
ASA and BASIC URL filtering

gpedretty
Level 1

I did a quick search, and found some related threads, but nothing that really definitively answered my question. My organization needs to do some BASIC URL filtering- just block a couple of websites such as myspace.com and the like-obviously, for something like this, we don't need the cost or complexity of commercial solutions such as a websense server. My question for the group is is there a way to set up an ASA 5510 for this type of basic filtering? If not, as what I have seen would appear to imply, might someone have a suggestion for some other, preferably free, solution?

On a related note, if this is not possible with the ASA, then what exactly does the service policy and associated HTTP Inspection map section of the ASA do (not the filter, but the service policy)? The documentation I have been able to find has just left me confused- it would seem to be geared towards people who already know what the feature is/does, and just want to know how to set it up.

Thanks for any assistance anyone can provide

--------

Israel Brewster

Computer support Technician

Frontier Flying Service

Fairbanks, AK

15 Replies

mike.neilson
Level 1

You can use the shun command or a class map. The only issue is you will need to look up the IP address for the sites and block them, or block the subnet if you can find their block on ARIN.

Shun example:

shun x.x.x.x

Class-map example:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080624e19.shtml

Thanks, that worked, although it would appear that the shun command is not saved across restarts. This is easily worked around, however, by blocking the IPs in the firewall rather than with the shun command. This method does, of course, have the caveat that you need to track down all the IPs for the problem site. I take it there is no way to do this by blocking the URL without needing some commercial product? Thanks.

Is there any way to do this using URLs/URIs rather than IPs? With the multiple-IP setup that many websites have, blocking by IP becomes rather cumbersome rather quickly. Thanks

----

Israel Brewster

ibrewster
Level 1

Am I to assume from the lack of response that what I want to do isn't possible? What if we were to get one of the add-on cards for the ASA- could we do this sort of thing then? I guess what this boils down to is what is the cheapest/easiest way to filter traffic based on the URL rather than the IP, preferably without having to add more hardware/software to our network. I'd appreciate any feedback on the subject. Thanks.

Hello!

I also have the same predicament. I am currently working on an ASA5520 with a CSC SSM on it. I'm trying to test URL blocking, but I'm not successful. Is it absolutely necessary to have Websense or N2H2 to successfully filter or block URLs? I want to know if the ASA CSC SSM can do the URL blocking by itself. Is there somebody in Cisco who can give us a definitive answer about the CSC? I tried to read the "Online HELP" but it does not seem to give any help at all.

Lorenz

I don't think you can do this with the ASA alone. I would recommend an alternative: why not install a 'free' Squid-based proxy server? This will give you much more control, reporting, even caching if needed. I wouldn't feel comfortable with having all my internal clients pointing straight at my firewall, in any case. I believe the latest version of ASA code also supports WCCP (as I believe Squid does, though I haven't tried it), so you can make this a semi-transparent proxy without setting up proxy config on the workstations.

regards

Gary

There are two options that you can use on the CSC-SSM; both require the Plus license.

First, if you only want to block a few sites by name, i.e. myspace.com, you can use the URL Blocking portion of CSC.

The other method would be to use URL Filtering. This is a service on the CSC that uses categorization of websites from TrendLabs and allows an administrator to allow or block web pages based on category, similar to Websense/N2H2.

If you have this configured and it is not blocking, you should check first that you have URL Blocking/Filtering enabled and second that you have a security policy setup correctly to forward web traffic to the CSC.

To do that you would create a class-map that matches www, then create a policy-map that enables CSC scanning, and then tie the policy to either an interface or the global configuration. A simple CLI configuration of this is below:

class-map www-class
 match port tcp eq www
policy-map outside_policy
 class www-class
  csc fail-open
service-policy outside_policy interface outside

sdesteuben
Level 1

I too have been looking for a "cheap" way to block just MySpace, YouTube, just the basic non-work sites. Funny thing is, the simplest way I found (I regret to admit, on a Cisco site) was to put the one guy who can't stay away from MySpace behind a $20 Netgear and tell it to block the keyword "myspace". He can't even search for it on Google. Now why can't a PIX do what a $20 Netgear does? Of course, the $20 Netgear can't do what the PIX does.

Just a strange scenario.

shivlu jain
Level 5

Hi,

You can even use DNS to resolve the IP address for the particular site, and after that make an access list to block the IPs. It is the cheapest and best solution.

shivlu

bhorta
Level 1

It is pretty trivial to block myspace and youtube for example. Just ping http://www.myspace.com and http://www.youtube.com and you will get the IP address for them.

for http://www.myspace.com you get 216.178.38.130

Then you go to http://www.arin.net and plug in that IP address, and ARIN will spit out the CIDR for that range: 216.178.32.0/20.

Then just create an object group called bannedsites, stick the IP CIDRs of the areas you want to block in the object group, and create an ACL using the object group that blocks traffic outbound to those networks from the inside interface out (the PIX by default allows all traffic from the inside out). Just do not forget to put a permit any any at the end.

You can even turn on logging to log who is attempting to access those sites.

Which is exactly what I have ended up doing, it's just not as nice or easy as simply saying "block myspace.com" :)

How did you do it? I tried it and was still able to navigate to MySpace and YouTube. If you can, please let me know. I used the ASDM to configure the rule. Was that my mistake? Thank you in advance for all your help.

Josiah

I used ASDM as well, so it should work just fine. For MySpace I ended up blocking 216.178.32.0 with a netmask of 255.255.240.0. This was determined by pinging www.myspace.com, taking the IP address that gives me, and then running a whois on that IP (i.e. whois 216.178.38.104); the value you are looking for is the CIDR or NetRange. In ASDM, I then set up a rule to deny incoming on the inside interface from all to the previously determined net range, protocol ip. This has worked for me so far with all sites I have tried to block.
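The manual procedure in bhorta's post and the reply above (resolve the site, take the CIDR or NetRange from whois, put it in an object-group, deny outbound with logging, end with a permit any any) can be scripted. The block below is an added example written for this thread; it is not code from the thread, from Cisco or from ARIN. The whois text it parses is a constructed sample that carries only the two fields quoted in the thread, the resolved address is the one bhorta posted, and the object-group, ACL and interface names are assumptions. It also adds the check a practitioner wants before pasting the result into an ASA: that the resolved address really falls inside the whois range, plus a warning when the range is wider than a /24, because a whois record is the registrant's whole allocation and a block like the /20 above takes down every host in it, not just the one site.

```python
"""Turn resolved site addresses plus whois ranges into an ASA block list.

Added example, not from the thread. Input is constructed and embedded
so the script runs offline; in practice the address comes from
`nslookup <site>` and the record from `whois <ip>`.
"""
import ipaddress
import re

# Constructed sample input: the address and CIDR quoted in the thread.
RESOLVED = {"www.myspace.com": "216.178.38.130"}
SAMPLE_WHOIS = {
    "216.178.38.130": (
        "NetRange:       216.178.32.0 - 216.178.47.255\n"
        "CIDR:           216.178.32.0/20\n"
    ),
}

CIDR_RE = re.compile(r"^CIDR:\s*(.+)$", re.MULTILINE)
RANGE_RE = re.compile(r"^NetRange:\s*(\S+)\s*-\s*(\S+)$", re.MULTILINE)


def cidrs_from_whois(text):
    """Return the networks a whois record covers.

    ARIN-style records print a CIDR line (possibly several prefixes,
    comma separated); if it is missing, summarise the NetRange pair.
    """
    m = CIDR_RE.search(text)
    if m:
        return [ipaddress.ip_network(p.strip(), strict=True)
                for p in m.group(1).split(",")]
    m = RANGE_RE.search(text)
    if m:
        first, last = (ipaddress.ip_address(x) for x in m.groups())
        return list(ipaddress.summarize_address_range(first, last))
    raise ValueError("no CIDR or NetRange line in whois record")


def blocked_networks(resolved, whois_lookup, warn_wider_than=24):
    """Map site -> networks to block, with sanity warnings.

    Warn when the whois range does not contain the resolved address
    (wrong record) or is wider than /warn_wider_than (overblocking:
    every host in the allocation, not just the site, gets denied).
    """
    result, warnings = {}, []
    for site, ip_str in resolved.items():
        ip = ipaddress.ip_address(ip_str)
        nets = cidrs_from_whois(whois_lookup(ip_str))
        if not any(ip in n for n in nets):
            warnings.append(f"{site}: {ip} is not inside whois range {nets}")
        for n in nets:
            if n.prefixlen < warn_wider_than:
                warnings.append(
                    f"{site}: {n} is wider than /{warn_wider_than} "
                    f"({n.num_addresses} addresses will be blocked)")
        result[site] = nets
    return result, warnings


def build_asa_config(site_nets, group="bannedsites",
                     acl="inside_access_in", iface="inside"):
    """Emit the object-group, the logged deny and the closing permit.

    Group, ACL and interface names are assumptions for the example.
    """
    lines = [f"object-group network {group}",
             f" description blocked sites: {', '.join(site_nets)}"]
    for nets in site_nets.values():
        for n in nets:
            lines.append(f" network-object {n.network_address} {n.netmask}")
    lines += [
        # 'log' records who tried to reach the blocked ranges.
        f"access-list {acl} extended deny ip any object-group {group} log",
        # Without this the implicit deny at the end blocks all outbound.
        f"access-list {acl} extended permit ip any any",
        f"access-group {acl} in interface {iface}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    nets, warns = blocked_networks(RESOLVED, SAMPLE_WHOIS.__getitem__)
    for w in warns:
        print("WARNING:", w)
    print(build_asa_config(nets))
```

Review the warnings before applying the output: if whois returns a range much larger than the site's own addresses, narrow it to the /24 the resolved address sits in, and re-run the resolution periodically, since sites behind multiple or changing addresses drift out of a static list.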

Sweet, worked for me from ASDM.

Thanks
