ASA 5505 Block Websites – Base License

      7 Comments on ASA 5505 Block Websites – Base License

The need to block users from browsing to particular websites is becoming more and more prevalent.  Revenue is down, bandwidth is expensive, and no one wants to pay employees for browsing their Facebook profile.  Cisco developed the Content management platform (CSC module) that allows you to do just that.  However it’s an additional license and not available on the 5505 model.  That being said there is a way to accomplish this from the firewall.  We can use the MPF (Modular Policy Framework) coupled with regex (regular expression) commends to block particular websites.  Follow along with code below.

Notes
-Insert your relevant information between <>
-Console prompts are show in green
-Text in blue are variable names I made up, feel free to change them

Define the Regex for the domain you wish to block
ASA(config)# regex Domain1 “<the domain you wish to block (Example facebook.com)>”

Create a class map statement that matches your regex
ASA(config)# class-map type regex match-any CM_DomainsToBlock
ASA(config-cmap)# match regex Domain1

Create a broader policy map to include HTTP traffic and specify the previous class map
ASA(config)# class-map type inspect http match-all CM_HTTP
ASA(config-cmap)# match request header host regex class CM_DomainsToBlock

Create a policy and apply the classes to it
ASA(config)# policy-map type inspect http PM_HTTP
ASA(config-pmap)# class CM_HTTP
ASA(config-pmap-c)# reset log

Add your new policy the firewalls global policy
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect http PM_HTTP

That’s it!  A few things to keep in mind.  This obviously won’t work if you haven’t already configured the global_policy on the firewall.  If for some reason you haven’t, simply apply it with ‘service-policy global_policy global’.  Additionally, if you want to add more domains to your block list simply define them with a regex command and then add a match statement to you initial class map.

7 thoughts on “ASA 5505 Block Websites – Base License

  1. Nizar

    Hi, im following this tutorial step by step, but im stuck in the last part, where you say that i have to configure the global policy on the firewall and apply it with service-policy global_policy global, please help me,

    my email is [email protected]

    Reply
  2. Nizar

    Hi, im following this tutorial step by step, but im stuck in the last part, where you say that i have to configure the global policy on the firewall and apply it with service-policy global_policy global, please help me,

    Reply
  3. Vicky Ems

    I am assuming he means the code at the bottom of the show run. As you see below:

    policy-map global_policy <————————
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect sqlnet
    inspect tftp
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect ip-options
    inspect icmp
    class class_sip_tcp
    inspect sip

    Reply
  4. Vicky Ems

    In answer to your question Nizar:

    By default, the configuration includes a policy that matches all default application inspection traffic and applies certain inspections to the traffic on all interfaces (a global policy). Not all inspections are enabled by default. You can apply only one global policy. If you want to alter the global policy, you must either edit the default policy or disable it and apply a new one. (An interface policy overrides the global policy.)

    Source: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008085283d.shtml#topic1

    Basically by inspecting the traffic,you allow it through the firewall. Ex: If you inspect icmp you are then allow ping traffic to and through the firewall.

    I hope this explanation helps 🙂

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *