You can, but it is not supportable. It is not dynamic. You have to do a DNS query on each host and block those IPs.

tyson@atr-lnx:~> nslookup www.google.com
Server:         10.200.12.25
Address:        10.200.12.25#53

Non-authoritative answer:
www.google.com  canonical name = www.l.google.com.
Name:   www.l.google.com
Address: 209.85.225.106
Name:   www.l.google.com
Address: 209.85.225.99
Name:   www.l.google.com
Address: 209.85.225.147
Name:   www.l.google.com
Address: 209.85.225.104
Name:   www.l.google.com
Address: 209.85.225.103
Name:   www.l.google.com
Address: 209.85.225.105

tyson@atr-lnx:~>

ciscoasa(config)# sh run url-server
url-server (inside) vendor websense host 1.1.1.1 timeout 30 protocol TCP version 1 connections 5
ciscoasa(config)# sh run filter
filter url 80-443 0.0.0.0 0.0.0.0 208.85.225.0 255.255.255.0
ciscoasa(config)#

Having an invalid url-server will cause it to always be done that will always block it.

Really in this regard a squid server is even a better choice.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Max Pierson
Sent: Saturday, February 19, 2011 12:52 PM
To: CCIE_RS OnlineStudyList
Subject: [OSL | CCIE_RS] URL Filtering via ASA

Hi Security Experts,

I'm looking into doing some URL filtering (possibly content filtering). I see that the ASA only has options for Websense (which is out of the question) and Smartfilter.
I believe this is the same Smartfilter I've used way back when (8 or so years ago) that used to be somewhat cheap for the content subscription feeds and ran via squid (so all you had to pay was for the feeds). Since Smartfilter was acquired by McAfee some time back, is there any option on the ASA to at a minimum filter out domains/urls without having to use either of those costly solutions?? Tight budget for this project :(

Simple filter for .....

*.adobe.com
*.google-analytics.com
*.whatever.com

I can do this via external squid box and some next-hop foo or just use OpenDNS, but I would like to use the ASA as the http(s) redirect point.

Any ideas??

TIA,
M

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
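The per-host lookup approach described in the reply above, as an added example that is not part of the original thread: it parses the quoted nslookup answer, emits `filter url` lines in the form shown in the thread, and reports addresses from a later lookup that the static lines no longer match. The function names, the /24 aggregation and the later answer are assumptions made for the illustration.

```python
import ipaddress
import re

# nslookup answer quoted in the thread above (spacing normalised).
NSLOOKUP_OUTPUT = """\
Server:         10.200.12.25
Address:        10.200.12.25#53

Non-authoritative answer:
www.google.com  canonical name = www.l.google.com.
Name:   www.l.google.com
Address: 209.85.225.106
Name:   www.l.google.com
Address: 209.85.225.99
Name:   www.l.google.com
Address: 209.85.225.147
Name:   www.l.google.com
Address: 209.85.225.104
Name:   www.l.google.com
Address: 209.85.225.103
Name:   www.l.google.com
Address: 209.85.225.105
"""

def answer_addresses(text):
    """A records in nslookup output; the resolver's own 'ip#port' line is skipped."""
    found = re.findall(r"^Address:[ \t]*(\d+\.\d+\.\d+\.\d+)[ \t]*$", text, re.M)
    return sorted({ipaddress.ip_address(a) for a in found})

def filter_lines(addresses, prefix=24, ports="80-443"):
    """One 'filter url' line per covering network, in the form shown in the thread."""
    nets = sorted({ipaddress.ip_network(f"{a}/{prefix}", strict=False) for a in addresses})
    return [f"filter url {ports} 0.0.0.0 0.0.0.0 {n.network_address} {n.netmask}" for n in nets]

def uncovered(addresses, lines):
    """Addresses from a later lookup that no configured filter line matches."""
    nets = [ipaddress.ip_network("/".join(l.split()[-2:])) for l in lines]
    return [a for a in addresses if not any(a in n for n in nets)]

if __name__ == "__main__":
    config = filter_lines(answer_addresses(NSLOOKUP_OUTPUT))
    print("\n".join(config))
    # Constructed later answer: one address has moved outside the configured /24.
    later = [ipaddress.ip_address(a) for a in ("209.85.225.99", "198.51.100.10")]
    print("not filtered:", uncovered(later, config))
```

Running the lookup and comparison on a schedule shows how quickly a static address-based filter drifts from what the hostname actually resolves to.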
