Solved

ASA 5505 Web Site Restriction

Posted on 2009-05-13
Last Modified: 2013-11-16
Due to a very strict security policy, I'd like to restrict users of an internal network to *only* be able to access a limited number of web sites. Let's just say that the policy only allows users to visit CNN, ESPN, Microsoft, Apple, and MSNBC. Currently, there are no restrictions and the ASA is doing PAT on the outside interface.

Is there a way that I can restrict users to only access these sites (and no others) with the ASA by way of an ACL? I know this can be done on the Juniper Netscreen, but not sure with the ASA 5505.

WebSense and SmartFilter are not options, so URL Filtering is out of the question for us.

Thanks in advance.

(I've attached the current config in the event that review is required)
config1-may2k9.txt
Question by:sarahbobby
5 Comments
 
LVL 17

Expert Comment

by:Andres Perales
ID: 24378554
Check out OpenDNS at www.opendns.com
They have free-to-use... WebSense-type services... give them a try, not bad...

Author Comment

by:sarahbobby
ID: 24378665
I'm with you on that. OpenDNS rocks. But that won't work with our current setup. We're trying to utilize the ASA and its resources only.

Perhaps I'm being naive in believing that the ASA can do this since the Juniper Netscreen can....
LVL 4

Expert Comment

by:nasirsh
ID: 24379183
You need to create a policy map in order to achieve this. In the policy map you can enter the URLs which you want to allow and deny the rest. In the class map you have to give the option of match destination-address, which will inspect the given IP of the allowed URL. Then from the policy you can deny the rest and allow the given IPs.

Author Comment

by:sarahbobby
ID: 24379363
Excellent advice and I appreciate it greatly.

But honestly, I have no idea what a policy map is or where to begin configuring something like that (still a bit of a novice). Can you point me in the right direction via ASDM or CLI?

I'll be more than happy to award you the points.

Thanks
LVL 4

Accepted Solution

by:nasirsh (earned 125 total points)
ID: 24379743
From here you can get the basic idea. Below is described how to block the website. You can alter it the way you want.

! Site patterns. A regex cannot start with "*" (the original "*yellowpages.com.au"
! is rejected), so lead with ".*" and escape the dots so "." does not match any character.
regex YELLOWPAGES ".*yellowpages\.com\.au"
regex WHITEPAGES ".*whitepages\.com\.au"
!
! Which inside hosts the HTTP policy is applied to (first matching line wins).
access-list INTERNET-RESTRICTED remark Hosts that have restricted Internet access
access-list INTERNET-RESTRICTED extended permit ip host 192.168.101.110 any
access-list INTERNET-RESTRICTED remark Head Office LAN has open Internet access
access-list INTERNET-RESTRICTED extended deny ip 192.168.101.0 255.255.255.0 any
access-list INTERNET-RESTRICTED remark Shops have restricted Internet access
access-list INTERNET-RESTRICTED extended permit ip 192.168.0.0 255.255.0.0 any
!
! Group the patterns, then match every HTTP request that does NOT hit one of them.
class-map type regex match-any RESTRICTED-URL
 match regex YELLOWPAGES
 match regex WHITEPAGES
class-map type inspect http match-all INTERNET-RESTRICTED-SITES
 match not request uri regex class RESTRICTED-URL
! "request uri" inspects the request line, which in plain HTTP usually carries only
! the path; the site name itself is in the Host header, so to match on it use
! "match not request header host regex class RESTRICTED-URL" instead.
class-map inspection_default
 match default-inspection-traffic
class-map INTERNET-RESTRICTED
 match access-list INTERNET-RESTRICTED
!
! Drop and log each request that landed in the "not matched" class.
policy-map type inspect http POLICY-INTERNET-RESTRICTED
 parameters
 class INTERNET-RESTRICTED-SITES
  drop-connection log
!
! Default inspections (unchanged from the ASA defaults).
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 2048
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
  inspect snmp
  inspect esmtp
!
! Attach the restrictive HTTP inspection only to the hosts selected by the ACL.
policy-map INTERNET-OUTBOUND
 class INTERNET-RESTRICTED
  inspect http POLICY-INTERNET-RESTRICTED
!
service-policy global_policy global
service-policy INTERNET-OUTBOUND interface inside
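As an added example, not part of nasirsh's post or the attached config: the same MPF approach turned into the allow-list the question asks for (only the five named sites), matching the Host header and closing the other outbound paths so the list cannot be sidestepped. The inside subnet 192.168.1.0/24 and all object names are assumptions.

```cisco
! Added example (assumptions: inside LAN is 192.168.1.0/24; names are made up).
! 1. One regex per permitted site, anchored to the whole Host header value
!    (so "cnn.com.example.net" does not pass) with dots escaped.
regex ALLOW-CNN       "^([A-Za-z0-9-]+\.)*cnn\.com$"
regex ALLOW-ESPN      "^([A-Za-z0-9-]+\.)*espn\.com$"
regex ALLOW-MICROSOFT "^([A-Za-z0-9-]+\.)*microsoft\.com$"
regex ALLOW-APPLE     "^([A-Za-z0-9-]+\.)*apple\.com$"
regex ALLOW-MSNBC     "^([A-Za-z0-9-]+\.)*msnbc\.com$"
!
class-map type regex match-any ALLOWED-HOSTS
 match regex ALLOW-CNN
 match regex ALLOW-ESPN
 match regex ALLOW-MICROSOFT
 match regex ALLOW-APPLE
 match regex ALLOW-MSNBC
!
! 2. The class is the inverse of the list: any request whose Host header is
!    not an allowed site (including requests with no Host header at all).
class-map type inspect http match-all HTTP-NOT-ALLOWED
 match not request header host regex class ALLOWED-HOSTS
!
! 3. Drop and log those requests; requests to allowed sites pass untouched.
policy-map type inspect http HTTP-ALLOWLIST
 parameters
 class HTTP-NOT-ALLOWED
  drop-connection log
!
! 4. Apply the inspection to tcp/80 from the LAN ...
access-list LAN-HTTP extended permit tcp 192.168.1.0 255.255.255.0 any eq www
class-map LAN-HTTP
 match access-list LAN-HTTP
policy-map INSIDE-POLICY
 class LAN-HTTP
  inspect http HTTP-ALLOWLIST
service-policy INSIDE-POLICY interface inside
!
! 5. ... and close every other outbound path, otherwise the allow-list is
!    only a speed bump: HTTPS (tcp/443) cannot be filtered by Host header
!    because the header is encrypted, and any other port would leave the
!    LAN uninspected. DNS stays open so the listed names still resolve;
!    "log" records the blocked attempts for review.
access-list INSIDE-IN extended permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list INSIDE-IN extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list INSIDE-IN extended deny ip any any log
access-group INSIDE-IN in interface inside
```

Because step 5 blocks tcp/443, the five sites are reachable over plain HTTP only; if they must be reached over HTTPS, the ACL has to permit 443 to their resolved addresses instead, which the HTTP inspection cannot check.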
