Allow a URL through ASA using MPF

Answered Question
Sep 13th, 2010

Dear All,


I need to be able to allow access from a host in my internal network, 192.168.116.33 to gmail.com on TCP port 533.

The traffic is actually HTTP, but a different port is used.

Is it possible to do this using MPF?

All other traffic should remain unaffected.


Regards,


A.

ahassiotis1 Mon, 09/13/2010 - 09:02

Hi Pano,


I've come across your post.

The difference in my case is the TCP port, it's not 80 but 533. Do I just replace eq www with eq 533 in the user-acl?

I guess I also need a 'match not'.

Finally, do I need to configure my inside_access_in access-list to allow traffic as shown below? Or is this not necessary?



Here is how I am thinking it should be:


regex domainlist1 "\.google\.com"


access-list inside_access_in permit tcp host 192.168.233.119 any eq 533
access-list inside_url_filter extended permit tcp host 192.168.233.119 any eq 533


class-map type regex match-any DomainAllowList
match regex domainlist1


class-map type inspect http match-all AllowDomainsClass
match not request header host regex class DomainAllowList


class-map httptraffic
match access-list inside_url_filter


policy-map type inspect http http_inspection_policy
  class AllowDomainsClass
    drop-connection log


policy-map inside-policy
class httptraffic
  inspect http http_inspection_policy


service-policy inside-policy interface inside


Regards,


A.

Panos Kampanakis Mon, 09/13/2010 - 11:29


The difference in my case is the TCP port, it's not 80 but 533. Do I just replace eq www with eq 533 in the user-acl?


Yes, that is correct.



regex domainlist1 "\.google\.com"


access-list inside_access_in permit tcp host 192.168.233.119 any eq 533
access-list inside_url_filter extended permit tcp host 192.168.233.119 any eq 533


class-map type regex match-any DomainAllowList
match regex domainlist1


class-map type inspect http match-all AllowDomainsClass
match not request header host regex class DomainAllowList


class-map httptraffic
match access-list inside_url_filter


policy-map type inspect http http_inspection_policy
  class AllowDomainsClass
    drop-connection log


policy-map inside-policy
class httptraffic
  inspect http http_inspection_policy


service-policy inside-policy interface inside


This config only allows users using port 533 to browse to google.com. If that is what you want to do, this config will work.


Please rate the answer if it solves your issue, so that future users can benefit from this thread.


Have a good winter...


PK

ahassiotis1 Tue, 09/14/2010 - 03:10

Doesn't this config act on source IP 192.168.233.119 and destination port 533 only?

I would have thought all other source users don't get inspected by this MPF config.


Also, I guess I still need the inside_access_in access list, right?

Correct Answer
Panos Kampanakis Tue, 09/14/2010 - 05:56


You are right. My tongue slipped when I said it is for all port 533. It is for that source IP to that port.


The interface ACL is still needed to allow what you need to allow in general on a per packet basis.


I hope it makes sense.

If it solves the issue please mark the question as answered so that others can benefit in the future from it.


PK
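The two points settled in this thread (only flows that match the class-map ACL are sent to HTTP inspection, and the interface ACL is still evaluated per packet before that) are easy to misread from the config alone. The following is an added example, not code from the thread or from Cisco: a small Python model of how the ASA evaluates the posted policy for a given flow. The ACL and class names come from the posted config; the second `inside_access_in` entry (a general permit for 192.168.0.0/16) is an assumption standing in for whatever the poster's existing interface ACL allows, and the `Flow` inputs are constructed sample traffic. The regex is anchored with `$` here, which is a tightening relative to the thread's `"\.google\.com"`.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """Constructed sample flow: source IP, destination TCP port, HTTP Host header."""
    src_ip: str
    dst_port: int
    host_header: Optional[str] = None  # None when the payload is not HTTP


@dataclass(frozen=True)
class AclEntry:
    action: str               # "permit" or "deny"
    src: str                  # host or CIDR
    dst_port: Optional[int]   # None means any destination port

    def matches(self, flow: Flow) -> bool:
        net = ipaddress.ip_network(self.src, strict=False)
        if ipaddress.ip_address(flow.src_ip) not in net:
            return False
        return self.dst_port is None or self.dst_port == flow.dst_port


def acl_lookup(acl: List[AclEntry], flow: Flow) -> bool:
    """First matching entry wins; an ASA access-list ends with an implicit deny."""
    for entry in acl:
        if entry.matches(flow):
            return entry.action == "permit"
    return False


# Interface ACL (inside_access_in): the port-533 line from the thread plus an
# ASSUMED general permit so that everybody else's traffic stays unaffected.
INSIDE_ACCESS_IN = [
    AclEntry("permit", "192.168.233.119/32", 533),
    AclEntry("permit", "192.168.0.0/16", None),  # assumption, not from the thread
]

# Layer 3/4 class-map "httptraffic" -> match access-list inside_url_filter
INSIDE_URL_FILTER = [AclEntry("permit", "192.168.233.119/32", 533)]

# regex domainlist1, anchored with $ so only hosts that END in .google.com match.
# ASA regexes are substring matches unless you anchor them; the thread's
# "\.google\.com" would match that string anywhere in the Host header.
DOMAIN_ALLOW = re.compile(r"\.google\.com$")


def http_inspection(flow: Flow) -> Tuple[str, Optional[str]]:
    """policy-map type inspect http: class AllowDomainsClass is
    'match not request header host regex class DomainAllowList', with the
    action drop-connection log. Returns (verdict, log line or None)."""
    host = (flow.host_header or "").strip().lower()
    host = host.split(":")[0]  # drop a ":533" port suffix if the client sent one
    if DOMAIN_ALLOW.search(host):
        return "allow", None
    return "drop", (f"http_inspection_policy: drop-connection "
                    f"src={flow.src_ip} dport={flow.dst_port} host={host!r}")


def evaluate(flow: Flow) -> str:
    """Order of operations for an inbound packet on the inside interface."""
    # 1. Interface ACL, evaluated per packet regardless of any service-policy.
    if not acl_lookup(INSIDE_ACCESS_IN, flow):
        return "deny-acl"
    # 2. service-policy inside-policy: only flows in class httptraffic are
    #    handed to the HTTP inspection engine; everything else passes untouched.
    if not acl_lookup(INSIDE_URL_FILTER, flow):
        return "allow-uninspected"
    verdict, log = http_inspection(flow)
    if log:
        print(log)
    return "allow-inspected" if verdict == "allow" else "drop-inspect"


if __name__ == "__main__":
    samples = [
        Flow("192.168.233.119", 533, "mail.google.com"),   # the intended use
        Flow("192.168.233.119", 533, "www.example.com"),   # wrong host, dropped
        Flow("192.168.233.50", 533, "www.example.com"),    # other host: not in class
        Flow("192.168.233.119", 80, "www.example.com"),    # other port: not in class
        Flow("10.0.0.5", 533, "mail.google.com"),          # blocked by interface ACL
    ]
    for f in samples:
        print(f, "->", evaluate(f))
```

Running the block prints one verdict per constructed flow. The two non-inspected cases are the ones the last answer in the thread is about: a different source or a different port never enters class `httptraffic`, so the HTTP policy never sees it, and whether it is allowed at all is decided solely by the interface ACL.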
