Cisco ASA - FQDN Firewall rule

pivetta066203
Level 1

Hi,

I need to create a new firewall rule using a regex. I looked for this in all the Cisco documentation but I did not find anything about it. Can Cisco ASA support this kind of firewall rule?

Thanks,

Accepted Solution

To only allow the domain google.com you would do something like the following:

! Cleartext HTTP only: "eq www" is TCP/80, and "inspect http" cannot see
! inside TLS, so HTTPS to other domains is not covered by this policy.
access-list TRAFFIC extended permit tcp any any eq www

regex DOMAIN1 "\.google\.com"

class-map type regex match-any DOMAIN-LIST
 match regex DOMAIN1

! Match on the Host header, not the request URI: in a direct (non-proxy)
! HTTP/1.1 request the URI is only the path ("/search?q=..."), so a
! "request uri" match would never see the domain and everything would be dropped.
class-map type inspect http match-all URL
 match not request header host regex class DOMAIN-LIST

class-map WEB-TRAFFIC
 match access-list TRAFFIC

policy-map type inspect http HTTP-POLICY
 class URL
  drop-connection

policy-map inside_policy
 class WEB-TRAFFIC
  inspect http HTTP-POLICY

! The policy does nothing until it is applied to an interface.
service-policy inside_policy interface inside

--

Please remember to select a correct answer and rate helpful posts
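The regex in the accepted answer is unanchored, which is worth checking before deploying it. The short script below is an added example, not part of the original thread or of Cisco's documentation: it uses Python's `re` module as a stand-in for the ASA regex engine (an assumption; for the constructs used here, `\.`, `^`, `$`, `( )`, `?`, `+` and `[0-9]`, which the ASA `regex` command also supports, the behaviour is the same) and runs the posted pattern and an anchored alternative against a set of constructed Host header values. It shows that the posted `\.google\.com` rejects the bare `google.com` but accepts `www.google.com.attacker.example`, while the anchored form does the opposite.

```python
import re

# Regex from the accepted answer, applied to the HTTP Host header.
POSTED_REGEX = r"\.google\.com"

# Anchored alternative: host is google.com or ends in .google.com,
# optionally followed by a port (e.g. "Host: www.google.com:8080").
ANCHORED_REGEX = r"^(.+\.)?google\.com(:[0-9]+)?$"

# Constructed sample Host header values (not taken from the thread).
SAMPLE_HOSTS = [
    "www.google.com",
    "google.com",
    "mail.google.com:443",
    "www.google.com.attacker.example",  # suffix trick against an unanchored regex
    "notgoogle.com",
    "example.com",
]


def allowed(host: str, regex: str) -> bool:
    """True if the Host header matches the regex, i.e. the connection
    would NOT be dropped by the 'match not ... regex class' rule."""
    return re.search(regex, host) is not None


def evaluate(hosts, regex):
    """Map each host to whether the policy would let it through."""
    return {h: allowed(h, regex) for h in hosts}


def differences(hosts, regex_a=POSTED_REGEX, regex_b=ANCHORED_REGEX):
    """Hosts on which the two patterns disagree."""
    a, b = evaluate(hosts, regex_a), evaluate(hosts, regex_b)
    return [h for h in hosts if a[h] != b[h]]


if __name__ == "__main__":
    for label, rx in (("posted", POSTED_REGEX), ("anchored", ANCHORED_REGEX)):
        print(f"{label}: {rx}")
        for host, ok in evaluate(SAMPLE_HOSTS, rx).items():
            print(f"  {'ALLOW' if ok else 'DROP ':5} {host}")
    print("differ on:", differences(SAMPLE_HOSTS))
```

The same check applies to any `regex` you feed into `class-map type regex`: test the pattern against the hostnames you intend to allow, the bare apex domain, and a hostname that merely contains the allowed domain as a substring.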

3 Replies

Are you talking about using a FQDN in an access list like the following (this requires the ASA to be configured with DNS servers)?

name-server 192.168.1.1 192.168.1.2

object network URL
  fqdn my.company.com

access-list TEST permit ip any object URL

access-group TEST in interface inside

or

Are you looking to use the modular policy framework (MPF) to match on URL strings?

This link explains this fairly well:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100535-asa-8x-regex-config.html

--

Please remember to select a correct answer and rate helpful posts

I need to allow, by firewall rule, one regular expression like this: *.google.com. I think it is very simple in proxies.
