Solved

ASA 5505 Web Site Restriction

Posted on 2009-05-13
5
758 Views
Last Modified: 2013-11-16
Due to a very strict security policy, I'd like to restrict users of an internal network to *only* be able to access a limited number of web sites. Let's just say that the policy only allows users to visit CNN, ESPN, Microsoft, Apple, and MSNBC. Currently, there are no restrictions and the ASA is doing PAT on the outside interface.

Is there a way that I can restrict users to only access these sites (and no others) with the ASA by way of an ACL? I know this can be done on the Juniper Netscreen, but not sure with the ASA 5505.

WebSense and SmartFilter are not options, so URL Filtering is out of the question for us.

Thanks in advance.

(I've attached the current config in the event that review is required)
config1-may2k9.txt
0
Comment
Question by:sarahbobby
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 17

Expert Comment

by:Andres Perales
ID: 24378554
Check out OpenDNS at www.opendns.com
They have free to use...websense type services...give them a try not bad...
0
 

Author Comment

by:sarahbobby
ID: 24378665
I'm with you on that. OpenDNS rocks. But that won't work with our current setup. We're trying to utilize the ASA and it's resources only.

Perhaps I'm being naive in believing that the ASA can do this since the Juniper Netscreen can....
0
 
LVL 4

Expert Comment

by:nasirsh
ID: 24379183
You need to create a policy MAP in order to achive this. In the policy map you can enter the url which you want to visit and rest of them deny. In the class-map you have to give the option of match destination-address which will inspect the given IP of the allowed URL. Then from the policy you can deny the rest and allow the given IPs.
0
 

Author Comment

by:sarahbobby
ID: 24379363
Excellent advice and I appreciate it greatly.

But honestly, I have no idea what a policy MAP is or where to being configuring something like that (still a bit of a novice). Can you point me in the right direction via ASDM or CLI?

I'll be more than happy to award you the points.

Thks
0
 
LVL 4

Accepted Solution

by:
nasirsh earned 125 total points
ID: 24379743
From here you can get the basic idea. Below is described how to block the website. You can alter it the way you want.

regex YELLOWPAGES "*yellowpages.com.au"
regex WHITEPAGES "*whitepages.com.au"

access-list INTERNET-RESTRICTED remark Hosts that have restricted
Internet access
access-list INTERNET-RESTRICTED extended permit ip host
192.168.101.110 any
access-list INTERNET-RESTRICTED remark Head Office LAN has open
Internet access
access-list INTERNET-RESTRICTED extended deny ip 192.168.101.0
255.255.255.0 any
access-list INTERNET-RESTRICTED remark Shops have restricted Internet
access
access-list INTERNET-RESTRICTED extended permit ip 192.168.0.0
255.255.0.0 any

!
class-map type regex match-any RESTRICTED-URL
match regex YELLOWPAGES
match regex WHITEPAGES
class-map type inspect http match-all INTERNET-RESTRICTED-SITES
match not request uri regex class RESTRICTED-URL
class-map inspection_default
match default-inspection-traffic
class-map INTERNET-RESTRICTED
match access-list INTERNET-RESTRICTED
!
!
policy-map type inspect http POLICY-INTERNET-RESTRICTED
parameters
class INTERNET-RESTRICTED-SITES
drop-connection log
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 2048
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
inspect snmp
inspect esmtp
policy-map INTERNET-OUTBOUND
class INTERNET-RESTRICTED
inspect http POLICY-INTERNET-RESTRICTED
!
service-policy global_policy global
service-policy INTERNET-OUTBOUND interface inside
0

Featured Post

What, When and Where - Security Threats from Q1

Join Corey Nachreiner, CTO, and Marc Laliberte, Information Security Threat Analyst, on July 26th as they explore their key findings from the first quarter of 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question