful.
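As an added test harness (my own Python, not part of the thread or anything from the ASA), the block below emulates the decision made by the "match not request header host regex class allowed-sites" class followed by "reset log", so the regexes can be checked offline before deployment. It shows that the posted unanchored patterns let through any Host value that merely contains ".yahoo.com" and reject the bare apex "yahoo.com"; the anchored patterns are my suggestion, not the thread's. It assumes cleartext HTTP only, since the Host header of HTTPS traffic is encrypted and cannot be matched by "inspect http".

```python
import re
from typing import List, Optional

# Patterns exactly as posted in the thread. ASA regexes are unanchored, so
# they behave like re.search(): a substring match anywhere in the value.
ALLOWED_SITES_POSTED = [r"\.yahoo\.com", r"\.youtube\.com"]

# Anchored variant (my suggestion, not from the thread): the Host value must
# BE the domain or END with ".<domain>"; nothing may follow it.
ALLOWED_SITES_ANCHORED = [r"^(.+\.)?yahoo\.com$", r"^(.+\.)?youtube\.com$"]


def host_header(request: bytes) -> Optional[str]:
    """Return the Host header value of a raw HTTP/1.1 request, or None."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().lower()
    return None


def policy_action(request: bytes, allowed: List[str]) -> str:
    """Emulate 'match not request header host regex class allowed-sites'
    followed by 'reset log': 'allow' if any pattern matches, else 'reset'."""
    host = host_header(request)
    if host is None:
        return "reset"   # emulator choice: a request without Host is not allowed
    if any(re.search(pat, host) for pat in allowed):
        return "allow"
    return "reset"


def build_request(host: str) -> bytes:
    """Constructed sample request used only for testing the filter."""
    return f"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("ascii")


if __name__ == "__main__":
    for h in ("www.yahoo.com", "www.example.com",
              "www.yahoo.com.example.net", "yahoo.com"):
        posted = policy_action(build_request(h), ALLOWED_SITES_POSTED)
        anchored = policy_action(build_request(h), ALLOWED_SITES_ANCHORED)
        print(f"{h:28} posted={posted:5} anchored={anchored}")
```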


Marwan ALshawi
VIP Alumni

I think the config that I have sent does exactly the same thing as in those files.

Anyway, good luck.

Thanks everyone....

Hi, I have installed a proxy server and blocked all inside traffic (inbound) and exempted tunnel traffic as well in the inside access list, and it's working fine. Now I want all inside users' mail and IM (for all users) and Yahoo Messenger (selected machines) traffic to be allowed from inside to outside. The mail SMTP port is 995 and the POP3 port is 465, and both are using SSL. Please suggest what I need to do for the same. Please post an example, if possible. Thanks

Hi, thanks for the above links... But my query was about allowing the ports, which are 465 and 995 and work on SSL (pop.gmail.com, smtp.gmail.com). I would want the inside users' e-mail traffic to be allowed by the inside interface (inbound) to outside. Please suggest..

I am using the proxy server and all internet traffic is going through the proxy, but I want the IM, Yahoo Messenger (selected machines) and e-mail (all inside machines) traffic forwarded to the outside internet by the inside interface instead of using the proxy. Thanks

Then why are you using a proxy server, if you want to bypass it for email, IM etc. - remove the proxy?

Well, the e-mail settings could be configured on the proxy server, but if I do, then users' e-mail works very slowly, and IM, Skype and Yahoo we basically use for voice-based calls, and through the proxy it doesn't work properly.

Then all user machines should have a default gateway of the primary layer 3 device or ASA inside interface.

All IE/Firefox browser settings should be proxied through the proxy server.

IM should not be configured for proxy.

This is not foolproof; anyone with any network knowledge will be able to bypass this.

Then all user machines should have a default gateway of the primary layer 3 device or ASA inside interface. (That's right)

All IE/Firefox browser settings should be proxied through the proxy server. (Yes)

IM should not be configured for proxy. (Yes, and traffic will bypass through the default gateway via the inside interface of the ASA)

This is not foolproof; anyone with any network knowledge will be able to bypass this.

(Well, I know it's possible, but I am a bit confused about how I have to do the settings for SSL-encrypted traffic for the e-mail ports 465 and 995.)

Please suggest

Can anyone respond?

This has now become a completely different question.

What are you trying to do now?

Well, just tell me how I can allow the internal machines' traffic to outside for IM, Yahoo Messenger and e-mail (using ports 995 and 465 used for Gmail) except all denied traffic. I don't know which of the ports get used for this. Please suggest.
