ASA 5510 8.2(1) Using hostnames in access-lists?

I need to allow a specific hostname through my firewall. I found this article: https://supportforums.cisco.com/docs/DOC-17014

But it's only for ASAs updated to 8.4 and above.

Doing more research, I found this article: http://www.handbook.dk/block-domains-on-a-cisco-asa-152.htm
And have been trying to reverse engineer it. Am I on the right track?

Thanks in advance.

1 ACCEPTED SOLUTION

Accepted Solutions

ASA 5510 8.2(1) Using hostnames in access-lists?

Hello Adam,

Here is the configuration you need:

! Classify the traffic to inspect: TCP port 80
access-list test extended permit tcp any any eq 80

! Regex name is case-sensitive, so it must match the reference in the policy-map
regex GOOGLE \.google\.com

! HTTP inspection policy: reset (and log) any request whose Host header does NOT match the regex
policy-map type inspect http GOOGLE
 parameters
 match not request header host regex GOOGLE
  reset log

class-map TEST
 match access-list test

! Attach the HTTP inspection to the matching class in the global policy
policy-map global_policy
 class TEST
  inspect http GOOGLE

Regards

CSC is a free support community; take your time to rate all the engineers' responses that help you resolve your problems.

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
3 REPLIES

ASA 5510 8.2(1) Using hostnames in access-lists?

Hello Adam,

Well it's completely different.

On 8.4.2 you will be able to use FQDN on an ACL; the second option is to use deep packet inspection (from layer 4 to 7) in order to match an HTTP request and drop the traffic, as in the example shown there.

If you want to use FQDN on ACLs then the only solution would be to upgrade to 8.4.2.

If what you are looking for is a way to deny or allow traffic based on domain name then the layer 7 inspection should do it.

Regards,

Julio

Rate all the helpful posts!


ASA 5510 8.2(1) Using hostnames in access-lists?

Do you have a sample config of how I would set the layer 7 inspection up?

Thanks for responding quickly.

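To make the behaviour of the accepted configuration concrete (the `match not request header host regex` clause with `reset log` that Julio's layer 7 inspection answer relies on), here is an added Python emulation of that decision, written for this thread and not code from Cisco or from the original post. It parses the Host header out of constructed sample requests and applies the regex from the answer; because the clause is negated, every Host that does not match is reset, so the policy is effectively an allow-list for the named domain. The `ANCHORED` pattern, the missing-Host handling and the sample requests are assumptions of this emulation, not verified ASA behaviour; confirm them on the firewall before relying on them.

```python
import re
from typing import Optional

# Constructed sample HTTP requests (not captured traffic), one per test case.
REQUESTS = {
    "google": b"GET / HTTP/1.1\r\nHost: www.google.com\r\nUser-Agent: x\r\n\r\n",
    "other": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "lookalike": b"GET / HTTP/1.1\r\nHost: www.google.com.example.net\r\n\r\n",
    "nohost": b"GET / HTTP/1.0\r\n\r\n",
}

# The regex from the accepted answer, and an end-anchored variant (assumption:
# an anchored pattern is what a practitioner would want; verify on the ASA).
UNANCHORED = r"\.google\.com"
ANCHORED = r"\.google\.com(:[0-9]+)?$"


def host_header(request: bytes) -> Optional[str]:
    """Return the value of the first Host header, or None if absent."""
    head, _, _ = request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def inspect_http(request: bytes, pattern: str, negate: bool = True) -> str:
    """Emulate `match [not] request header host regex <pattern>` with `reset log`.

    Returns "reset" when the match clause fires (the action is applied) and
    "permit" when it does not. With negate=True (the `match not` in the
    accepted answer) every Host that does NOT match the regex is reset, so the
    policy becomes an allow-list for the named domain.
    """
    host = host_header(request)
    # Assumption of this emulation: a missing Host header cannot match the
    # regex, so under `match not` it is reset. Confirm the ASA's behaviour.
    matched = host is not None and re.search(pattern, host) is not None
    fires = (not matched) if negate else matched
    return "reset" if fires else "permit"


def evaluate(pattern: str) -> dict:
    """Run every sample request through the policy and return the verdicts."""
    return {name: inspect_http(req, pattern) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for label, pat in (("unanchored", UNANCHORED), ("anchored", ANCHORED)):
        print(label, pat)
        for name, verdict in evaluate(pat).items():
            print(f"  {name:<10} -> {verdict}")
```

Running it shows the one point worth checking before deploying the answer as-is: the unanchored `\.google\.com` also permits a Host such as `www.google.com.example.net`, since the substring matches anywhere in the header, while the end-anchored variant resets it. The Host header is supplied by the client, so if the intent is to permit only that domain, anchor the expression (and allow an optional port suffix if non-standard ports are in use), then test both forms against the ASA's own regex engine, which is what actually matters.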