Cisco Firewall :: ASA 5520 To Block Https Traffic But Users Are Able To Open Website
Jul 1, 2011
We have ASA 5520 with CSC-SSM 20 and we want to block https traffic but when we are blocking https traffic http traffic going to block but user are able to open website.
I am having an ASA5510 with a CSC-SSM-10 module. I am able to block http traffic through the ASA but cannot block https traffic through it. Need to block https traffic using the CSC module.
I have a SMTP relay deployed on the DMZ for mailing. I have also a mail servers installed in the internal lan,
I want to allow trafic from dmz to reach internal lan, and i want normally also allow stmp relay from dmz to reach Internet.
How can i block trafic from DMZ to reach Internal Lan (instead of smtp) if the to allow trafic from dmz to internet i must put ANY in the policy?
For allowing trafic from DMZ to reach Internet, the policy must be DMZ -----> ANY ----->Services., this policy means DMZ can implicity reach Internal Lan?
Right now, in my network there is no proxy server and all users go straight through the ASA to access internet. I would like to put a squid with dansguardian (for web filtering). Steps in getting all http and https traffic from ASA go via my squid?
I was configure 3 interface on ASA1st - managemetn (only for management)2nd - gig0/0 is connected to internet with real IP3rd - gig0/1 is connected to local networkI was configure routed NAT to internet.But I have problem with restriction incomming traffic to inside interface (ifname is inside)but I can connect to ip address of inside interface from other ip. It is wrong and i can't understand where is my mistake.
Running ASA 5510 with code 8.3 in it.We have our few https portal and OWA websites in HO.We access these sites from the network behind the ASA.All works perfectly fine.
In order to have control on internal network traffic we placed a web-filtering device (Fortigate) in transparent mode.To start with of we haven't blocked anything via new box but https portal and OWA stopped working from certain computers.At the same time other https sites were reachable from the same computer/s.We checked that website was tracable using traceroute from ASA,Fortigate and even from interal computer(from the one which it is not opening).This behaviour is random.
We have an ASA 5505 and I want to block www.facebook.com for all users on the inside network. I followed the instructions laid out in Cisco support document ID 100513 using regular expressions with MPF but am running into some problems.
[URL]
Once the configuration has been changed based on these instruction www.facebook.com is blocked. However I can't access any other websites except my Google News home page comes up just fine for some reason.
I want to block some social networking sites using ASA 5510-CSC-SSM, As I searched and come to know that ASA 5510 can't inspect and intercept for https traffic because it is encrypted while traversing throught the ASA. I want the ASA to make functioning for https too, not only http. Can i perform this task by updating any software on existing device?
I have a TAC on this, but thought I would throw it out here too. We recently upgraded a 5520 to 8.4 code so HTTPS traffic can filter through the CSC. Well, it takes several attempts to pull up any https pages. Cisco thought it may be hardware, so I swapped out the CSC, but before I go through the hassle of moving licnese, I brought a second ASA with CSC, which prior to this was their main ASA running 8.2 code and did not have issues, of course HTTPS did not filter through it either. the exact same thing happened on this ASA. So apparently it is not hardware related. One other thing I found, if I bypass https, it still happens, and the only solution is to shut down the CSC module. Now I think it may be the ASA policy that while not the cause, but is being difficult. I found that if you pull SIP inspections out, and reapply them in testing voice issues, you must reboot the ASA for them to work again. I am wondering if this is the case with the HTTPS traffic not releasing from the CSC even with the ACL having it removed. I need to try that next.
I have an ASA 5505 with the base license,When I setup the DMZ interface I had to add the deny access to the inside VLAN. The DMZ works fine with WiFi on it, but user's iPhones can't get email unless they turn WiFi off.Is there a simple way to allow HTTPS traffic through the DMZ interface to our internal Exchange server which is NAT'd on the 5505's external IP?
I have an ASA 5505 that I am using to connect my contractors to via an inside interface, the outside interface is my private LAN. I have setup on our corporate Proxy server to allow traffic from my outside interface of my ASA to go to the internet without credentials BUT log internet activity. The question is I want to know if the ASA can send that http & https traffic to my proxy server and all other traffic to my default route? I want to be able to send all internet traffic to my proxy server. This will avoid me asking the contractors to place proxy credentials in their browsers.
I am having a setup with a 2851 router & websense url filtering server where I need to forward the traffic to websense server for all the internet requests. The http traffic is getting filtered properly, but the https traffic is not getting filtered. The two commands I ahev given for http & http are as follows: ip inspect name test http urlfilter ip inspect name test https.
On one of our firewalls we hosting a application/service which impacts clients and we recently conducted a Pen test, the external company doing the Pen test have advised us that there is a vulnerability relating to OpenSSL. We have checked the server and there is no OpenSSL installed so the only place where it could be picking this up is on the ASA, is this correct?Here is the report from the company that conducted the test:4.3 Network Security An outdated OpenSSL package was identified that was vulnerable to a heap corruption bug that may be exploited by an attacker to acquire command execution on the host, or to create denial of service conditions. Table 7 provides an overview of the risk identified per network assessment category, along with recommendations for resolving the issues identified. Category
Risk Summary Recommendations Patch Management High
The OpenSSL package installed on one host was identified as being outdated and subject to a heap corruption bug. Update the outdated / vulnerable OpenSSL package to the latest stable version. We have an ASA5520 and running the following version: Cisco Adaptive Security Appliance Software Version 8.2(5)2 How do we check the OpenSSL on the ASA and secondly do we need to update the ASA software version ?
I just configure an ASA 5520, here is the config (the ip address of outside network if going to change from private direccion by reason security).
The problem that I have is the users can access to the web site through the public´s ip address but they do not can access through by name. We review all the config on the server DNS and with the command NSLOOKUP we can see that work fine. The client think that the asa is blocked the connnection.
I am new at ASA 5520 and CSC module (version 6.3). I would like to know what configurations are possible for my network users if i use the CSC trend micro blocking using IP address or AD users, I know that i could select users/groups from the windows AD or select the IP addresses that i want to use for blocking or permit HTTP traffic (URL, etc).
My question is on the client side, how the CSC knows what AD users is the one that is requesting certain HTTP pages, or if i user a proxy server, i lose the IP/users options on the CSC??..or i could use authentication options on the proxy for example?.
I have been looking information about this but the manuals only explain the configuration options that i could configure on the CSC Trend Micro page, but it doesn't say which network environment i could use or need.
I am runninng a ASA5520 and ASDM 6.2, I have recenly noticed some MSN traffic on our network. Is there a ASDM policy that I can apply to kill all MSN and Yahoo traffic ? I am looking to block this chat traffic on our network.
I have the below policy-Map in my firewall,according to this policy map how can i block teamvirewer via asa 5520, i don't want the outside users to connect using teamviewer to their servers which is already ready up for teamviewer actions
i want to allow only 1 ip address to use team viewer (172.30.30.100)
class-map inspection_default match default-inspection-traffic ! !
I'm using ASA 5515X my concern is I was not able to block the traffic of P2P such as BitTorrent etc. I was also view some technotes on how to use webfilter without using Websense or Smartfilter tools and lucky I'm able to block certain websites. how to block the traffic of P2P?
How can I block Ultrasurf Application?I have configured Cisco ASA 5520 with Cisco CSC-SSM module. I have blocked everything Except Business and banking activities.But user can access A 2 Z traffic through Ultrasurf.exe application. which bypasses all possible firewalls.How can I blocked this application?
I have a 5520 ASA using wccp redirection to our IronPorts on the inside and everything works great for inside users. What I'm trying to do is get VPN users off split tunneling and to filter their traffic through the IronPorts as well but I can't figure out how. When they connect they seem to bypass the Ironport completely.
Is it possible to block internet traffic on the PC using ASA5501 firewall which is used in transperent mode.The DHCP pc is working fine we just need to pass through ASA to block the internet on the pc however intranet should be available.
Having some problems blocking users installing/using secure browsers proxy. Currently runing ASA 5520 ver. 8.3 & IPS SSM-20 7.0 (2) E4 & Websense web filtering. Able to block most proxy sites with Websense that use port 80 but recently found that some users using some products like Njutrino that use their own secure browser that use it's own proxy over SSL connection.