New Member

URL/WEB Filtering in ASA

Hi,

How can I allow only specific websites and block the rest of the internet in a Cisco ASA firewall?

Since it is a very small network, I would prefer not to implement a URL filtering server (Websense) along with the ASA.

Thanks in advance

13 REPLIES

Re: URL/WEB Filtering in ASA

You can use the Modular Policy Framework: create a custom inspect policy of type http, match the host part (the website address, i.e. www.site.com) and drop that traffic under the policy.

HTH,

vikram

Re: URL/WEB Filtering in ASA

Following is an example to block cisco.com:

! Case-insensitive match on "cisco.com"; the dot is escaped so it matches only a literal "."
regex cisco-regex "[Cc][Ii][Ss][Cc][Oo]\.[Cc][Oo][Mm]"
!
class-map type regex match-any cisco-url
 match regex cisco-regex
!
! Match HTTP requests whose Host header matches the regex class
class-map type inspect http match-all cisco
 match request header host regex class cisco-url
!
! Drop and log connections that hit the class
policy-map type inspect http Badwebsites
 parameters
 class cisco
  drop-connection log
!
policy-map My_policy
 class inspection_default
  inspect http Badwebsites
!
service-policy My_policy global

Syed

New Member

Re: URL/WEB Filtering in ASA

Thanks a lot Syed and Vikram,

Syed,

I just want to block the entire internet except 5 to 10 web sites!!

Can you please guide me?

New Member

Re: URL/WEB Filtering in ASA

Well, you can deny all HTTP and HTTPS traffic to the internet and permit only the sites you want users to be able to access.

Cheers

Re: URL/WEB Filtering in ASA

This might do the job for you, assuming that you want to permit only yahoo and google and deny the rest.

#####################################
regex domain1 "\.yahoo\.com"
regex domain2 "\.google\.com"
!
class-map web
 match port tcp eq www
!
policy-map type inspect http URL
 parameters
 match not request header host regex domain1
 match not request header host regex domain2
  drop-connection
!
policy-map global_policy
 class web
  inspect http URL
!
####################################

New Member

Re: URL/WEB Filtering in ASA

Vikram,

Thanks a lot!

One final question (maybe a stupid one!).

If I allow www.google.com, the user will be able to access the www.google.com page. Is it possible for him to browse any other web sites embedded in the google.com site? I guess that is not possible.

Or can any other such intelligent device perform this?

Rgds.

Re: URL/WEB Filtering in ASA

It shouldn't be possible, as when a user clicks on a link, it would take him away from the current page and directly to the URL the user has clicked on.

You will have to test it to be sure.

vikram.

New Member

Re: URL/WEB Filtering in ASA

Yes Vikram, I agree with you.

Hmm...

How about the ASA CSC module for URL filtering?

Can I create a local permit list and block list and achieve blocking all internet except a few web sites?

Without going for the TrendMicro license renewal every year?

I mean content/URL filtering managed only from the local list.

Hope I am not confusing you!

Rgds

Re: URL/WEB Filtering in ASA

I have never worked on CSC module :(

Re: URL/WEB Filtering in ASA

vadivel,

You will have to tweak my earlier code a bit for it to work. Here is the updated code; I have tested this code, but using IP addresses instead, and it worked just fine.

#####################################
regex domain1 "\.yahoo\.com"
regex domain2 "\.google\.com"
!
class-map type regex match-any domain-list
 match regex domain1
 match regex domain2
!
class-map web
 match port tcp eq www
!
policy-map type inspect http URL
 parameters
 match not request header host regex class domain-list
  drop-connection
!
policy-map global_policy
 class web
  inspect http URL
!
####################################
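
An added example, not part of any post in this thread and not Cisco code: a Python model of the Host check in the updated configuration, used to list which Host values the two patterns let through before the policy is deployed. It assumes the ASA applies each pattern as a case-sensitive, unanchored search (as Python's `re.search` does); `host_allowed`, `intended` and `mismatches` are names made up here, and the sample Host values are constructed.

```python
import re

# Patterns copied from the "regex domain1" / "regex domain2" lines of the post.
ALLOW_PATTERNS = [r"\.yahoo\.com", r"\.google\.com"]
# What the allow-list is meant to cover (assumption: these domains and their subdomains).
ALLOWED_DOMAINS = ["yahoo.com", "google.com"]


def host_allowed(host):
    """Model of 'match not request header host regex class domain-list' plus
    drop-connection: a request survives only if some pattern matches the Host."""
    # Assumption: case-sensitive, unanchored search, like re.search.
    return any(re.search(p, host) for p in ALLOW_PATTERNS)


def intended(host):
    """Reference verdict: exact domain or a true subdomain, ignoring case and port."""
    name = host.lower().split(":")[0]
    return any(name == d or name.endswith("." + d) for d in ALLOWED_DOMAINS)


def mismatches(hosts):
    """Return (host, regex_verdict, intended_verdict) where the two disagree."""
    return [(h, host_allowed(h), intended(h))
            for h in hosts if host_allowed(h) != intended(h)]


# Constructed Host header values for the check.
SAMPLE_HOSTS = [
    "www.yahoo.com",
    "mail.google.com",
    "www.google.com:80",
    "www.cisco.com",
    "google.com",                  # no leading dot in the Host value
    "WWW.GOOGLE.COM",              # upper case
    "www.google.com.example.net",  # allowed name appears only as a substring
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:30} {'pass' if host_allowed(h) else 'drop'}")
    for h, got, want in mismatches(SAMPLE_HOSTS):
        print(f"MISMATCH {h}: patterns={got} intended={want}")
```

The `class-map web` in the post matches only `tcp eq www`, so this check models plain HTTP requests on that port.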

New Member

Re: URL/WEB Filtering in ASA

Guys, thanks for this thread; I got this working just great and now have a whitelist controlling internet browsing.

Thanks

New Member

Re: URL/WEB Filtering in ASA

Hi Dave, Good to know that it works for you.

I am just waiting for customer confirmation to implement it!

Thanks to the experts!!

New Member

Re: URL/WEB Filtering in ASA

This information is really useful, thanks a lot!!!