ACL question

ericluoma
Level 1

How do I create an ACL that would only allow specific sites to go through if I didn't know the IP and only know the DNS name. Say I want to allow only these two sites *.cisco.com and *.yahoo.com then block all others. Can I do that?

This is on an ASA 5510.

1 Accepted Solution

Accepted Solutions

Farrukh Haroon
VIP Alumni

AFAIK this is not supported on the ASA/PIX.

Regards

Farrukh

7 Replies

Hello,

Modular Policy Framework allows you to do that.

Please check the document below, at the section "HTTP inspection policy map":

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/asacfg72.pdf

Regards

amadoutoure, how does MPF achieve that? Can you expand upon your comment?

How will MPF keep track of the DNS entry of cisco.com (which, say, changes frequently)?

Ever done an nslookup on google.com (you get multiple IPs)?

We do this on one of our customer's Netscreen ISG though, it supports this.

Regards

Farrukh

Hello,

I'm out of office for now and I'll send a sample config as soon as I go back to office.

It will be done using regex syntax.

Regards

Oh, I get your point now. Thanks for waking me up. Even though it's not as flexible as a proper filtering solution (because since we are denying based on hostname, the user can simply open the URL by IP, open Google's cache etc.):

policy-map type inspect http TEST_HTTP
 parameters
 match request uri regex cisco.com
 .....

Something like this:

http://www.internetworkpro.org/wiki/ASA_and_PIX_using_http_inspection_to_filter_URLs_and_Hosts_in_HTTP

Regards

Farrukh

Hello,

Right, it's something like that... you have a very good point about accessing directly with an IP address in the URL.

But you could filter by content-type and application header and also deny access with an IP address in the URL.

http://www.cisco.com/warp/public/110/asa-8x-regex-config.html

However you're definitely right that it's not the finest way to filter.

Regards
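A fuller version of the allow-list approach discussed in this thread, written here as an added example rather than config from any of the posters. The regex, class-map and policy-map names are assumed; the two host patterns come from the original question, and the `!` lines are comments for the reader.

```cisco
! Host-header patterns for the two permitted domains (object names are assumed).
! Dots are escaped, (^|\.) also accepts the bare apex domain, and the optional
! (:port) keeps a "Host: www.cisco.com:80" header from slipping past the $ anchor.
regex HOST_CISCO "(^|\.)cisco\.com(:[0-9]+)?$"
regex HOST_YAHOO "(^|\.)yahoo\.com(:[0-9]+)?$"

class-map type regex match-any ALLOWED_HOSTS
 match regex HOST_CISCO
 match regex HOST_YAHOO

policy-map type inspect http HTTP_ALLOWLIST
 parameters
  protocol-violation action drop-connection log
 ! "match not" inverts the class: any request whose Host header is not one of
 ! the allowed domains is dropped. A literal IP address in the URL does not
 ! match either pattern, so the "open it by IP" case raised above falls under
 ! this same deny rule.
 match not request header host regex class ALLOWED_HOSTS
  drop-connection log

! Only plain HTTP on tcp/80 is inspected; HTTPS is not handled by this policy.
class-map HTTP_TRAFFIC
 match port tcp eq www

policy-map global_policy
 class HTTP_TRAFFIC
  inspect http HTTP_ALLOWLIST

service-policy global_policy global
```

The `drop-connection log` action produces a syslog entry for every blocked request, which is the quickest way to confirm the pattern is matching what you expect before relying on it.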

rangaswamy.gb
Level 1

URL filtering is possible on the ASA using the Cisco ASA 5500 Series Content Security Edition.

Please go through this link.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e88.html