ACL question

Answered Question
Jun 19th, 2008

How do I create an ACL that would only allow specific sites through if I didn't know the IP and only knew the DNS name? Say I want to allow only these two sites, *.cisco.com and *.yahoo.com, and block all others. Can I do that?


This is on an ASA 5510.

Correct Answer by Farrukh Haroon about 8 years 11 months ago

AFAIK this is not supported on the ASA/PIX.


Regards


Farrukh


Farrukh Haroon Thu, 06/19/2008 - 08:42

amadoutoure, how does MPF achieve that? Can you expand upon your comment?


How will MPF keep track of the DNS entry of cisco.com (which, say, changes frequently)?

Ever done an nslookup on google.com (you get multiple IPs)?


We do this on one of our customer's Netscreen ISG though; it supports this.


Regards


Farrukh

Amadou TOURE Thu, 06/19/2008 - 09:04

Hello,


I'm out of the office for now and I'll send a sample config as soon as I get back to the office.

It will be done using regex syntax.


Regards


Farrukh Haroon Thu, 06/19/2008 - 09:19

Oh, I get your point now. Thanks for waking me up. Even though it's not as flexible as a proper filtering solution (because, since we are denying based on hostname, the user can simply open the URL by IP, open Google's cache, etc.):


! The match clause references a named regex object, so define it first
regex CISCO_DOMAIN cisco\.com
policy-map type inspect http TEST_HTTP
 parameters
 match request uri regex CISCO_DOMAIN
 .....


Something like this:

http://www.internetworkpro.org/wiki/ASA_and_PIX_using_http_inspection_to_filter_URLs_and_Hosts_in_HTTP


Regards


Farrukh
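A fuller version of what Farrukh sketches, written out as an added example (it is not from the thread or from the wiki page linked above): instead of denying named hosts, it allows only requests whose HTTP Host header matches the two domains from the question and drops everything else. All object names (HOST_CISCO, ALLOWED_HOSTS, DISALLOWED_HOSTS, HTTP_ALLOWLIST), the regex patterns and the attachment to the default global_policy/inspection_default are assumptions; check the match syntax against the command reference for your ASA release before using it.

```cisco
! Added example, not configuration from the thread. Names and patterns are
! assumptions; verify the syntax against your ASA release's command reference.
!
! Anchored patterns: a bare "cisco.com" would also match "cisco.com.example".
! The optional port suffix covers Host headers such as "www.cisco.com:8080".
! Browsers send the Host header in lowercase, which the patterns rely on.
regex HOST_CISCO ^([a-z0-9-]+\.)*cisco\.com(:[0-9]+)?$
regex HOST_YAHOO ^([a-z0-9-]+\.)*yahoo\.com(:[0-9]+)?$
!
class-map type regex match-any ALLOWED_HOSTS
 match regex HOST_CISCO
 match regex HOST_YAHOO
!
! Any request whose Host header is NOT in the allowlist (a bare IP literal
! included) is classed as disallowed.
class-map type inspect http match-all DISALLOWED_HOSTS
 match not request header host regex class ALLOWED_HOSTS
!
policy-map type inspect http HTTP_ALLOWLIST
 parameters
 class DISALLOWED_HOSTS
  drop-connection log
!
! Hook into the default inspection policy (present in a default ASA config)
! so it applies to the HTTP traffic that is inspected, TCP/80 by default.
policy-map global_policy
 class inspection_default
  inspect http HTTP_ALLOWLIST
```

Two things to keep in mind when judging what this buys you. Because it is an allowlist keyed on the Host header rather than a deny on a hostname, a request sent to an IP address carries that IP in its Host header, matches neither pattern and is dropped, which closes the "open the URL by IP" gap Farrukh mentions for the deny variant. It still only sees traffic that reaches `inspect http`: HTTPS and any non-HTTP protocol are not examined at all, and the DNS-tracking problem raised earlier does not arise because no IP addresses are involved in the decision.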


