Cisco Support Community

New Member

Blocking FB using ASA

Hello,

Is it possible to block facebook (http and https) using ASA firewall (without CSC)? I know that http can be blocked by blocking traffic going out to FB addresses, but how about https?

Thank you.

8 REPLIES
New Member

I know this is not the answer

I know this is not the answer that you're looking for but better to use a dedicated cheap web filtering solution. Although you can block http destinations by addresses in a firewall, it is not flexible enough. Whenever a new address for that destination comes into life, you must manually add it in your blocking list. And whenever an old address for that destination dies, you must manually remove it from your blocking list. The result is "Headache".

On the other hand, you only need a single check box beside the "Social Networking" category in the web filter. 

My personal experience is to avoid firewalls when it comes to blocking "Web Sites" because they are a headache in that matter.

Just my 2 cents.

New Member

It's a REALLY crappy/non

It's a REALLY crappy/non-scalable solution but you could do something like this using DNS names and ACLs.

dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 4.2.2.2

object network www.pandora.com
 fqdn www.pandora.com
object network www.netflix.com
 fqdn www.netflix.com

object-group network Blocked-Websites
 network-object object www.pandora.com
 network-object object www.netflix.com

! create DHCP reservations or set static IPs for users/servers that will not be filtered.
object-group network Unfiltered-Users
 network-object host 192.168.10.5
 network-object host 192.168.10.6

access-list inside extended permit ip object-group Unfiltered-Users any
access-list inside extended deny ip any object-group Blocked-Websites
access-list inside extended permit ip any any

access-group inside in interface inside

New Member

Well, be my guest to MANUALLY

Well, be my guest to MANUALLY add a web site every time you want to block something in your blocked websites object group. Is this the scalability you want? What if there is an exception and a couple of users from subnet X ask you to open Netflix and block it for the rest of the subnets? Do you have the scalability in the ASA to do this? Can't you see the amount of configuration you added to the ASA just to block certain web sites? Can't you see that I respectfully mentioned that my answer may not be the answer that you're looking for?

Respect others' opinions or Get lost.

New Member

I wasn't referring to your

I wasn't referring to your post at any point in time. I was describing my own half-baked web filtering using DNS and ACLs as crappy and non-scalable.

New Member

OMG lol, i am so sorry kevin

OMG lol, i am so sorry kevin ;)

New Member

Haha, no worries

Haha, no worries

Hi, You cannot do much to

Hi,

You cannot do much to block in ASA... whatever the FQDN ACL, it will not block effectively... it can be accessed via the leakage... In one of my client locations we identified the FB subnet range for that location and blocked the entire range...

Say we have blocked 173.252.110.0/24 and so on, whatever we have observed as the FB subnets...

In this case, even if they use extended URLs, they also won't be able to access the web page at any cost...

Regards

Karthik
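As an added example (not from the thread, not Cisco code), the script below simulates first-match evaluation of the "inside" ACL posted earlier against a DNS snapshot, showing the leakage Karthik describes: an fqdn object only covers the addresses the resolver returned, so a CDN address outside that set falls through to the final permit. The DNS snapshot, the client addresses and the RFC 5737 destination addresses are constructed.

```python
import ipaddress

# Constructed DNS snapshot: the addresses the ASA's resolver returned for
# each fqdn object (RFC 5737 documentation ranges, not real Netflix/Pandora IPs).
DNS_SNAPSHOT = {
    "www.pandora.com": ["198.51.100.20"],
    "www.netflix.com": ["203.0.113.10", "203.0.113.20"],
}

# Network objects from the posted config: fqdn objects plus Unfiltered-Users.
OBJECTS = {
    "Blocked-Websites": {"fqdn": ["www.pandora.com", "www.netflix.com"]},
    "Unfiltered-Users": {"hosts": ["192.168.10.5", "192.168.10.6"]},
}

# The 'inside' ACL in configured order; the ASA stops at the first match.
ACL = [
    ("permit", "Unfiltered-Users", "any"),
    ("deny", "any", "Blocked-Websites"),
    ("permit", "any", "any"),
]


def expand(operand):
    """Return the IPv4 networks an ACL operand covers right now."""
    if operand == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    obj = OBJECTS[operand]
    addrs = list(obj.get("hosts", []))
    for fqdn in obj.get("fqdn", []):
        # An fqdn object covers only what the resolver returned; anything
        # the CDN serves from another address is simply not in the set.
        addrs.extend(DNS_SNAPSHOT.get(fqdn, []))
    return [ipaddress.ip_network(a) for a in addrs]


def matches(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def evaluate(src, dst):
    """Return (action, ACE index) for a src->dst flow through the inside ACL."""
    for idx, (action, s, d) in enumerate(ACL):
        if matches(src, expand(s)) and matches(dst, expand(d)):
            return action, idx
    return "deny", None  # implicit deny at the end of every ASA ACL


if __name__ == "__main__":
    print(evaluate("192.168.10.50", "203.0.113.10"))  # ('deny', 1)
    print(evaluate("192.168.10.50", "203.0.113.11"))  # ('permit', 2): leaks
    print(evaluate("192.168.10.5", "203.0.113.10"))   # ('permit', 0)
```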

Cisco Employee

CX/Sourcefire is the answer

CX/Sourcefire is the answer to your troubles :) Or a web filtering engine as suggested above.

Thank you for rating helpful posts!