ALLOW ONLY SPECIFIC HTTPS AND HTTP URL TO THE ASA.

ericohermoso
Level 1

Hello,

I successfully configured my firewall to allow only specific http site. like www.sample.com only using MPF. Now I also want to allow https://sample.com. Please How can i configure my firewall to satisfy this condition.

thank you

17 Replies

Kureli Sankar
Cisco Employee

Unfortunately that is not possible. http inspection can only inspect port 80 traffic. https is port 443 and the packet will be encrypted. If you know the address of this website you may be able to allow it via ACL applied on the interface and deny others.

-KS

Hello,

thanks for the reply. I already configured MPF to allow specific http site and apply the rule globally. As you've said I should use ACL to permit the ip address of that https site and deny others. Should I remove the MPF configuration? or I will just add the ACL configuration on the outside interface.

thank you

You can leave the MPF alone or remove that and allow both http as well as https via the ACL provided you know all the IP addresses of the web site.

Is this outbound flow or inbound flow? The reason I ask is because you mentioned allowing permission on the ACL applied on the outside.

-KS

Hello,

I planned not to remove the MPF and only add https configuration allowing only specific https site. HTTPS site is located outside the firewall, let's say it is located in another country. So the inside user is allowed only to access one https site located outside the firewall or located in other country,example (https://mail.sample.com).

thank you

That is what I thought. Ok in this case you need to allow http traffic to this specific site via the ACL applied on the inside interface. You may leave the http as MPF.

So your inside ACL will look like this

access-l inside-acl permit tcp any any eq 80

access-l inside-acl permit tcp any host x.x.x.x eq 443

... allow the rest of the traffic that needs to be allowed from inside to out or it will be denied.

-KS

Hello,

I will check this configuration tomorrow.

thank you and best regards

Hello, I configured the access list and sometimes it is working and sometimes not working. I wonder, I already removed the MPF and used the IP address, but after a few minutes we lose the connection. What do you suppose the problem is?

I am not sure what your acl looks like. Are you blocking http and https destined to specific IP addresses? If so, in the working case it may be trying to reach an IP address that is not in the deny acl that you have implemented.

ACL either blocks or allows. It doesn't sometimes allow and sometimes block unless you have time range configured.

-KS

Hello,

My configuration looks like this..

access-list INS_IN  permit tcp any host 20.133.0.29 eq https
access-list INS_IN  permit tcp any host 213.216.145.178 eq www
access-list INS_IN line 3 extended permit udp any any eq isakmp
access-list INS_IN line 4 extended permit udp any any eq 4500 
access-list INS_IN line 5 extended permit esp any any

access-group INS_IN in interface inside

I just need to access two sites.

It was working after I put the configuration. After a while I lose connections. I am doing it now and I don't know why it goes like this.

Are these all the lines in your ACL?

I do not see line numbers for the first two.

Did you do a "sh access-l INS_IN" and copy and paste the output? Doesn't look like it.

If this access-list is allowing other http and https sites then you need to look at the logs.

conf t

loggin on

loggin buffered 7

sh logg | i x.x.x.x

where x.x.x.x is the IP address of a host that is being allowed to go to other IP addresses besides the two that are configured.

-KS

Hello thanks for the prompt reply.

access-list INS_IN extended permit tcp any host 20.133.0.29 eq https
access-list INS_IN extended permit tcp any host 213.216.145.178 eq www

access-group INS_IN in interface inside

Here is the output

sh access-list

access-list INS_IN line 1 extended permit tcp any host 20.133.0.29 eq https (hitcnt=38) 0x016c500a
access-list INS_IN line 2 extended permit tcp any host 213.216.145.178 eq www (hitcnt=18) 0x64318a14

Now it is working fine.

But I am afraid that if I add another access list for allowing vpn from the inside users:

access-list INS_IN line 3 extended permit udp any any eq isakmp
access-list INS_IN line 4 extended permit udp any any eq 4500 
access-list INS_IN line 5 extended permit esp any any

I may lose connections again.

Here is the log:

ASA(config)# sh log | i 192.168.3.3
%ASA-4-106023: Deny udp src inside:192.168.3.3/53854 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/56216 dst outside:212.93.192.4/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/56216 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/53854 dst outside:212.93.192.4/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/53854 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/56216 dst outside:212.93.192.4/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/56216 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/53854 dst outside:212.93.192.4/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/53854 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/64177 dst outside:212.93.192.4/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/64177 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/64177 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/62474 dst outside:212.93.192.4/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/62474 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/64177 dst outside:212.93.192.4/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/64177 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/62474 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/62474 dst outside:212.93.192.4/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/62474 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/64177 dst outside:212.93.192.4/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/64177 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/62474 dst outside:212.93.192.4/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/62474 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]

thank you and best regards

DNS resolution is failing. Pls. allow that.

access-list INS_IN permit udp any any eq 53

-KS
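As an added example (not code from the thread or from Cisco), the following Python script parses %ASA-4-106023 deny lines in the format posted above, tallies the denied flows by protocol and destination port, and checks each denied flow against the posted ACL with ASA's first-match and implicit-deny semantics, which shows why the DNS permit fixes the symptom and how an explicit deny at the bottom differs from the implicit one. The third sample log line, the single-source-"any" ACE grammar, and the port-keyword table are constructed simplifications.

```python
import re
from collections import Counter

# Constructed sample in the format of the %ASA-4-106023 lines in the thread; the third
# line (a TCP flow to an address not in the ACL) is made up to exercise the matcher.
SAMPLE_LOG = """\
%ASA-4-106023: Deny udp src inside:192.168.3.3/53854 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/56216 dst outside:212.93.192.4/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.3.3/51000 dst outside:198.51.100.7/443 by access-group "INS_IN" [0x0, 0x0]
"""

DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ '
    r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')

# Port keywords used by the ACEs quoted in this thread (assumed subset of ASA's table).
PORT_NAMES = {"https": 443, "www": 80, "isakmp": 500, "domain": 53}


def parse_denies(text):
    """Return one dict per 106023 line; lines in any other format are skipped."""
    return [m.groupdict() for m in map(DENY_RE.match, text.splitlines()) if m]


def summarize(denies):
    """Count denied flows by (protocol, destination port) so a missing ACE stands out."""
    return Counter((d["proto"], int(d["dport"])) for d in denies)


def ace_matches(ace, flow):
    """Match one ACE of the shape used in the thread (assumed simplification, source is
    always 'any'): '<permit|deny> <proto> any <any|host A.B.C.D> [eq <port>]'.
    The 'access-list NAME [line N] [extended]' prefix is tolerated so posted lines paste as-is."""
    tok = re.sub(r"^access-list \S+ (line \d+ )?(extended )?", "", ace).split()
    action, proto = tok[0], tok[1]
    if proto != "ip" and proto != flow["proto"]:
        return None
    if tok[3] == "host" and tok[4] != flow["dst"]:
        return None
    if "eq" in tok:
        port = tok[tok.index("eq") + 1]
        if int(PORT_NAMES.get(port, port)) != int(flow["dport"]):
            return None
    return action


def evaluate(acl, flow):
    """First-match evaluation; an ASA ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        action = ace_matches(ace, flow)
        if action:
            return action
    return "deny (implicit)"
```

Running `summarize(parse_denies(SAMPLE_LOG))` on the constructed log gives two denied udp/53 flows and one tcp/443 flow, the same picture the posted log shows for DNS.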

What version of code are you running on the ASA?

Maybe you are hitting this defect:

CSCsx75440    ACL - Implicit deny ip any any ACE may not work as expected - resolved in 8.0.4(5)

Symptom:

Implicit deny any any may not work as expected. Traffic that is not permitted via the acl may be permitted even though the access-list may be applied on the higher security interface.

Conditions:

This was first observed in an ASA running 8.0.4(3)

Workaround:

1. Remove the access-group line applied on the interface and re-apply it.

example:
no access-group acl-inside in interface inside
access-group acl-inside in interface inside

or

2. add an explicit deny ip any any line at the bottom of the acl applied on that interface

After you add the lines for vpn, add an explicit deny ip any any at the very bottom. That should do it.

-KS
