Block Access to Facebook on Cisco ASA with MPF

KB ID 0000054

Problem

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the best solution.

NOTE: This can be used for any web site simply add each URL you want to block.

Solution

1. Log into your firewal,l and enter enable mode, then enter configure terminal mode.

[box]

User Access Verification

password: *******
Type help or '?' for a list of available commands. 
PetesASA> enable
Password: ******** 
PetesASA# conf t 
PetesASA(config)#

[/box]

2. The first thing we are going to do is write a “Regular Expression” that matches Facebook, (Repeat the line adding domainlist2, 3 etc for each additional domain you require to block.)

[box]

PetesASA(config)#
PetesASA(config)# regex domainlist1 "facebook.com"
PetesASA(config)#

[/box]

3. Now we are going to create a “Class-map” which will include our regular expression. (Note: for additional you would simply add multiple match commands.)

[box]

PetesASA(config)#
PetesASA(config)# class-map type regex match-any DomainBlockList
PetesASA(config-cmap)# match regex domainlist1
PetesASA(config-camp)#

[/box]

4. We are now going to create a second class map, this one is for http inspection, and uses the first class map we created, it basically says, this class map is for http inspection and will inspect for what we declared in the first class map (i.e. Inspect http traffic for any instance of facebook.com).

< p>[box]

PetesASA(config)#
PetesASA(config)# class-map type inspect http match-all BlockDomainsClass
PetesASA(config-cmap)# match request header host regex class DomainBlockList
PetesASA(config-camp)#

[/box]

5. Now to apply these class-maps we need to use a policy, the rule for policies is, you can have tons of policies but you can only apply one global policy, AND you can also have a policy for each interface, So here Ill create a policy for http inspection and use the classes we created above….

[box]

PetesASA(config)#
PetesASA(config)# policy-map type inspect http http_inspection_policy
PetesASA(config-pmap)# class BlockDomainsClass
PetesASA(config-pmap-c)# reset log
PetesASA(config-pmap-c)#

[/box]

6. Then to knit everything together, I’m going to embed this policy in my firewalls global policy.

[box]

PetesASA(config)#
PetesASA(config)# policy-map global_policy
PetesASA(config-pmap)# class inspection_default
PetesASA(config-pmap-c)# inspect http http_inspection_policy
PetesASA(config-pmap-c)#

[/box]

7. Note: Above I’ve assumed you have the default global policy, If you haven’t, this will not apply until you have applied the global_policy globally, this is done with a service-policy command, check to see if you already have this command in your config, or simply execute the command and the firewall and will tell you, like so….

Note: If it does not error then it was NOT applied 🙂

[box]

PetesASA(config)#
PetesASA(config)# service-policy global_policy global
WARNING: Policy map global_policy is already configured as a service policy
PetesASA(config)#

[/box]

8. Don’t forget the save the config with a “write mem” command.

If you want to have this on a policy of its own, applied to an interface rather than on the Global Policy here is some working code to copy and paste (Credit to Aniket Rodrigues).

[box]

regex BLOCKED_DOMAIN_1 "www.facbook.com"
access-list TRAFFIC_TO_INSPECT_FOR_BLOCKED_DOMAINS extended permit tcp any any eq http
class-map type regex match-any CLASS_MAP_BLOCKED_DOMAIN_LIST
match regex BLOCKED_DOMAIN_1
class-map type inspect http match-all CLASS_MAP_DEFINE_TRAFFIC_TO_INSPECT
match request header host regex class CLASS_MAP_BLOCKED_DOMAIN_LIST
class-map CLASS_MAP_HTTP_TRAFFIC
match access-list TRAFFIC_TO_INSPECT_FOR_BLOCKED_DOMAINS
policy-map type inspect http POLICY_MAP_HTTP_INSPECTION
parameters
class CLASS_MAP_DEFINE_TRAFFIC_TO_INSPECT
drop-connection log
policy-map POLICY_MAP_OUTSIDE_INTERFACE
class CLASS_MAP_HTTP_TRAFFIC
inspect http POLICY_MAP_HTTP_INSPECTION
service-policy POLICY_MAP_OUTSIDE_INTERFACE interface outside

[/box]

Related Articles, References, Credits, or External Links

NA