Block Facebook & Google Talk on ASA

Block Access to Facebook on Cisco ASA with MPF

Problem

If you have an ASA5510 then this sort of thing would be better handled with a CSCModule, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the best solution NOTE: This can be used for any web site simply add each URL you want to block.

Solution

1. Log into your firewal,l and enter enable mode, then enter configure terminal mode. User Access Verification Password: Type help or '?' for a list of available commands. PetesASA> en Password: ******** PetesASA# conf t PetesASA(config)# 2. The first thing we are going to do is write a "Regular Expression" that matches Facebook, (Repeat the line adding domainlist2, 3 etc for each additional domain you require to block.) PetesASA(config)# PetesASA(config)# regex domainlist1 "facebook.com" PetesASA(config)# 3. Now we are going to create a "Class-map" which will include our regular expression. (Note: for additional you would simply add multiple match commands.) PetesASA(config)# PetesASA(config)# class-map type regex match-any DomainBlockList PetesASA(config-cmap)# match regex domainlist1 PetesASA(config-cmap)# 4. We are now going to create a second class map, this one is for http inspection, and uses the first class map we created, it basically says, this class map is for http inspection and will inspect for what we declared in the first class map (i.e. Inspect http traffic for any instance of facebook.com). PetesASA(config)# PetesASA(config)# class-map type inspect http match-all BlockDomainsClass PetesASA(config-cmap)# match request header host regex class DomainBlockList PetesASA(config-cmap)# 5. Now to apply these class-maps we need to use a policy, the rule for policies is, you can have tons of policies but you can only apply one global policy, AND you can also have a policy for each interface, So here Ill create a policy for http inspection and use the classes we created above.... PetesASA(config)# PetesASA(config)# policy-map type inspect http http_inspection_policy PetesASA(config-pmap)# class BlockDomainsClass PetesASA(config-pmap-c)# reset log PetesASA(config-pmap-c)# 6. Then to knit everything together, I'm going to embed this policy in my firewalls global policy. PetesASA(config)# PetesASA(config)# policy-map global_policy PetesASA(config-pmap)# class inspection_default PetesASA(config-pmap-c)# inspect http http_inspection_policy PetesASA(config-pmap-c)# 7. Note: Above I've assumed you have the default global policy, If you haven't, this will not apply until you have applied the global_policy globally, this is done with a service-policy command, check to see if you already have this command in your config, or simply execute the command and the firewall and will tell you, like so.... Note: If it does not error then it was NOT applied :) PetesASA(config)# PetesASA(config)# service-policy global_policy global WARNING: Policy map global_policy is already configured as a service policy PetesASA(config)# 8. Don't forget the save the config with a "write mem" command. If you want to have this on a policy of its own, applied to an interface rather than on the Global Policy here is some working code to copy and paste (Credit to Aniket Rodrigues). regex BLOCKED_DOMAIN_1 "www.facbook.com" access-list TRAFFIC_TO_INSPECT_FOR_BLOCKED_DOMAINS extended permit tcp any any eq http class-map type regex match-any CLASS_MAP_BLOCKED_DOMAIN_LIST   match regex BLOCKED_DOMAIN_1 class-map type inspect http match-all CLASS_MAP_DEFINE_TRAFFIC_TO_INSPECT   match request header host regex class CLASS_MAP_BLOCKED_DOMAIN_LIST class-map CLASS_MAP_HTTP_TRAFFIC   match access-list TRAFFIC_TO_INSPECT_FOR_BLOCKED_DOMAINS policy-map type inspect http POLICY_MAP_HTTP_INSPECTION   parameters   class CLASS_MAP_DEFINE_TRAFFIC_TO_INSPECT   drop-connection log policy-map POLICY_MAP_OUTSIDE_INTERFACE class CLASS_MAP_HTTP_TRAFFIC   inspect http POLICY_MAP_HTTP_INSPECTION service-policy POLICY_MAP_OUTSIDE_INTERFACE interface outside

Blocking Google Talk (Cisco ASA)

Problem

You want to block access to Google Talk, but not disrupt other services like Google Search and Gmail.

Solution

Yes, you could write a REGEX and block it with an MPF, like I did here, to block Facebook. But Google Talk only runs on 4 servers and uses 4 ports.

1. Connect to the Cisco ASA, and go to configure terminal mode.

PetesASA> PetesASA> en Password: ******** PetesASA# configure terminal PetesASA(config)#

2. Lets keep things neat and name our four Goolge Talkservers.

PetesASA(config)# name 216.239.37.125 Google-Talk-Server-1 PetesASA(config)# name 72.14.253.125 Google-Talk-Server-2 PetesASA(config)# name 72.14.217.189 Google-Talk-Server-3 PetesASA(config)# name 209.85.137.125 Google-Talk-Server-4

3. Then lets create a group for those servers.

PetesASA(config)# object-group network Google-Talk-Servers PetesASA(config-network-object-group)# network-object host 216.239.37.125 PetesASA(config-network-object-group)# network-object host 72.14.253.125 PetesASA(config-network-object-group)# network-object host 72.14.217.189 PetesASA(config-network-object-group)# network-object host 209.85.137.125

4. And then a group for the ports we want to block.

PetesASA(config-network-object-group)# object-group service Google-Talk-Ports tcp PetesASA(config-service-object-group)# port-object eq 5222 PetesASA(config-service-object-group)# port-object eq 5223 PetesASA(config-service-object-group)# port-object eq https PetesASA(config-service-object-group)# port-object eq www

5. To tie it all together we can simply add one ACL.

PetesASA(config-service-object-group)# access-list outbound line 1 deny tcp any object-group Google-Talk-Servers object-group Google-Talk-Ports

Note: This assumes you have an ACL called "outbound" thats applied to your outbound traffic, yours may have a different name, to find out issue a "show run access-group" command like so, your outbound ACL will be allied "in interface inside". If yours is called something different then change the command above accordingly. If you don't have one at all skip to step 6.

PetesASA(config)# show run access-group access-group outbound in interface inside access-group inbound in interface outside PetesASA(config)#

6. Only carry this step out if you DO NOT have an ACL applied to outbound traffic. andAFTER you have carried out step 5.

PetesASA(config)# access-group outbound in interface inside PetesASA(config)# access-list outbound permit ip any any