I have a Cisco ASA 5515, and I have configured as follows:
ASA Version 9.2(2)4
hostname ciscoasa
enable password ********* encrypted
names
!
interface GigabitEthernet0/0
nameif Public-IP
security-level 0
ip address 202.67.23.37 255.255.255.0
!
interface GigabitEthernet0/1
nameif CC-Camera
security-level 50
ip address 10.10.20.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif Computer-Lab
security-level 90
ip address 10.10.21.1 255.255.255.0
!
interface GigabitEthernet0/3
nameif Private-LAN
security-level 100
ip address 10.10.22.1 255.255.255.0
!
interface GigabitEthernet0/4
nameif Wireless
security-level 80
ip address 10.10.23.1 255.255.255.0
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa922-4-smp-k8.bin
ftp mode passive
object network CC-Camera-subnet
subnet 10.10.20.0 255.255.255.0
object network Computer-Lab
subnet 10.10.21.0 255.255.255.0
object network Private-LAN
subnet 10.10.22.0 255.255.255.0
object network Wireless
subnet 10.10.23.0 255.255.255.0
!
object network CC-Camera-subnet
nat (CC-Camera,Public-IP) dynamic interface
object network Computer-Lab
nat (Computer-Lab,Public-IP) dynamic interface
object network Private-LAN
nat (Private-LAN,Public-IP) dynamic interface
object network Wireless
nat (Wireless,Public-IP) dynamic interface
access-group Public-IP_access_in in interface Public-IP
access-group CC-Camera_access_in in interface CC-Camera
route Public-IP 0.0.0.0 0.0.0.0 x.x.x.x
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
My issue is as follows:
My client wants Facebook, YouTube, torrents, etc. to be blocked. How can I do so using ASDM?
ciscoasa(config)# sh module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
0 ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC ASA5515 FCH200571ES
ips Unknown N/A FCH200571ES
cxsc Unknown N/A FCH200571ES
sfr FirePOWER Services Software Module ASA5515 FCH200571ES
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
0 00c8.8bd3.9f63 to 00c8.8bd3.9f6a 1.0 2.1(9)8 9.2(2)4
ips 00c8.8bd3.9f61 to 00c8.8bd3.9f61 N/A N/A
cxsc 00c8.8bd3.9f61 to 00c8.8bd3.9f61 N/A N/A
sfr 00c8.8bd3.9f61 to 00c8.8bd3.9f61 N/A N/A 5.3.1-152
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
ips Unknown No Image Present Not Applicable
cxsc Unknown No Image Present Not Applicable
sfr ASA FirePOWER Up 5.3.1-152
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
0 Up Sys Not Applicable
ips Unresponsive Not Applicable
<--- More --->
cxsc Unresponsive Not Applicable
sfr Up Up
Mod License Name License Status Time Remaining
---- -------------- --------------- ---------------
ips IPS Module Disabled perpetual
As there is firepower module status up, I am hoping we can block certain websites, but I couldn't see the options to do so.
Best Answer
Your question is how to configure the Sourcefire IPS via the Sourfire Management Center to block certain sites.
URL Filtering on a FireSIGHT System Configuration Example
Exclusion of a Specific Site from Blocked URL Category
FireSIGHT Management Center does not allow you to have a local rating of URLs that override the default Sourcefire provided category ratings. In order to accomplish this task, you must use an Access Control policy. These instructions describe how to use a URL object in an Access Control rule in order to exclude a specific site from a block category. Navigate to Objects > Object Management page.
Select Individual Objects for URL, and click the Add URL button. The URL Objects window appears.