Cisco ASA Block

This example applies to Cisco ASA software 8.x through 9.x; the same Modular Policy Framework (MPF) commands exist on PIX 8.x.


1. Add an access list that defines the protocol and port the domain block applies to (plaintext HTTP on TCP/80 in this example).

NOTE: The access list in this example matches any source and any destination. You can narrow the source and/or destination to a host, a subnet or an object.

asa(config)# access-list BLOCK_ACL extended permit tcp any any eq www

IMPORTANT: The ASA on its own cannot block HTTPS by domain. The Host header and URL are inside the TLS-encrypted stream, so the HTTP inspection engine cannot read them. If you extend the access list to port 443 and send that traffic through inspect http, the inspector sees a TLS handshake rather than HTTP, treats the connection as a protocol violation (see the protocol-violation parameter in step 6) and drops it. The result is that all HTTPS traffic is blocked, not just the domains you listed. Blocking HTTPS destinations needs an IP-based ACL or a TLS-aware proxy, not this regex method.

2. Add a regex for each domain you want to block. The regex is matched anywhere in the Host header value, so \.google\.com matches www.google.com and mail.google.com but not the bare name google.com; add a second regex or use the ^ and $ anchors if you need a tighter match.

asa(config)# regex Google "\.google\.com"

3. Add a class-map of type regex that groups all your domain regexes. match-any means a request matches the class when any one of the regexes matches.

asa(config)# class-map type regex match-any BLOCK_REGEX_MAP
asa(config-cmap)# match regex Google

4. Add a class-map of type inspect http that matches the Host request header against the regex class-map you created in step 3.

asa(config)# class-map type inspect http match-all BLOCK_REGEX_HTTP
asa(config-cmap)# match request header host regex class BLOCK_REGEX_MAP

5. Add a Layer 3/4 class-map that selects the traffic matched by your access list.

asa(config)# class-map BLOCK_ACL_MAP
asa(config-cmap)# match access-list BLOCK_ACL

6. Add an HTTP inspection policy-map that defines the action taken when the class-maps match. The protocol-violation parameter additionally drops connections on the inspected port that are not valid HTTP.

asa(config)# policy-map type inspect http BLOCK_ACTION
asa(config-pmap)# parameters
asa(config-pmap-p)# protocol-violation action drop-connection
asa(config-pmap-p)# exit
asa(config-pmap)# class BLOCK_REGEX_HTTP
asa(config-pmap-c)# drop-connection log
asa(config-pmap-c)# exit
asa(config-pmap)# exit

7. Create the policy-map that will be applied to the interface. It ties the Layer 3/4 class from step 5 (the ACL traffic) to the HTTP inspection policy from step 6.

asa(config)# policy-map BLOCK_POLICY
asa(config-pmap)# class BLOCK_ACL_MAP
asa(config-pmap-c)# inspect http BLOCK_ACTION

8. Apply the policy-map to the desired interface. Replace internal below with the nameif of the interface facing your clients.

NOTE: An interface can have only one service policy applied at a time (the ASA also allows one global policy). For that reason it is good practice to keep a dedicated policy-map per interface; when you later need more classes or actions on that interface, add them to that interface's policy-map rather than trying to attach a second one.

asa(config)# service-policy BLOCK_POLICY interface internal

If the configuration is working, the browser will fail to load any page on the blocked domain because the ASA drops the connection as soon as it sees the matching Host header. The same MPF pattern can also be used to block file extensions (matching the request URI), applications and ports.
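The eight steps above, consolidated into one copy-and-paste configuration. This is an added example and not part of the original page; it keeps the BLOCK_* names from the steps, assumes the client-facing interface has the nameif internal, and narrows the source to a constructed 10.0.0.0/24 subnet and adds a second regex (for example.com) to show how several domains are grouped.

```cisco
! Added example (not from the original page). Assumed: nameif "internal",
! client subnet 10.0.0.0/24, a second blocked domain "example.com".

! 1. Only plaintext HTTP on TCP/80 goes to the HTTP inspector, so HTTPS
!    (which the inspector cannot parse) is never matched and never dropped.
access-list BLOCK_ACL extended permit tcp 10.0.0.0 255.255.255.0 any eq www

! 2. One regex per domain. The $ anchor keeps "www.google.com.attacker.test"
!    from matching; (^|\.) lets the bare apex "example.com" match as well.
regex Google "\.google\.com$"
regex Example "(^|\.)example\.com$"

! 3. Group the regexes; match-any = any single regex is a hit.
class-map type regex match-any BLOCK_REGEX_MAP
 match regex Google
 match regex Example

! 4. HTTP inspection class: evaluate the Host request header only.
class-map type inspect http match-all BLOCK_REGEX_HTTP
 match request header host regex class BLOCK_REGEX_MAP

! 5. Layer 3/4 class selecting the traffic from the access list.
class-map BLOCK_ACL_MAP
 match access-list BLOCK_ACL

! 6. Inspection policy: drop and log requests for blocked hosts; drop
!    anything on the port that is not valid HTTP.
policy-map type inspect http BLOCK_ACTION
 parameters
  protocol-violation action drop-connection
 class BLOCK_REGEX_HTTP
  drop-connection log

! 7. Interface policy tying the ACL class to the inspection policy.
policy-map BLOCK_POLICY
 class BLOCK_ACL_MAP
  inspect http BLOCK_ACTION

! 8. Attach to the client-facing interface (one service policy per interface).
service-policy BLOCK_POLICY interface internal
```

To verify, check the regex from the ASA CLI with test regex www.google.com "\.google\.com$" (it reports whether the match succeeded), confirm the policy is attached and counting with show service-policy interface internal inspect http, and from a client behind the firewall send a request whose Host header names a blocked domain to any HTTP server, for example curl -v -H "Host: www.google.com" http://<web-server>/. Because the ASA matches on the Host header rather than the destination address, that connection should be dropped while the same request with a non-blocked Host header goes through.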

For further reference see Cisco's documentation: Block Certain Websites (URLs) Using Regular Expressions With MPF Configuration Example.
