Blocking GoToAssist with Cisco ASA

This is one way to do it: you build a blacklist of domains on the ASA and drop HTTP connections whose Host header matches it.

Note: URL filtering on the ASA is not very good. It may block legitimate sites that should not be blocked. Also, this method only drops the connection; no warning page or error appears on the user's screen. A much better way to block websites is OpenDNS, Squid, or another proxy or filtering service.

Here is the configlet for this how-to:

regex domainlist1 ".facebook.com"
regex domainlist2 ".myspace.com"
regex domainlist3 ".youtube.com"
!
access-list URLfilter extended permit tcp any any eq www
!
class-map type regex match-any DomainBlockList
 match regex domainlist1
 match regex domainlist2
 match regex domainlist3
!
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
!
class-map type regex match-any URLBlockList
!
class-map type inspect http match-all BlockURLsClass
 match request uri regex class URLBlockList
!
class-map httptraffic
 match access-list URLfilter
!
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection
 match request method connect
  drop-connection log
 class BlockDomainsClass
  reset log
!
policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy
!
service-policy inside-policy interface inside

Steps (4 total)

Step 1: Add the domains you want to block.

These are added as regular expressions; here are three example domains:

regex domainlist1 ".facebook.com"
regex domainlist2 ".myspace.com"
regex domainlist3 ".youtube.com"

You can add up to 100 expressions.

Then tie these expressions together:

class-map type regex match-any DomainBlockList
 match regex domainlist1
 match regex domainlist2
 match regex domainlist3
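As an added illustration (not part of the original how-to), this Python script applies the three sample patterns to constructed Host header values the way an unanchored regex search does, which is why the note at the top warns about over-blocking: an unescaped "." matches any character, and nothing anchors the start of the domain. The tightened form it compares against assumes the ASA regex engine accepts backslash escapes, "^", "|" and grouping.

```python
import re

# The three patterns exactly as written in the configlet above.
CONFIGLET_PATTERNS = [".facebook.com", ".myspace.com", ".youtube.com"]

# Constructed sample Host header values (not taken from the page).
SAMPLE_HOSTS = [
    "www.facebook.com",              # should be blocked
    "facebook.com",                  # bare domain: no character precedes the leading '.'
    "myfacebook.com",                # unrelated site: the leading '.' matches the 'y'
    "www.facebook.com.example.org",  # neither pattern anchors the end of the host
    "xyoutubexcom",                  # unescaped dots match any character
    "intranet.example.org",          # should not be blocked
]


def matching_patterns(host, patterns):
    """Patterns that hit HOST under an unanchored search, which is how the
    'match request header host regex class' check behaves."""
    return [p for p in patterns if re.search(p, host)]


def tighten(pattern):
    """Rewrite a configlet-style pattern so its dots are literal and the domain
    must start at the beginning of the Host value or right after a label dot.
    Assumption: the ASA accepts '\\.', '^', '|' and parentheses in a regex."""
    bare = pattern.lstrip(".")
    return r"(^|\.)" + bare.replace(".", r"\.")


def report(hosts=SAMPLE_HOSTS, patterns=CONFIGLET_PATTERNS):
    """Map each host to (hits with the page's patterns, hits with tightened ones)."""
    tight = [tighten(p) for p in patterns]
    return {h: (matching_patterns(h, patterns), matching_patterns(h, tight)) for h in hosts}


if __name__ == "__main__":
    for host, (loose, strict) in report().items():
        verdict = lambda hits: "BLOCK" if hits else "allow"
        print(f"{host:32} configlet={verdict(loose):5} tightened={verdict(strict)}")
```

Note that "facebook.com" with no subdomain slips past the configlet patterns entirely, while "myfacebook.com" and "xyoutubexcom" are blocked; the tightened patterns reverse both outcomes.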

Step 2: Create an access list for the IPs this list should apply to.

In our example, we are applying this to all internal IPs:

access-list URLfilter extended permit tcp any any eq www

If there are IPs you do NOT want affected by this policy, add a deny entry to the URLfilter access list for those IPs or for an object group containing them.

Step 3: Create the policy that enforces your list and ties your ACL to it.

class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
!
class-map type regex match-any URLBlockList
!
class-map type inspect http match-all BlockURLsClass
 match request uri regex class URLBlockList
!
class-map httptraffic
 match access-list URLfilter
!
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection
 match request method connect
  drop-connection log
 class BlockDomainsClass
  reset log
!
policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy

Step 4: Activate your policy.

service-policy inside-policy interface inside

NOTE: Every time you add or remove a regex expression, you need to remove this line and re-add it for the change to take effect.
