The need to block users from browsing to particular websites is becoming more and more prevalent. Revenue is down, bandwidth is expensive, and no one wants to pay employees for browsing their Facebook profile. Cisco developed the Content management platform (CSC module) that allows you to do just that. However, it's an additional license and not available on the 5505 model. That being said, there is a way to accomplish this from the firewall itself. We can use the MPF (Modular Policy Framework) coupled with regex (regular expression) commands to block particular websites. Follow along with the code below.
Notes
-Insert your relevant information between <>
-Console prompts are shown in green
-Text in blue are variable names I made up, feel free to change them
Define the Regex for the domain you wish to block
ASA(config)# regex Domain1 "<the domain you wish to block (Example facebook.com)>"
Create a class map statement that matches your regex
ASA(config)# class-map type regex match-any CM_DomainsToBlock
ASA(config-cmap)# match regex Domain1
Create a broader policy map to include HTTP traffic and specify the previous class map
ASA(config)# class-map type inspect http match-all CM_HTTP
ASA(config-cmap)# match request header host regex class CM_DomainsToBlock
Create a policy and apply the classes to it
ASA(config)# policy-map type inspect http PM_HTTP
ASA(config-pmap)# class CM_HTTP
ASA(config-pmap-c)# reset log
Add your new policy to the firewall's global policy
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect http PM_HTTP
That's it! A few things to keep in mind. This obviously won't work if you haven't already configured the global_policy on the firewall. If for some reason you haven't, simply apply it with 'service-policy global_policy global'. Additionally, if you want to add more domains to your block list, simply define each one with a regex command and then add a match statement for it to your initial class map.
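As an added example (not part of the original post), the following Python script generates the MPF configuration above for a list of domains and shows one caveat a practitioner will want to check: in ASA regex syntax a bare "." matches any character, so the pattern should escape dots to match the literal host name. The domain list, the Domain1/Domain2 names and the use of Python's re module to approximate the ASA's unanchored Host header match are assumptions made for this example.

```python
import re

# Constructed block list for this example; only facebook.com comes from the post.
BLOCKED_DOMAINS = ["facebook.com", "example-social.net"]


def asa_regex(domain: str) -> str:
    """Escape a domain for the ASA 'regex' command so it matches a literal name.
    A bare '.' is a metacharacter in ASA regex syntax, so "facebook.com" would
    also match a host such as "facebookXcom"; escaping the dots prevents that."""
    return domain.replace(".", r"\.")


def build_config(domains):
    """Emit the class-map / policy-map lines from the post for every domain."""
    lines, names = [], []
    for i, domain in enumerate(domains, start=1):
        name = f"Domain{i}"            # assumed naming scheme (Domain1, Domain2, ...)
        names.append(name)
        lines.append(f'regex {name} "{asa_regex(domain)}"')
    lines.append("class-map type regex match-any CM_DomainsToBlock")
    lines += [f" match regex {name}" for name in names]
    lines += [
        "class-map type inspect http match-all CM_HTTP",
        " match request header host regex class CM_DomainsToBlock",
        "policy-map type inspect http PM_HTTP",
        " class CM_HTTP",
        "  reset log",
        "policy-map global_policy",
        " class inspection_default",
        "  inspect http PM_HTTP",
    ]
    return "\n".join(lines)


def host_blocked(host: str, domains, escape: bool = True) -> bool:
    """Approximate the ASA's unanchored regex match against the HTTP Host header.
    Assumption: Python's re.search has the same semantics for these simple patterns.
    With escape=False the unescaped pattern is used, to show the over-match."""
    patterns = [asa_regex(d) if escape else d for d in domains]
    return any(re.search(p, host) for p in patterns)


if __name__ == "__main__":
    print(build_config(BLOCKED_DOMAINS))
    for h in ["www.facebook.com", "facebookXcom", "www.example.com"]:
        print(h, "blocked" if host_blocked(h, BLOCKED_DOMAINS) else "allowed")
```

Because the match is unanchored, www.facebook.com and any other subdomain are blocked along with the bare domain, which is usually what is wanted here.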
Hi, I'm following this tutorial step by step, but I'm stuck in the last part, where you say that I have to configure the global policy on the firewall and apply it with service-policy global_policy global. Please help me.
Can you be more specific? What are you stuck on?
Hi, what is the global policy?
I am assuming he means the code at the bottom of the show run. As you see below:
policy-map global_policy <————————
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect tftp
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect ip-options
  inspect icmp
 class class_sip_tcp
  inspect sip
In answer to your question Nizar:
By default, the configuration includes a policy that matches all default application inspection traffic and applies certain inspections to the traffic on all interfaces (a global policy). Not all inspections are enabled by default. You can apply only one global policy. If you want to alter the global policy, you must either edit the default policy or disable it and apply a new one. (An interface policy overrides the global policy.)
Source: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008085283d.shtml#topic1
Basically, by inspecting the traffic, you allow it through the firewall. Ex: if you inspect icmp, you then allow ping traffic to and through the firewall.
I hope this explanation helps 🙂
Exactly, thanks Vicky! Sorry guys, I was uber busy with work lately.