I know this is not the answer that you're looking for, but it is better to use a dedicated, cheap web filtering solution. Although you can block HTTP destinations by address in a firewall, it is not flexible enough. Whenever a new address for that destination comes to life, you must manually add it to your blocking list. And whenever an old address for that destination dies, you must manually remove it from your blocking list. The result is "Headache".
On the other hand, you only need a single check box beside the "Social Networking" category in the web filter.
My personal experience is to avoid firewalls when it comes to blocking "Web Sites" because they are a headache in that matter.
Well, be my guest to MANUALLY add a web site to your blocked websites object group every time you want to block something. Is this the scalability you want? What if there is an exception and a couple of users from subnet X ask you to open Netflix and block it for the rest of the subnets? Do you have the scalability in the ASA to do this? Can't you see the amount of configuration you added to the ASA just to block certain web sites? Can't you see that I respectfully mentioned that my answer may not be the answer that you're looking for?
You cannot do much to block in ASA... whatever the FQDN al will not block effectively... it can be accessible via the leakage... at one of my client locations we identified the FB subnet range for that location and we blocked the entire range...
Say we have blocked 188.8.131.52/24 and so on, whatever we have observed as the FB subnets...
In this case, even if they use extended URLs, they won't get the web page accessible at any cost...
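The maintenance problem discussed in this thread (a site's addresses appearing and disappearing while the firewall block list stays static) can be checked mechanically. The following is an added example, not part of any post above; the function name `audit_blocklist` and the documentation-range addresses are constructed for illustration.

```python
import ipaddress


def audit_blocklist(blocked_cidrs, resolved_addrs):
    """Compare a static firewall block list with a site's current addresses.

    blocked_cidrs  -- CIDR strings configured as blocked on the firewall
    resolved_addrs -- IP strings the site resolves to right now
                      (e.g. collected from recent DNS answers)

    Returns (leaks, stale):
      leaks -- current addresses that no blocked range covers
      stale -- blocked ranges that cover none of the current addresses
    """
    # strict=False accepts entries written with host bits set, e.g. x.x.x.52/24
    nets = [ipaddress.ip_network(c, strict=False) for c in blocked_cidrs]
    addrs = [ipaddress.ip_address(a) for a in resolved_addrs]

    def covered(addr, net):
        # An IPv4 address is never inside an IPv6 network and vice versa.
        return addr.version == net.version and addr in net

    leaks = [str(a) for a in addrs if not any(covered(a, n) for n in nets)]
    stale = [str(n) for n in nets if not any(covered(a, n) for a in addrs)]
    return leaks, stale


# Constructed sample data using RFC 5737 documentation ranges.
SAMPLE_BLOCKED = ["192.0.2.0/24", "198.51.100.0/24"]
SAMPLE_RESOLVED = ["192.0.2.10", "203.0.113.7", "203.0.113.8"]

if __name__ == "__main__":
    leaks, stale = audit_blocklist(SAMPLE_BLOCKED, SAMPLE_RESOLVED)
    print("reachable despite block list:", leaks)
    print("block entries no longer needed:", stale)
```

Each entry in `leaks` is an address that has to be added by hand, and each entry in `stale` is one that has to be removed by hand, which is the upkeep cost the posts above describe.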