My company uses a pair of 5510 ASAs as the gateway to Internet. I once configured policy-map to filter certain webpages (facebook, twitter, ...etc) and they work fine. However nowdays those websites all support HTTPS. In the https the URL seems encrypted so can't do regex match... Is there anyway that I can still block those webpages?
Another two ways I can think of are
1. Block IPs (don't really want do this unless absolutely necessary)
2. Block DNS for the URL (however they can work around by setting static DNS entries)
I am running a Cisco ASA 5510 with Trend Micro Interscan. We have it set up to filter https except for a handful of sites. It is filtering the ones we don't want ie: facebook, and youtube. Though it is causing all other https to slow to a crawl. Therefore some sites it times out on us. What should we be looking for to change so it isn't slowing the allowed sites down?
Running ASA 5510 with code 8.3 in it.We have our few https portal and OWA websites in HO.We access these sites from the network behind the ASA.All works perfectly fine.
In order to have control on internal network traffic we placed a web-filtering device (Fortigate) in transparent mode.To start with of we haven't blocked anything via new box but https portal and OWA stopped working from certain computers.At the same time other https sites were reachable from the same computer/s.We checked that website was tracable using traceroute from ASA,Fortigate and even from interal computer(from the one which it is not opening).This behaviour is random.
I want to block some social networking sites using ASA 5510-CSC-SSM, As I searched and come to know that ASA 5510 can't inspect and intercept for https traffic because it is encrypted while traversing throught the ASA. I want the ASA to make functioning for https too, not only http. Can i perform this task by updating any software on existing device?
I have installed a new ASA5510 with CSC, and everything is working properly except the access to websites using https. All sites/access to them seem to be blocked by the ASA. I have read that this access is by default enabled and I have tried to add configuration to allow https access to the firewall but without success. [code]
i am unable to launch ASDM, and access https:// to run Asdm..everything worked find yesterday but now for some reason it wont work?When i am trying to log in with the asdm it just hangs on the connecting to device... please wait...When i am tryng access the https://... i get the ssl do you want to trust.. and i press proceed anyway and i get an error
Asa 5510 Device manager version 6.1 System image file is "disk0:/asa804-k8.bin
Also i am accessing the asa with ssh without any issues
I purchased a SA520W for my company, and i have some probles for configuring firewall. I want to deny access to facebook, youtube and twitter but not for 4 hosts which needs this websites for work. I tried to configure content filtering > blocking URLs but with this solution, I deny acces for all users, So, I tried to make IP v4 rules :
The 4 hosts who may access to these websites are 192.168.50.124 to 127
Example : FROM Zone : LAN TO : WAN Service : Any Action: block always Source hosts : 192.168.50.32 to 192.168.50.123 destination hosts : 66.220.158.11 (one of the facebook's ip)
but it does not work. So, I am looking for an other solution, or maybe my rule is not correctly configured ?
I'm looking at creating WLANs using standalone APs for the first time. I know this can all be done with trivially a controller, but this project can't stretch to that...Can I use MAC filtering on standalone APs to restrict which clients associate?I think these will be 1240AG devices but I assume the answer is the same for all models?Can I mix MAC filtering with WEP/WPA? And use MAC filtering without encryption?
I have a cisco asa 5505 firewall. Is it possible to block secure websites in it like [URL]? I have already tried regular expression filtering but it filters only http traffic.
I'm new on this site and having SLM2008 switches. I've been trying to solve the problem for quite a while, but so far I was unable to solve it. So here it is:
I'm trying to send IP TV from ADSL box (aka Free box) located in a small annexe of the house where the telephone line enters. Whole house is wired with 1Gb CAT6 cable. I'm using this wiring to get internet connectivity in different parts of the house and this works great. Now the idea was to create a separate VLAN on my 3 SLM2008 switches to get IP TV stream from ADSL box to the media box (also provided by ISP, aka Freebox HD). Different V LAN configs did not work for me: Free box HD would stuck on boot claiming it doesn't "see" the network. So then I've decided to go from simple things to more complex and removed the V LAN (came back to default config) and connected ADSL box with Free box HD with just one SLM2008 in between. Surprisingly it did not work! Same error on Free box HD! So I plugged the hub and started my Wire Shark to see what is going on.
First tried without the switch (just with a hub in the middle) and I saw successful connection: 1) Freebox HD send DHCP Discover 2) ADSL box responds with DHCP Offer 3) HD sends DHCP Request 4) ADSL issues a DHCP lease
Free box HD is ready to show any channel from ISP.
Secondly I plugged SLM2008 back and looked at traffic right after ADSL box: No DHCP packets seen at all! Then I moved hub next to Free Box HD and I saw it keep sending DHCP Discover every 30 seconds or so.... And it was not getting reply back.
So my conclusion is that SLM2008 for yet unknown reason would not let DHCP discover pass.... I've tried un managed Net Gear switch and *boom* Free box HD booted without a problem. I looked through SLM2008 settings and I have not found something relevant.
How to make my switch pass DHCP discover? If yes my next question would be how to configure V LAN on 3 switches to make it deliver IP TV to my TV set.
We have a mix of 1231 and 1242 access points in an LWAPP environment. They are connected to WiSM controllers in our 6509's and are managed by a central WLC. Everything is running version 7.0.230. My question is can I apply MAC address filtering on a select group of AP's to restrict access to a specific SSID broadcast on these AP's without affecting other AP's also connected to the same WiSM?
I have two sets of local users who access internal networks vai the Anyconnect application on a Cisco ASA 5505.One user needs to access 1 ip address while about 7 users access abotu 4 addresses.
I have a group called xyz1 which currently has the one user in the connection profile. I guess to reaffirm my thought, If I create another connection entry called xyz2, can I assign the other 7 or 8 users to it?
If I can do this, how can I ensure that each connection entry only has access to specific IP addresses on the internal network?
One of our customers has an ASA5510 with CSC SSM-10 security module. The software version of the module is 6.6.1125.0.Is it possible to do https filtering with this module ? The customer is complaining that this is not possible...from Cisco I've read the following:
• HTTPS Filtering – Able to allow or block HTTPS traffic. – Supports group-based and user-based HTTPS policies. – Includes URL blocking/URL exception list support for HTTPS domains.
I'm trying to access my ASA 5505 by https://192.168.1.1 but I can't. I'm using Windows 7. I already have installed ASDM and I can enter in the box by ASDM. I am preparing to reformat my PC and I'm afraid that I won't be able to access my ASA if I do.
The Mozilla show the message: An error occurred during a connection to 192.168.1.1.Cannot communicate securely with peer: no common encryption algorithm(s).(Error code: ssl_error_no_cypher_overlap)
Windows IIS server configured behind a Cisco ASA 5540 listening on port 443 currently. Access-list and static translation configured. I have been ask to redirect all port 80 calls to port 443 for this web site only at the firewall. I have suggested moving it behind our content switch with negative results. Can we do this at the firewall level? how to accomplish the redirect for a single site. 8.2.4 is current code
I am setting up an ASA 5550 8.4 and asdm 6.4. Last thing I am missing is to get the static nat rule done for https. Done it with asdm and cli and always end up with "error: nat unable to reserve the port". Looked around the Net so far and changed the http enable port to 4433. ASDM access is only configured for inside and mgmt port. Disabled under RA VPN all checkboxes in clientless ssl and any connection profiles since IKEv1 is used for vpn access.
We have an ASA5505 UL bundel, updated with this license "L-ASA5505-SEC-PL=" to enable traffic from DMZ to Inside. No NAT or rules deployed for that yet.
On the Inside we have Exchange 2007 in a single server installation. The public url for smtp, ActiveSync, OWA and Outlook Anywhere is mail.company.se. There is a static NAT for outside traffic to access above mentioned services on inside. Now, on DMZ there is the WLAN for guests to access the Internet. How ever, our Smart Phones with WLAN turned on, cannot sync to the Exchange Server on the Inside! The DMZ gets IP-addressen from ASA on DMZ Interface with external DNS configured. How can I configure the ASA to achieve the function of ActiveSync from DMZ to Inside with the public URL from the phones?
I have a request for blocking urls using a class map. I have made this work with HTTP, however it does not work for https. This is a 2851 router with IOS Version 12.4(15)T7. I see i could use the command "match protocol secure-https" however this does not let me specify any specific urls.
Does a new IOS version will support what I'm trying to do? Or if there is another way?
I have a closed network that is not connnected to the internet, just other sites that we want to communicate with. We have a cisco router connected to the outside interface on an ASA5505 and a cisco router connected to the inside interface on the same ASA5505. I have an inside interface that connects our management LAN, five separate DMZ interfaces with a separate LAN (VLAN) on each DMZ interface and the outside interface that connects to the other sites. Data is not allowed to mingle between the five DMZ's.
Alll connections to the other separate nodes are handled with the router on the external interface. IPSEC GRE tunnels have been established between all sites and BGP routing has been verified. Pings are good between inside, dmz and external interfaces and between the DMZ's and the other sites, to include hosts on our local networks and hosts at the remote sites. Inter and intra traffic is enabled.
When a remote site attempts an https connection, the initial ACK handshake makes it through the ASA5505, but the return SYN/ACK is being knocked down and I don't understand why (it is not because of ACL's, they are any any at this point).
Why the return SYN/ACK to the remote site isn't getting through the ASA5505 outbound. Will probably have the same issue with FTP, but right now, just trying to solve one problem at a time.
ASA5505 is in routed mode, not looking to NAT since the IP addresses in the DMZ need to be reached by their real IP address.
I have an ASA 5505 running 8.4.4.1. I've configured three WAN interfaces and have assigned failover on one of them (we have two ISP's, and a total of 3 static IP's in 3 different subnets). I've noticed that all the traffic is flowing through only one of the three interfaces, but I need to allow incoming https traffic on the second WAN port so I can access our Exchange server (we already use https on the first WAN port to access another server).
[code] WAN1 is the default outgoing route and we've configured several incoming services on it (smtp and https for example) and appears to be working properly as mail is coming and going and users can access the RDS gateway.I need to configure WAN2 to accept https traffic and send it to our Exchange server to enable OWA (webmail) access.I've configured the same Access and NAT rules on all three WAN interfaces for smtp (but I suspect only the first one is currently functioning at this point, I'll test it next chance I get). I thought all I'd have to do is configure an access and NAT entry on WAN2 (same as on WAN1), but direct the traffic to the OWA server instead of the rds gateway server, but it is not working.
In the realtime log I can see that it appears to be receiving the traffic on the WAN2 IP, but seems to be passing this through to the inside via the WAN1 interface.
I am having an ASA5510 with a CSC-SSM-10 module. I am able to block http traffic through the ASA but cannot block https traffic through it. Need to block https traffic using the CSC module.
I need to redirect all http and https traffic from one source in a dmz network, to port tcp/8080 on a proxy server on the inside network.
The source device doesn't handle proxying very well, so i've been advised to redirect the tcp/80 and tcp/443 ports to tcp/8080 as it passes through the firewall.
I have an ancient Alteon load balancer which only supports HTTP and telnet access. Our management people only allow HTTPS through the management firewall farm, and don't want to change this policy. So I need a low cost HTTPS to HTTP conversion, ideally on Cisco hardware like an ASA5505. It only needs one concurrent user. Is there a way to configure an ASA 5505 to terminate the inbound HTTPS seession and re-originate a HTTP management session to the Alteon? It looks to me as if the Clientless SSL VPN might do the job.Is there a way to do a SSH to telnet conversion on the ASA, or on a router?
Configuring an asa 5505 with 8.42 software.I need to access an https server on the inside via the outside interface. have moved the http server enable to port 10443.Tried to make a "network object nat rule"
I have a TAC on this, but thought I would throw it out here too. We recently upgraded a 5520 to 8.4 code so HTTPS traffic can filter through the CSC. Well, it takes several attempts to pull up any https pages. Cisco thought it may be hardware, so I swapped out the CSC, but before I go through the hassle of moving licnese, I brought a second ASA with CSC, which prior to this was their main ASA running 8.2 code and did not have issues, of course HTTPS did not filter through it either. the exact same thing happened on this ASA. So apparently it is not hardware related. One other thing I found, if I bypass https, it still happens, and the only solution is to shut down the CSC module. Now I think it may be the ASA policy that while not the cause, but is being difficult. I found that if you pull SIP inspections out, and reapply them in testing voice issues, you must reboot the ASA for them to work again. I am wondering if this is the case with the HTTPS traffic not releasing from the CSC even with the ACL having it removed. I need to try that next.
