
To block URL on different VLANs.

sushil
Level 1

Hi,

Would like to know the possibility of blocking completely from a range of IP addresses in a VLAN.

Design is something like this.

ASA-->Switch (L3)---->Internal users in different VLANs.

All the VLANs are on the L3 switch, something like vlan1 on 192.168.1.0/24, vlan2 on 192.168.2.0/24, vlan3 on 192.168.3.0/24 and so on.

None of the VLANs can talk to each other as they belong to different departments, but they can go to the internet and can access all the internet.

Here I want to block most of the URLs on, say, vlan3 and allow a few. On the rest of the VLANs I don't want to restrict the URLs etc.

Is this possible if going with a CSC module?

Reg,

Sushil

4 Replies

Marwan ALshawi
VIP Alumni

of course u can

as long as those VLANs have different IP addressing

then u can control who's to be included in such a policy and who's not based on the source IP address

also u can achieve it by using ACLs, class-map and policy-map with HTTP inspection using MPF on Cisco ASA and block certain websites, and u can exclude one or more subnets (VLANs) or hosts based on the source IP

for example let's say u wanna exclude vlan 2 from HTTP and URL filtering and include anything else to be passed to the CSC module

access-list csc-acl deny tcp 192.168.2.0 255.255.255.0 any eq www
access-list csc-acl permit tcp any any eq www
class-map csc-class
 match access-list csc-acl
policy-map global_policy
 class csc-class
  csc fail-open

in this case every HTTP traffic will be passed and inspected by the CSC except vlan 2 traffic

and u can make whatever permit or deny

good luck

please, if helpful Rate
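
Added example, not part of the reply above: the same ACL/class-map/policy-map pattern turned around for the case in the question, so that only vlan3 (192.168.3.0/24) is sent to the CSC module and the other VLANs bypass it. The names csc-vlan3 and csc-vlan3-class are hypothetical; the ACL matches TCP port 80 only, so traffic on other ports is not diverted.

```cisco
! Constructed example: divert only vlan3 HTTP to the CSC module.
! The implicit deny at the end of the ACL means every other source
! subnet is not matched by the class and is not sent to the CSC.
access-list csc-vlan3 extended permit tcp 192.168.3.0 255.255.255.0 any eq www
!
class-map csc-vlan3-class
 match access-list csc-vlan3
!
policy-map global_policy
 class csc-vlan3-class
  ! fail-open  = matched traffic passes unfiltered if the CSC module is down
  ! fail-close = matched traffic is dropped if the CSC module is down
  csc fail-close
!
service-policy global_policy global
```

With fail-open, a CSC module outage silently removes the URL restriction for vlan3; fail-close keeps the restriction at the cost of vlan3 losing HTTP access until the module recovers.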

andrew.prince
Level 10

Yes - see the below URLs for the configuration, just replace the source "any" in the "inside_mpc" access-list with the IP address of the VLAN you want to block.

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a0080940c5a.shtml

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a0080940e04.shtml

HTH>

Thanks for your info gentlemen.

Presently using 5510 sec bun.

What all do I need to add in terms of licenses/module? Is it CSC module and license, or is it one and the same thing? How mature is this CSC module in ASA?

I cannot comment on the CSC - as I have not used it, however the below link might help you:-

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6823/product_data_sheet0900aecd80402e4f_ps6120_Products_Data_Sheet.html

HTH>
