I figured this was the case. Not sure why Cisco can't just enable simple URL blacklisting like a lot of other vendors. Looks like I'll just do a route-map on the edge internet router and set the next-hop IP for HTTP(S) traffic to a squid box.
Thanks Tyson

On Sat, Feb 19, 2011 at 1:23 PM, Tyson Scott <[email protected]> wrote:
> You can but it is not supportable. It is not dynamic. You have to do a DNS
> query on each host and block those IPs.
>
> tyson@atr-lnx:~> nslookup www.google.com
> Server:         10.200.12.25
> Address:        10.200.12.25#53
>
> Non-authoritative answer:
> www.google.com  canonical name = www.l.google.com.
> Name:   www.l.google.com
> Address: 209.85.225.106
> Name:   www.l.google.com
> Address: 209.85.225.99
> Name:   www.l.google.com
> Address: 209.85.225.147
> Name:   www.l.google.com
> Address: 209.85.225.104
> Name:   www.l.google.com
> Address: 209.85.225.103
> Name:   www.l.google.com
> Address: 209.85.225.105
>
> tyson@atr-lnx:~>
>
> ciscoasa(config)# sh run url-server
> url-server (inside) vendor websense host 1.1.1.1 timeout 30 protocol TCP version 1 connections 5
> ciscoasa(config)# sh run filter
> filter url 80-443 0.0.0.0 0.0.0.0 208.85.225.0 255.255.255.0
> ciscoasa(config)#
>
> Having an invalid url-server will cause it to always be done that will
> always block it. Really in this regard a squid server is even a better
> choice.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Max Pierson
> Sent: Saturday, February 19, 2011 12:52 PM
> To: CCIE_RS OnlineStudyList
> Subject: [OSL | CCIE_RS] URL Filtering via ASA
>
> Hi Security Experts,
>
> I'm looking into doing some URL filtering (possibly content filtering). I
> see that the ASA only has options for Websense (which is out of the
> question) and Smartfilter. I believe this is the same Smartfilter I've used
> way back when (8 or so years ago) that used to be somewhat cheap for the
> content subscription feeds and ran via squid (so all you had to pay for was
> the feeds). Since Smartfilter was acquired by McAfee some time back, is
> there any option on the ASA to at a minimum filter out domains/URLs without
> having to use either of those costly solutions? Tight budget for this
> project :(
>
> Simple filter for .....
> *.adobe.com
> *.google-analytics.com
> *.whatever.com
>
> I can do this via an external squid box and some next-hop foo or just use
> OpenDNS, but I would like to use the ASA as the http(s) redirect point. Any
> ideas?
>
> TIA,
> M
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
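The route-map approach Max settles on (policy-based routing on the edge router, HTTP/HTTPS next-hop set to a squid box) is not spelled out anywhere in the thread, so here is an added example of what that config looks like on IOS. It is not from the thread or from IPexpert; every address, interface name, ACL name and tracking object number is an assumption chosen for illustration (inside LAN 10.200.0.0/16 behind GigabitEthernet0/0, squid at 10.200.12.50 on that same segment).

```cisco
! Added example, not from the thread. All addresses, names and object
! numbers are placeholders: inside LAN 10.200.0.0/16 on Gi0/0, squid box at
! 10.200.12.50 on the same segment, squid listening in intercept mode.
!
! Track the proxy so PBR falls back to normal routing if squid is down
! (fail-open). If the policy is "no proxy, no web", drop the track and use a
! plain "set ip next-hop 10.200.12.50" instead.
ip sla 10
 icmp-echo 10.200.12.50 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
!
! Match outbound HTTP/HTTPS from the LAN. The deny entries exclude the proxy
! itself: without them squid's own upstream fetches would be policy-routed
! straight back to it and loop.
ip access-list extended WEB-TO-PROXY
 deny   tcp host 10.200.12.50 any eq 80
 deny   tcp host 10.200.12.50 any eq 443
 permit tcp 10.200.0.0 0.0.255.255 any eq 80
 permit tcp 10.200.0.0 0.0.255.255 any eq 443
!
route-map REDIRECT-WEB permit 10
 match ip address WEB-TO-PROXY
 set ip next-hop verify-availability 10.200.12.50 1 track 10
!
! PBR is evaluated on traffic *arriving* on an interface, so it goes on the
! LAN-facing side, not the internet uplink.
interface GigabitEthernet0/0
 ip policy route-map REDIRECT-WEB
```

Two caveats a practitioner will hit with this. First, PBR only changes the next hop; the packets reach the squid box still addressed to the real web server, so the box itself has to redirect them into the proxy port (on Linux an iptables `REDIRECT` rule in the nat PREROUTING chain to squid's `http_port ... intercept`), and the router must actually be the clients' default gateway or the traffic never passes through the policy. Second, port 443 gives squid no URL to filter on: without TLS interception it sees only the destination IP (and, on squid 3.5 and later with SSL-Bump peek, the SNI), so a `*.google-analytics.com` style block on HTTPS is in practice an IP or SNI match, which is the same "resolve and block the addresses" problem Tyson describes for the ASA's `filter url`. The reason this lands on the router rather than the ASA is that the ASA had no policy-based routing at the time; it was added in ASA 9.4.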
