regex and grouping questions

Carlomd
Level 1

Hi all, I have a 5510 in routed mode. When I add a regex to block 2 sites, it somehow blocks all sites; when I remove it, it's back to normal. Here's the regex code along with my other NAT setting that gives inside users outside access. Thanks in advance.

(regex entry to block sites)

regex domain1 "\.yahoo\.com"
regex domain2 "\.google\.com"
!
class-map type regex match-any domain-list
 match regex domain1
 match regex domain2
!
class-map web
 match port tcp eq www
!
policy-map type inspect http URL
 parameters
 match not request header host regex class domain-list
  drop-connection
!
policy-map global_policy
 class web
  inspect http URL

(nat outside access)

object network obj-LAN
 subnet 0.0.0.0 0.0.0.0
object network obj-LAN
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 12.54.x.x 1
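The behaviour the opening post describes follows from how the `match` line in an http inspect policy-map is evaluated: the class-map is `match-any` over the two regexes, and `match not` negates that result, so `drop-connection` fires for every Host header that is not in the list. The script below is an added illustration, not Cisco's code or anything posted in this thread; it approximates ASA regex matching with Python's unanchored `re.search`, reuses the two regex strings from the post, and uses constructed sample Host headers.

```python
import re

# Constructed from the two regex lines in the post above. ASA regex syntax
# writes a literal dot as "\." just as Python does, so re.search (unanchored)
# is a close enough approximation of the ASA's regex match for this purpose.
DOMAIN_LIST = {
    "domain1": r"\.yahoo\.com",
    "domain2": r"\.google\.com",
}


def class_map_match_any(host_header: str, regexes: dict = DOMAIN_LIST) -> bool:
    """Model of 'class-map type regex match-any domain-list': true if ANY
    regex in the class matches the HTTP Host header value."""
    return any(re.search(pattern, host_header) for pattern in regexes.values())


def http_inspect_verdict(host_header: str, negate: bool) -> str:
    """One 'match ... / drop-connection' pair of 'policy-map type inspect http'.

    negate=True  models: match not request header host regex class domain-list
    negate=False models: match     request header host regex class domain-list
    The action (drop-connection) fires when the match line evaluates true.
    """
    hit = class_map_match_any(host_header)
    if negate:
        hit = not hit
    return "drop-connection" if hit else "permit"


# Constructed sample Host headers: two listed domains, two unrelated sites.
SAMPLE_HOSTS = ("www.yahoo.com", "mail.google.com", "www.cisco.com", "example.org")


def policy_table(negate: bool) -> dict:
    """Verdict per sample Host header for the given form of the match line."""
    return {host: http_inspect_verdict(host, negate) for host in SAMPLE_HOSTS}


if __name__ == "__main__":
    for negate in (True, False):
        keyword = "match not" if negate else "match"
        print(f"--- {keyword} request header host regex class domain-list ---")
        for host, verdict in policy_table(negate).items():
            print(f"{host:20s} {verdict}")
```

Running it shows that with `match not` only the two listed domains are permitted and everything else is dropped, while the plain `match` form drops just the listed domains and permits the rest.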


Your configuration is setting www, https and smtp as the protocol...not the ports.  Change it to the following

access-list ACL_OUT_IN extended permit tcp host 208.x.x.12 any object-group server-services

Also remember that most PCs will send traffic using a random high port as the source port, so you almost always want to match the ports to the destination.

Is 208.x.x.12 the actual IP of the server or the NATed IP?  Also keep in mind that if you want your users to be able to access https, www and smtp from the internet, these ports need to be opened on the outside interface.

--
Please remember to select a correct answer and rate helpful posts

The server is nat'ed to an outside IP; I have it set that way already for the access-list syntax, and it didn't work. The test email didn't go through. It seems to only like single-line entries for each host and service.

Ok, please explain what you are trying to do more.  Is the 208.x.x.12 server inside your network, or is it a server on the internet that you want to open for traffic coming in?

Have you tried the configuration that I posted earlier?

object-group service SERVICES tcp
 port-object eq http
 port-object eq https
 port-object eq smtp
access-list MYACL extended permit tcp host 10.10.10.1 any object-group SERVICES

--

Please rate all helpful posts

--
Please remember to select a correct answer and rate helpful posts

Yes, 208.x.x.12 is inside; it's an Exchange server that also has IIS running for OWA, so I need to have smtp, http, and https access incoming. I also have a terminal server, and others, but that will have to wait.

I'm just trying to get the basics running like web and email and blocking sites. It worked by using the command below but seems to have issues with grouping; the TAC engineer I was talking to said to use single entries, but he wouldn't say why grouping won't work.


access-list ACL_OUT_IN line 1 permit tcp any host 208.x.x.12 eq www

I am not sure why the TAC engineer said to use single entries.  The only restriction is that you cannot use the same static NATed port going from a single external IP to multiple internal IPs.  You should be able to use an object group to define the ports and assign it to a single ACL statement.  I have done this several times.

Also from the post above, it looks like you are using ASA 9.1.  In this case your ACL configuration is a little wrong.  Prior to 8.3 you would use the public (NATed) IP when configuring an ACL on the outside interface.  As of 8.3 and higher you will need to use the real IP (private IP) when configuring ACLs.  This is due to the order in which actions are taken on the packet entering the ASA: on 8.3 and higher, NAT happens before the ACL check when traffic enters the ASA.

Please add the following to your configuration. Just remember to add your server's actual IP and, if it is not already in the configuration, assign the ACL to the external interface where the traffic will ingress (often this is called the outside interface):

object-group service SERVICES tcp
 port-object eq http
 port-object eq https
 port-object eq smtp
access-list MYACL extended permit tcp any host object-group SERVICES
access-group MYACL in interface outside

--

Please rate all helpful posts

--
Please remember to select a correct answer and rate helpful posts
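Three points made in the replies above can be checked with a small model: ports are matched on the destination side because clients use a random high source port; an object-group service produces the same result as one ACL line per port; and on ASA 8.3 and later the inbound ACL on the outside interface sees the real (untranslated) IP because NAT untranslation runs before the ACL check. The script below is an added example, not Cisco's code or anything posted in this thread. The addresses 10.10.10.12, 192.0.2.12 and 203.0.113.7 are constructed from documentation ranges, and the Packet/Ace classes are a deliberate simplification of the ASA's real processing path.

```python
from dataclasses import dataclass

# Constructed addresses from documentation ranges; the thread's own IPs are masked.
REAL_SERVER = "10.10.10.12"    # private IP of the mail/OWA server (constructed)
PUBLIC_SERVER = "192.0.2.12"   # its static NAT address on the outside (constructed)
STATIC_NAT = {PUBLIC_SERVER: REAL_SERVER}   # outside -> inside untranslation table

# 'object-group service SERVICES tcp' with http, https and smtp port-objects.
SERVICES = {"http": 80, "https": 443, "smtp": 25}


@dataclass(frozen=True)
class Ace:
    """One access-list entry. 'ports' is an expanded service object-group.
    port_on_src=True models the mistake of matching the port on the source side."""
    action: str
    proto: str
    src: str              # "any" or a host address
    dst: str              # "any" or a host address
    ports: frozenset
    port_on_src: bool = False


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    port = pkt.sport if ace.port_on_src else pkt.dport
    return (ace.proto == pkt.proto
            and ace.src in ("any", pkt.src)
            and ace.dst in ("any", pkt.dst)
            and port in ace.ports)


def acl_verdict(acl: list, pkt: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def outside_in_verdict(acl: list, pkt: Packet, asa_8_3_or_later: bool) -> str:
    """Inbound ACL on the outside interface.
    Pre-8.3 the ACL is checked against the public (NATed) destination;
    8.3 and later, NAT untranslation runs first, so the ACL sees the real IP."""
    if asa_8_3_or_later:
        pkt = Packet(pkt.proto, pkt.src, STATIC_NAT.get(pkt.dst, pkt.dst),
                     pkt.sport, pkt.dport)
    return acl_verdict(acl, pkt)


PORTS = frozenset(SERVICES.values())
# permit tcp any host <public IP> object-group SERVICES   (pre-8.3 style)
ACL_PUBLIC_IP = [Ace("permit", "tcp", "any", PUBLIC_SERVER, PORTS)]
# permit tcp any host <real IP> object-group SERVICES     (8.3+ style)
ACL_REAL_IP = [Ace("permit", "tcp", "any", REAL_SERVER, PORTS)]
# Same entry, but with the port matched on the source side (the wrong side)
ACL_PORT_ON_SRC = [Ace("permit", "tcp", "any", REAL_SERVER, PORTS, port_on_src=True)]
# The "one line per port" form the TAC engineer suggested, expanded by hand
ACL_SINGLE_LINES = [Ace("permit", "tcp", "any", REAL_SERVER, frozenset({p}))
                    for p in SERVICES.values()]

# Constructed inbound SMTP connection: random high source port, destination 25.
INBOUND_SMTP = Packet("tcp", "203.0.113.7", PUBLIC_SERVER, 51234, 25)


def demo() -> dict:
    """Verdict for the inbound SMTP connection under each ACL/version combination."""
    return {
        "public-ip ACL, pre-8.3": outside_in_verdict(ACL_PUBLIC_IP, INBOUND_SMTP, False),
        "public-ip ACL, 8.3+": outside_in_verdict(ACL_PUBLIC_IP, INBOUND_SMTP, True),
        "real-ip ACL, 8.3+": outside_in_verdict(ACL_REAL_IP, INBOUND_SMTP, True),
        "real-ip ACL, port on source, 8.3+": outside_in_verdict(ACL_PORT_ON_SRC, INBOUND_SMTP, True),
    }


def grouped_matches_single_lines(dports=(25, 80, 443, 3389)) -> bool:
    """True if the object-group ACL and the per-port ACL agree on every port."""
    for dport in dports:
        pkt = Packet("tcp", "203.0.113.7", PUBLIC_SERVER, 51234, dport)
        if (outside_in_verdict(ACL_REAL_IP, pkt, True)
                != outside_in_verdict(ACL_SINGLE_LINES, pkt, True)):
            return False
    return True


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:38s} {verdict}")
    print("object-group == single lines:", grouped_matches_single_lines())
```

The model makes the failure mode concrete: the public-IP ACL that permitted SMTP before 8.3 silently becomes a deny on 8.3 and later, because by the time the ACL runs the destination has already been untranslated to the real address.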

Marius, I do have the internal IP used in that access-list, but I caught my mistake of not putting any for the source; I had it switched, as below:

access-list ACL_OUT extended permit tcp host 208.x.x.12(this is an internal ip) any object-group SERVER-PORTS = wrong syntax

access-list ACL_OUT extended permit tcp any host 208.x.x.12 object-group SERVER-PORTS = correct syntax

Message was edited by: CARLO DOMINGUEZ

You know what, I think I just need reading glasses. I missed the dot before ebay; I only had a dot on .com. Let me try again, this time with "\.ebay\.com\"

Ok, Let us know how it goes with both the ACL and the URL filter

--

Please rate all helpful posts

--
Please remember to select a correct answer and rate helpful posts

Hi guys, looks like I'm getting clear now on the access lists and groups, but I have a question on pinging. We're able to ping outside IPs or sites with our current firewall, but even after I enabled inspect icmp on the ASA, I can only ping from the ASA within SSH, not from any PC inside.

Do you have an ACL configured on the inside interface? If yes, have you allowed icmp in this ACL?

--

Please rate all helpful posts

--
Please remember to select a correct answer and rate helpful posts

Marius,

I see, I thought the inspect icmp command under global policy does that. Ok, I'll set it to groups that need it. Another question that I can't seem to figure out: we're running OWA on our Exchange server, and inside and outside clients still can't get to it.

I have https and http set on the nat'ed email servers. On the Juniper there is a setting for IIS that you can select to add on the policy, besides http and https; I don't see a setting for those in the ASA. Thanks again.

The thing is that if there is an ACL configured on the interface it is still checked even if there is an inspect configured.  If you do not have any ACL configured on the interface then the inspect policy will be the thing that permits or denies traffic from an interface that has a higher security level to a lower security level.

As for the email servers, could you post your NAT statements for the email server as well as the ACL for the inside and outside interfaces?  To get OWA working you need to NAT both https and smtp.  Also make sure that https and smtp are allowed in the access list from inside to outside, as well as from outside to inside.

--

Please rate all helpful posts

--
Please remember to select a correct answer and rate helpful posts

Ok, gotcha. I don't have an outgoing access-list for smtp and http; I'll have to add those. I'll get back to this on Mon, thanks Marius.

carlo

Marius,

Here's my current config for access-list and object-groups. I tested it just now and it seems like I have some issues to iron out. So far the only things that worked are incoming access to the OWA site, websites, and email, but somehow port 3389 for remote desktop didn't; my remote office said they got disconnected, I told them to try again, but it won't reconnect. Also from inside to my OWA server didn't work either. Any ideas? Thanks in advance.

crxasa# sh run access-li
access-list ACL_OUT extended permit tcp any host 208.x.x.85 object-group WEBSERVER
access-list ACL_OUT extended permit tcp any host 208.x.x.94 eq 3389
access-list ACL_OUT extended permit tcp any object-group MAILSERVERS object-group TCP
access-list ACL_OUT extended permit udp any object-group MAILSERVERS object-group UDP
access-list ACL_IN extended permit tcp object-group MAILSERVERS object-group TCP any
access-list ACL_IN extended permit udp object-group MAILSERVERS object-group UDP any
crxasa# sh run access-gro
access-group ACL_OUT in interface outside
access-group ACL_IN out interface inside
crxasa# sh run obj
object network obj-LAN
subnet 0.0.0.0 0.0.0.0
object network cirexxintldc
host 208.x.x.12
object network sharks
host 208.x.x.5
object network cirexxintl
host 208.x.x.85
object network crxmail
host 208.x.x.3
object network svr-sales
host 208.x.x.94

crxasa# sh run object-gr
object-group service TCP tcp
description domain,http,smtp services
port-object eq www
port-object eq https
port-object eq domain
port-object eq smtp
object-group service WEBSERVER tcp
description ftp,http,https services
port-object eq www
port-object eq https
port-object eq ftp
object-group network MAILSERVERS
network-object host 208.x.x.12
network-object host 208.x.x.3
object-group network DNS-SERVERS
network-object host 208.x.x.12
network-object host 208.x.x.5
object-group service UDP udp
port-object eq domain
port-object eq www

Here you go, I created a separate tcp and udp object group and added those to my email servers, a group called mailservers. On the icmp thing, I didn't have an ACL for any inside clients, only servers, so shouldn't the global rule for inspect icmp work then?

crxasa# sh run nat
!
object network obj-LAN
 nat (inside,outside) dynamic interface
object network cirexxintldc
 nat (inside,outside) static 12.x.x.35
object network sharks
 nat (inside,outside) static 12.x.x.37
object network cirexxintl
 nat (inside,outside) static 12.x.x.36
object network crxmail
 nat (inside,outside) static 12.x.x.43
object network svr-sales
 nat (inside,outside) static 12.x.x.49
crxasa# sh run access-li
access-list ACL_OUT extended permit tcp any host 208.x.x.85 object-group WEBSERVER
access-list ACL_OUT extended permit tcp any host 208.x.x.94 eq 3389
access-list ACL_OUT extended permit tcp any object-group MAILSERVERS object-group TCP
access-list ACL_OUT extended permit udp any object-group MAILSERVERS object-group UDP
access-list ACL_IN extended permit udp object-group DNS-SERVERS any eq domain
access-list ACL_IN extended permit tcp object-group DNS-SERVERS any eq domain
crxasa# sh run access-gr
access-group ACL_OUT in interface outside
access-group ACL_IN out interface inside
