Block Access to Facebook on Cisco ASA with MPF (Modular Policy Framework)

Published on
22,732 Points
8 Endorsements
Last Modified:
Pete Long
The crowned prince of Vodka fuelled Technical Ninjary
If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the best solution

NOTE: This can be used for any web site simply add each URL you want to block.

Log into your firewall and enter enable mode, then enter configure terminal mode.

Type help or '?' for a list of available commands.
PetesASA> en
Password: ********
PetesASA# conf t

1. The first thing we are going to do is write a "Regular Expression" that matches Facebook, (Repeat the line adding domainlist2, 3 etc for each additional domain you require to block.)

PetesASA(config)# regex domainlist1 "facebook.com"


2. Now we are going to create a "Class-map" which will include our regular expression. (Note: for additional you would simply add multiple match commands.)

PetesASA(config)# class-map type regex match-any DomainBlockList
PetesASA(config-cmap)# match regex domainlist1


3. We are now going to create a second class map, this one is for http inspection, and uses the first class map we created, it basically says, this class map is for http inspection and will inspect for what we declared in the first class map (i.e. Inspect http traffic for any instance of facebook.com).

PetesASA(config)# class-map type inspect http match-all BlockDomainsClass
PetesASA(config-cmap)# match request header host regex class DomainBlockList

4. Now to apply these class-maps we need to use a policy, the rule for policies is, you can have tons of policies but you can only apply one global policy, AND you can also have a policy for each interface, So here Ill create a policy for http inspection and use the classes we created above....

PetesASA(config)# policy-map type inspect http http_inspection_policy
PetesASA(config-pmap)# class BlockDomainsClass
PetesASA(config-pmap-c)# reset log

5. Then to knit everything together, I'm going to embed this policy in my firewalls global policy.

PetesASA(config)# policy-map global_policy
PetesASA(config-pmap)# class inspection_default
PetesASA(config-pmap-c)# inspect http http_inspection_policy


6. Note: Above I've assumed you have the default global policy, If you haven't, this will not apply until you have applied the global_policy globally, this is done with a service-policy command, check to see if you already have this command in your config, or simply execute the command and the firewall and will tell you, like so....

Note: If it does not error then it was NOT applied :)

PetesASA(config)# service-policy global_policy global
WARNING: Policy map global_policy is already configured as a service policy


7. Don't forget the save the config with a "write mem" command.
If you want to have this on a policy of its own, applied to an interface rather than on the Global Policy here is some working code to copy and paste

regex BLOCKED_DOMAIN_1 "www.facbook.com"
access-list TRAFFIC_TO_INSPECT_FOR_BLOCKED_DOMAINS extended permit tcp any any eq http
class-map type regex match-any CLASS_MAP_BLOCKED_DOMAIN_LIST
  match regex BLOCKED_DOMAIN_1
class-map type inspect http match-all CLASS_MAP_DEFINE_TRAFFIC_TO_INSPECT
  match request header host regex class CLASS_MAP_BLOCKED_DOMAIN_LIST
policy-map type inspect http POLICY_MAP_HTTP_INSPECTION
  drop-connection log
service-policy POLICY_MAP_OUTSIDE_INTERFACE interface outside
Author:Pete Long

Featured Post

Get Cisco Certified in IT Security

There’s a high demand for IT security experts and network administrators who can safeguard the data that individuals, corporations, and governments rely on every day. Pursue your B.S. in Network Operations and Security and gain the credentials you need for this high-growth field.

Join & Write a Comment

Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Other articles by this author

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month