06-19-2008 05:07 AM - edited 03-11-2019 06:01 AM
How do I create an ACL that would only allow specific sites to go through if I didn't know the IP and only know the DNS name. Say I want to allow only these two sites *.cisco.com and *.yahoo.com then block all others. Can I do that?
This is on an ASA 5510.
06-19-2008 05:33 AM
AFAIK this is not supported on the ASA/PIX.
Regards
Farrukh
06-19-2008 06:22 AM
Hello,
Modular policy framework allows you to do that.
Please check the document below, at the section "HTTP inspection policy map":
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/asacfg72.pdf
Regards
06-19-2008 08:42 AM
amadoutoure, how does MPF achieve that? Can you expand upon your comment?
How will MPF keep track of the DNS entry of cisco.com (which, say, changes frequently)?
Ever done an nslookup on google.com (you get multiple IPs)?
We do this on one of our customers' Netscreen ISG though, it supports this.
Regards
Farrukh
06-19-2008 09:04 AM
Hello,
I'm out of office for now and I'll send a sample config as soon as I go back to office.
It will be done using regex syntax.
Regards
06-19-2008 09:19 AM
Oh I get your point now. Thanks for waking me up now. Even though it's not as flexible as a proper filtering solution (because since we are denying based on hostname, the user can simply open the URL by IP, open Google's cache etc.):
Something like this:
! the regex object has to be defined before the policy map can reference it by name
regex CISCO_COM "cisco\.com"
policy-map type inspect http TEST_HTTP
 parameters
 match request uri regex CISCO_COM
 .....
Regards
Farrukh
06-19-2008 09:41 AM
Hello,
Right, it's something like that... you have a very good point about accessing directly with an IP address in the URL.
But you could filter by content-type and application header and also deny accessing with an IP address in the URL.
http://www.cisco.com/warp/public/110/asa-8x-regex-config.html
However you're definitely right that it's not the finest way to filter.
Regards
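For the allow-list the original poster asked for, here is a complete configuration built on the approach discussed in this thread. It is an added example, not config from the thread or from Cisco's documentation; the object names (HOST_CISCO, HOST_YAHOO, ALLOWED_HOSTS, HTTP_ALLOWLIST, HTTP_TRAFFIC) and the use of global_policy are assumptions.

```cisco
! Added example, not from the thread. Allows HTTP (TCP/80) only when the Host
! header matches *.cisco.com or *.yahoo.com and drops everything else.
! All object names below are assumptions chosen for this example.

! Anchored regexes: "^" and "$" stop a Host such as cisco.com.example.test
! from matching; the optional ":port" covers requests like www.cisco.com:8080.
regex HOST_CISCO "^([a-zA-Z0-9-]+\.)*cisco\.com(:[0-9]+)?$"
regex HOST_YAHOO "^([a-zA-Z0-9-]+\.)*yahoo\.com(:[0-9]+)?$"

! Group the allowed hostnames so the policy map can reference them as one class.
class-map type regex match-any ALLOWED_HOSTS
 match regex HOST_CISCO
 match regex HOST_YAHOO

! HTTP inspection policy: a request whose Host header is NOT in the class is
! dropped and logged. A bare IP address in the URL (the bypass raised above)
! is caught too, because an IP-literal Host header matches neither regex.
policy-map type inspect http HTTP_ALLOWLIST
 parameters
  protocol-violation action drop-connection log
 match not request header host regex class ALLOWED_HOSTS
  drop-connection log

! Apply the inspection to port-80 traffic through the global service policy.
class-map HTTP_TRAFFIC
 match port tcp eq www

policy-map global_policy
 class HTTP_TRAFFIC
  inspect http HTTP_ALLOWLIST

service-policy global_policy global
```

Only plaintext HTTP on port 80 is inspected here: the Host header of an HTTPS request is encrypted, so TCP/443 and any non-standard ports still need an ACL of their own. Check hit counts with `show service-policy inspect http` before relying on the policy.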
06-19-2008 06:20 AM
URL filtering is possible in ASA using Cisco ASA 5500 Series Content Security Edition.
Please go through this link.