regex and grouping questions

Carlomd
Level 1

Hi all, I have a 5510 in route mode. When I add a regex to block 2 sites, it somehow blocks all sites; when I remove it, it's back to normal. Here's the regex code along with my other NAT setting that gives inside users outside access. Thanks in advance.

(regex entry to block sites)

regex domain1 "\.yahoo\.com"
regex domain2 "\.google\.com"
!
class-map type regex match-any domain-list
match regex domain1
match regex domain2
!
class-map web
match port tcp eq www
!
policy-map type inspect http URL
parameters
match not request header host regex class domain-list
drop-connection
!
policy-map global_policy
class web
inspect http URL

(nat outside access)

object network obj-LAN
subnet 0.0.0.0 0.0.0.0
object network obj-LAN
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 12.54.x.x 1

5 Accepted Solutions

I am not sure why the TAC engineer said to use single entries.  The only restriction is that you cannot use the same static NATed port going from a single external IP to multiple internal IPs.  You should be able to use an object group to define the ports and assign it to a single ACL statement.  I have done this several times.

Also, from the post above, it looks like you are using ASA 9.1.  In this case your ACL configuration is a little wrong.  Prior to 8.3 you would use the public (NATed) IP when configuring an ACL on the outside interface.  As of 8.3 and higher you will need to use the real IP (private IP) when configuring ACLs.  This is due to the order in which actions are taken on the packet entering the ASA.  In 8.3 and higher, NAT happens before the ACL check when traffic enters the ASA.

Please add the following to your configuration; just remember to add your server's actual IP, and if it is not already in the configuration, assign the ACL to the external interface where the traffic will ingress (often this is called the outside interface):

object-group service SERVICES tcp
port-object eq http
port-object eq https
port-object eq smtp
access-list MYACL extended permit tcp any host object-group SERVICES
access-group MYACL in interface outside

--
Please rate all helpful posts

Split DNS is for VPN users where you define specific URLs that are to be resolved over the VPN connection.

So you say you have an A record for the OWA URL? For example, you have an entry for mail.company.com pointing to 208.x.x.3 or 208.x.x.12?

The issue you are facing is that your inside hosts are trying to connect to the OWA using the public address.  So traffic is routed to the outside interface and then does a u-turn and comes back in.  The ASA views this as spoofed / not allowed and drops the connection.

You will need to set up hairpinning and NAT from inside to inside.

object network MAIL-SERVER-EXTERNAL
host
object network MAIL-SERVER-INTERNAL
host
object network LAN
subnet 208.x.x.0 255.255.255.0
same-security-traffic permit intra-interface
nat (inside,inside) source static LAN LAN destination static MAIL-SERVER-EXTERNAL MAIL-SERVER-INTERNAL

--
Please remember to rate and select a correct answer

That warning comes due to the dynamic NAT statement you already have.  If you are connected remotely, then I would suggest not applying this config at this time.  It would be best to do this when onsite with physical access to the ASA in case you lose connectivity.  Once you apply it, if traffic flow to the internet and to all other resources is as expected, then you can keep the configuration.  If not, then remove it, of course.

--
Please remember to rate and select a correct answer

Keep in mind that the configuration in that article is for ASA 8.2 and earlier.  The same configuration will not work on your ASA running version 9.1.

--
Please remember to rate and select a correct answer

It is quite deceiving; it should say 8.3 and onwards if it is referring to the new way of configuring NAT.  The configuration you posted is pre-8.3.

https://supportforums.cisco.com/docs/DOC-9129

--
Please remember to rate and select a correct answer

47 Replies

Try using the match not keywords under the class map and then call that class map in the policy map.

regex domain1 "\.yahoo\.com"
regex domain2 "\.google\.com"
class-map type regex match-any domain-list
match regex domain1
match regex domain2
class-map type inspect http match-all ALLOWED_URL_CLASS_MAP
match not request uri regex class domain-list
policy-map type inspect http URL
class ALLOWED_URL_CLASS_MAP
drop

--
Please remember to select a correct answer and rate helpful posts

Thanks for the reply Marius, I'll give this a try.

Hi Marius, it still allows access to ebay.com and myspace.com. I had typos at first, but I carefully followed your instructions and the commands worked, but it was still allowing access to the 2 sites I wanted to block.

Here are the current policy entries:

ASA Version 9.1(2)8

regex ebay "\ebay\.com"
regex myspace "\myspace\.com"

object network obj-LAN
subnet 0.0.0.0 0.0.0.0

class-map type regex match-any domain-list
match regex ebay
match regex myspace
class-map type inspect http match-all ALLOWED_URL_CLASS_MAP
match not request uri regex class domain-list
class-map inspection_default
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect http URL
parameters
class ALLOWED_URL_CLASS_MAP
  drop-connection
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global


You need to not use the match not in this case.  The match not means that it will allow access to ebay and myspace but will drop all others.

Sorry, I was a bit fast in my copy-paste and did not change the policy map.

regex ebay "\ebay\.com"
regex myspace "\myspace\.com"
class-map type regex match-any domain-list
match regex ebay
match regex myspace
class-map type inspect http match-all ALLOWED_URL_CLASS_MAP
match request uri regex class domain-list
policy-map global_policy
class ALLOWED_URL_CLASS_MAP
drop-connection

By placing the class map under the global policy, this will be applied to all interfaces.

Please rate any helpful posts.

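Added example, not from the thread or from Cisco: a small Python model of the class-map logic discussed above, showing why "match not" against the domain list drops every site except the listed ones, while plain "match" drops only the listed ones. Python's re module stands in for the ASA regex engine (an assumption; the ASA engine has its own syntax), and the Host header values are constructed samples.

```python
import re

# Constructed sample Host header values (not taken from the thread).
SAMPLE_HOSTS = ["www.yahoo.com", "mail.google.com", "www.cnn.com", "shop.ebay.com"]

# The regex entries from the original poster's first configuration.
DOMAIN_LIST = [r"\.yahoo\.com", r"\.google\.com"]


def class_matches(host, patterns):
    """Model of 'class-map type regex match-any': true if any regex is found in host."""
    return any(re.search(p, host) for p in patterns)


def http_inspect_verdict(host, patterns, negate):
    """Model of the http inspect class whose action is 'drop-connection'.

    negate=False models 'match request header host regex class ...'.
    negate=True  models 'match not ...': the action fires on every host that
    is NOT in the list, which is why the original policy blocked all other sites.
    """
    hit = class_matches(host, patterns)
    dropped = (not hit) if negate else hit
    return "drop-connection" if dropped else "allow"


def apply_policy(hosts, patterns, negate):
    """Return the verdict for each sample host under the chosen policy."""
    return {h: http_inspect_verdict(h, patterns, negate) for h in hosts}


def compile_error(pattern):
    """Return the compile error for a pattern, or None if it compiles.

    Shows why '\\ebay\\.com' and '*ebay\\.com' are not what was meant: a strict
    engine (Python's re, used here as the stand-in) rejects both, while
    '.*\\.ebay\\.com' compiles and anchors on the dot before the domain.
    """
    try:
        re.compile(pattern)
        return None
    except re.error as exc:
        return str(exc)


if __name__ == "__main__":
    for negate in (True, False):
        print("match not" if negate else "match", apply_policy(SAMPLE_HOSTS, DOMAIN_LIST, negate))
    for p in (r"\ebay\.com", r"*ebay\.com", r".*\.ebay\.com"):
        print(repr(p), compile_error(p))
```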

Hi Marius, I see, so the match not command means to only allow what's on the domain-list, and vice versa. And it looks like it also needs to be put in the global policy group for it to take effect on all interfaces. I wasn't putting it in the global policy; that's probably why I was having some issues when I first tried it. Thanks, I'll give it another try at the end of the day.

Hi Marius, I get this error when I add the class under the global policy. Any ideas? Thanks.

crxasa(config)# policy-map global_policy
crxasa(config-pmap)# class ALLOWED_URL_CLASS_MAP
ERROR: Specified class type is different from the policy-map type.

I forgot to add another policy map in the mix.  The below configuration should work.

regex ebay "\ebay\.com"
regex myspace "\myspace\.com"
class-map type regex match-any domain-list
match regex ebay
match regex myspace
class-map type inspect http match-all ALLOWED_URL_CLASS_MAP
match request uri regex class domain-list
policy-map type inspect http HTTP_BLOCK_POLICY
parameters
class ALLOWED_URL_CLASS_MAP
  drop-connection
policy-map global_policy
class inspection_default
  inspect http HTTP_BLOCK_POLICY

--
Please remember to select a correct answer and rate helpful posts

Hi Marius, thanks for the reply, but somehow it won't work; it still allows ebay and myspace. Here's my config of the policies.

regex ebay "\ebay\.com"
regex myspace "\myspace\.com"
!
class-map type regex match-any domain-list
match regex ebay
match regex myspace
class-map type inspect http match-all ALLOWED_URL_CLASS_MAP
match request uri regex class domain-list
class-map inspection_default
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect http HTTP_BLOCK_POLICY
parameters
class ALLOWED_URL_CLASS_MAP
  drop-connection
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect http HTTP_BLOCK_POLICY
!
service-policy global_policy global

Can you try this?

regex url1 "[eE][bB][aA][yY]"
regex url2 "[gG][oO][oO][gG][lL][eE]"
!
class-map type inspect dns match-all web_url_policy
match domain-name regex url1
match domain-name regex url2
!
policy-map type inspect dns web_policy
class web_url_policy
  drop
!
policy-map global_policy
class inspection_default
  inspect dns web_policy
!
service-policy global_policy global

Please rate replies and mark question as "answered" if applicable.

Thanks for the reply, rr. I'll try this if the other ones don't work.

Edit the regex entries.

regex ebay ".*\.ebay\.com"
regex myspace "\.myspace\.com"

If that doesn't match, then try using the * in front of the domain.

regex ebay ".*ebay\.com"
regex myspace ".*myspace\.com"

Configuration looks correct; we just need to find the correct match parameter.

--
Please rate all helpful posts.

I have another question on another command I seem to have trouble with. This is my first time hands-on with an ASA, btw, so I've just been getting into the meat and potatoes of the ASA for about a month now.

I read that you can group together UDP and TCP, so I did that, grouping smtp, http, https, and domain to a set of host objects, but email won't go through. I think http worked, though, but somehow smtp won't unless I separate it onto one line. Any ideas?

Could you post the group objects in question as well as the access list you are using them in?  The following is an example of how you would configure it.

object-group service SERVICES tcp
port-object eq http
port-object eq https
port-object eq smtp
access-list MYACL extended permit tcp host 10.10.10.1 any object-group SERVICES

--
Please rate all helpful posts

Marius, thanks for the reply. I'm using the command service-object instead of port-object; I got it from a sample in my ASA 2nd ed. book. I'll try port-object and see what happens; it'll save me some time having to type separate lines of command for each host.

object-group service server-services
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq smtp
access-list ACL_OUT_IN extended permit object-group server-services host 208.x.x.12 any
