New Member

Blocking Web Sites on Cisco ASA5510

Hi Experts,

Can anyone help in blocking a web site, for example Facebook, on a Cisco ASA5510?

I used the below configuration on the Cisco ASA5510, but it did not block any web site:

regex blockex1 "facebook\.com"
regex blockex2 "youtube\.com"
class-map type inspect http match-any block-url-class
 match request header host regex blockex1
 match request header host regex blockex2
policy-map type inspect http block-url-policy
 parameters
 class block-url-class
  drop-connection log
class inspection_default
policy-map global_policy
 class inspection_default
  inspect http block-url-policy
service-policy global_policy global

3 REPLIES
VIP Purple

Re: Blocking Web Sites on Cisco ASA5510

It won't work if the client is using HTTPS. Better use FQDN-based filtering with sites that don't use shared hosting:

object network FACEBOOK
 fqdn www.facebook.com
access-list INSIDE-ACCESS-IN extended deny ip any4 object FACEBOOK
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.10.10.10 ! your DNS-server
 domain-name company.intern

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


New Member

Blocking Web Sites on Cisco ASA5510

Hi,

Thanks for the reply. I didn't find the command "fqdn www.facebook.com" in object network FACEBOOK.

Can you please write the complete config in detail?

VIP Purple

Blocking Web Sites on Cisco ASA5510

Probably your ASA version is too old; the fqdn parameter was introduced in 8.4(2).

http://www.cisco.com/en/US/docs/security/asa/command-reference/f2.html#wp2058089

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
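
Added example, not part of the thread and not written by either poster: the FQDN-based approach from the first reply laid out end to end, including binding the ACL to the interface. It assumes ASA 8.4(2) or later, an interface named `inside`, the DNS server address and ACL name used in the reply, and no other ACL already applied inbound on `inside`.

```cisco
! Added example (assumptions: interface "inside", DNS server 10.10.10.10,
! ASA 8.4(2) or later, no existing inbound ACL on inside).

! 1. Let the ASA resolve names itself; fqdn objects depend on this.
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.10.10.10
 domain-name company.intern

! 2. One object per exact host name. An fqdn object matches only the
!    addresses that this name resolves to, not other names of the site.
object network FACEBOOK
 fqdn www.facebook.com

! 3. Deny the object first, then permit everything else. Once an ACL is
!    applied, traffic that matches no entry hits the implicit deny.
!    "any" is used here because the reply's "any4" keyword needs 9.0 or later.
access-list INSIDE-ACCESS-IN extended deny ip any object FACEBOOK
access-list INSIDE-ACCESS-IN extended permit ip any any

! 4. The ACL has no effect until it is bound to the interface.
access-group INSIDE-ACCESS-IN in interface inside

! 5. Verify: the resolved addresses should appear in the DNS cache and
!    as expanded entries (with hit counts) under the deny line.
show dns
show access-list INSIDE-ACCESS-IN
```

Because the ASA enforces this rule on resolved IP addresses, every other site served from the same addresses is blocked as well, which is the shared-hosting caveat in the reply.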

