Cisco Support Community
New Member

URL permit through firewall

Hi,

We have a requirement to permit some URLs, like the following, on port no. 50000:

elink-a26.bankofamerica.com

b2b.dolgn.net

12.155.249.X

gem.carrey.com

My ASA version is 8.6.

How can I permit these URLs in the ASA on port no. 50000? Please help.

Regards,

rajat

 

7 REPLIES
VIP Green

You do not specify if these URLs are your own or you want to allow access to these for your users but then block all other traffic?

Please explain in more detail what you are trying to accomplish.

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
New Member

Hi,

These URLs are not owned by us.

We want to allow access to these for our users.

Please help.

Regards,

rajat

VIP Green

So, you are already restricting access to the internet for your users?  Or is this a new ASA being set up?  In many setups local users will have full access out to the internet so this would not be an issue.

But you could use FQDN in access lists if you are restricting access already...just be sure that the ASA is configured with DNS server IPs so that it can do DNS lookups.

If the above is the case then you could do something like the following:

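! Enable DNS lookups and configure DNS servers on the ASA
! (assumes the DNS servers are reachable through the inside interface)
dns domain-lookup inside
dns server-group DefaultDNS
  name-server 192.168.1.1 192.168.1.2

object network SITE1
  fqdn b2b.dolgn.net

access-list ACL1 permit tcp any object SITE1 eq 50000

access-group ACL1 in interface inside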

Keep in mind that all ACLs have an implicit deny any any at the end of it so if you require your users to access other networks/IPs through the ASA then this must also be permitted in the ACL.

If this is not what you are looking for, please provide a detailed description of your network and exactly what you are trying to accomplish.  The more details the better.

New Member

Hi,

Actually, below are the URLs that we are allowing on the outside interface.

We are putting in the ISP DNS that has to resolve the URLs below, and we have to apply the access-list on the outside interface. Please, if possible, provide a solution according to the requirement.

elink-a26.bankofamerica.com

b2b.dolgn.net

12.155.249.X

gem.carrey.com

VIP Green

I have provided a solution for an access-list on the outside interface using the URL in my previous post.  I have limited the configuration to only one FQDN to keep the post short.  You could group them all together in an object-group, but then you would need to create a separate object for each FQDN and then call that object into the object-group:

object network SITE1
  fqdn b2b.dolgn.net

object-group network GROUP
  network-object object SITE1
  network-object host 12.155.249.X

access-list ACL1 permit tcp object-group GROUP any eq 50000

access-group ACL1 in interface outside

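The single-FQDN configurations in the replies above, extended to all four destinations from the question for the users-to-sites direction (ACL inbound on the inside interface, group as destination). This is an added example, not part of the original posts; the names SITE1 to SITE3, DEST-50000 and INSIDE-IN, the interface name inside and the DNS server addresses are assumptions, and 12.155.249.X is left elided as in the thread.

```cisco
! Added example; object/ACL names, interface and DNS addresses are assumptions.
! FQDN objects are resolved by the ASA itself, so DNS lookups must work first.
dns domain-lookup inside
dns server-group DefaultDNS
  name-server 192.168.1.1 192.168.1.2

! One network object per FQDN.
object network SITE1
  fqdn elink-a26.bankofamerica.com
object network SITE2
  fqdn b2b.dolgn.net
object network SITE3
  fqdn gem.carrey.com

! Group the FQDN objects with the host address.
! 12.155.249.X is elided in the thread; substitute the real address.
object-group network DEST-50000
  network-object object SITE1
  network-object object SITE2
  network-object object SITE3
  network-object host 12.155.249.X

! Users (any source behind inside) to the grouped destinations on tcp/50000.
access-list INSIDE-IN extended permit tcp any object-group DEST-50000 eq 50000

! Everything not permitted above is dropped by the implicit deny, so add
! permits for any other traffic users still need before applying the ACL.
access-group INSIDE-IN in interface inside

! Verification (exec mode):
!   show dns                     addresses currently resolved for the FQDN objects
!   show access-list INSIDE-IN   expanded entries and hit counts
```

The ACL matches on the addresses the ASA resolved, not on the hostname in the client's request, so the clients and the ASA should use the same DNS servers.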
New Member

Thanks a lot, Marius.

VIP Green

Any time :-)

Thank you for the rating
