Solved

ASA 5505 Web Site Restriction

Posted on 2009-05-13
5
751 Views
Last Modified: 2013-11-16
Due to a very strict security policy, I'd like to restrict users of an internal network to *only* be able to access a limited number of web sites. Let's just say that the policy only allows users to visit CNN, ESPN, Microsoft, Apple, and MSNBC. Currently, there are no restrictions and the ASA is doing PAT on the outside interface.

Is there a way that I can restrict users to only access these sites (and no others) with the ASA by way of an ACL? I know this can be done on the Juniper Netscreen, but not sure with the ASA 5505.

WebSense and SmartFilter are not options, so URL Filtering is out of the question for us.

Thanks in advance.

(I've attached the current config in the event that review is required)
config1-may2k9.txt
0
Comment
Question by:sarahbobby
  • 2
  • 2
5 Comments
 
LVL 17

Expert Comment

by:Andres Perales
ID: 24378554
Check out OpenDNS at www.opendns.com
They have free to use...websense type services...give them a try not bad...
0
 

Author Comment

by:sarahbobby
ID: 24378665
I'm with you on that. OpenDNS rocks. But that won't work with our current setup. We're trying to utilize the ASA and it's resources only.

Perhaps I'm being naive in believing that the ASA can do this since the Juniper Netscreen can....
0
 
LVL 4

Expert Comment

by:nasirsh
ID: 24379183
You need to create a policy MAP in order to achive this. In the policy map you can enter the url which you want to visit and rest of them deny. In the class-map you have to give the option of match destination-address which will inspect the given IP of the allowed URL. Then from the policy you can deny the rest and allow the given IPs.
0
 

Author Comment

by:sarahbobby
ID: 24379363
Excellent advice and I appreciate it greatly.

But honestly, I have no idea what a policy MAP is or where to being configuring something like that (still a bit of a novice). Can you point me in the right direction via ASDM or CLI?

I'll be more than happy to award you the points.

Thks
0
 
LVL 4

Accepted Solution

by:
nasirsh earned 125 total points
ID: 24379743
From here you can get the basic idea. Below is described how to block the website. You can alter it the way you want.

regex YELLOWPAGES "*yellowpages.com.au"
regex WHITEPAGES "*whitepages.com.au"

access-list INTERNET-RESTRICTED remark Hosts that have restricted
Internet access
access-list INTERNET-RESTRICTED extended permit ip host
192.168.101.110 any
access-list INTERNET-RESTRICTED remark Head Office LAN has open
Internet access
access-list INTERNET-RESTRICTED extended deny ip 192.168.101.0
255.255.255.0 any
access-list INTERNET-RESTRICTED remark Shops have restricted Internet
access
access-list INTERNET-RESTRICTED extended permit ip 192.168.0.0
255.255.0.0 any

!
class-map type regex match-any RESTRICTED-URL
match regex YELLOWPAGES
match regex WHITEPAGES
class-map type inspect http match-all INTERNET-RESTRICTED-SITES
match not request uri regex class RESTRICTED-URL
class-map inspection_default
match default-inspection-traffic
class-map INTERNET-RESTRICTED
match access-list INTERNET-RESTRICTED
!
!
policy-map type inspect http POLICY-INTERNET-RESTRICTED
parameters
class INTERNET-RESTRICTED-SITES
drop-connection log
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 2048
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
inspect snmp
inspect esmtp
policy-map INTERNET-OUTBOUND
class INTERNET-RESTRICTED
inspect http POLICY-INTERNET-RESTRICTED
!
service-policy global_policy global
service-policy INTERNET-OUTBOUND interface inside
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now