Url Filtering Asa 5506

Posted By admin On 30.09.19

In this article I will show you how to deny access to specific websites (domain names) with a normal Cisco ASA firewall. This works on either the older 5500 models or the newer 5500-X series devices. The only prerequisite is that the firewall runs software version 8.4(2) or later.


Also, you don't need to have any next-generation firewall features or special licenses installed. Although the ASA can provide a simple solution for restricting web access to specific websites, you should know that it is NOT a replacement for a full-featured URL filtering solution.

There are a few methods to block access to websites. These methods include regular expressions (regex) together with the Modular Policy Framework (MPF), finding the IP address of the website and blocking it with an ACL, and using an FQDN in an ACL.

The first method (regex with MPF) works well with plain HTTP websites, because the ASA can inspect the Host header and URL in the request, but it will not work at all if the website uses HTTPS, since those fields are encrypted inside TLS and the inspection engine cannot match against them.

The second method (blocking the IP with an ACL) will work only for simple websites which have a static IP address, but it is impractical for large dynamic websites (such as Facebook, Twitter etc.) which are served from many different IP addresses that change all the time.

The third method (using an FQDN in an ACL) is the one we will describe here. From ASA version 8.4(2) and later, Access Control Lists (ACLs) can contain a network object which represents a Fully Qualified Domain Name (FQDN). So, inside an ACL you can allow or deny access to hosts using their FQDN instead of their IP address. You can therefore deny access to the website www.facebook.com by denying access to the FQDN object "www.facebook.com" inside the ACL. The ASA will need to resolve all IP addresses returned for the FQDN and will dynamically insert a "deny ip" entry for each resolved address into the ACL.

Therefore you must specify which DNS server the ASA can use to resolve IP addresses for the FQDNs, and enable DNS lookups on the interface through which that server is reached. This method does not slow down the firewall's packet processing, because the ASA does the DNS lookup beforehand and keeps the resolved IP addresses of the website in memory; the ACL is then matched on IP addresses as usual. Depending on the TTL of the DNS answer, the firewall will keep re-querying the domain name (every few hours, for example) and update the resolved IPs in memory.

One caveat to keep in mind: the ACL only contains the addresses that the ASA itself resolved. If your clients use a different DNS server than the firewall and a site with many addresses (a CDN, or DNS that answers differently per source) hands them an address the ASA never saw, that traffic will not match the deny entry. Pointing the clients at the same DNS server the ASA uses keeps the two views of the domain consistent.

In our example network below, we want to restrict access to www.website.com, which resolves to IP address 2.2.2.2.
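The configuration for the scenario above, written out as an added example (this is not the original article's configuration). It assumes the client LAN sits behind an interface named "inside", that the ASA can reach a DNS server at 10.1.1.10 through that interface, and that the object and ACL names are arbitrary choices; www.website.com and 2.2.2.2 are the values used in the text.

```text
! --- DNS resolution for FQDN objects (assumed server 10.1.1.10 reachable via inside) ---
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.1.1.10
!
! Optional: how often the ASA re-resolves FQDN objects that have no traffic.
! Default poll interval is 240 minutes; 60 minutes keeps the entries fresher.
dns poll-timer minutes 60
!
! --- FQDN network object for the site we want to block (name is an assumption) ---
object network BLOCK-WWW-WEBSITE-COM
 fqdn www.website.com
!
! --- Inbound ACL on the inside interface ---
! The FQDN object expands to one "deny ip" entry per resolved address.
! Use "deny tcp ... eq 80"/"eq 443" instead of "deny ip" if you only want to block web traffic.
access-list INSIDE-IN extended deny ip any object BLOCK-WWW-WEBSITE-COM
access-list INSIDE-IN extended permit ip any any
access-group INSIDE-IN in interface inside
!
! --- Verification (exec mode) ---
! Expect a resolved host entry for www.website.com (2.2.2.2 in this example):
show dns
! Expect the ACL to show the dynamically expanded line, e.g.
!   access-list INSIDE-IN line 1 extended deny ip any host 2.2.2.2 (www.website.com)
show access-list INSIDE-IN
```

If "show dns" shows no entry for the domain, check that the DNS server is reachable from the interface named in "dns domain-lookup" and that no outbound ACL on that interface drops UDP/53 from the ASA. If the resolved address list differs from what your clients get, revisit the DNS caveat above.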
