Cisco Support Community
New Member

Cisco ASA - FQDN Firewall rule

Hi,

I need to create a new firewall rule using a regex. I looked for this in all the Cisco documentation but did not find anything about it. Can Cisco ASA support this kind of firewall rule?

Thanks,

3 REPLIES
VIP Green

Are you talking about using a

Are you talking about using a FQDN in an access list like the following (this requires the ASA to be configured with DNS servers)?

name-server 192.168.1.1 192.168.1.2

object network URL
  fqdn my.company.com

access-list TEST permit ip any object URL

access-group TEST in interface inside

or

Are you looking to use the modular policy framework (MPF) to match on URL strings?

This link explains this fairly well:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100535-asa-8x-regex-config.html

--

Please remember to select a correct answer and rate helpful posts
New Member

I need to allow by firewall rule

I need to allow, by firewall rule, one regular expression like this: *.google.com. I think it is very simple in proxies.

VIP Green

To only allow the domain

To only allow the domain google.com you would do something like the following:

access-list TRAFFIC extended permit tcp any any eq www

regex DOMAIN1 "\.google\.com"

class-map type regex match-any DOMAIN-LIST
 match regex DOMAIN1

class-map type inspect http match-all URL
 match not request uri regex class DOMAIN-LIST

class-map WEB-TRAFFIC
 match access-list TRAFFIC

policy-map type inspect http HTTP-POLICY
 class URL
  drop-connection

policy-map inside_policy
 class WEB-TRAFFIC
  inspect http HTTP-POLICY

--

Please remember to select a correct answer and rate helpful posts
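Added example, not from the thread or from Cisco: a small Python emulation of the drop-connection logic in the configuration above, applying the answer's regex to the two HTTP fields the inspection policy can look at, the request URI the answer uses and the Host header (the `match request header host regex class` variant). It assumes Python's `re` treats the answer's pattern the same way as the ASA regex engine, and the sample requests are constructed.

```python
import re

# The accepted answer's regex (Cisco regex syntax). Assumption: Python's `re`
# interprets the escaped dots the same way as the ASA regex engine does.
DOMAIN1 = re.compile(r"\.google\.com")


def parse_request(raw):
    """Return (request-target, Host header) from a raw HTTP/1.1 request head."""
    head = raw.partition("\r\n\r\n")[0]
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers.get("host", "")


def mpf_decision(raw, field="uri"):
    """Emulate 'class URL / drop-connection', where class URL is
    'match not request <field> regex class DOMAIN-LIST': the connection is
    kept only when the inspected field matches DOMAIN1.
    field="uri"  -> the answer's 'match not request uri regex class ...'
    field="host" -> the 'match not request header host regex class ...' variant
    """
    target, host = parse_request(raw)
    subject = target if field == "uri" else host
    return "permit" if DOMAIN1.search(subject) else "drop-connection"


# Constructed sample requests (not taken from the thread).
ORIGIN_FORM = "GET /search?q=asa HTTP/1.1\r\nHost: www.google.com\r\n\r\n"
ABSOLUTE_FORM = ("GET http://www.google.com/search?q=asa HTTP/1.1\r\n"
                 "Host: www.google.com\r\n\r\n")
SUBSTRING_HOST = "GET / HTTP/1.1\r\nHost: www.google.com.example.net\r\n\r\n"

if __name__ == "__main__":
    # A browser normally sends the origin form, so the URI carries no hostname
    # and the uri-based class drops the very traffic the rule meant to allow.
    print("origin form, uri match:   ", mpf_decision(ORIGIN_FORM, "uri"))
    print("origin form, host match:  ", mpf_decision(ORIGIN_FORM, "host"))
    # Only proxy-style absolute URIs carry the hostname in the request-target.
    print("absolute form, uri match: ", mpf_decision(ABSOLUTE_FORM, "uri"))
    # The pattern is unanchored, so any name containing ".google.com" passes.
    print("substring host, host match:", mpf_decision(SUBSTRING_HOST, "host"))
```

Running it shows that the URI-based class only keeps proxy-style absolute-URI requests, while matching the Host header keeps ordinary browser requests; it also shows that the unanchored pattern matches any hostname that contains ".google.com" as a substring.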