Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3637
  • Last Modified:

How do you block facebook etc from a Cisco PIX? using the web based management tool called Cisco ASDM Launcher

Please can someone tell me how to block facebook on the web based management tool Cisco ASDM Launcher?
1 Solution
It can be done with firewall rules, but it will be very challenging. You will need to figure out the IPs that FaceBook uses and set up rules to block those ips.

The easiest way to do content filtering with a Pix is to use a 3rd party product like WebSense.  You can become very creative in filtering web sites that do not match you business policies.
johngloverjnrAuthor Commented:
but will it not slow down my web access for 100 users?

How easy is it to do?
Websense will not slow down your web surfing. It can be installed on a server somwhere in your network. You can get a 30 day eval at www.websense.com . The product is easy to install and I find the menagement tool is very easy to understand.

You will need to add the following four lines of code to your Pix to use WebSense. Use the actual IP of the server where Websense is installed instead of 999.999.999.999

url-server (inside) vendor websense host 999.999.999.999 timeout 30 protocol UDP version 4
filter url http allow
filter url 443 allow
filter url 21 allow
Granular recovery for Microsoft Exchange

With Veeam Explorer for Microsoft Exchange you can choose the Exchange Servers and restore points you’re interested in, and Veeam Explorer will present the contents of those mailbox stores for browsing, searching and exporting.

If you have a DNS server internally, you can simply create a zone for facebook.com and leave the zone empty. Facebook.com will no longer resolve. You may have to restrict outbound DNS traffic however if your users are clever enough to change their DNS server addresses.

Other than this, I can say websense i s a great product, but may be a bit expensive for what you are trying to accomplish.
Verify you are running the proper version.
We had to call TAC as we had too many commands in our config (the example gives you too many features).

Here's a sample of the code on an ASA.
regex domainlist1 "\facebook.\com"

access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq 8080

class-map type regex match-any DomainBlockList
 match regex domainlist1

class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
class-map inspection_default
 match default-inspection-traffic
class-map httptraffic
 match access-list inside_mpc
policy-map type inspect http http_inspection_policy
  protocol-violation action drop-connection
 match request method connect
  drop-connection log
 class BlockDomainsClass
  reset log

policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy
service-policy inside-policy interface inside

Oh good one oneprospect, I forgot about using policy maps.
CigeoSenior Network EngineerCommented:
What must be done in order to apply this with time-range, lets say 08:00 to 18:00.

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now