URL/WEB Filtering in ASA

k_vadivel
Level 1

Hi,

How can I allow only specific websites and block rest of internet in Cisco ASA firewall.

Since it is a very small network, I would prefer not to implement a URL filtering server (Websense) along with the ASA.

Thanks in advance

13 Replies

You can use the Modular Policy Framework: create a custom inspect policy of type http, match the host part (the website address, i.e. www.site.com) and drop that traffic under the policy.

HTH,

vikram

Following is an example to block cisco.com

! The dot before "com" is escaped so it matches a literal "." rather than any character
regex cisco-regex "[Cc][Ii][Ss][Cc][Oo]\.[Cc][Oo][Mm]"
!
class-map type regex match-any cisco-url
 match regex cisco-regex
!
class-map type inspect http match-all cisco
 match request header host regex class cisco-url
!
policy-map type inspect http Badwebsites
 parameters
 class cisco
  drop-connection log
!
policy-map My_policy
 class inspection_default
  inspect http Badwebsites
!
service-policy My_policy global

Syed

Thanks a lot Syed and Vikram,

Syed,

I just want to block the entire internet except 5 to 10 web sites!!

Can you please guide me?

Well, you can deny all http and https traffic to the internet and permit only those sites you want to allow access to for users.

cheers

This might do the job for you,

assuming that you want to permit only yahoo and google and deny the rest.

#####################################
regex domain1 "\.yahoo\.com"
regex domain2 "\.google\.com"
!
class-map web
 match port tcp eq www
!
policy-map type inspect http URL
 parameters
 match not request header host regex domain1
 match not request header host regex domain2
  drop-connection
!
policy-map global_policy
 class web
  inspect http URL
!
####################################

Vikram,

Thanks a lot!

One final question (maybe a stupid one!).

If I allow www.google.com, the user will be able to access the www.google.com page; is it possible for him to browse any other web sites embedded in the google.com site? I guess that is not possible.

Or any other such intelligent device can perform this?

Rgds.

It shouldn't be possible, as when a user clicks on a link, it would take him away from the current page and directly to the URL the user has clicked on.

You will have to test it to be sure.

vikram.

Yes Vikram, I agree with you.

hmm..

How about ASA - CSC module for URL filtering?

Can I create a local permit list and block list and achieve blocking all internet except a few web sites?

Without going for TrendMicro license renewal every year?

I mean content/URL filtering managed only from the local list.

Hope I am not confusing you !

Rgds

I have never worked on CSC module :(

vadivel,

You will have to tweak my earlier code a bit for it to work; here is the updated code. I have tested this code, but using IP addresses instead, and it worked just fine.

#####################################
regex domain1 "\.yahoo\.com"
regex domain2 "\.google\.com"
!
class-map type regex match-any domain-list
 match regex domain1
 match regex domain2
!
class-map web
 match port tcp eq www
!
policy-map type inspect http URL
 parameters
 match not request header host regex class domain-list
  drop-connection
!
policy-map global_policy
 class web
  inspect http URL
!
####################################
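A constructed model, added here and not code from the thread or from Cisco, of how the earlier and the updated policy evaluate an HTTP Host header. It assumes the semantics the thread relies on: an ASA regex is an unanchored, case-sensitive search, a `match-any` regex class map succeeds if any of its patterns matches, and an inline `match not` rule with `drop-connection` drops the request whenever its regex fails.

```python
import re

# Constructed model (added example, not ASA code or code from the thread) of how
# the thread's "policy-map type inspect http" rules evaluate an HTTP Host header.
# Assumption: ASA regex matching is an unanchored, case-sensitive search, and a
# "class-map type regex match-any" succeeds if any of its patterns matches.

ALLOWED = {
    "domain1": r"\.yahoo\.com",   # regex domain1 from the thread
    "domain2": r"\.google\.com",  # regex domain2 from the thread
}

def regex_class_matches(host, patterns):
    """class-map type regex match-any: true if any pattern matches the host."""
    return any(re.search(p, host) for p in patterns)

def drop_with_separate_matches(host):
    """Earlier config: one 'match not ... regex domainN' rule per pattern, each
    ending in drop-connection. The request is dropped as soon as it fails ANY
    one pattern, so no host satisfies both and everything is dropped."""
    return any(not re.search(p, host) for p in ALLOWED.values())

def drop_with_regex_class(host):
    """Updated config: one 'match not ... regex class domain-list' rule.
    The request is dropped only if NO pattern in the class matches."""
    return not regex_class_matches(host, ALLOWED.values())

def evaluate(host):
    """Drop decision of both configurations for one Host header."""
    return {"separate_rules": drop_with_separate_matches(host),
            "regex_class": drop_with_regex_class(host)}

# Tightened variant (a suggestion, not from the thread): ASA regexes accept the
# '$' anchor, so the allowed domain must be the END of the Host header. Assumes
# the Host header carries no explicit ":port" suffix.
ALLOWED_ANCHORED = [r"\.yahoo\.com$", r"\.google\.com$"]

def drop_with_anchored_class(host):
    return not regex_class_matches(host, ALLOWED_ANCHORED)

if __name__ == "__main__":
    # Constructed sample Host headers covering the edge cases worth knowing: the
    # bare apex domain has no leading dot, an uppercase host fails a case-sensitive
    # regex, and an unanchored pattern also matches a longer name containing it.
    for host in ["www.google.com", "mail.yahoo.com", "www.example.com",
                 "yahoo.com", "WWW.GOOGLE.COM", "www.yahoo.com.example.net"]:
        print(f"{host:28} {evaluate(host)} anchored_drop={drop_with_anchored_class(host)}")
```

The apex and uppercase cases explain why Syed's example enumerates `[Cc][Ii]...` and why a bare `yahoo.com` request is still dropped by `\.yahoo\.com`.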

dave.thornton
Level 1

Guys, thanks for this thread; I got this working just great and now have a whitelist controlling internet browsing.

thanks

Hi Dave, Good to know that it works for you.

I am just waiting for customer confirmation to implement it!

Thanks to experts !!

fermendo
Level 1

This information is really useful, thanks a lot!!!
