SSL offloading might be the solution to block anything like that. The
other way is to block using DNS MPF. Search for an FQDN like Facebook.com and
then reset the connection. No one will be able to resolve the Facebook IP
address, hence practically denying the way.

On Thursday, October 11, 2012, Adil Pasha wrote:

> Just so you know that https://www.skype.com is being blocked without
> 'protocol-violation action reset' command.
>
>
> Best Regards.
> ______________________
> Adil
>
> On Oct 11, 2012, at 5:49 PM, Adil Pasha <[email protected]> wrote:
>
> Thanks Piotr.
>
> Then why https://www.skype.com is being blocked?
> <Screen Shot 2012-10-11 at 5.45.30 PM.png>
>
> Still do not understand why the 'protocol-violation action reset' command
> blocks https://www.facebook.com. But it also blocks all other https
> websites.
>
> policy-map type inspect http BlockDomainClass_user2
>  parameters
>   protocol-violation action reset
>
> <Screen Shot 2012-10-11 at 5.47.20 PM.png>
>
>
>
>
>
> Best Regards.
> ______________________
> Adil
>
> On Oct 11, 2012, at 5:27 PM, Piotr Matusiak <[email protected]> wrote:
>
> Adil,
>
> Since FB is using HTTPS there is no way to block it with url matching. The
> URL is encrypted.
> All you can do is to block based on IP which can be difficult and not
> reliable.
>
> It could be possible using FPM on the routers by matching CN in the
> certificate.
>
> Other option in real life is to have ASA-CX :)
>
> Regards,
> Piotr
>
>
>
> On Oct 11, 2012, at 9:59 PM, Adil Pasha wrote:
>
> Hi guys,
> Does anyone know how to block https://www.facebook.com/login.php page
> using MPF?
>
> The only way I am able to block Facebook login page is using the following:
>
> policy-map type inspect http BlockDomainClass_user2
>  parameters
>   protocol-violation action reset log
>  class BlockDomainClass_user2
>
> But if you use protocol-violation command it blocks all https traffic to
> any website. Any explanation?
>
> All the explanations on these websites did not work. Seems like Facebook
> has hired some really advanced-level developers :)
>
>
> http://www.handbook.dk/block-domains-on-a-cisco-asa-152.htm
> https://supportforums.cisco.com/docs/DOC-1268
> And new 8.4 version has a very basic solution:
> https://supportforums.cisco.com/docs/DOC-1268
>
>
> The normal configuration on the following links cannot block the above
> link.
> Also, if the above link can be launched using Google.com
> <http://google.com/> search and then click on Login.
>
> I am not finding any solution.
>
> This better not be the exam question till Cisco completely provides the
> solution. I have tested it using ver 8.2, 8.3 and 8.4.
>
> Thanks for any help in advance.
>
> Best Regards.
> ______________________
> Adil
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> <http://www.platinumplacement.com/>
>
>
>

-- 
FNK, CCIE Security#35578
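
The behaviour discussed in this thread, as an added example that is not part of the original messages: an HTTP-aware inspector can match the Host header of a plain HTTP request, but the first bytes of an HTTPS connection are a binary TLS record that fails HTTP parsing for every site, which is consistent with the protocol-violation behaviour reported above, while the DNS query sent before the connection still carries the FQDN in clear text. The block pattern, function names and sample bytes are constructed for illustration and are not ASA code.

```python
import re
import struct

# Hypothetical block list, standing in for the regex a firewall policy would reference.
BLOCKED = re.compile(r"(^|\.)facebook\.com$", re.IGNORECASE)
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")

def http_inspect(first_bytes):
    """Decide what an HTTP-aware inspector can conclude from the first client bytes."""
    if not HTTP_REQUEST_LINE.match(first_bytes):
        # A TLS record starts with a binary header (0x16 = handshake), not a request line.
        return "protocol-violation"
    host = re.search(rb"\r\nHost: *([^\r\n]+)", first_bytes, re.IGNORECASE)
    name = host.group(1).decode("ascii", "replace") if host else ""
    return "url-match" if BLOCKED.search(name) else "permit"

def dns_qname(query):
    """Extract the question name from a raw DNS query (questions are not compressed)."""
    if len(query) < 12:
        raise ValueError("short DNS header")
    if struct.unpack("!H", query[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(query):
            raise ValueError("truncated name")
        length = query[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(query):
            raise ValueError("bad label")
        labels.append(query[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels)

def dns_inspect(query):
    """Drop the lookup when the queried FQDN matches the block list."""
    return "drop" if BLOCKED.search(dns_qname(query)) else "permit"

def make_query(name):
    """Build a constructed A-record query for testing the parser."""
    body = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + body + b"\x00" + struct.pack("!2H", 1, 1)

# Constructed samples: a plain HTTP request and the start of a TLS ClientHello.
HTTP_SAMPLE = b"GET /login.php HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
TLS_SAMPLE = bytes.fromhex("16030100c8010000c40303") + b"\x00" * 32
```
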