Cisco Support Community
New Member

Allow a URL through ASA using MPF

Dear All,

I need to be able to allow access from a host in my internal network, 192.168.116.33 to gmail.com on TCP port 533.

The traffic is actually HTTP, but a different port is used.

Is it possible to do this using MPF?

All other traffic should remain unaffected.

Regards,

A.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Allow a URL through ASA using MPF

You are right. My tongue slipped when I said it is for all of port 533. It is for that source IP to that port.

The interface ACL is still needed to allow what you need to allow in general on a per packet basis.

I hope it makes sense.

If it solves the issue, please mark the question as answered so that others can benefit from it in the future.

PK

5 REPLIES
Cisco Employee

Re: Allow a URL through ASA using MPF

Yes, it can be done.

But do you want to block all other http traffic on that port?

https://supportforums.cisco.com/docs/DOC-1268 has all the possible scenarios you might need to implement.

I hope it helps.

PK

New Member

Re: Allow a URL through ASA using MPF

Hi Pano,

I've come across your post.

The difference in my case is the TCP port, it's not 80 but 533. Do I just replace eq www with eq 533 in the user-acl?

I guess I also need a 'match not'.

Finally, do I need to configure my inside_access_in access-list to allow traffic as shown below? Or is this not necessary?

Here is how I am thinking it should be:

regex domainlist1 "\.google\.com"

access-list inside_access_in permit tcp host 192.168.233.119 any eq 533
access-list inside_url_filter extended permit tcp host 192.168.233.119 any eq 533

class-map type regex match-any DomainAllowList
match regex domainlist1


class-map type inspect http match-all AllowDomainsClass
match not request header host regex class DomainAllowList

class-map httptraffic
match access-list inside_url_filter

policy-map type inspect http http_inspection_policy
  class AllowDomainsClass
    drop-connection log


policy-map inside-policy
class httptraffic
  inspect http http_inspection_policy

service-policy inside-policy interface inside

Regards,

A.

Cisco Employee

Re: Allow a URL through ASA using MPF

The difference in my case is the TCP port, it's not 80 but 533. Do I just replace eq www with eq 533 in the user-acl?

Yes, that is correct.

regex domainlist1 "\.google\.com"

access-list inside_access_in permit tcp host 192.168.233.119 any eq 533
access-list inside_url_filter extended permit tcp host 192.168.233.119 any eq 533

class-map type regex match-any DomainAllowList
match regex domainlist1


class-map type inspect http match-all AllowDomainsClass
match not request header host regex class DomainAllowList

class-map httptraffic
match access-list inside_url_filter

policy-map type inspect http http_inspection_policy
  class AllowDomainsClass
    drop-connection log


policy-map inside-policy
class httptraffic
  inspect http http_inspection_policy

service-policy inside-policy interface inside

This config only allows users on port 533 to browse to google.com. If that is what you want to do, this config will work.

Please rate the answer if it solves your issue, so that future users can benefit from this thread.

Have a good winter...

PK
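To make the behaviour of the configuration above concrete, here is a small Python model of the policy, added as an illustration for this thread; it is not code from the thread, from the ASA, or from Cisco. It assumes that the regex in `regex domainlist1` is searched anywhere in the Host header (unanchored, like `re.search`), that `$` works as an end-of-string anchor in ASA regex syntax, and that a request with no Host header is treated as an empty string; the flows, the extra ACL entry and the `Flow` and `forward` names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed model of the MPF policy from this thread. Matching semantics
# (unanchored search, '$' anchor, empty Host header) are assumptions.
INSPECTED_SRC = "192.168.233.119"   # host in access-list inside_url_filter
INSPECTED_DPORT = 533               # 'eq 533'

# 'regex domainlist1 "\.google\.com"' exactly as written in the thread
DOMAIN_ALLOW = [re.compile(r"\.google\.com")]
# Same pattern with a '$' anchor, added here to show the difference
DOMAIN_ALLOW_ANCHORED = [re.compile(r"\.google\.com$")]

# Interface ACL inside_access_in modelled as (src, dport) permit entries.
# The thread shows one line; a real ACL would carry the other permits too.
INSIDE_ACCESS_IN = [(INSPECTED_SRC, INSPECTED_DPORT)]


@dataclass(frozen=True)
class Flow:
    src: str      # client IP address
    dport: int    # destination TCP port
    host: str     # HTTP Host request header ('' if absent)


def interface_acl_permits(flow, acl=INSIDE_ACCESS_IN):
    """Per-packet interface ACL: a packet must be permitted here first."""
    return (flow.src, flow.dport) in acl


def matches_http_class(flow):
    """'class-map httptraffic' / 'match access-list inside_url_filter'."""
    return flow.src == INSPECTED_SRC and flow.dport == INSPECTED_DPORT


def host_allowed(host, patterns):
    """'class-map type regex match-any DomainAllowList': any pattern may match.
    Assumption: the regex is searched anywhere in the header (re.search)."""
    return any(p.search(host) for p in patterns)


def mpf_decision(flow, patterns=DOMAIN_ALLOW):
    """Action of 'policy-map inside-policy' for one HTTP request.
    Returns 'not-inspected', 'drop' or 'allow'."""
    if not matches_http_class(flow):
        # Other sources or other ports never enter 'inspect http', so the
        # allow list is not applied to them at all.
        return "not-inspected"
    # 'class AllowDomainsClass' = match NOT host-in-allow-list
    # -> 'drop-connection log'
    if not host_allowed(flow.host, patterns):
        return "drop"
    return "allow"


def forward(flow, acl=INSIDE_ACCESS_IN, patterns=DOMAIN_ALLOW):
    """Whole path through the inside interface: ACL first, then the policy."""
    if not interface_acl_permits(flow, acl):
        return "acl-denied"
    return mpf_decision(flow, patterns)


def demo():
    """Constructed flows showing each branch of the policy."""
    flows = {
        "inspected, google subdomain": Flow(INSPECTED_SRC, 533, "www.google.com"),
        "inspected, bare google.com": Flow(INSPECTED_SRC, 533, "google.com"),
        "inspected, other site": Flow(INSPECTED_SRC, 533, "www.example.com"),
        "inspected, google as prefix": Flow(INSPECTED_SRC, 533, "www.google.com.example.net"),
        "same host, port 80": Flow(INSPECTED_SRC, 80, "www.example.com"),
        "other host, port 533": Flow("192.168.233.10", 533, "www.example.com"),
    }
    return {name: mpf_decision(f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:30s} -> {decision}")
```

Two points the model makes visible: the pattern `\.google\.com` requires a dot before `google`, so a Host header of exactly `google.com` is not on the allow list and is dropped; and without an anchor the pattern also matches a header such as `www.google.com.example.net`, which `DOMAIN_ALLOW_ANCHORED` rejects. The `forward` function also shows PK's last point: traffic from other hosts is "not inspected" by the policy, but it still has to be permitted by `inside_access_in` or it never gets that far.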

New Member

Re: Allow a URL through ASA using MPF

Doesn't this config act on source IP 192.168.233.119 and destination port 533 only?

I would have thought all other source users don't get inspected by this MPF config.

Also, I guess I still need the inside_access_in access list, right?

