ACL question

Answered Question
Jun 19th, 2008

How do I create an ACL that would only allow specific sites to go through if I didn't know the IP and only know the DNS name. Say I want to allow only these two sites *.cisco.com and *.yahoo.com then block all others. Can I do that?

This is on an ASA 5510.

Correct Answer by Farrukh Haroon about 8 years 7 months ago

AFAIK this is not supported on the ASA/PIX.

Regards

Farrukh

Farrukh Haroon Thu, 06/19/2008 - 08:42

amadoutoure, how does MPF achieve that? Can you expand upon your comment?

How will MPF keep track of the DNS entry of cisco.com (which, say, changes frequently)?

Ever did an nslookup on google.com (you get multiple IPs)?

We do this on one of our customers' Netscreen ISGs though; it supports this.

Regards

Farrukh

Amadou TOURE Thu, 06/19/2008 - 09:04

Hello,

I'm out of the office for now and I'll send a sample config as soon as I get back to the office.

It will be done using regex syntax.

Regards

Farrukh Haroon Thu, 06/19/2008 - 09:19

Oh, I get your point now. Thanks for waking me up now. Even though it's not as flexible as a proper filtering solution (because, since we are denying based on hostname, the user can simply open the URL by IP, open Google's cache, etc.):

    regex CISCO_COM "cisco\.com"
    policy-map type inspect http TEST_HTTP
     parameters
     match request uri regex CISCO_COM
     .....

Something like this:

http://www.internetworkpro.org/wiki/ASA_and_PIX_using_http_inspection_to_filter_URLs_and_Hosts_in_HTTP

Regards

Farrukh
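A fuller version of the MPF approach sketched above, written as an added example for this thread (it is not the poster's config and not taken from the linked wiki page): it allows plain HTTP only to hosts under cisco.com and yahoo.com and drops everything else. The object names ALLOWLIST_HTTP, ALLOWED_HOSTS, HOST_CISCO, HOST_YAHOO, HTTP_OUT, HTTP_TRAFFIC, inside_policy and the interface name inside are assumptions; only TCP/80 traffic matched by the class-map is inspected, so HTTPS and requests sent to an IP address are not filtered by it.

```cisco
! Added example, not from the thread. Names below are assumed, not from the ASA 5510 in question.
! Hostname patterns: the apex domain or any subdomain, anchored so that
! "cisco.com.example" does not match.
regex HOST_CISCO "^([a-zA-Z0-9-]+\.)*cisco\.com$"
regex HOST_YAHOO "^([a-zA-Z0-9-]+\.)*yahoo\.com$"
!
! Group the allowed Host header patterns so one match statement can test them
class-map type regex match-any ALLOWED_HOSTS
 match regex HOST_CISCO
 match regex HOST_YAHOO
!
! HTTP inspection policy: anything whose Host header is NOT in the allow list
! is dropped and logged; malformed HTTP is dropped too rather than passed through
policy-map type inspect http ALLOWLIST_HTTP
 parameters
  protocol-violation action drop-connection log
 match not request header host regex class ALLOWED_HOSTS
  drop-connection log
!
! Select the traffic to inspect: only TCP/80 (HTTPS is not visible to HTTP inspection)
access-list HTTP_OUT extended permit tcp any any eq www
class-map HTTP_TRAFFIC
 match access-list HTTP_OUT
!
! Attach the inspection to the inside interface's service policy
policy-map inside_policy
 class HTTP_TRAFFIC
  inspect http ALLOWLIST_HTTP
!
service-policy inside_policy interface inside
```

Dropped requests show up as HTTP inspection syslog messages, which is the quickest way to confirm the policy is hitting the class-map at all before trusting it.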
