White list for live web chat program to work ?

Unanswered Question
Sep 8th, 2010

We have just had a new ASA5510 installed and i'm trying to get a live web chat programe to run.

I have contacted the web chat providers and they have said i  need to whitelist:




Is this an easy thing to do ? We have aroudn 30 PC's that will run this ?

Where woudl i go to whitelist ?

Many thanks for your time.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Federico Coto F... Wed, 09/08/2010 - 08:23

Hi Ian,

One question...

Are the computers behind the ASA able to access those sites right now?

The reason I ask is because the ASA normally don't whitelist or blacklist, but either permits or denies based on TCP/UDP ports.

So, the internal devices can access the Internet on port 80 or they cannot.

You can configure using the Modular Policy Framework, access to some webpages specifically.

Also I think that if the ASA has a CSC module, then you can whitelist some sites as well.

Is this what you're looking for?


Panos Kampanakis Wed, 09/08/2010 - 08:32

Please let us know if you have http inspection enabled on the module and if yes provide the "sh run class-m", "sh run policy0-map", "sh run service-policy".

Also check if you have a CSC module in your ASA.

I hope it helps.


sachinga.hcl Wed, 09/08/2010 - 08:44

Hi Ian,

Can you get away with whitelisting just the IP addresses and/or websites that your users need to visit?  If so, you can probably use just your ASA.  Otherwise you're going to want a good web filtering/proxy solution.  Check out IronPort, Webwasher, Blue Coat, SurfControl, or even Squid (open source.)

Otherwise can also tie the ASA directly into a filtering product like WebSense, check out the ASA documentation.

When deploying a web filtering product you can either go "inline" or transparent by using WCCP redirection, but I'd suggest against it, since it breaks normal web browser behavior.  Better option is to use WPAD (web proxy auto-detect) and have your browsers point-to and/or be explicitly configured to use the proxy.

You can use combination of regex & HTTP inspection with ASA 7.2+ code to achieve this

regex YOUTUBE "youtube\.com"

policy-map type inspect http xyz


  protocol-violation action drop-connection log

match request header host regex YOUTUBE

  drop-connection log

policy-map global_policy

class inspection_default



< SNIP..>



  inspect http xyz

A good example can be found at


Another example at


Please rate  if you find it informative.


Sachin Garg


This Discussion