Cisco Support Community

ACL question

How do I create an ACL that would only allow specific sites through if I don't know the IP and only know the DNS name? Say I want to allow only these two sites, *.cisco.com and *.yahoo.com, and block all others. Can I do that?

This is on an ASA 5510.

ACCEPTED SOLUTION

Re: ACL question

AFAIK this is not supported on the ASA/PIX.

Regards

Farrukh

7 REPLIES


Re: ACL question

Hello,

The Modular Policy Framework allows you to do that.

Please check the document below, at the section "HTTP inspection policy map":

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/asacfg72.pdf

Regards

Re: ACL question

amadoutoure, how does MPF achieve that? Can you expand upon your comment?

How will MPF keep track of the DNS entry of cisco.com (which, say, changes frequently)?

Ever done an nslookup on google.com (you get multiple IPs)?

We do this on one of our customers' Netscreen ISG though; it supports this.

Regards

Farrukh


Re: ACL question

Hello,

I'm out of office for now and I'll send a sample config as soon as I go back to office.

It will be done using regex syntax.

Regards

Re: ACL question

Oh, I get your point now. Thanks for waking me up. Even though it's not as flexible as a proper filtering solution (since we are denying based on hostname, the user can simply open the URL by IP, open Google's cache, etc.):

regex CISCO_COM "cisco\.com"
!
policy-map type inspect http TEST_HTTP
 parameters
 ! match on the Host header, not the URI: the request URI normally carries no hostname
 match not request header host regex CISCO_COM
  .....

Something like this:

http://www.internetworkpro.org/wiki/ASA_and_PIX_using_http_inspection_to_filter_URLs_and_Hosts_in_HTTP

Regards

Farrukh


Re: ACL question

Hello,

Right, it's something like that... you have a very good point about accessing directly with an IP address in the URL.

But you could filter by content-type and application header, and also deny access with an IP address in the URL.

http://www.cisco.com/warp/public/110/asa-8x-regex-config.html

However you're definitely right that it's not the finest way to filter.

Regards
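As an added illustration (not code from the thread, from Cisco, or from the linked documents), the following Python emulates on the host what the HTTP inspection policy discussed above is meant to do on the ASA: allow a request only when its Host header is one of the two allowlisted domains or a subdomain of them, drop requests whose Host is an IP literal (the bypass raised above), and drop requests with no Host header at all. It also runs the same requests through the pattern exactly as it appeared in the thread, `cisco.com` with no anchors and an unescaped dot, to show which hosts that pattern lets through. The sample requests are constructed for this example, using documentation address ranges.

```python
import ipaddress
import re
from typing import Dict, Optional, Tuple

# Allowlist from the question: *.cisco.com and *.yahoo.com (and the bare domains).
ALLOWED_DOMAINS = ("cisco.com", "yahoo.com")

# Anchored, escaped pattern: the host must be one of the domains or a subdomain of it.
ALLOWED_HOST_RE = re.compile(
    r"^(?:[a-z0-9-]+\.)*(?:" + "|".join(re.escape(d) for d in ALLOWED_DOMAINS) + r")$",
    re.IGNORECASE,
)

# The pattern as written in the thread: unanchored, with an unescaped dot.
NAIVE_RE = re.compile("cisco.com", re.IGNORECASE)


def parse_host(request: bytes) -> Optional[str]:
    """Return the Host header of a raw HTTP/1.x request, lower-cased and without
    the port, or None if the request carries no Host header."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"host":
            continue
        host = value.strip().decode("latin-1")
        if host.startswith("["):            # bracketed IPv6 literal, e.g. [2001:db8::1]:443
            host = host[1:host.index("]")] if "]" in host else host[1:]
        elif host.count(":") == 1:          # name:port or IPv4:port
            host = host.split(":", 1)[0]
        return host.rstrip(".").lower()
    return None


def is_ip_literal(host: str) -> bool:
    """True for an IPv4 or IPv6 address used in place of a hostname."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def decide(request: bytes) -> Tuple[bool, str]:
    """Apply the intended policy to one request: allow only allowlisted domains,
    drop IP-literal hosts and drop requests without a Host header.
    Returns (allowed, reason)."""
    host = parse_host(request)
    if host is None:
        return False, "no Host header"
    if is_ip_literal(host):
        return False, "IP literal host: " + host
    if ALLOWED_HOST_RE.match(host):
        return True, "allowlisted host: " + host
    return False, "host not in allowlist: " + host


def naive_allows(request: bytes) -> bool:
    """What the unanchored 'cisco.com' pattern from the thread would let through."""
    host = parse_host(request)
    return host is not None and NAIVE_RE.search(host) is not None


# Constructed sample requests (not captured traffic); 198.51.100.0/24 and
# 2001:db8::/32 are documentation prefixes, *.example is a reserved TLD.
SAMPLE_REQUESTS: Dict[str, bytes] = {
    "cisco":            b"GET /go/asa HTTP/1.1\r\nHost: www.cisco.com\r\n\r\n",
    "yahoo_port":       b"GET / HTTP/1.1\r\nHost: mail.yahoo.com:80\r\n\r\n",
    "ipv4_literal":     b"GET / HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n",
    "ipv6_literal":     b"GET / HTTP/1.1\r\nHost: [2001:db8::1]:443\r\n\r\n",
    "suffix_lookalike": b"GET / HTTP/1.1\r\nHost: www.cisco.com.evil.example\r\n\r\n",
    "prefix_lookalike": b"GET / HTTP/1.1\r\nHost: notcisco.com\r\n\r\n",
    "dot_wildcard":     b"GET / HTTP/1.1\r\nHost: ciscoxcom.example\r\n\r\n",
    "no_host":          b"GET / HTTP/1.0\r\n\r\n",
}


def compare_policies() -> Dict[str, Tuple[bool, bool]]:
    """For each sample: (strict policy allows, naive pattern allows)."""
    return {name: (decide(req)[0], naive_allows(req))
            for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (strict, naive) in compare_policies().items():
        reason = decide(SAMPLE_REQUESTS[name])[1]
        print(f"{name:18} strict={'allow' if strict else 'drop':5} "
              f"naive={'allow' if naive else 'drop':5}  {reason}")
```

Running it shows the three lookalike hosts (a cisco.com prefix inside a longer name, a registrable `notcisco.com`, and the unescaped dot matching any character) pass the naive pattern and fail the anchored one, while the IP literals pass neither but are only rejected by name in the strict policy. Whatever the inspection engine, the regex needs anchoring and escaping, and IP-literal hosts need their own deny rule; none of this changes the point made in the thread that a Host-based filter is still not a substitute for a proper URL filtering solution.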


Re: ACL question

URL filtering is possible on the ASA using the Cisco ASA 5500 Series Content Security Edition.

Please go through this link:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e88.html
