11-15-2013 09:05 AM - edited 03-11-2019 08:05 PM
Hi all, I have a 5510 in routed mode. When I add a regex to block 2 sites, it somehow blocks all sites; when I remove it, it's back to normal. Here's the regex config along with my other NAT setting that gives inside users outside access. Thanks in advance.
(regex entry to block sites)
regex domain1 "\.yahoo\.com"
regex domain2 "\.google\.com"
!
class-map type regex match-any domain-list
match regex domain1
match regex domain2
!
class-map web
match port tcp eq www
!
policy-map type inspect http URL
parameters
match not request header host regex class domain-list
drop-connection
!
policy-map global_policy
class web
inspect http URL
(nat outside access)
object network obj-LAN
subnet 0.0.0.0 0.0.0.0
object network obj-LAN
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 12.54.x.x 1
11-20-2013 11:40 PM
I am not sure why the TAC engineer said to use single entries. The only restriction is that you cannot use the same static NATed port going from a single external IP to multiple internal IPs. You should be able to use an object group to define the ports and assign it to a single ACL statement. I have done this several times.
Also from the post above, it looks like you are using ASA 9.1. In this case your ACL configuration is a little wrong. Prior to 8.3 you would use the public (NATed) IP when configuring an ACL on the outside interface. As of 8.3 and higher you will need to use the real IP (private IP) when configuring ACLs. This is due to the order in which actions are taken on the packet entering the ASA. In 8.3 and higher, NAT happens before the ACL check when traffic enters the ASA.
Please add the following to your configuration just remember to add your server's actual IP, and if it is not already in the configuration, assign the ACL to the external interface where the traffic will ingress (often this is called the outside interface):
object-group service SERVICES tcp
port-object eq http
port-object eq https
port-object eq smtp
access-list MYACL extended permit tcp any host <server-real-ip> object-group SERVICES
access-group MYACL in interface outside
--
Please rate all helpful posts
12-05-2013 12:41 AM
Split DNS is for VPN users where you define specific URLs that are to be resolved over the VPN connection.
So you say you have an A record for the OWA URL? for example you have an entry for mail.company.com pointing to 208.x.x.3 or 208.x.x.12?
The issue you are facing is that your inside hosts are trying to connect to the OWA using the public address. So traffic is routed to the outside interface and then does a u-turn and comes back in. The ASA views this as spoofed / not allowed and drops the connection.
You will need to set up hairpinning and NAT from inside to inside.
object network MAIL-SERVER-EXTERNAL
host <mail-public-ip>
object network MAIL-SERVER-INTERNAL
host <mail-private-ip>
object network LAN
subnet 208.x.x.0 255.255.255.0
same-security-traffic permit intra-interface
nat (inside,inside) source static LAN LAN destination static MAIL-SERVER-EXTERNAL MAIL-SERVER-INTERNAL
--
Please remember to rate and select a correct answer
12-06-2013 11:07 AM
That warning comes due to the dynamic NAT statement you already have. If you are connected remotely, then I would suggest not applying this config at this time. It would be best to do this when onsite with physical access to the ASA in case you lose connectivity. Once you apply it, if traffic flow to the internet and to all other resources is as expected, then you can keep the configuration. If not, then remove it, of course.
--
Please remember to rate and select a correct answer
12-06-2013 11:24 AM
Keep in mind that the configuration in that article is for ASA 8.2 and earlier. The same configuration will not work on your ASA running version 9.1
--
Please remember to rate and select a correct answer
12-06-2013 11:30 AM
It is quite deceiving; it should say 8.3 and onwards if it is referring to the new way of configuring NAT. The configuration you posted is pre-8.3.
https://supportforums.cisco.com/docs/DOC-9129
--
Please remember to rate and select a correct answer
11-15-2013 11:19 AM
Try using the match not keywords under the class map and then call that class map in the policy map
regex domain1 "\.yahoo\.com"
regex domain2 "\.google\.com"
class-map type regex match-any domain-list
match regex domain1
match regex domain2
class-map type inspect http match-all ALLOWED_URL_CLASS_MAP
match not request uri regex class domain-list
policy-map type inspect http URL
class ALLOWED_URL_CLASS_MAP
drop
11-15-2013 12:55 PM
Thanks for the reply Marius, I'll give this a try.
11-16-2013 12:36 PM
Hi Marius, it still allows access to ebay.com and myspace.com. I had typos at first, but I carefully followed your instructions and the commands worked; it was still allowing access to the 2 sites I wanted to block.
Here are the current policy entries:
ASA Version 9.1(2)8
regex ebay "\ebay\.com"
regex myspace "\myspace\.com"
object network obj-LAN
subnet 0.0.0.0 0.0.0.0
class-map type regex match-any domain-list
match regex ebay
match regex myspace
class-map type inspect http match-all ALLOWED_URL_CLASS_MAP
match not request uri regex class domain-list
class-map inspection_default
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect http URL
parameters
class ALLOWED_URL_CLASS_MAP
drop-connection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
11-16-2013 01:13 PM
You need to drop the match not in this case. The match not means that it will allow access to ebay and myspace but will drop all others.
Sorry, I was a bit fast in my copy-paste and did not change the policy map.
regex ebay "\ebay\.com"
regex myspace "\myspace\.com"
class-map type regex match-any domain-list
match regex ebay
match regex myspace
class-map type inspect http match-all ALLOWED_URL_CLASS_MAP
match request uri regex class domain-list
policy-map global_policy
class ALLOWED_URL_CLASS_MAP
drop-connection
By placing the class map under the global policy, it will be applied to all interfaces.
Please rate any helpful posts.
11-18-2013 09:20 AM
Hi Marius, I see, so the match not command means to only allow what's on the domain-list, and vice versa. And it looks like it also needs to be put in the global policy for it to take effect on all interfaces. I wasn't putting it in the global policy; that's probably why I was having some issues when I first tried it. Thanks, I'll give it another try at the end of the day.
11-18-2013 05:26 PM
Hi Marius, I get this error when I add the class under the global policy, any ideas, thanks.
crxasa(config)# policy-map global_policy
crxasa(config-pmap)# class ALLOWED_URL_CLASS_MAP
ERROR: Specified class type is different from the policy-map type.
11-18-2013 11:58 PM
I forgot to add another policy map in the mix. The below configuration should work.
regex ebay "\ebay\.com"
regex myspace "\myspace\.com"
class-map type regex match-any domain-list
match regex ebay
match regex myspace
class-map type inspect http match-all ALLOWED_URL_CLASS_MAP
match request uri regex class domain-list
policy-map type inspect http HTTP_BLOCK_POLICY
parameters
class ALLOWED_URL_CLASS_MAP
drop-connection
policy-map global_policy
class inspection_default
inspect http HTTP_BLOCK_POLICY
11-19-2013 04:55 PM
Hi Marius, thanks for the reply, but somehow it won't work, it still allows ebay and myspace, here's my config of the policies.
regex ebay "\ebay\.com"
regex myspace "\myspace\.com"
!
class-map type regex match-any domain-list
match regex ebay
match regex myspace
class-map type inspect http match-all ALLOWED_URL_CLASS_MAP
match request uri regex class domain-list
class-map inspection_default
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect http HTTP_BLOCK_POLICY
parameters
class ALLOWED_URL_CLASS_MAP
drop-connection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http HTTP_BLOCK_POLICY
!
service-policy global_policy global
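Added example (not part of the thread and not Cisco code): the class-maps in the configs above apply the domain regex with `match request uri regex`. In a request sent directly to a web server the request line is `GET /itm/123 HTTP/1.1`, so the URI is only the path and the site name appears only in the Host header; a proxy-style request is the one case where the full URL sits in the request line. The Python script below parses a few constructed HTTP requests and evaluates the thread's regex list (with the `\ebay\.com` entry written as `\.ebay\.com`) three ways: against the URI, against the Host header, and against the Host header with `match not`, as in the original post. It assumes the ASA applies the regex to exactly those two fields and drops the connection when the class matches.

```python
import re
from dataclasses import dataclass

# Constructed sample traffic: three direct (non-proxied) HTTP/1.1 requests as a
# browser sends them, plus one proxy-style request with an absolute URI.
SAMPLE_REQUESTS = [
    b"GET /itm/123456 HTTP/1.1\r\nHost: www.ebay.com\r\nUser-Agent: x\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: www.myspace.com\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    b"GET http://www.ebay.com/itm/99 HTTP/1.1\r\nHost: www.ebay.com\r\n\r\n",
]

# The thread's regex list; the broken "\ebay\.com" entry is written as "\.ebay\.com".
DOMAIN_LIST = [r"\.ebay\.com", r"\.myspace\.com"]


@dataclass
class Request:
    method: str
    uri: str   # what "match request uri" sees: the request-line URI
    host: str  # what "match request header host" sees: the Host header value


def parse_request(raw: bytes) -> Request:
    """Splits an HTTP/1.x request head into method, request-line URI and Host header."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
            break
    return Request(method, uri, host)


def matches_any(patterns, text: str) -> bool:
    """Emulates a 'class-map type regex match-any': any regex hit counts."""
    return any(re.search(p, text) for p in patterns)


def policy_drops(req: Request, field: str, negate: bool, patterns) -> bool:
    """Emulates one 'match [not] request <field> regex class <list>' line
    followed by drop-connection.  field is 'uri' or 'host'.  Returns True
    when the connection would be dropped (assumption: the ASA inspects
    exactly these two fields)."""
    text = req.uri if field == "uri" else req.host
    hit = matches_any(patterns, text)
    return (not hit) if negate else hit


def evaluate(raw_requests=SAMPLE_REQUESTS, patterns=DOMAIN_LIST):
    """Returns, per request, the drop verdict of the three policy variants."""
    rows = []
    for raw in raw_requests:
        req = parse_request(raw)
        rows.append({
            "host": req.host,
            "uri": req.uri,
            "drop_uri_match": policy_drops(req, "uri", False, patterns),
            "drop_host_match": policy_drops(req, "host", False, patterns),
            "drop_host_match_not": policy_drops(req, "host", True, patterns),
        })
    return rows


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

Only the Host-header variant drops the two direct requests for the listed sites; the URI variant fires only on the proxy-style request, and the `match not` variant drops the request for example.org while letting the listed sites through, which is the "blocks all sites" symptom from the first post.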
11-19-2013 05:39 PM
Can you try this.
regex url1 "[eE][bB][aA][yY]"
regex url2 "[gG][oO][oO][gG][lL][eE]"
!
class-map type inspect dns match-any web_url_policy
match domain-name regex url1
match domain-name regex url2
!
policy-map type inspect dns web_policy
class web_url_policy
drop
!
policy-map global_policy
class inspection_default
inspect dns web_policy
!
service-policy global_policy global
Please rate replies and mark question as "answered" if applicable.
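Added example, again in Python rather than ASA configuration and not part of the thread: the DNS approach above keys on the question name of the client's query, so the thing to check is what the class-map mode does with two regexes. With `match-all` every `match` line has to hit the same name, so a name would have to contain both `ebay` and `google` and the class never fires; `match-any` fires on either. The script builds three DNS queries in wire format (constructed inline), extracts the QNAME the way an inspector would, and evaluates the thread's two patterns (written as `[eE]...`, since a `|` inside brackets is a literal pipe, not alternation) in both modes.

```python
import re
import struct

# The thread's two patterns, with the bracket classes written without the stray '|'.
URL1 = "[eE][bB][aA][yY]"
URL2 = "[gG][oO][oO][gG][lL][eE]"

# Constructed query names; DNS names are case-insensitive, hence the mixed case.
SAMPLE_NAMES = ["www.ebay.com", "WWW.GOOGLE.COM", "mail.example.net"]


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Builds a standard A query in DNS wire format (header + one question)."""
    labels = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii") for label in name.split(".")
    )
    # ID, flags (RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


def qname_from_query(pkt: bytes) -> str:
    """Extracts the first question name; question names are never compressed."""
    pos = 12  # skip the fixed 12-byte header
    labels = []
    while True:
        length = pkt[pos]
        pos += 1
        if length == 0:
            break
        labels.append(pkt[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def class_map_matches(qname: str, patterns, mode: str) -> bool:
    """Emulates 'class-map type inspect dns match-all|match-any' with one
    'match domain-name regex' line per pattern."""
    hits = [re.search(p, qname) is not None for p in patterns]
    return all(hits) if mode == "match-all" else any(hits)


def evaluate_queries(names=SAMPLE_NAMES, patterns=(URL1, URL2)):
    """Returns, per QNAME, whether the class fires in each mode."""
    results = {}
    for name in names:
        qname = qname_from_query(build_query(name))
        results[qname] = {
            "match-all": class_map_matches(qname, patterns, "match-all"),
            "match-any": class_map_matches(qname, patterns, "match-any"),
        }
    return results


if __name__ == "__main__":
    for qname, verdict in evaluate_queries().items():
        print(qname, verdict)
```

Two caveats a practitioner would add: DNS-level blocking only affects clients whose queries traverse the ASA, so a cached answer, a hosts-file entry, or a resolver reached over another path is not blocked; and because the patterns are unanchored, any name containing the string (for example `ebayexample.net`) is also dropped.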
11-20-2013 08:48 AM
Thanks for the reply rr, I'll try this if the other ones don't work.
11-19-2013 11:35 PM
Edit the regex entries.
regex ebay "\.ebay\.com"
regex myspace "\.myspace\.com"
If that doesn't match, then try using .* in front of the domain.
regex ebay ".*ebay\.com"
regex myspace ".*myspace\.com"
Configuration looks correct, we just need to find the correct match parameter.
--
Please rate all helpful posts.
11-20-2013 09:13 AM
I have another question on another command I seem to have trouble with. This is my first time hands-on with an ASA, btw, so I'm just getting into the meat and potatoes of the ASA, just about a month in now.
I read that you can group together UDP and TCP, so I did that by grouping smtp, http, https, and domain for a set of host objects, but email won't go through. I think http worked, though, but somehow smtp won't unless I separate it onto its own line. Any ideas?
11-20-2013 10:11 AM
Could you post the group objects in question as well as the access list you are using them in? The following is an example of how you would configure it.
object-group service SERVICES tcp
port-object eq http
port-object eq https
port-object eq smtp
access-list MYACL extended permit tcp host 10.10.10.1 any object-group SERVICES
--
Please rate all helpful posts
11-20-2013 10:37 AM
Marius, thanks for the reply. I'm using the command service-object instead of port-object; I got it from a sample in my ASA 2nd ed. book. I'll try port-object and see what happens. It'll save me some time having to type separate lines of commands for each host.
object-group service server-services
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq smtp
access-list ACL_OUT_IN extended permit object-group server-services host 208.x.x.12 any