<

Block Access to Facebook on Cisco ASA with MPF (Modular Policy Framework)

Published on
22,887 Points
16,087 Views
8 Endorsements
Last Modified:
Approved
Pete Long
The crowned prince of Vodka fuelled Technical Ninjary
If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the best solution

NOTE: This can be used for any web site simply add each URL you want to block.

Log into your firewall and enter enable mode, then enter configure terminal mode.


Password:
Type help or '?' for a list of available commands.
PetesASA> en
Password: ********
PetesASA# conf t
PetesASA(config)#



1. The first thing we are going to do is write a "Regular Expression" that matches Facebook, (Repeat the line adding domainlist2, 3 etc for each additional domain you require to block.)


PetesASA(config)#
PetesASA(config)# regex domainlist1 "facebook.com"
PetesASA(config)#

 

2. Now we are going to create a "Class-map" which will include our regular expression. (Note: for additional you would simply add multiple match commands.)


PetesASA(config)#
PetesASA(config)# class-map type regex match-any DomainBlockList
PetesASA(config-cmap)# match regex domainlist1
PetesASA(config-cmap)#

 

3. We are now going to create a second class map, this one is for http inspection, and uses the first class map we created, it basically says, this class map is for http inspection and will inspect for what we declared in the first class map (i.e. Inspect http traffic for any instance of facebook.com).

 
PetesASA(config)#
PetesASA(config)# class-map type inspect http match-all BlockDomainsClass
PetesASA(config-cmap)# match request header host regex class DomainBlockList
PetesASA(config-cmap)#



4. Now to apply these class-maps we need to use a policy, the rule for policies is, you can have tons of policies but you can only apply one global policy, AND you can also have a policy for each interface, So here Ill create a policy for http inspection and use the classes we created above....

 
PetesASA(config)#
PetesASA(config)# policy-map type inspect http http_inspection_policy
PetesASA(config-pmap)# class BlockDomainsClass
PetesASA(config-pmap-c)# reset log
PetesASA(config-pmap-c)#



5. Then to knit everything together, I'm going to embed this policy in my firewalls global policy.

 
PetesASA(config)#
PetesASA(config)# policy-map global_policy
PetesASA(config-pmap)# class inspection_default
PetesASA(config-pmap-c)# inspect http http_inspection_policy
PetesASA(config-pmap-c)#

 

6. Note: Above I've assumed you have the default global policy, If you haven't, this will not apply until you have applied the global_policy globally, this is done with a service-policy command, check to see if you already have this command in your config, or simply execute the command and the firewall and will tell you, like so....

Note: If it does not error then it was NOT applied :)

 
PetesASA(config)#
PetesASA(config)# service-policy global_policy global
WARNING: Policy map global_policy is already configured as a service policy
PetesASA(config)#

 

7. Don't forget the save the config with a "write mem" command.
 
If you want to have this on a policy of its own, applied to an interface rather than on the Global Policy here is some working code to copy and paste
 

regex BLOCKED_DOMAIN_1 "www.facbook.com"
access-list TRAFFIC_TO_INSPECT_FOR_BLOCKED_DOMAINS extended permit tcp any any eq http
class-map type regex match-any CLASS_MAP_BLOCKED_DOMAIN_LIST
  match regex BLOCKED_DOMAIN_1
class-map type inspect http match-all CLASS_MAP_DEFINE_TRAFFIC_TO_INSPECT
  match request header host regex class CLASS_MAP_BLOCKED_DOMAIN_LIST
class-map CLASS_MAP_HTTP_TRAFFIC
  match access-list TRAFFIC_TO_INSPECT_FOR_BLOCKED_DOMAINS
policy-map type inspect http POLICY_MAP_HTTP_INSPECTION
  parameters
  class CLASS_MAP_DEFINE_TRAFFIC_TO_INSPECT
  drop-connection log
policy-map POLICY_MAP_OUTSIDE_INTERFACE
class CLASS_MAP_HTTP_TRAFFIC
  inspect http POLICY_MAP_HTTP_INSPECTION
service-policy POLICY_MAP_OUTSIDE_INTERFACE interface outside
8
Author:Pete Long
Enjoy this complimentary article view.

Get unlimited access to our entire library of technical procedures, guides, and tutorials written by certified industry professionals.

Get 7 days free
Click here to view the full article

Using this article for work? Experts Exchange can benefit your whole team.

Learn More
COLLABORATE WITH CERTIFIED PROFESSIONALS
Experts Exchange is a tech solutions provider where users receive personalized tech help from vetted certified professionals. These industry professionals also write and publish relevant articles on our site.
Ask questions about what you read
If you have a question about something within an article, you can receive help directly from the article author. Experts Exchange article authors are available to answer questions and further the discussion.
Learn from the best.