
Saturday, October 19, 2024

Cisco ASA Security Features After Version 9.7: A Complete Guide


Cisco ASA Threat Detection (Post-9.7) – A Modern Security Guide

Cyber threats are no longer simple—they evolve constantly. To keep up, firewall technologies like Cisco ASA have transformed from basic traffic filters into intelligent security systems.

This guide breaks down modern ASA threat detection in a structured, easy-to-understand way.


What is Threat Detection?

Threat detection monitors traffic and identifies suspicious patterns.

Think of ASA as a security guard watching every packet entering your network.

Traditional ASA Detection

  • Basic threat detection – monitors the rate of security events (ACL drops, SYN attacks, scanning, bad packets and so on) and logs when a configured rate is exceeded
  • Scanning threat detection – identifies hosts that scan ports or addresses and, if configured to, shuns (blocks) them automatically

Limitations:

  • Limited visibility: rates and counters only, no application-layer context
  • Reactive approach: a threshold must already be crossed before anything is logged
  • Higher false positives: static thresholds misfire whenever normal traffic changes

Modern ASA (Post-9.7)

1. Enhanced Visibility

  • Detailed logs
  • Per-host and per-port behavior tracking (advanced threat detection statistics)
  • Traffic pattern analysis

2. NGFW Integration

  • Application layer inspection
  • HTTP/DNS threat detection
  • Advanced Malware Protection (AMP)

3. Automated Response

  • Dynamic shunning of hosts identified as scanners
  • Real-time blocking
  • SIEM integration via syslog

4. Machine Learning

  • Anomaly detection
  • Adaptive thresholds

One caveat: the ASA's own threat-detection commands remain rate- and counter-based. Anomaly detection and adaptive baselining come from the FirePOWER services and Cisco's analytics platforms layered on top of the ASA, not from the ASA threat-detection engine itself.

Detection Logic (Easy Explanation)

1. Threshold-Based Detection

\[ \text{Alert if } Traffic > Threshold \]

Example:

\[ Connections > 1000/\text{sec} \]

If traffic exceeds the configured level, a possible attack is flagged. On the ASA the threshold is expressed as an average rate and a burst rate (events per second) over a rate interval, for example `threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10`.

2. Anomaly Detection

\[ Anomaly = |Current - Normal| \]

If the deviation from the learned baseline is large, the activity is treated as suspicious.

3. Adaptive Threshold

\[ Threshold = f(Network\ Behavior) \]

The threshold is recomputed from recent traffic instead of being fixed by hand. The catch is that a baseline which keeps learning during an attack lets the attack raise its own threshold, so samples that triggered an alert should be kept out of the baseline.
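To make the three formulas concrete, here is an added example (not code from the original post, and not the ASA's internal implementation) that runs all three over a constructed stream of per-second new-connection counts. The sample data, the window sizes and the factor k are assumptions chosen for illustration; the adaptive detector also shows the baseline-poisoning problem described above by comparing a version that excludes alerting samples with a naive one that learns from everything.

```python
"""Threshold, anomaly and adaptive-threshold detection over a constructed stream
of per-second new-connection counts. Added example; it models the three formulas
from the text, not the ASA's internal threat-detection implementation."""
from statistics import mean, pstdev
from typing import List, Tuple

# Constructed sample (not captured from a real firewall): 30 seconds of normal
# traffic, a five-second burst that looks like a SYN flood, then normal again.
SAMPLE_RATES: List[int] = [
    120, 130, 125, 118, 140, 135, 122, 128, 131, 119,
    124, 133, 127, 121, 138, 129, 126, 123, 134, 120,
    130, 125, 128, 132, 119, 127, 124, 131, 126, 129,
    1500, 2400, 3100, 2800, 1900,
    130, 124, 127, 122, 128,
]


def threshold_detect(rates: List[int], threshold: int = 1000) -> List[int]:
    """1. Threshold-based: alert if Traffic > Threshold (a fixed value)."""
    return [i for i, r in enumerate(rates) if r > threshold]


def anomaly_detect(rates: List[int], baseline_window: int = 30, k: float = 3.0) -> List[int]:
    """2. Anomaly: Anomaly = |Current - Normal|; alert when the deviation exceeds
    k standard deviations of a fixed baseline learned from the first samples."""
    baseline = rates[:baseline_window]
    normal = mean(baseline)
    spread = max(pstdev(baseline), 1.0)  # floor so a flat baseline doesn't flag everything
    return [i for i in range(baseline_window, len(rates))
            if abs(rates[i] - normal) > k * spread]


def adaptive_detect(rates: List[int], window: int = 20, k: float = 3.0,
                    spread_floor: float = 5.0,
                    learn_from_alerts: bool = False) -> Tuple[List[int], List[float]]:
    """3. Adaptive: Threshold = f(Network Behavior), recomputed every second from a
    sliding window of recent samples. By default, samples that triggered an alert
    are NOT fed back into the window, so an ongoing attack cannot raise the bar it
    is judged against. learn_from_alerts=True is the naive variant: the burst
    inflates mean and spread, and later burst samples slip under the threshold."""
    history = list(rates[:window])
    alerts: List[int] = []
    thresholds: List[float] = []
    for i in range(window, len(rates)):
        thr = mean(history) + k * max(pstdev(history), spread_floor)
        thresholds.append(thr)
        alerted = rates[i] > thr
        if alerted:
            alerts.append(i)
        if learn_from_alerts or not alerted:
            history.append(rates[i])
            history.pop(0)
    return alerts, thresholds


if __name__ == "__main__":
    print("fixed threshold :", threshold_detect(SAMPLE_RATES))
    print("anomaly         :", anomaly_detect(SAMPLE_RATES))
    print("adaptive (safe) :", adaptive_detect(SAMPLE_RATES)[0])
    print("adaptive (naive):", adaptive_detect(SAMPLE_RATES, learn_from_alerts=True)[0])
```

With this sample all three detectors flag the five burst seconds (indices 30 to 34). The naive adaptive variant flags only the first three: after learning from 1500, 2400 and 3100 its threshold climbs past 2800, and the tail of the attack goes unreported. That is the practical reason to exclude alerting samples from any self-tuning baseline.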


Configuration Example

asa(config)# threat-detection basic-threat
asa(config)# threat-detection scanning-threat
asa(config)# threat-detection scanning-threat shun duration 3600
asa(config)# threat-detection statistics access-list

The `shun` keyword is what turns scanning detection from log-only into the automatic blocking described above; `duration` sets how long (in seconds) an attacker stays shunned. Hosts that must never be shunned, such as your own vulnerability scanners or monitoring systems, should be excluded with `threat-detection scanning-threat shun except ...`, otherwise the first authorised scan will cut them off.

CLI Output

ASA# show threat-detection rate

Top attackers:
192.168.1.10 - scanning detected
10.0.0.5 - excessive connections

Action: Host blocked (dynamic shun)

The listing above is abbreviated and illustrative. In practice `show threat-detection rate` reports event rates per category, `show threat-detection scanning-threat attacker` lists the hosts identified as scanners, and `show threat-detection shun` shows which of them are currently shunned.

Real-World Impact

| Before | After |
|---|---|
| Slow detection | Real-time alerts |
| Manual response | Automated blocking |
| Limited visibility | Deep insights |

Key Takeaways

  • ASA evolved into an NGFW platform through the FirePOWER services
  • Detection is now proactive rather than purely rate-triggered
  • Anomaly detection and adaptive thresholds improve accuracy, provided the baseline cannot be poisoned by the attack it is measuring
  • Automation (shunning, real-time blocking) reduces response time

Final Thought

A modern Cisco ASA deployment does not just count events; combined with FirePOWER it inspects behavior at the application layer and reacts automatically.

That shift, from reactive to behavior-aware security, is what defines today's cybersecurity landscape.

Monday, September 23, 2024

Blocking URLs on Cisco ASA Post-9.7: Simplified Approach with FirePOWER

In the earlier versions of Cisco Adaptive Security Appliance (ASA), specifically before version 9.7, blocking websites or specific URLs involved a more manual and intricate process using the Modular Policy Framework (MPF) with Layer 7 (L7) inspections and regular expressions. In these versions it was necessary to configure regex-based L7 class maps and policy maps to match specific HTTP header fields, particularly the `Host` header, which carries the hostname (not the full URL; the path lives in the request line) of the site a user is trying to reach.

While this method worked, it was somewhat convoluted and error-prone. With the release of Cisco ASA version 9.7, however, Cisco introduced several improvements in traffic inspection, making URL filtering more streamlined and easier to configure. This post will walk you through how to block specific URLs in Cisco ASA post-9.7 using modern techniques.

### Why Move Away from the Old Method?

Before we dive into the newer methods, let’s summarize why the old method needed an overhaul:
- **Complexity**: The process required setting up multiple MPF components, including L7 regex class maps, L7 inspect class maps, and L7 policy maps. This involved managing various regex statements and mapping everything correctly, increasing the chances of misconfigurations.
- **Regex Limitations**: Using regular expressions to filter out websites based on the `Host` field often led to inefficiencies and could easily miss traffic due to the complexity of patterns or escape characters.
- **Maintenance Difficulty**: Updating the list of URLs meant editing regex patterns manually, which was cumbersome, especially for large lists of blocked URLs.

### What’s New in ASA Post-9.7?

With Cisco ASA version 9.7 and later, URL filtering is handled by the **ASA FirePOWER service module** rather than by regex inspection on the ASA itself. (The FirePOWER module arrived with ASA 9.2(2) and superseded the earlier ASA CX context-aware module, so by 9.7 it is the supported path.) It provides category-based URL filtering, application visibility, and easier policy management. Cisco's Next-Generation Firewalls running Firepower Threat Defense (FTD) carry the same URL filtering natively.

Here are the key features introduced in the newer versions:
- **Simplified Policy Creation**: URL filtering no longer requires manually configuring regex patterns and MPF-based policies. Instead, administrators use URL categories or URL objects as conditions on access control rules.
- **Granular Controls**: URL filtering can be done based on predefined categories (such as Social Networking, Adult Content, etc.), on URL reputation, or on custom URL lists, allowing for more flexible and targeted filtering. Category and reputation filtering require the URL Filtering license.
- **Centralized Management**: With the FirePOWER module registered to the **Firepower Management Center (FMC)**, URL filtering policies are managed centrally and pushed to every managed device, allowing for easier updates across multiple firewalls.

### Steps to Block URLs in ASA Post-9.7

Here’s how you can block URLs in Cisco ASA using the FirePOWER module or FMC post-9.7:

#### 1. **Install and Enable the FirePOWER Module (if not already in place)**
First, ensure that the FirePOWER software module is installed and enabled on your Cisco ASA. If you haven't installed it yet, you'll need to license and integrate it (on the 5500-X series it runs from the SSD as the `sfr` module). FirePOWER offers advanced threat detection and URL filtering features.

You can verify FirePOWER status on your ASA by running:

show module

The module should be listed as `sfr` with a status of `Up`. Note that a running module does not see any traffic by itself: the ASA must redirect traffic to it with an MPF service policy (the `sfr` action), otherwise every policy you build in FMC is never applied.

#### 2. **Access the Firepower Management Center (FMC)**
Once FirePOWER is installed and operational, register the module with the **Firepower Management Center (FMC)** (from the module's own CLI: `configure manager add <fmc-address> <registration-key>`) and then access FMC through a web browser. This interface is where access control, URL filtering and inspection policies are managed.

#### 3. **Define the URL Filtering Conditions**
In FMC, URL filtering is not a standalone policy; it is a condition on access control rules. Here's how:

- Navigate to **Policies > Access Control** and open the access control policy assigned to the device (or create one).
- Add a rule and open its **URLs** tab.
- You'll be presented with a list of predefined categories (such as Social Networking, Gambling, Adult Content, etc.), each optionally qualified by a reputation level. Select the categories you wish to block, or use custom URL objects for specific domains (next step). Category matching relies on the URL Filtering license and cloud lookups; without it, only literal URL objects match.

#### 4. **Add Custom URL Blocking**
If you want to block specific URLs (e.g., example.com or any other domain), create URL objects for them:

- Go to **Objects > Object Management > URL**.
- Create a new URL object (or a URL group) containing the domains or specific URLs that you want to block. Matching is substring-based, so an object for `example.com` also matches `www.example.com` and `example.com.evil.test`; be as specific as the intent requires.
- Save the object and reference it from the **URLs** tab of the access control rule.

#### 5. **Apply the Rule to Traffic**
Once the rule's URL conditions are configured, make it take effect:

- Set the rule action to **Block** (or **Block with reset**, which tears the connection down immediately, or **Interactive Block** to show a warning page).
- Position the rule above any broader Allow rules; access control rules are evaluated top-down and the first match wins.
- Enable logging at the beginning of the connection so blocked attempts appear in the event views.
- Save, then **Deploy** the policy to your ASA device.

For HTTPS sites, keep in mind that without an SSL policy that decrypts the traffic the module can only see the server name from the TLS handshake (SNI or certificate), so hostname-level blocks work but path-level URLs do not.

#### 6. **Verify HTTP Inspection**
URL matching depends on the module's HTTP inspection, which is enabled by default through the network analysis policy (its HTTP preprocessor) applied by your access control policy. Nothing needs to be enabled on the ASA side (no `inspect http` is required for the module), but if URL rules never match, confirm that the network analysis policy in use has not had HTTP inspection disabled and that the ASA is actually redirecting traffic to the module (`show service-policy sfr`).

#### 7. **Monitor and Update Policies**
Once the policy is deployed, monitor the connection events (**Analysis > Connections > Events**) to see which URLs are being blocked; filter on the URL and Action columns. FirePOWER provides detailed logging and reporting tools, so you can easily track which websites users attempt to access and tune the rules accordingly.

#### 8. **Deploy Across Multiple ASAs (if needed)**
One of the benefits of FirePOWER Management Center is the ability to push policies to multiple firewalls simultaneously. If you have more than one ASA, you can deploy your URL filtering policy across all of them from a single management console.

### Example Configuration (For Blocking URLs)
Here's an example of how this process looks in practice:

1. **Create URL Objects**:
   - Add `facebook.com` and `youtube.com` as URL objects (optionally grouped into a URL group named **Social Media Sites**).

2. **Create the Access Control Rule**:
   - Name: **Block Social Media**.
   - **URLs** tab: add the two URL objects (or the group).
   - Action: **Block with reset**; logging enabled at the beginning of the connection.

3. **Order the Rule**:
   - Place **Block Social Media** above any general Allow rule so it is evaluated first.

4. **Deploy**:
   - Save the policy and deploy it to the ASA.
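The FMC steps above assume the ASA is already handing traffic to the module. As an added example (not configuration from the original post), the ASA-side commands that make the redirect happen are shown below; the class-map name, the `match any` scope and the choice of `fail-open` are assumptions you would adapt to your environment, and the lines beginning with `!` are annotations rather than commands.

```text
! Confirm the ASA FirePOWER software module is present and Up
asa# show module sfr details

! Redirect traffic to the module using the Modular Policy Framework.
!   sfr fail-open    = keep passing traffic if the module is down (availability first)
!   sfr fail-close   = drop traffic if the module is down (security first)
!   sfr monitor-only = copy traffic to the module, do not enforce its verdicts
asa(config)# class-map SFR_REDIRECT
asa(config-cmap)# match any
asa(config-cmap)# exit
asa(config)# policy-map global_policy
asa(config-pmap)# class SFR_REDIRECT
asa(config-pmap-c)# sfr fail-open
asa(config-pmap-c)# exit
asa(config-pmap)# exit

! global_policy is already applied globally in the default configuration;
! add the following only if "show running-config service-policy" does not list it
asa(config)# service-policy global_policy global

! Verify the redirect is active and counters are increasing
asa# show service-policy sfr
```

`fail-open` is the usual choice in a first deployment because a module reboot or upgrade then does not take the site offline, but it also means URL blocks silently stop being enforced whenever the module is down, so `show service-policy sfr` (or the module status in FMC) belongs in your monitoring. Switch to `fail-close` once the policy is considered a security control rather than a convenience.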

### Conclusion

Blocking websites on Cisco ASA post-9.7 has become significantly more efficient and straightforward thanks to the integration of FirePOWER and the FMC. With URL categories, custom URL lists, and centralized management, administrators can now easily block access to specific URLs without the complexity of regex-based filtering.

In summary, while the old way of using MPF with regex was effective, the modern approach is more flexible, scalable, and easier to manage. If you’re still using the pre-9.7 method, it’s highly recommended to upgrade and leverage the power of Cisco’s FirePOWER and FMC for better URL filtering capabilities.
