I have a query about HTTP outbound traffic. Is there a way in the ASA to allow outbound HTTP to a URL/URI instead of an IP address, i.e. to allow the URL/domain in the ACL? The reason is that the outside server www.training.com has multiple IP addresses which keep changing, hence the outbound ACL's object-group has to be modified accordingly to include the new IP address every time.
I can see only 1 solution:
1) Do not apply any ACL on the inside interface for outbound traffic and restrict it with inspect http <L7 Policy map name> by specifying the regex as www.training.com. Else I can still specify the outbound ACL, but on the basis of the first three octets, i.e. if the public IP of the server is 126.96.36.199 till 188.8.131.52 (consider that the IP addresses are always in this range) then I can specify the range 184.108.40.206/24 in the access-list destination traffic and combine it again with inspect http <L7 Policy map name>.
Please let me know if there is any other way to accomplish this.
Thanks for the reply. I do not want to add the new IP address given by the service provider to the object group every time; hence, as allowing a URL can't be done in an access-list, I have expanded the IP address range to a /24 so that I do not have to add it every time in the outbound ACL.
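
The combination described in the posts above (a /24 destination in the outbound ACL plus `inspect http` with a regex on the requested host), as an added configuration sketch that is not part of the original thread. The 203.0.113.0/24 range is a constructed placeholder for the server's real range, and every object name (TRAINING_HOST, INSIDE_OUT and so on) is hypothetical.

```cisco
! Added example, not from the original thread.
! 203.0.113.0/24 is a placeholder range; all names are hypothetical.

! Host header value that outbound HTTP requests are allowed to carry.
! The pattern is unanchored, so it matches anywhere in the Host value.
regex TRAINING_HOST www\.training\.com

! L7 class: any HTTP request whose Host header does NOT match the regex.
class-map type inspect http match-all NOT_TRAINING_HOST
 match not request header host regex TRAINING_HOST

! L7 policy map: drop and log requests for any other host.
policy-map type inspect http HTTP_TRAINING_ONLY
 class NOT_TRAINING_HOST
  drop-connection log

! L3/L4 class: HTTP towards the /24 that covers the server's changing addresses.
access-list HTTP_TO_TRAINING extended permit tcp any 203.0.113.0 255.255.255.0 eq www
class-map HTTP_TO_TRAINING_CLASS
 match access-list HTTP_TO_TRAINING

! Attach the L7 policy map to that traffic on the inside interface.
policy-map INSIDE_POLICY
 class HTTP_TO_TRAINING_CLASS
  inspect http HTTP_TRAINING_ONLY
service-policy INSIDE_POLICY interface inside

! Outbound ACL limited to the same /24, so the object-group no longer
! needs editing each time the server moves within the range.
access-list INSIDE_OUT extended permit tcp any 203.0.113.0 255.255.255.0 eq www
access-group INSIDE_OUT in interface inside
```

The Host header check applies only to cleartext HTTP on port 80; `inspect http` cannot read the header inside an HTTPS session, so the /24 ACL is the only control on port 443 if that is also permitted.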