Our community of experts have been thoroughly vetted for their expertise and industry experience.
The crowned prince of Vodka fuelled Technical Ninjary
Browse All Articles > Block Access to Facebook on Cisco ASA with MPF (Modular Policy Framework)
If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the best solution
NOTE: This can be used for any web site simply add each URL you want to block.
Log into your firewall and enter enable mode, then enter configure terminal mode.
Type help or '?' for a list of available commands.
PetesASA# conf t
1. The first thing we are going to do is write a "Regular Expression" that matches Facebook, (Repeat the line adding domainlist2, 3 etc for each additional domain you require to block.)
2. Now we are going to create a "Class-map" which will include our regular expression. (Note: for additional you would simply add multiple match commands.)
PetesASA(config)# class-map type regex match-any DomainBlockList
PetesASA(config-cmap)# match regex domainlist1
3. We are now going to create a second class map, this one is for http inspection, and uses the first class map we created, it basically says, this class map is for http inspection and will inspect for what we declared in the first class map (i.e. Inspect http traffic for any instance of facebook.com).
PetesASA(config)# class-map type inspect http match-all BlockDomainsClass
PetesASA(config-cmap)# match request header host regex class DomainBlockList
4. Now to apply these class-maps we need to use a policy, the rule for policies is, you can have tons of policies but you can only apply one global policy, AND you can also have a policy for each interface, So here Ill create a policy for http inspection and use the classes we created above....
PetesASA(config)# policy-map type inspect http http_inspection_policy
PetesASA(config-pmap)# class BlockDomainsClass
PetesASA(config-pmap-c)# reset log
5. Then to knit everything together, I'm going to embed this policy in my firewalls global policy.
6. Note: Above I've assumed you have the default global policy, If you haven't, this will not apply until you have applied the global_policy globally, this is done with a service-policy command, check to see if you already have this command in your config, or simply execute the command and the firewall and will tell you, like so....
Note: If it does not error then it was NOT applied :)
PetesASA(config)# service-policy global_policy global
WARNING: Policy map global_policy is already configured as a service policy
7. Don't forget the save the config with a "write mem" command.
If you want to have this on a policy of its own, applied to an interface rather than on the Global Policy here is some working code to copy and paste
regex BLOCKED_DOMAIN_1 "www.facbook.com"
access-list TRAFFIC_TO_INSPECT_FOR_BLOCKED_DOMAINS extended permit tcp any any eq http
class-map type regex match-any CLASS_MAP_BLOCKED_DOMAIN_LIST
match regex BLOCKED_DOMAIN_1
class-map type inspect http match-all CLASS_MAP_DEFINE_TRAFFIC_TO_INSPECT
match request header host regex class CLASS_MAP_BLOCKED_DOMAIN_LIST
match access-list TRAFFIC_TO_INSPECT_FOR_BLOCKED_DOMAINS
policy-map type inspect http POLICY_MAP_HTTP_INSPECTION
inspect http POLICY_MAP_HTTP_INSPECTION
service-policy POLICY_MAP_OUTSIDE_INTERFACE interface outside