Cisco Firewall :: ASA 5505 / Block Website With Regular Expressions Affecting All Internet?
Dec 27, 2011
We have an ASA 5505 and I want to block www.facebook.com for all users on the inside network. I followed the instructions laid out in Cisco support document ID 100513 using regular expressions with MPF but am running into some problems.
[URL]
Once the configuration has been changed based on these instruction www.facebook.com is blocked. However I can't access any other websites except my Google News home page comes up just fine for some reason.
I've recently switched to an ASA 5510 on 8.4(3) coming from a Checkpoint NGX platform (let's say fairly quickly and without much warning ). I have a couple questions and they're kind of similar so I'll post them up. I've read docs about regex and creating them both via command line and ASDM, but the examples always seem to include info I don't need or honestly something I don't understand yet (mainly related to defining classinspect maps). If someone could provide a simple example of how to do these in ASDM that would be useful in understanding how regular expressions are properly configured. So here we go.
I know this is basic but I need to make sure I understand this properly - I have a single web server (so this won't be a global policy) where I need to allow access to a specific URL pathfile and that's it. So we'll call it est estfile.doc. Any other access to any other path should be dropped. What's the best way to do this in ASDM (6.4)? I think if I saw a basic example for this I could figure out next few questions but I'll post them as well just in case.
I have another single public web server (again this won't be a global policy) where I'd like to specify blocking file types, like .php, .exe., etc... again a basic example would be great.
Lastly, and this is kind of related, but we have a single office/domain and sometimes we get spam from forged addresses appearing to be from our domain. On Checkpoint I used to use its built-in SMTP security server and could define if it received mail from *@mydomain.com to drop it because we would never receive mail externally from our own domain name. I saw something similar with ESMTP in ASDM and it looks kind of like how you set up the URL access mentioned above. Can I configure this in ASDM as well, and if so how?
I am trying to secure changes to switches using ACS 5.3 and allowing our technicians to only change the vlan for user ports on the switches. How can I use regular expressions to filter out the 1/1/# ports so that those ports cannot be accessed in config mode? If I allow the following, it allows access to all interfaces with 'gi' in them.
We have a PIX with 3 interfaces. Inside, Outside,DMZ.
On my DMZ we have some clients that come in and remotely connect back to there office via MSPPTP. I setup the ASA with this to get rid of the error message: regular translation creation failed for protocol 47 src
Now when the dmz client tries to connect back to there PPTP server I get the following error.
172.31.10.204 0 24.172.85.162 37624 Teardown dynamic GRE translation from dmz:172.31.10.204/0 to outside:24.172.85.162/37624 duration 0:01:30 172.31.10.204 1069 173.188.74.155 1723 Deny TCP (no connection) from 172.31.10.204/1069 to 173.188.74.155/1723 flags PSH ACK on interface dmz 172.31.10.204 173.188.74.155 63767 Teardown GRE connection 8393958 from dmz:172.31.10.204 to outside:173.188.74.155/63767 duration 0:01:08 bytes [ code]...
I have configure Cisco 5505 as layer 2 firewall mode. I have vendor machine connected to Cisco ASA 5505 on port 2 as VLAN2 inside then VLAN1 outside connected to my internal network on layer 2 cisco 2960 switch. This machine needs access only to LOGMEIN then block all internal/internet traffic.
vendor machine on vlan 2 inside >> Cisco ASA 5505 vlan1 outside >> layer2 switch >> internal LAN >> Cisco 5520 main FW >>> INTERNET
We have ASA 5520 with CSC-SSM 20 and we want to block https traffic but when we are blocking https traffic http traffic going to block but user are able to open website.
I have a website that is hosted by our company, but when the staff goes to the outside address of th website it gets denied by ACL thus page not found.
3Feb 20 201211:25:23192.168.3.5752928our Extrenal IP80TCP access denied by ACL from 192.168.3.57/52928 to inside: our External IP/80,OUr external ip is also the ip of the 5505.
We have a client that is running a PC on a internet over satellite. To avoid any unessecery traffic over the satellite link (data traffic is quite expensive), we've suggested to use a 5505, as we had one handy already.
So basically what we wanted was to block everything outgoing and everything ingoing, except for example port 22 (ssh).
But I'm struggling a bit, since this is my first cisco router to be configured.
My interfaces are as follows. Outside - DHCP Inside (port 1) - 192.168.1.1
I'm only running ipv4.
in ASDM I made a static NAT rule for port 22, being forwarded to 192.168.1.5 (the computer)
in Access rules I made under outside (incomming rules) source=any destination=outside service=ssh action=permit
But when I try to add further rules to block everything else, it takes the SSH on port 22 with it. How should I do this the easiest way?
I was asked to block pings from the internet to the outside interface of our ASA-5505 firewall. I found a post that said to enter "icmp deny any outside", however that does not do it.
I created an ACL to try and do the trick, also to no avail:
access-list outside_in extended permit icmp any any echo-reply access-list outside_in in interface outside access-group outside_in in interface outside
I have a ASA 5505 that I have been using for a while, but a new ISP is trying to configure my service so that the outside interface has to be configured as DHCP to receive a reserved IP address, and then they will route a separate, non-contiguous block of addresses to that address.
Essentially, they have a DHCP reservation for 1.2.3.4 for my ASA, and then they have 10.2.3.16/28 as a separate block routed to me.
Obviously, I can do my static NAT translations using outside as the address, but I cannot get the separate block of addresses to route through the ASA. Is there a way to do this and get them to work? My ASA is running 7.2(2)
Well, I tried using the cisco configuration for ASA 5505 for blocking P2P: url...but this configuration only is usefull with programs like Kazaa, so I try this configuration to block ARES but the problem is that ARES try to make downloads from different ports, ¿How do I block ARES if there are sereveral ports ?
I'm using an ASA5505 (8.4(1)) and would like to block port 80 on a specific host in the LAN so machines in other remote LANs connected via VPN can't access this port on the host. Devices in the local LAN should have access to this port on the host. Here are the commands I'm using:
-access-list block_port extended deny tcp any host 10.20.10.20 eq 80 -access-list block_port extended permit ip any any -access-group block_port out interface inside
These commands are not working as I would expect them to. When I browse to http://10.20.10.20 from a remote machine over the VPN tunnel I am able to access the host web server.
How do I configure Cisco ASA 5505 (using ASDM 5.2) to block a workstation (IP address) from accessing internet completely? I was trying to set up a new incoming access rule for outside interface to deny any IP traffic to that workstation but it doesn't work from some reason - the workstation can still access the internet. The ASA has no special settings, only a few ports opened for servers?
I have site-to-site VPN and IPsec VPN installed on ASA 5505. VPNs work OK except few stranges:I can't ping 192.168.17.104 from remote ip 192.168.17.138 - 305006 192.168.17.138 regular translation creation failed for icmp src OLD-Private:192.168.17.104 dst OLD-Private:192.168.17.138 (type 0, code 0) in the same time I able to ping 192.168.17.104 from my network 192.168.10.0 and can ping from ASA No firewall at 192.168.17.104?How to fix it?
I am using Chrome as my primary broswer, but recently I can't get access to a particular website, but while I use other browsers to access that site, it is perfectly fast and without any problems at all. I don't know if i have accidentally pressed any key or accepted any setting that has made google chrome to block access to that site.
I want to block 10.0.0.1 and 192.168.1.1 but my router says invalid domain so if will the guess network be able to go to page 10.0.0.1 and 192.168.1.1 even though I don't block it? I have a bypass account but don't want anyone else to access 10.0.0.1 and 192.168.1.1. Also can you tell me some proxy sites I can block?
I have a 2800 router and tried so many ways to block the unwanted sites on my office network.Like access list ip based, null0 routing and policy map. Faced issues with below config
1. Creating Access-list. very difficulty to block the sites with https those sites will be opend, and we cant block all the IPs
2. Creating null0 routing. it also a bit deficult the block maximum sites because we can't fiend all IPs for those sites
3. Policy map.. with policy map we can only 1site we can block, but not more than one..
I heard that port based routing or port based access-list are the best ways to stop the websites in my local network..for this one i need to map the site to unsued ports then i need to null rouging or need to create the access-list.
How to block a specific website with a specific time (office hours) for example "facebook" I want to block facebook within 8AM - 12Noon then 12-1 they can access the website, then 1-4 block again the website .
I used the following statement to create Dynamic PAT to public IP address:
object network INSIDE_10.6 nat (any,any) dynamic PAT object network INSIDE_192.168 nat (any,any) dynamic PAT
Is that correct? Also I'm using one public address to PAT both inside networks. Is there any dvantage of using 2 different ones, so each inside network would be PAT to its own address?
I am configuring a pix 525,i just found out how to activate the subinterface on it so that's good,the box has a primary unit and secondary unit, both are connected from G0 to redundant switches,if i do a show failover, it says it's using the serial based lan failover, which is fine by me,however, do i need to create a single, regular interface.. or a redundant interface?,i.e. if i create a regular subinterface, will failover still apply to this interface?,or for failover to work, do i need to create a redundant interface (with a redundant id)? i do not seem to have the option to create a subinterface when adding a redundant interface.
I am having an issue with a specific server that is not reachable from other sub nets. Every other device on the same sub net as the server is reachable via the other sub nets. This server is special because it's NAT'd to an external IP address and has several site-to-site VPN's set up. The firewall is a Cisco ASA 5510.
This is the error I see on the ASA syslog when I try to ping the server from another sub net: 3 Dec 05 2012 10:58:49 10.0.15.101 regular translation creation failed for icmp src inside:10.0.20.8 dst inside:10.0.15.101 (type 0, code 0)
The problem server is on sub net 10.0.20.0/24 and the server IP address is 10.0.20.8. Every device on the 10.0.20.0/24 sub net can hit the server, but devices on other sub nets cannot. For instance, a device on 10.0.15.0/24 cannot reach 10.0.20.8, but can reach other devices on 10.0.20.0/24.
Is it possible to block internet traffic on the PC using ASA5501 firewall which is used in transperent mode.The DHCP pc is working fine we just need to pass through ASA to block the internet on the pc however intranet should be available.
