URL/WEB Filtering in ASA

Unanswered Question
Feb 18th, 2009
User Badges:

Hi,

How can I allow only specific websites and block the rest of the internet in a Cisco ASA firewall?

Since it is a very small network, I would prefer not to implement a URL filtering server (Websense) along with the ASA.


Thanks in advance

vikram_anumukonda Wed, 02/18/2009 - 23:20
User Badges:
  • Bronze, 100 points or more

You can use the Modular Policy Framework: create a custom inspect policy-map of type http, match the host part (the website address, i.e. www.site.com) and drop that traffic under the policy.



HTH,

vikram

Syed Iftekhar Ahmed Wed, 02/18/2009 - 23:33
User Badges:
  • Blue, 1500 points or more

Following is an example to block cisco.com:

regex cisco-regex "[Cc][Ii][Ss][Cc][Oo]\.[Cc][Oo][Mm]"
!
class-map type regex match-any cisco-url
 match regex cisco-regex
!
class-map type inspect http match-all cisco
 match request header host regex class cisco-url
!
policy-map type inspect http Badwebsites
 parameters
 class cisco
  drop-connection log
!
policy-map My_policy
 class inspection_default
  inspect http Badwebsites
!
service-policy My_policy global


Syed

k_vadivel Thu, 02/19/2009 - 02:14
User Badges:

Thanks a lot Syed and Vikram,


Syed,

I just want to block the entire internet except 5 to 10 websites!


Can you please guide me?


r4farooqui Thu, 02/19/2009 - 02:48
User Badges:


Well, you can deny all HTTP and HTTPS traffic to the internet and permit only the sites you want users to have access to.


cheers

vikram_anumukonda Thu, 02/19/2009 - 04:45
User Badges:
  • Bronze, 100 points or more

This might do the job for you,

assuming that you want to permit only yahoo and google and deny the rest.

#####################################
regex domain1 "\.yahoo\.com"
regex domain2 "\.google\.com"
!
class-map web
 match port tcp eq www
!
policy-map type inspect http URL
 parameters
 match not request header host regex domain1
 match not request header host regex domain2
  drop-connection
!
policy-map global_policy
 class web
  inspect http URL
!
####################################

k_vadivel Thu, 02/19/2009 - 20:31
User Badges:

Vikram,

Thanks a lot!


One final question (may be stupid one!).


If I allow www.google.com, the user will be able to access the www.google.com page; is it possible for him to browse any other websites linked from the google.com site? I guess that is not possible.


Or any other such intelligent device can perform this?


Rgds.

vikram_anumukonda Thu, 02/19/2009 - 20:42
User Badges:
  • Bronze, 100 points or more

It shouldn't be possible, as when a user clicks on a link, it would take him away from the current page and directly to the URL the user has clicked on.


You will have to test it to be sure.


vikram.

k_vadivel Thu, 02/19/2009 - 23:27
User Badges:

Yes Vikram, I agree with you.


hmm..

How about the ASA CSC module for URL filtering?

Can I create a local permit list and block list and achieve "block all internet except a few websites"?

Without going for the Trend Micro license renewal every year?


I mean content/URL filtering managed only from the local list.


Hope I am not confusing you !


Rgds


vikram_anumukonda Fri, 02/20/2009 - 07:22
User Badges:
  • Bronze, 100 points or more

vadivel,


You will have to tweak my earlier code a bit for it to work. Here is the updated code; I have tested it, but using IP addresses instead, and it worked just fine.


#####################################
regex domain1 "\.yahoo\.com"
regex domain2 "\.google\.com"
!
class-map type regex match-any domain-list
 match regex domain1
 match regex domain2
!
class-map web
 match port tcp eq www
!
policy-map type inspect http URL
 parameters
 match not request header host regex class domain-list
  drop-connection
!
policy-map global_policy
 class web
  inspect http URL
!
####################################
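As an added illustration that is not part of any post in this thread, the following Python emulates how a request's Host header fares under the first posted config, the revised config, and a variant with end-anchored regexes (the anchoring is an editor's suggestion, and the host names are constructed samples, not captured traffic):

```python
import re

# Allowlist regexes exactly as posted in the thread ("regex domain1/domain2").
ALLOWED_HOST_PATTERNS = [r"\.yahoo\.com", r"\.google\.com"]
# Same patterns anchored to the end of the Host value (editor's suggestion, not from the thread).
ANCHORED_HOST_PATTERNS = [p + "$" for p in ALLOWED_HOST_PATTERNS]


def first_policy_drops(host):
    """First posted policy: one 'match not ... regex domainN' line per pattern.
    Each match line is its own rule, so the request is dropped as soon as
    ANY single pattern fails to match the Host header."""
    return any(re.search(p, host) is None for p in ALLOWED_HOST_PATTERNS)


def revised_policy_drops(host, patterns=ALLOWED_HOST_PATTERNS):
    """Revised policy: a single 'match not ... regex class domain-list' where
    domain-list is a match-any class map, i.e. drop only if NO pattern matches."""
    return all(re.search(p, host) is None for p in patterns)


def anchored_policy_drops(host):
    """Revised policy with end-anchored patterns, so the allowlist covers only
    hosts whose name ends in one of the listed domains."""
    return revised_policy_drops(host, ANCHORED_HOST_PATTERNS)


if __name__ == "__main__":
    # Constructed sample Host header values, not captured traffic.
    samples = ["www.google.com", "mail.yahoo.com", "www.example.com",
               "www.google.com.example.net"]
    print(f"{'Host':28} {'first':>6} {'revised':>8} {'anchored':>9}")
    for h in samples:
        print(f"{h:28} {str(first_policy_drops(h)):>6} "
              f"{str(revised_policy_drops(h)):>8} {str(anchored_policy_drops(h)):>9}")
```

A result of True means the connection is dropped: the first variant drops every host because each `match not` line is evaluated on its own, which is why the revised config wraps both regexes in a single match-any class map, and the anchored variant shows that the unanchored allowlist matches more host names than intended.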

k_vadivel Mon, 03/02/2009 - 03:14
User Badges:

Hi Dave, good to know that it works for you.


I am just waiting for customer confirmation to implement it!


Thanks to experts !!


fermendo Thu, 03/04/2010 - 14:43
User Badges:

This information is really useful, thanks a lot!!!
