Cisco Support Community
New Member

regex and grouping questions

Hi all, I have a 5510 in route mode. When I add a regex to block 2 sites, it somehow blocks all sites; when I remove it, it's back to normal. Here's the regex code along with my other NAT setting that gives inside users outside access. Thanks in advance.

(regex entry to block sites)

regex domain1 "\.yahoo\.com"
regex domain2 "\.google\.com"
!
class-map type regex match-any domain-list
match regex domain1
match regex domain2
!
class-map web
match port tcp eq www
!
policy-map type inspect http URL
parameters
match not request header host regex class domain-list
drop-connection
!
policy-map global_policy
class web
inspect http URL

(nat outside access)

object network obj-LAN
subnet 0.0.0.0 0.0.0.0
object network obj-LAN
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 12.54.x.x 1

Accepted Solutions
VIP Green

Re: regex blocking all sites

Split DNS is for VPN users, where you define specific URLs that are to be resolved over the VPN connection.

So you say you have an A record for the OWA URL? For example, you have an entry for mail.company.com pointing to 208.x.x.3 or 208.x.x.12?

The issue you are facing is that your inside hosts are trying to connect to the OWA using the public address. So traffic is routed to the outside interface and then does a U-turn and comes back in. The ASA views this as spoofed / not allowed and drops the connection.

You will need to set up hairpinning and NAT from inside to inside.

object network MAIL-SERVER-EXTERNAL
host
object network MAIL-SERVER-INTERNAL
host
object network LAN
subnet 208.x.x.0 255.255.255.0
same-security-traffic permit intra-interface
nat (inside,inside) source static LAN LAN destination static MAIL-SERVER-EXTERNAL MAIL-SERVER-INTERNAL

--
Please remember to rate and select a correct answer

--

Please remember to rate and select a correct answer
VIP Green

regex and grouping questions

That warning comes due to the dynamic NAT statement you already have. If you are connected remotely, then I would suggest not applying this config at this time. It would be best to do this when onsite and have physical access to the ASA in case you lose connectivity. Once you apply it, if traffic flow to the internet and to all other resources is as expected, then you can keep the configuration. If not, then remove it, of course.

VIP Green

regex and grouping questions

Keep in mind that the configuration in that article is for ASA 8.2 and earlier. The same configuration will not work on your ASA running version 9.1.

VIP Green

regex and grouping questions

It is quite deceiving; it should say 8.3 and onwards if it is referring to the new way of configuring NAT. The configuration you posted is pre-8.3.

https://supportforums.cisco.com/docs/DOC-9129

47 REPLIES
VIP Green

regex blocking all sites

Try using the match not keywords under the class map and then call that class map in the policy map.

regex domain1 "\.yahoo\.com"
regex domain2 "\.google\.com"
class-map type regex match-any domain-list
match regex domain1
match regex domain2
class-map type inspect http match-all ALLOWED_URL_CLASS_MAP
match not request uri regex class domain-list
policy-map type inspect http URL
class ALLOWED_URL_CLASS_MAP
drop

New Member

regex blocking all sites

Thanks for the reply Marius, I'll give this a try.

New Member

Re: regex blocking all sites

Hi Marius, it still allows access to ebay.com and myspace.com. I had typos at first, but I carefully followed your instructions and the commands worked, but it was still allowing access to the 2 sites I wanted to block.

Here are the current policy entries:

ASA Version 9.1(2)8

regex ebay "\ebay\.com"
regex myspace "\myspace\.com"

object network obj-LAN
subnet 0.0.0.0 0.0.0.0

class-map type regex match-any domain-list
match regex ebay
match regex myspace
class-map type inspect http match-all ALLOWED_URL_CLASS_MAP
match not request uri regex class domain-list
class-map inspection_default
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect http URL
parameters
class ALLOWED_URL_CLASS_MAP
  drop-connection
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global

Message was edited by: CARLO DOMINGUEZ

VIP Green

Re: regex blocking all sites

You need to not use the match not in this case. The match not means that it will allow access to ebay and myspace but will drop all others.

Sorry, I was a bit fast in my copy-paste and did not change the policy map.

regex ebay "\ebay\.com"
regex myspace "\myspace\.com"
class-map type regex match-any domain-list
match regex ebay
match regex myspace
class-map type inspect http match-all ALLOWED_URL_CLASS_MAP
match request uri regex class domain-list
policy-map global_policy
class ALLOWED_URL_CLASS_MAP
drop-connection

By placing the class map under the global policy, this will be applied to all interfaces.

New Member

Re: regex blocking all sites

Hi Marius, I see, so the match not command means to only allow what's on the domain-list, and vice versa. And it looks like it needs to also be put in the global policy group for it to take effect on all interfaces. I wasn't putting it in the global policy; that's probably why I was having some issues when I first tried it. Thanks, I'll give it another try at the end of the day.

New Member

Re: regex blocking all sites

Hi Marius, I get this error when I add the class under the global policy, any ideas, thanks.

crxasa(config)# policy-map global_policy

crxasa(config-pmap)# class ALLOWED_URL_CLASS_MAP

ERROR: Specified class type is different from the policy-map type.

VIP Green

Re: regex blocking all sites

I forgot to add another policy map in the mix. The below configuration should work.

regex ebay "\ebay\.com"
regex myspace "\myspace\.com"
class-map type regex match-any domain-list
match regex ebay
match regex myspace
class-map type inspect http match-all ALLOWED_URL_CLASS_MAP
match request uri regex class domain-list
policy-map type inspect http HTTP_BLOCK_POLICY
parameters
class ALLOWED_URL_CLASS_MAP
  drop-connection
policy-map global_policy
class inspection_default
  inspect http HTTP_BLOCK_POLICY

New Member

Re: regex blocking all sites

Hi Marius, thanks for the reply, but somehow it won't work; it still allows ebay and myspace. Here's my config of the policies.

regex ebay "\ebay\.com"
regex myspace "\myspace\.com"
!
class-map type regex match-any domain-list
match regex ebay
match regex myspace
class-map type inspect http match-all ALLOWED_URL_CLASS_MAP
match request uri regex class domain-list
class-map inspection_default
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect http HTTP_BLOCK_POLICY
parameters
class ALLOWED_URL_CLASS_MAP
  drop-connection
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect http HTTP_BLOCK_POLICY
!
service-policy global_policy global

Re: regex blocking all sites

Can you try this?

regex url1 "[e|E][b|B][a|A][y|Y]"
regex url2 "[g|G][o|O][o|O][g|G][l|L][e|E]"
!
class-map type inspect dns match-any web_url_policy
match domain-name regex url1
match domain-name regex url2
!
policy-map type inspect dns web_policy
class web_url_policy
  drop
!
policy-map global_policy
class inspection_default
  inspect dns web_policy
!
service-policy global_policy global

Please rate replies and mark question as "answered" if applicable.

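As an added illustration (not configuration from the thread, nor Cisco code), the Python model below reproduces the two class-map semantics discussed in this thread: Marius's point that `match not` drops everything except the listed domains, and why a `match-all` DNS class with two different domain regexes can never match, which is why such a class map needs `match-any`. The sample hostnames and all function names are constructed; Python's `re` is only a stand-in for the ASA regex engine (it rejects the `\e` escape outright, whereas the thread reports the ASA accepted that line but never matched).

```python
import re

# Constructed sample of hostnames seen in Host headers / DNS queries (not from the thread).
SAMPLE_HOSTS = ["www.ebay.com", "profile.myspace.com", "www.google.com", "mail.example.com"]


def compiles(pattern):
    """Return True if Python's re accepts the pattern.

    "\\ebay\\.com" (the thread's original, missing the dot) is rejected by Python;
    the corrected "\\.ebay\\.com" compiles and matches any subdomain of ebay.com.
    """
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def class_matches(host, patterns, match_any=True):
    """Model a regex class-map: match-any needs one regex to hit, match-all needs all of them."""
    hits = [re.search(p, host) is not None for p in patterns]
    return any(hits) if match_any else all(hits)


def policy_drops(host, patterns, negate=False, match_any=True):
    """Model the inspect class action:
    'match regex class X'     -> drop the hosts that hit the class;
    'match not regex class X' -> drop every host that does NOT hit the class."""
    hit = class_matches(host, patterns, match_any)
    return (not hit) if negate else hit


def dropped_hosts(patterns, negate=False, match_any=True, hosts=SAMPLE_HOSTS):
    """Hostnames the modelled policy would drop from the sample set."""
    return [h for h in hosts if policy_drops(h, patterns, negate, match_any)]


if __name__ == "__main__":
    block = [r"\.ebay\.com", r"\.myspace\.com"]
    print("match      ->", dropped_hosts(block))               # only the two blocked sites
    print("match not  ->", dropped_hosts(block, negate=True))  # everything else: 'blocks all sites'
    dns = [r"[e|E][b|B][a|A][y|Y]", r"[g|G][o|O][o|O][g|G][l|L][e|E]"]
    print("match-all  ->", dropped_hosts(dns, match_any=False))  # nothing: no host is both
    print("match-any  ->", dropped_hosts(dns, match_any=True))
```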
New Member

Re: regex blocking all sites

Thanks for the reply rr, I'll try this if the other ones don't work.

VIP Green

Re: regex blocking all sites

Edit the regex entries.

regex ebay "*\.ebay\.com"
regex myspace "\.myspace\.com"

If that doesn't match, then try using the * in front of the domain.

regex ebay "*ebay\.com"
regex myspace "*myspace\.com"

Configuration looks correct; we just need to find the correct match parameter.

New Member

Re: regex blocking all sites

I have another question on another command I seem to have trouble with. This is my first time hands-on with an ASA, btw, so I'm just getting into the meat and potatoes of the ASA, just about over a month now.

I read that you can group together UDP and TCP, so I did that, grouping smtp, http, https and domain to a set of host objects, but email won't go through. I think http worked, though, but somehow smtp won't unless I separate it on one line. Any ideas?

VIP Green

Re: regex blocking all sites

Could you post the group objects in question as well as the access list you are using them in. The following is an example of how you would configure it.

object-group service SERVICES tcp
port-object eq http
port-object eq https
port-object eq smtp
access-list MYACL extended permit tcp host 10.10.10.1 any object-group SERVICES

New Member

Re: regex blocking all sites

Marius, thanks for the reply. I'm using the command service-object instead of port-object; I got it from a sample in my ASA 2nd ed. book. I'll try port-object and see what happens; it'll save me some time having to type separate lines of commands for each host.

object-group service server-services
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq smtp
access-list ACL_OUT_IN extended permit object-group server-services host 208.x.x.12 any

VIP Green

Re: regex blocking all sites

Your configuration is setting www, https and smtp as the protocol, not the ports. Change it to the following:

access-list ACL_OUT_IN extended permit tcp host 208.x.x.12 any object-group server-services

Also remember that most PCs will send traffic using a random high port as the source port, so you almost always want to match the ports on the destination.

Is 208.x.x.12 the actual IP of the server or the NATed IP? Also keep in mind that if you want your users to be able to access https, www and smtp from the internet, these ports need to be opened on the outside interface.

New Member

Re: regex blocking all sites

The server is NATed to an outside IP. I have it set that way already for the access-list syntax; it didn't work. Test email didn't go through. It seems to only like single-line entries for each host and service.

VIP Green

Re: regex blocking all sites

Ok, please explain more what you are trying to do. Is the 208.x.x.12 server inside your network, or is it a server on the internet that you want to open for traffic coming in?

Have you tried the configuration that I posted earlier?

object-group service SERVICES tcp
port-object eq http
port-object eq https
port-object eq smtp
access-list MYACL extended permit tcp host 10.10.10.1 any object-group SERVICES

New Member

regex and grouping questions

Yes, 208.x.x.12 is inside; it's an Exchange server that also has IIS running for OWA, so I need to have smtp, http, and https access incoming. I also have a terminal server and others, but that will have to wait.

I'm just trying to get the basics running, like web and email and blocking sites. It worked by using the command below but seems to have issues with grouping; the TAC engineer I was talking to said to use single entries, but he wouldn't say why grouping won't work.

access-list ACL_OUT_IN line 1 permit tcp any host 208.x.x.12 eq www
VIP Green

Re: regex blocking all sites

I am not sure why the TAC engineer said to use single entries. The only restriction is that you cannot use the same static NATed port going from a single external IP to multiple internal IPs. You should be able to use an object group to define the ports and assign it to a single ACL statement. I have done this several times.

Also, from the post above, it looks like you are using ASA 9.1. In this case your ACL configuration is a little wrong. Prior to 8.3 you would use the public (NATed) IP when configuring an ACL on the outside interface. As of 8.3 and higher you will need to use the real IP (private IP) when configuring ACLs. This is due to the order in which actions are taken on the packet entering the ASA. In 8.3 and higher, NAT happens before the ACL check when traffic enters the ASA.

Please add the following to your configuration; just remember to add your server's actual IP, and, if it is not already in the configuration, assign the ACL to the external interface where the traffic will ingress (often this is called the outside interface):

object-group service SERVICES tcp
port-object eq http
port-object eq https
port-object eq smtp
access-list MYACL extended permit tcp any host object-group SERVICES
access-group MYACL in interface outside

New Member

Re: regex blocking all sites

Marius, I do have the internal IP used in that access-list, but I caught my mistake of not putting any for the source; I had it switched, see below.

access-list ACL_OUT extended permit tcp host 208.x.x.12(this is an internal ip) any object-group SERVER-PORTS = wrong syntax

access-list ACL_OUT extended permit tcp any host 208.x.x.12 object-group SERVER-PORTS = correct syntax

Message was edited by: CARLO DOMINGUEZ
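As an added model (not from the thread and not how the ASA itself is implemented), this Python snippet walks through the order of operations Marius describes for 8.3 and later, NAT untranslation before the ACL check on the outside interface, and also shows why the reversed source/destination entry above never matches inbound traffic. The addresses, the remote client and all function names are constructed placeholders standing in for the thread's masked 208.x.x.12 / 12.x.x.35.

```python
# Constructed addressing (RFC 5737 documentation ranges), not the thread's real addresses.
REAL_SERVER = "192.0.2.12"       # stands in for the Exchange server's real inside IP
MAPPED_SERVER = "203.0.113.35"   # stands in for its static-NAT public IP
UNTRANSLATE = {MAPPED_SERVER: REAL_SERVER}   # static NAT table, mapped -> real
SERVICES = {80, 443, 25}         # object-group SERVICES: http, https, smtp
ANY = "any"


def ace_matches(ace, src_ip, dst_ip, dport):
    """One 'permit tcp <src> <dst> object-group <ports>' entry; 'any' matches every address."""
    ace_src, ace_dst, ports = ace
    return ace_src in (ANY, src_ip) and ace_dst in (ANY, dst_ip) and dport in ports


def acl_permits(acl, src_ip, dst_ip, dport):
    """Extended ACL: first matching permit wins, implicit deny at the end."""
    return any(ace_matches(ace, src_ip, dst_ip, dport) for ace in acl)


def inbound_permitted(acl, src_ip, dst_ip, dport, version_8_3_or_later):
    """Outside-interface order of operations as described in the thread.

    8.3 and later: the destination is untranslated to the real IP, then the ACL is checked.
    Before 8.3:    the ACL is checked against the packet as received (mapped IP), then NAT.
    """
    checked_dst = UNTRANSLATE.get(dst_ip, dst_ip) if version_8_3_or_later else dst_ip
    return acl_permits(acl, src_ip, checked_dst, dport)


# Three ways the inbound entry could be written (modelled on the thread's examples):
ACL_REAL_IP = [(ANY, REAL_SERVER, SERVICES)]      # permit tcp any host <real> object-group SERVICES
ACL_MAPPED_IP = [(ANY, MAPPED_SERVER, SERVICES)]  # permit tcp any host <mapped> ... (pre-8.3 style)
ACL_SWAPPED = [(REAL_SERVER, ANY, SERVICES)]      # permit tcp host <real> any ... (src/dst reversed)

INTERNET_CLIENT = "198.51.100.7"   # constructed remote SMTP sender


def smtp_matrix():
    """Return {(acl_name, version_8_3_or_later): permitted} for inbound SMTP to the public IP."""
    acls = {"real": ACL_REAL_IP, "mapped": ACL_MAPPED_IP, "swapped": ACL_SWAPPED}
    return {(name, ver): inbound_permitted(acl, INTERNET_CLIENT, MAPPED_SERVER, 25, ver)
            for name, acl in acls.items() for ver in (False, True)}


if __name__ == "__main__":
    for (name, ver), ok in sorted(smtp_matrix().items()):
        print(f"ACL written with {name:7s} IP, 8.3+={ver!s:5s} -> {'permit' if ok else 'deny'}")
```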

New Member

Re: regex blocking all sites

You know what, I think I just need reading glasses. I missed the dot before ebay; I only had a dot on .com. Let me try again, this time with "\.ebay\.com".

VIP Green

Re: regex blocking all sites

Ok, Let us know how it goes with both the ACL and the URL filter

New Member

Re: regex blocking all sites

Hi guys, looks like I'm getting clear now on the access lists and groups, but I have a question on pinging. We're able to ping outside IPs or sites with our current firewall, but even after I enabled inspect icmp on the ASA, I can only ping from the ASA within SSH, but not from any PC inside.

VIP Green

Re: regex blocking all sites

Do you have an ACL configured on the inside interface? If yes, have you allowed icmp in this ACL?

New Member

Re: regex blocking all sites

Marius,

I see, I thought the inspect icmp command under the global policy does that; ok, I'll set it for the groups that need it. Another question that I can't seem to figure out: we're running OWA on our Exchange server, and inside and outside clients still can't get to it.

I have https and http set on the NATed email servers, though on the Juniper it has a setting for IIS that you can select to add to the policy, besides http and https. I don't see a setting for those in the ASA. Thanks again.

VIP Green

Re: regex blocking all sites

The thing is that if there is an ACL configured on the interface it is still checked even if there is an inspect configured.  If you do not have any ACL configured on the interface then the inspect policy will be the thing that permits or denies traffic from an interface that has a higher security level to a lower security level.

As for the email servers, could you post your NAT statements for the email server as well as the ACL for the inside and outside interfaces.  To get OWA working you need to NAT both https and smtp.  Also make sure that https and smtp are allowed in the access list from inside to outside, as well as from outside to inside.

New Member

Re: regex blocking all sites

ok gotcha, I don't have an outgoing access-list for smtp and http, I'll have to add those, I'll get back to this on Mon, thanks Marius.

carlo

New Member

Re: regex blocking all sites

Marius,

Here's my current config for access-lists and object-groups. I tested it just now and it seems like I have some issues to iron out. So far the only things that worked are incoming access to the OWA site, websites, and email, but somehow port 3389 for Remote Desktop didn't: my remote office said they got disconnected; I told them to try again, but it won't re-converge or reconnect. Also, from inside to my OWA server didn't work either. Any ideas? Thanks in advance.

crxasa# sh run access-li
access-list ACL_OUT extended permit tcp any host 208.x.x.85 object-group WEBSERVER
access-list ACL_OUT extended permit tcp any host 208.x.x.94 eq 3389
access-list ACL_OUT extended permit tcp any object-group MAILSERVERS object-group TCP
access-list ACL_OUT extended permit udp any object-group MAILSERVERS object-group UDP
access-list ACL_IN extended permit tcp object-group MAILSERVERS object-group TCP any
access-list ACL_IN extended permit udp object-group MAILSERVERS object-group UDP any
crxasa# sh run access-gro
access-group ACL_OUT in interface outside
access-group ACL_IN out interface inside
crxasa# sh run obj
object network obj-LAN
subnet 0.0.0.0 0.0.0.0
object network cirexxintldc
host 208.x.x.12
object network sharks
host 208.x.x.5
object network cirexxintl
host 208.x.x.85
object network crxmail
host 208.x.x.3
object network svr-sales
host 208.x.x.94

crxasa# sh run object-gr
object-group service TCP tcp
description domain,http,smtp services
port-object eq www
port-object eq https
port-object eq domain
port-object eq smtp
object-group service WEBSERVER tcp
description ftp,http,https services
port-object eq www
port-object eq https
port-object eq ftp
object-group network MAILSERVERS
network-object host 208.x.x.12
network-object host 208.x.x.3
object-group network DNS-SERVERS
network-object host 208.x.x.12
network-object host 208.x.x.5
object-group service UDP udp
port-object eq domain
port-object eq www

New Member

Re: regex blocking all sites

Here you go. I created separate TCP and UDP object groups and added those to my email servers, in a group called MAILSERVERS. On the ICMP thing, I didn't have an ACL for any inside clients, only servers, so shouldn't the global rule for inspect icmp work then?

crxasa# sh run nat
!
object network obj-LAN
nat (inside,outside) dynamic interface
object network cirexxintldc
nat (inside,outside) static 12.x.x.35
object network sharks
nat (inside,outside) static 12.x.x.37
object network cirexxintl
nat (inside,outside) static 12.x.x.36
object network crxmail
nat (inside,outside) static 12.x.x.43
object network svr-sales
nat (inside,outside) static 12.x.x.49

crxasa# sh run access-li
access-list ACL_OUT extended permit tcp any host 208.x.x.85 object-group WEBSERVER
access-list ACL_OUT extended permit tcp any host 208.x.x.94 eq 3389
access-list ACL_OUT extended permit tcp any object-group MAILSERVERS object-group TCP
access-list ACL_OUT extended permit udp any object-group MAILSERVERS object-group UDP
access-list ACL_IN extended permit udp object-group DNS-SERVERS any eq domain
access-list ACL_IN extended permit tcp object-group DNS-SERVERS any eq domain

crxasa# sh run access-gr
access-group ACL_OUT in interface outside
access-group ACL_IN out interface inside
