09-08-2010 08:15 AM - edited 03-11-2019 11:37 AM
We have just had a new ASA5510 installed and i'm trying to get a live web chat programe to run.
I have contacted the web chat providers and they have said i need to whitelist:
*.providesupport.com
and
ds.ds2ps.net
ds.ds3ps.co.uk
Is this an easy thing to do ? We have aroudn 30 PC's that will run this ?
Where woudl i go to whitelist ?
Many thanks for your time.
09-08-2010 08:23 AM
Hi Ian,
One question...
Are the computers behind the ASA able to access those sites right now?
The reason I ask is because the ASA normally don't whitelist or blacklist, but either permits or denies based on TCP/UDP ports.
So, the internal devices can access the Internet on port 80 or they cannot.
You can configure using the Modular Policy Framework, access to some webpages specifically.
Also I think that if the ASA has a CSC module, then you can whitelist some sites as well.
Is this what you're looking for?
Federico.
09-08-2010 08:32 AM
Please let us know if you have http inspection enabled on the module and if yes provide the "sh run class-m", "sh run policy0-map", "sh run service-policy".
Also check if you have a CSC module in your ASA.
I hope it helps.
PK
09-08-2010 08:44 AM
Hi Ian,
Can you get away with whitelisting just the IP addresses and/or websites that your users need to visit? If so, you can probably use just your ASA. Otherwise you're going to want a good web filtering/proxy solution. Check out IronPort, Webwasher, Blue Coat, SurfControl, or even Squid (open source.)
Otherwise can also tie the ASA directly into a filtering product like WebSense, check out the ASA documentation.
When deploying a web filtering product you can either go "inline" or transparent by using WCCP redirection, but I'd suggest against it, since it breaks normal web browser behavior. Better option is to use WPAD (web proxy auto-detect) and have your browsers point-to and/or be explicitly configured to use the proxy.
You can use combination of regex & HTTP inspection with ASA 7.2+ code to achieve this
regex YOUTUBE "youtube\.com"
policy-map type inspect http xyz
parameters
protocol-violation action drop-connection log
match request header host regex YOUTUBE
drop-connection log
policy-map global_policy
class inspection_default
.
.
< SNIP..>
.
.
inspect http xyz
A good example can be found at
Another example at
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940c5a.shtml
Please rate if you find it informative.
HTH
Sachin Garg
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide