Saturday, June 25, 2011

Blocking all web browsing, except certain websites on the Cisco ASA

On June 16th, I wrote a post about blocking certain websites with your ASA for companies that want to allow web traffic but block sites like Facebook or YouTube. Now I have come across a request to block all HTTP and HTTPS traffic, with the exception of a couple of websites that are related to the company but do not reside on their own internal web server. So, with that said, let's look at how to do that. I'm going to use Facebook and YouTube again in my example here. So, let's get started.

Define your regular expressions. Name the websites you want to allow (Facebook and YouTube here):
regex allowex1 "facebook\.com"
regex allowex2 "youtube\.com"

Next, define an access-list that specifies which traffic should fall under this inspection. In this case it is everyone in the company, but you can limit it to certain hosts if you want. To exclude a host, use a deny statement, and keep in mind the order of your ACL entries.
access-list user-acl permit tcp any any eq www
access-list user-acl permit tcp any any eq https

Create your class-map for inspection:
class-map type inspect http match-all allow-url-class
match not request header host regex allowex1
match not request header host regex allowex2
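As an added illustration (not from the original post), this Python model of the match-all / match not logic shows which Host headers the two regexes let through, and that the unanchored patterns as written also pass look-alike names. The anchored variants and the Host-header normalisation are assumptions, and the model only covers plain HTTP, where the inspection engine can read the Host header.

```python
import re

# Allow-list regexes exactly as written in the ASA config above (unanchored).
ALLOW_AS_WRITTEN = [r"facebook\.com", r"youtube\.com"]
# Anchored alternative (assumption: ASA regex accepts ^, $, | and parentheses).
ALLOW_ANCHORED = [r"(^|\.)facebook\.com$", r"(^|\.)youtube\.com$"]


def host_from_header(host_header: str) -> str:
    """Reduce a Host header value to the host name: trim, lower-case, drop :port.
    (Simplifying assumption for this model; IPv6 literals are left untouched.)"""
    host = host_header.strip().lower()
    if host.startswith("["):
        return host
    return host.split(":", 1)[0]


def class_matches(host_header: str, allow_regexes) -> bool:
    """Model 'class-map type inspect http match-all' built from 'match not' lines.

    match-all requires every match line to be true, and a 'match not ... regex'
    line is true only when its regex does NOT match the Host header. So the
    class matches (and the policy-map action fires) only when no allow-list
    regex matches, i.e. for every site other than the allowed ones."""
    host = host_from_header(host_header)
    return all(re.search(rx, host) is None for rx in allow_regexes)


def allowed(host_header: str, allow_regexes=ALLOW_AS_WRITTEN) -> bool:
    """True if the request is passed through (the class did not match)."""
    return not class_matches(host_header, allow_regexes)


def audit(hosts, allow_regexes):
    """Return the subset of hosts the allow-list lets through, for review."""
    return [h for h in hosts if allowed(h, allow_regexes)]


if __name__ == "__main__":
    # Constructed sample Host headers, including look-alike names a defender
    # would want to confirm are still blocked.
    sample = ["www.facebook.com", "youtube.com:80", "example.com",
              "facebook.com.example.net", "notfacebook.com"]
    print("as written:", audit(sample, ALLOW_AS_WRITTEN))
    print("anchored:  ", audit(sample, ALLOW_ANCHORED))
```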

Create your second class-map and reference the access-list you created above:
class-map allow-user-class
match access-list user-acl

Create the policy-map that says what to do with the traffic. The class needs an action such as drop-connection (optionally with log); without one, matching requests are inspected but not blocked:
policy-map type inspect http allow-url-policy
class allow-url-class
  drop-connection log

Policy-map with inspection:
policy-map allow-user-url-policy
class allow-user-class
  inspect http allow-url-policy

Apply the policy-map to an interface (inside in this case):
service-policy allow-user-url-policy interface inside

That's all you have to do. You should now be able to browse only Facebook and YouTube, and all other HTTP and HTTPS traffic will be denied.