Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

ASA 5505 Web Site Restriction

Posted on 2009-05-13
5
Medium Priority
?
760 Views
Last Modified: 2013-11-16
Due to a very strict security policy, I'd like to restrict users of an internal network to *only* be able to access a limited number of web sites. Let's just say that the policy only allows users to visit CNN, ESPN, Microsoft, Apple, and MSNBC. Currently, there are no restrictions and the ASA is doing PAT on the outside interface.

Is there a way that I can restrict users to only access these sites (and no others) with the ASA by way of an ACL? I know this can be done on the Juniper Netscreen, but not sure with the ASA 5505.

WebSense and SmartFilter are not options, so URL Filtering is out of the question for us.

Thanks in advance.

(I've attached the current config in the event that review is required)
config1-may2k9.txt
0
Comment
Question by:sarahbobby
  • 2
  • 2
5 Comments
 
LVL 17

Expert Comment

by:Andres Perales
ID: 24378554
Check out OpenDNS at www.opendns.com
They have free to use...websense type services...give them a try not bad...
0
 

Author Comment

by:sarahbobby
ID: 24378665
I'm with you on that. OpenDNS rocks. But that won't work with our current setup. We're trying to utilize the ASA and it's resources only.

Perhaps I'm being naive in believing that the ASA can do this since the Juniper Netscreen can....
0
 
LVL 4

Expert Comment

by:nasirsh
ID: 24379183
You need to create a policy MAP in order to achive this. In the policy map you can enter the url which you want to visit and rest of them deny. In the class-map you have to give the option of match destination-address which will inspect the given IP of the allowed URL. Then from the policy you can deny the rest and allow the given IPs.
0
 

Author Comment

by:sarahbobby
ID: 24379363
Excellent advice and I appreciate it greatly.

But honestly, I have no idea what a policy MAP is or where to being configuring something like that (still a bit of a novice). Can you point me in the right direction via ASDM or CLI?

I'll be more than happy to award you the points.

Thks
0
 
LVL 4

Accepted Solution

by:
nasirsh earned 500 total points
ID: 24379743
From here you can get the basic idea. Below is described how to block the website. You can alter it the way you want.

regex YELLOWPAGES "*yellowpages.com.au"
regex WHITEPAGES "*whitepages.com.au"

access-list INTERNET-RESTRICTED remark Hosts that have restricted
Internet access
access-list INTERNET-RESTRICTED extended permit ip host
192.168.101.110 any
access-list INTERNET-RESTRICTED remark Head Office LAN has open
Internet access
access-list INTERNET-RESTRICTED extended deny ip 192.168.101.0
255.255.255.0 any
access-list INTERNET-RESTRICTED remark Shops have restricted Internet
access
access-list INTERNET-RESTRICTED extended permit ip 192.168.0.0
255.255.0.0 any

!
class-map type regex match-any RESTRICTED-URL
match regex YELLOWPAGES
match regex WHITEPAGES
class-map type inspect http match-all INTERNET-RESTRICTED-SITES
match not request uri regex class RESTRICTED-URL
class-map inspection_default
match default-inspection-traffic
class-map INTERNET-RESTRICTED
match access-list INTERNET-RESTRICTED
!
!
policy-map type inspect http POLICY-INTERNET-RESTRICTED
parameters
class INTERNET-RESTRICTED-SITES
drop-connection log
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 2048
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
inspect snmp
inspect esmtp
policy-map INTERNET-OUTBOUND
class INTERNET-RESTRICTED
inspect http POLICY-INTERNET-RESTRICTED
!
service-policy global_policy global
service-policy INTERNET-OUTBOUND interface inside
0

Featured Post

Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
As managed cloud service providers, we often get asked to intervene when cloud deployments go awry. Attracted by apparent ease-of-use, flexibility and low computing costs, companies quickly adopt leading public cloud platforms such as Amazon Web Ser…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

972 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question