How to Block Facebook and Myspace via IP Address Filtering on Cisco ASA: A Developer’s Guide to Enterprise Network Control

Many organizations face productivity drains from social media usage. While URL filtering seems straightforward, modern CDNs and DNS load balancing make IP-based blocking particularly challenging. Facebook alone uses thousands of IP addresses across multiple ASNs (Autonomous System Numbers).

Instead of relying on single DNS lookups, we need systematic methods:

# Method 1: Using dig with DNS tracing (dig separates fields with tabs, so select on the record-type column instead of grepping "IN A")
dig +trace facebook.com | awk '$4 == "A" {print $5}'

# Method 2: Querying ASN records (IRR route objects registered for AS32934)
whois -h whois.radb.net '!gAS32934' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}\/[0-9]{1,2}'

# Method 3: Scraping the prefix page at bgp.he.net (Linux; the #_prefixes fragment is never sent to the server, so this fetches the whole HTML page and extracts every IPv4 address found in it)
curl -s https://bgp.he.net/AS32934#_prefixes | grep -E '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u

The ASA's object-group feature provides a scalable solution:

object-group network SOCIAL_MEDIA_BLOCK
 description Facebook IP ranges
 network-object 31.13.24.0 255.255.248.0
 network-object 157.240.0.0 255.240.0.0
 network-object 2a03:2880::/32
!
! Deny client-initiated HTTP/HTTPS toward the group, then permit everything else:
! an ASA ACL ends in an implicit deny, so without the final permit the interface would drop all other traffic
access-list INSIDE-IN extended deny tcp any object-group SOCIAL_MEDIA_BLOCK eq www
access-list INSIDE-IN extended deny tcp any object-group SOCIAL_MEDIA_BLOCK eq https
access-list INSIDE-IN extended permit ip any any
! Apply inbound on the user-facing interface; an ACL on the outside interface never sees outbound sessions
access-group INSIDE-IN in interface inside
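As an added example (not code from the original page or from Cisco), the prefix-gathering and object-group steps above combined in one Python script: it parses the reply format whois.radb.net returns for a `!g` query (an `A<length>` header line, the space-separated prefix list, then a `C` status line), collapses overlapping prefixes so the group carries no redundant entries, converts each prefix into the `network-object` syntax the ASA expects (dotted mask for IPv4, prefix length for IPv6), and appends the deny rules together with the closing permit and `access-group` binding the ASA needs. The RADB reply embedded in the script is a constructed sample, not Meta's real announcements; the group, ACL and interface names are assumptions.

```python
import ipaddress

# Constructed sample of a whois.radb.net reply to "!gAS32934": an "A<length>"
# header, the space-separated prefix list, then a "C" status line. The prefixes
# are illustrative and do not represent Meta's actual announcements.
SAMPLE_RADB_REPLY = (
    "A89\n"
    "31.13.24.0/21 31.13.64.0/20 31.13.64.0/24 157.240.0.0/16 "
    "157.240.192.0/20 2a03:2880::/32\n"
    "C\n"
)


def parse_radb_reply(reply):
    """Return the prefixes in a '!g' reply as ip_network objects.

    The 'A<n>' length header and the 'C' (ok) / 'D' (not found) / 'E' / 'F'
    status lines carry no prefixes and are skipped.
    """
    nets = []
    for line in reply.splitlines():
        if not line or line[0] in "ACDEF":
            continue
        nets.extend(ipaddress.ip_network(tok, strict=False) for tok in line.split())
    return nets


def collapse(nets):
    """Merge overlapping and adjacent prefixes within each address family so the
    object-group has no redundant entries (31.13.64.0/24 sits inside 31.13.64.0/20,
    157.240.192.0/20 inside 157.240.0.0/16)."""
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def asa_network_object(net):
    """Render one network-object line: dotted-decimal mask for IPv4, prefix
    length for IPv6, and the 'host' form for a single address."""
    if net.num_addresses == 1:
        return f" network-object host {net.network_address}"
    if net.version == 4:
        return f" network-object {net.network_address} {net.netmask}"
    return f" network-object {net.with_prefixlen}"


def build_asa_config(nets, group="SOCIAL_MEDIA_BLOCK", acl="INSIDE-IN", iface="inside"):
    """Emit the object-group, the deny rules, the closing permit and the
    access-group binding. Group, ACL and interface names are assumptions."""
    lines = [f"object-group network {group}", " description Facebook IP ranges (generated)"]
    lines += [asa_network_object(n) for n in collapse(nets)]
    lines.append("!")
    for port in ("www", "https"):
        lines.append(f"access-list {acl} extended deny tcp any object-group {group} eq {port}")
    # An ASA ACL ends in an implicit deny; without this permit the interface
    # would drop every other session as soon as the ACL is applied.
    lines.append(f"access-list {acl} extended permit ip any any")
    # Bind inbound on the user-facing interface, where outbound sessions originate.
    lines.append(f"access-group {acl} in interface {iface}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_asa_config(parse_radb_reply(SAMPLE_RADB_REPLY)))
```

Piping the real whois output into `parse_radb_reply` instead of the sample gives the full generated configuration; the collapse step matters in practice because IRR data for a large ASN routinely contains more-specific routes nested inside aggregates, and each redundant line is one more entry the ASA has to evaluate per packet.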

ASDM works with IP addresses rather than hostnames; to manage the ranges there you can:

  1. Create network objects via Configuration > Firewall > Objects > Network Objects/Groups
  2. Use the bulk import feature with CSV files containing IP ranges
  3. Schedule rule updates via CLI scripts when IPs change

Create an automated update script:

#!/bin/bash
# Fetch latest Facebook IP ranges (the .prefixes[].netblock JSON shape is assumed; verify it against the provider's API documentation)
curl -s https://ipinfo.io/AS32934 | jq -r '.prefixes[].netblock' > /tmp/fb_ips.txt
[ -s /tmp/fb_ips.txt ] || { echo "no prefixes fetched, aborting" >&2; exit 1; }
# Prefix length -> dotted-decimal mask, which is what the ASA expects for IPv4 entries
cidr2mask() {
  local n=$1 o=()
  for _ in 1 2 3 4; do
    (( n >= 8 )) && o+=(255) || o+=($(( 256 - 2 ** (8 - n) )))
    n=$(( n > 8 ? n - 8 : 0 ))
  done
  local IFS=.; echo "${o[*]}"
}
# Generate ASA config: dotted mask for IPv4, prefix notation for IPv6
{
  echo "object-group network SOCIAL_MEDIA_BLOCK"
  while read -r prefix; do
    [[ $prefix == *:* ]] && echo " network-object $prefix" \
      || echo " network-object ${prefix%/*} $(cidr2mask "${prefix#*/}")"
  done < /tmp/fb_ips.txt
} > fb_asa.cfg
# Push config via SSH: the ASA reads commands from stdin, so wrap the file in configure terminal / end and save
{ echo "configure terminal"; cat fb_asa.cfg; echo "end"; echo "write memory"; } | ssh admin@asa-ip

While the IP lists are still being built, consider these temporary measures:

  • DNS-based filtering via internal DNS server (block facebook.com at DNS level)
  • Transparent proxy using nginx with pattern matching
  • Browser policy enforcement through Group Policy (Windows) or managed Chrome profiles

When attempting to block Facebook and similar sites via IP on Cisco ASA, engineers immediately encounter Facebook's DNS load balancing: two consecutive lookups of the same name return different addresses, which is the core challenge.

$ dig www.facebook.com +short
31.13.71.36
$ nslookup www.facebook.com
Server:     8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
Name:   www.facebook.com
Address: 157.240.203.35

For temporary blocking before implementing Squid, consider these methods:

  • Use Facebook's ASN (AS32934) to gather IP ranges:
    whois -h whois.radb.net '!gAS32934'
  • Leverage DNS enumeration tools:
    for i in {1..10}; do dig @8.8.8.8 www.facebook.com +short; done | sort -u

Since ASDM provides no direct hostname blocking, create network object groups:

object-group network FACEBOOK-NETWORKS
 network-object 31.13.64.0 255.255.240.0
 network-object 157.240.192.0 255.255.240.0
 network-object 2a03:2880::/32
!
! Deny the group, then permit everything else: the ASA's implicit deny at the end of the ACL would otherwise drop all traffic
access-list INSIDE-IN extended deny tcp any object-group FACEBOOK-NETWORKS eq www
access-list INSIDE-IN extended deny tcp any object-group FACEBOOK-NETWORKS eq https
access-list INSIDE-IN extended permit ip any any
! Apply inbound on the inside interface, where the users' outbound sessions enter the firewall
access-group INSIDE-IN in interface inside

For environments where IP blocking proves unreliable, consider these workarounds (note that both are sidestepped by clients that use an external resolver or reach the Internet without passing through the proxy):

  1. Internal DNS override (the internal resolver answers authoritatively for the zone and points the name at an internal block page):
    zone "facebook.com" {
        type master;
        file "fb-redirect.db";
    };
  2. Transparent Squid proxy with delay pools (interim solution; this throttles matching traffic rather than blocking it, and requests only enter the pool through a delay_access rule):
    acl facebook dstdomain .facebook.com
    delay_pools 1
    delay_class 1 3
    delay_parameters 1 16000/16000 -1/-1 -1/-1
    delay_access 1 allow facebook
    delay_access 1 deny all

Implement regular checks to ensure blocking remains effective:

#!/bin/bash
# Current IPv4 A records for www.facebook.com
FACEBOOK_IPS=$(dig +short www.facebook.com | grep -E '^[0-9]+(\.[0-9]+){3}$')
# Object-group as currently configured on the ASA (commands go in on stdin; pager off so the output is not truncated)
CURRENT_BLOCKS=$(printf 'terminal pager 0\nshow running-config object-group id FACEBOOK-NETWORKS\n' | ssh firewall)

for ip in $FACEBOOK_IPS; do
    # A literal grep can never match a "network-object A.B.C.D MASK" line, so test
    # whether the address falls inside one of the configured subnets instead
    if ! CURRENT_BLOCKS="$CURRENT_BLOCKS" python3 -c '
import ipaddress, os, sys
ip = ipaddress.ip_address(sys.argv[1])
nets = [ipaddress.ip_network("/".join(l.replace(" host ", " ").split()[1:]), strict=False)
        for l in os.environ["CURRENT_BLOCKS"].splitlines() if l.split()[:1] == ["network-object"]]
sys.exit(0 if any(ip in n for n in nets) else 1)' "$ip"; then
        echo "New Facebook IP detected: $ip"
        # Add automation to update ASA config
    fi
done