Thursday, June 16, 2011

How To Block Websites With Your Cisco ASA

I was asked to block certain websites from being accessed by internal users.  Sites like facebook, youtube, etc.  I used to think that I was going to need the public IP addresses so that I could block by destination address via ACL.  However, I came across an article that talked about blocking websites by using regular expressions with the modular policy framework.  Cisco defines MPF as the following:
MPF provides a consistent and flexible way to configure security appliance features. For example, you can use MPF to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP applications.
MPF supports these features:
    TCP normalization, TCP and UDP connection limits and timeouts, and TCP sequence number randomization
    Application inspection
    QoS input policing
    QoS output policing
    QoS priority queue

The configuration of the MPF consists of four tasks:
    Identify the Layer 3 and 4 traffic to which you want to apply actions.
    (Application inspection only) Define special actions for application inspection traffic.
    Apply actions to the Layer 3 and 4 traffic.
    Activate the actions on an interface.

Remember, we just want to block facebook and youtube.  You can get very granular in what you want to block, but for this example, we will just do the two websites.  Topology will look like this:

Here is how we configure:
Define the Regex for the domain you wish to block:
regex blockex1 "facebook\.com"
regex blockex2 "youtube\.com"

Create a class map statement that matches your regex
class-map type inspect http match-any block-url-class
match request header host regex blockex1
match request header host regex blockex2

Create a broader policy map to include HTTP traffic and specify the previous class map
policy-map type inspect http block-url-policy
class block-url-class
  drop-connection log

Apply inspect to your default policy:
policy-map global_policy
class inspection_default
  inspect http block-url-policy

Apply your policy:
service-policy global_policy global
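To see what the class-map above actually matches, here is an added Python emulation (my own code, not from the post or from Cisco) that applies the post's two regexes to the Host header of constructed HTTP requests and reports the drop/allow decision. It assumes match-any semantics and an unanchored regex search, which is why the last sample host shows that "facebook\.com" also matches any host that merely contains that string.

```python
"""Emulate the 'match request header host regex' check from the post.

Added example, not from the original post or from Cisco. It applies the
post's two regexes to constructed HTTP requests the way the match-any
http inspection class-map would, so you can see which Host values drop.
"""
import re
from typing import Optional, Tuple

# The two regex objects from the post. ASA regexes are unanchored, so
# Python's re.search (not re.match/fullmatch) is the right analogue.
BLOCK_REGEXES = {
    "blockex1": re.compile(r"facebook\.com"),
    "blockex2": re.compile(r"youtube\.com"),
}


def parse_host(raw_request: bytes) -> Optional[str]:
    """Return the Host header value of a plaintext HTTP request, or None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def classify(raw_request: bytes) -> Tuple[str, Optional[str]]:
    """Mimic 'class-map type inspect http match-any block-url-class'.

    Returns ("drop-connection", regex_name) for the first regex that
    matches (match-any), otherwise ("allow", None). A request with no
    Host header cannot match a host regex and is allowed through.
    """
    host = parse_host(raw_request)
    if host is None:
        return "allow", None
    for name, rx in BLOCK_REGEXES.items():
        if rx.search(host):
            return "drop-connection", name
    return "allow", None


def build_request(host: str) -> bytes:
    """Constructed sample request (not captured traffic)."""
    return f"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


if __name__ == "__main__":
    for h in ["www.facebook.com", "m.youtube.com", "example.org",
              "facebook.com.example.net"]:  # last: unanchored over-match
        action, rx = classify(build_request(h))
        print(f"{h:26} -> {action}" + (f" (log: {rx})" if rx else ""))
```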
Now, if you go to or, you will not get anything in the browser.  It basically just looks like nothing ever resolved in DNS.  However, one little odd thing does happen that I've noticed.  If the user has the website up in their browser, and then you apply this config, they will still be able to get to it until they close their browser out.  I'm not sure at the moment why that happens, but I do know for sure if they close the browser out and reopen, then they won't be able to get to the websites you listed.  Very strange behavior, but something you can easily overcome with a reboot of all systems if needed.