URL Filtering Questions

Unanswered Question

As a possible Microsoft ISA Server replacement next year, I would like to move URL filtering to the ASA systems if possible. Can anyone tell me if using the ASA for this is a good alternative?

Here is what I would like.

1.) The ability to block certain URLs from being accessed by employees.

2.) The ability to track and report on employee Internet usage.

suschoud Tue, 08/04/2009 - 11:41

The ASA works in conjunction with Websense or SmartFilter for URL filtering.

All HTTP/HTTPS/FTP etc. requests are redirected to these servers, wherein URL filtering rules are applied.

If you do not have these boxes, you can also use the ASA's built-in capability to use regex (regular expression) to block URLs.

For example, blocking myspace:


ciscoasa(config)# sh run
: Saved
ASA Version 7.2(2)
!
hostname ciscoasa
!
! Regex matched against the HTTP Host header
regex block-website "\.myspace\.com"
!
class-map type regex match-any cm-block-website
 match regex block-website
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
! Drop and log any HTTP request whose Host header matches the regex class
policy-map type inspect http pm-block-website
 match request header host regex class cm-block-website
  drop-connection log
! Attach the HTTP inspection policy to the default inspection class
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http pm-block-website
!
service-policy global_policy global




%ASA-5-415008: HTTP - matched request header host regex class cm-block-website in policy-map pm-block-website, header matched - Dropping connection from Inside: to outside:
%ASA-6-302014: Teardown TCP connection 2036 for outside: to inside: duration 0:00:00 bytes 0 Flow closed by inspection

Here is a link that explains how to use MPF:

-- Using Modular Policy Framework:




The ASA has limited capabilities to track Internet usage. You can use some third-party tool for that.




suschoud Tue, 08/04/2009 - 13:26

Commercial products that create graphs and analyze syslog to generate stats could be:

- FireGen http://www.eventid.net/firegen/

- Try this one FWLOGSUM (Freeware).



It basically uses Perl scripts and supports a wide range of firewalls. You just need to install Perl in your Windows environment.

- Try Sawmill (Eval version)


- EIQ Networks Network Security Analyzer eiqnetworks.com

Hope that gives you some ideas what to try.
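
The %ASA-5-415008 drop messages shown in the first reply are enough for a basic per-client report of blocked requests, which is the kind of syslog analysis the tools listed above automate. This is an added example, not part of the original thread or of any listed product; the log lines, timestamps and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines; addresses are documentation ranges, not from the thread.
# The last 415008 line has its addresses missing, like the excerpt quoted in the thread.
SAMPLE_LOG = """\
Aug 04 2009 11:40:01 ciscoasa : %ASA-5-415008: HTTP - matched request header host regex class cm-block-website in policy-map pm-block-website, header matched - Dropping connection from inside:192.0.2.10/1045 to outside:198.51.100.7/80
Aug 04 2009 11:40:01 ciscoasa : %ASA-6-302014: Teardown TCP connection 2036 for outside:198.51.100.7/80 to inside:192.0.2.10/1045 duration 0:00:00 bytes 0 Flow closed by inspection
Aug 04 2009 11:42:17 ciscoasa : %ASA-5-415008: HTTP - matched request header host regex class cm-block-website in policy-map pm-block-website, header matched - Dropping connection from inside:192.0.2.10/1051 to outside:198.51.100.7/80
Aug 04 2009 11:43:30 ciscoasa : %ASA-5-415008: HTTP - matched request header host regex class cm-block-website in policy-map pm-block-website, header matched - Dropping connection from inside:192.0.2.23/2210 to outside:198.51.100.7/80
Aug 04 2009 11:44:02 ciscoasa : %ASA-5-415008: HTTP - matched request header host regex class cm-block-website in policy-map pm-block-website, header matched - Dropping connection from Inside: to outside:
"""

DROP_RE = re.compile(
    r"%ASA-5-415008: HTTP - matched (?P<what>.+?) in policy-map (?P<policy>\S+),"
    r".*? Dropping connection from (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)"
    r" to (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

def parse_drops(text):
    """Return (drops, unparsed): parsed 415008 events and 415008 lines that failed to parse."""
    drops, unparsed = [], []
    for line in text.splitlines():
        if "%ASA-5-415008" not in line:
            continue  # other message IDs (e.g. the 302014 teardown) are not block events
        m = DROP_RE.search(line)
        if m:
            drops.append(m.groupdict())
        else:
            unparsed.append(line)  # keep truncated lines so the report does not undercount silently
    return drops, unparsed

def blocks_per_client(drops):
    """Count blocked requests per (inside client IP, policy-map name)."""
    return Counter((d["src_ip"], d["policy"]) for d in drops)

if __name__ == "__main__":
    drops, unparsed = parse_drops(SAMPLE_LOG)
    for (ip, policy), n in blocks_per_client(drops).most_common():
        print(f"{ip:15} {policy:20} {n}")
    print(f"unparsed 415008 lines: {len(unparsed)}")
```

The report only sees what the policy-map logs, so it covers blocked requests, not overall Internet usage.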

