Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2287
Views
4
Helpful
11
Replies

How to block website for perticular users using ASDM 6.0 ?

Go to solution
vinayak
Level 1
Level 1

‎09-16-2010 09:32 PM - edited ‎03-11-2019 11:41 AM

Hello All,

I am very new in using ASDM. actually i am using ASA 5510 version 8.0 & ASDM version 6.0.

I want to block certian websites on LAN users

For Example:

I am having LAN ips in range 192.168.1.0 /24

i want to permit all website for 192.168.1.2 & 192.168.1.14 users

& Block websites (such as social networking, IM websites etc.) for rest of all users.

Can anyone tell me how to do that using ASDM 6.0 or CLI ??

Any help is greatly helpful ......  Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to vinayak

‎09-16-2010 10:31 PM

Sure..

Here is an example:

object-group network allow-list

     network-object host 192.168.1.2

     network-object host 192.168.1.14

object-group network block-list

     network-object host 192.168.1.5

     network-object 192.168.1.32 255.255.255.248

access-list inside_mpc extended deny tcp object-group allow-list any eq 80

access-list inside_mpc extended permit tcp object-group block-list any eq 80

Hope that helps.

View solution in original post

0 Helpful
11 Replies 11

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎09-16-2010 09:50 PM

ASA natively does not have a feature to block particular website. You might need to use Regex via MPF to block website via ASA. Here is the sample configuration for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

To block website natively, you can use CSC module on the ASA, or Ironport web appliance, or ScanSafe web filtering solution in the cloud.

Hope that helps.

0 Helpful

Go to solution
vinayak
Level 1
Level 1
In response to Jennifer Halim

‎09-16-2010 10:02 PM

Hello,

Thanks for reply. I think this should help me to block website for all users.

But i want to block websites for some users & want to permit all websites for 2 users (as 192.168.1.2 & 1.14).

Then how to do that ?

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to vinayak

‎09-16-2010 10:07 PM

From the sample configuration, you can tweak the access-list "inside_mpc" as follows:

access-list inside_mpc extended deny tcp host 192.168.1.2 any eq 80

access-list inside_mpc extended deny tcp host 192.168.1.14 any eq 80

access-list inside_mpc extended permit tcp any any eq 80

The first 2 lines of ACL will prevent 192.168.1.2 and 192.168.1.14 from being blocked towards the URL that you specify later with Regex.

Hope that helps.

Go to solution
vinayak
Level 1
Level 1
In response to Jennifer Halim

‎09-16-2010 10:22 PM

Thank you very much.

one last qusetion. Can i create a object group 1 for which i want to permit all traffic & object group 2 for which want to block specific traffic..

is it possible ? if so can you please tell me how to do that ?

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to vinayak

‎09-16-2010 10:31 PM

Sure..

Here is an example:

object-group network allow-list

     network-object host 192.168.1.2

     network-object host 192.168.1.14

object-group network block-list

     network-object host 192.168.1.5

     network-object 192.168.1.32 255.255.255.248

access-list inside_mpc extended deny tcp object-group allow-list any eq 80

access-list inside_mpc extended permit tcp object-group block-list any eq 80

Hope that helps.

0 Helpful

Go to solution
vinayak
Level 1
Level 1
In response to Jennifer Halim

‎09-16-2010 10:38 PM

Thank you very much.

I will implement it & reply you back,.

thanks again..

0 Helpful

Go to solution
vinayak
Level 1
Level 1
In response to vinayak

‎09-16-2010 10:54 PM

Hello,

Sorry to disturb you again, But can you tell me what is the meaning of the statement..

access-list inside_mpc extended deny tcp 192.168.1.2 any eq www

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to vinayak

‎09-17-2010 02:30 AM

Basing it from the sample configuration posted earlier, the following ACL:

access-list inside_mpc extended deny tcp 192.168.1.2 any eq www

means that the user with ip address of 192.168.1.2 will be exempted from being blocked, ie: that user will not be inspected against the MPF rule configured for TCP/80 (HTTP) traffic.

0 Helpful

Go to solution
vinayak
Level 1
Level 1
In response to Jennifer Halim

‎09-17-2010 05:00 AM

Dear halijenn ,

thanks for help. Its really works..

Thanks...

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to vinayak

‎09-17-2010 05:02 AM

Great, thanks for the update. Pls kindly mark the question as answered. Thanks.

0 Helpful

Go to solution
vinayak
Level 1
Level 1
In response to Jennifer Halim

‎09-17-2010 05:03 AM

ok. thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card