02-18-2009 11:03 PM - edited 03-11-2019 07:53 AM
Hi,
How can I allow only specific websites and block rest of internet in Cisco ASA firewall.
Since it is a very small network, I prefer not to implement a URL filtering server (Websense) along with the ASA.
Thanks in advance
02-18-2009 11:20 PM
You can use the Modular Policy Framework: create a custom inspect policy of type http, match the host part (the website address, i.e., www.site.com) and drop that traffic under the policy.
HTH,
vikram
02-18-2009 11:33 PM
Following is an example to block cisco.com
regex cisco-regex "[Cc][Ii][Ss][Cc][Oo]\.[Cc][Oo][Mm]"
class-map type regex match-any cisco-url
match regex cisco-regex
class-map type inspect http match-all cisco
match request header host regex class cisco-url
policy-map type inspect http Badwebsites
parameters
class cisco
drop-connection log
!
policy-map My_policy
class inspection_default
inspect http Badwebsites
!
service-policy My_policy global
Syed
02-19-2009 02:14 AM
Thanks a lot Syed and Vikram,
Syed,
Just I want to block entire internet except 5 to 10 web sites. !!
Can you please guide me?
02-19-2009 02:48 AM
Well, you can deny all HTTP and HTTPS traffic to the Internet and permit only the sites you want to allow your users to access.
cheers
02-19-2009 04:45 AM
This might do the job for you,
assuming that you want to permit only Yahoo and Google and deny the rest.
#####################################
regex domain1 "\.yahoo\.com"
regex domain2 "\.google\.com"
!
class-map web
match port tcp eq www
!
policy-map type inspect http URL
match not request header host regex domain1
match not request header host regex domain2
drop-connection
!
policy-map global_policy
class web
inspect http URL
!
####################################
02-19-2009 08:31 PM
Vikram,
Thanks a lot!
One final question (may be stupid one!).
If I allow www.google.com, the user will be able to access the www.google.com page; is it possible for him to browse any other web sites embedded in the google.com site? I guess that is not possible.
Or any other such intelligent device can perform this?
Rgds.
02-19-2009 08:42 PM
It shouldn't be possible, as when a user clicks on a link, it would take him away from the current page and directly to the URL the user has clicked on.
you will have to test it for sure.
vikram.
02-19-2009 11:27 PM
Yes Vikram, I agree with you.
hmm..
How about the ASA CSC module for URL filtering?
Can I create a local permit list and block list and achieve "block all Internet except a few web sites"?
Without going for the Trend Micro license renewal every year?
I mean content/URL filtering managed only from the local list.
Hope I am not confusing you!
Rgds
02-20-2009 12:06 AM
I have never worked on CSC module :(
02-20-2009 07:22 AM
vadivel,
You will have to tweak my earlier code a bit for it to work. Here is the updated code; I have tested this code, but using IP addresses instead, and it worked just fine.
#####################################
regex domain1 "\.yahoo\.com"
regex domain2 "\.google\.com"
!
class-map type regex match-any domain-list
match regex domain1
match regex domain2
!
class-map web
match port tcp eq www
!
policy-map type inspect http URL
! match goes directly under the policy-map; drop unless the Host header
! matches one of the regexes in the domain-list class
match not request header host regex class domain-list
drop-connection
!
policy-map global_policy
class web
inspect http URL
!
####################################
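A check on the Host-header regexes used in this thread (both the cisco.com blocklist earlier and the yahoo/google whitelist above), as an added example that is not part of any post here: `inspect http` with `match request header host regex` searches the Host value for the pattern, and the posted patterns are unanchored, so a name such as `www.google.com.attacker.example` also matches `\.google\.com` and is allowed through the whitelist. The script below evaluates the thread's regexes and an anchored rewrite (my assumption, not from the thread) against constructed Host values with Python's `re` module. The ASA regex engine is not Python's: confirm the behaviour on the box with `test regex <host> <regex>` (in particular whether the `$` end anchor behaves as expected there) before trusting the anchored form. Separately, this policy only inspects the cleartext HTTP matched by `class web` (tcp/80); HTTPS on tcp/443 and any other port are not seen by `inspect http` and have to be restricted by the access-list.

```python
import re

# Regexes exactly as posted in the thread (the ASA "regex domain1/domain2" objects).
# They are unanchored, so they match anywhere inside the Host header value.
THREAD_REGEXES = {
    "domain1": r"\.yahoo\.com",
    "domain2": r"\.google\.com",
}

# Anchored alternatives (an assumed rewrite, not from the thread): the Host value
# must be the apex domain or a subdomain of it, optionally followed by a port.
# Verify on the ASA itself with "test regex <host> <regex>" before relying on the
# "$" end anchor; this script evaluates them with Python's re module only.
ANCHORED_REGEXES = {
    "domain1": r"^([a-z0-9-]+\.)*yahoo\.com(:[0-9]+)?$",
    "domain2": r"^([a-z0-9-]+\.)*google\.com(:[0-9]+)?$",
}

# Constructed Host header values covering the cases a whitelist has to get right.
SAMPLE_HOSTS = [
    "www.google.com",                   # whitelisted site
    "mail.google.com",                  # subdomain of a whitelisted site
    "google.com",                       # apex domain without a leading label
    "www.google.com.attacker.example",  # attacker-controlled name containing the allowed string
    "wwwgoogle.com",                    # look-alike without a dot before "google"
    "www.yahoo.com:8080",               # Host header carrying an explicit port
    "www.example.com",                  # not on the list
]

# Domains the administrator actually meant to allow (used only to spot bypasses).
ALLOWED_APEXES = ("yahoo.com", "google.com")


def host_allowed(host_header, regexes):
    """Return True if any regex matches the Host header value.

    Mirrors the thread's policy: 'class-map type regex match-any domain-list'
    lets a request through if at least one regex matches, and
    'match not request header host regex class domain-list' + 'drop-connection'
    drops everything else. Lower-casing is this script's simplification: the
    ASA regex engine is case-sensitive, which is why the first post spelled
    cisco.com as [Cc][Ii][Ss][Cc][Oo].
    """
    host = host_header.strip().lower()
    return any(re.search(pattern, host) for pattern in regexes.values())


def evaluate(hosts, regexes):
    """Map each Host value to the allow (True) / drop (False) decision."""
    return {host: host_allowed(host, regexes) for host in hosts}


def bypasses(hosts, regexes):
    """Hosts the whitelist admits although they are not on or under an allowed domain."""
    def legit(host):
        name = host.lower().split(":")[0]
        return any(name == apex or name.endswith("." + apex) for apex in ALLOWED_APEXES)

    return [h for h in hosts if host_allowed(h, regexes) and not legit(h)]


if __name__ == "__main__":
    for label, regexes in (("thread", THREAD_REGEXES), ("anchored", ANCHORED_REGEXES)):
        print(f"--- {label} regexes ---")
        for host, ok in evaluate(SAMPLE_HOSTS, regexes).items():
            print(f"{'ALLOW' if ok else 'DROP ':5} {host}")
        print("bypasses:", bypasses(SAMPLE_HOSTS, regexes))
```

Running it shows two things the posted configuration does not make obvious: the unanchored `\.google\.com` admits `www.google.com.attacker.example` (a name an attacker can register) while dropping the bare apex `google.com`, and the anchored form fixes both. The equivalent check on the ASA is `test regex www.google.com.attacker.example "\.google\.com"`.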
03-01-2009 04:20 AM
Guys, thanks for this thread; I got this working just great and now have a whitelist controlling Internet browsing.
thanks
03-02-2009 03:14 AM
Hi Dave, Good to know that it works for you.
I am just waiting for customer confirmation to implement it!
Thanks to experts !!
03-04-2010 02:43 PM
This information is really useful, thanks a lot!!!