topic Re: Allow a URL through ASA using MPF in Network Security

Allow a URL through ASA using MPF

ahassiotis1 — Mon, 11 Mar 2019 18:39:28 GMT

Dear All,

I need to be able to allow access from a host in my internal network, 192.168.116.33 to gmail.com on TCP port 533.

The traffic is actually http but different port is used.

Is it possible to do this using MPF?

All other traffic should remain unaffected.

Regards,

Re: Allow a URL through ASA using MPF

Panos Kampanakis — Mon, 13 Sep 2010 15:14:27 GMT

Yes, it can be done.

But do you want to block all other http traffic on that port?

https://supportforums.cisco.com/docs/DOC-1268 has all the possible scenarios you might need to implement.

I hope it helps.

Re: Allow a URL through ASA using MPF

ahassiotis1 — Mon, 13 Sep 2010 16:02:29 GMT

Hi Pano,

I've come accross your post.

The difference in my case is the TCP port, it's not 80 but 533. Do I just replace eq www with eq 533 in the user-acl?

I guess I also need a 'match not'.

Finally, do I need to configure my inside_access_in access-list to allow traffic as shown below? Or is this not necessary?

Here is how I am thinking it should be:

regex domainlist1 "\.google\.com"

access-list inside_access_in permit tcp host 192.168.233.119 any eq 533
access-list inside_url_filter extended permit tcp host 192.168.233.119 any eq 533

class-map type regex match-any DomainAllowList
match regex domainlist1

class-map type inspect http match-all AllowDomainsClass
match not request header host regex class DomainAllowList

class-map httptraffic
match access-list inside_url_filter

policy-map type inspect http http_inspection_policy
class AllowDomainsClass
drop-connection log

policy-map inside-policy
class httptraffic
inspect http http_inspection_policy

service-policy inside-policy interface inside

Regards,

Re: Allow a URL through ASA using MPF

Panos Kampanakis — Mon, 13 Sep 2010 18:29:42 GMT

The difference in my case is the TCP port, it's not 80 but 533. Do I just replace eq www with eq 533 in the user-acl?

Yes, that is correct.

regex domainlist1 "\.google\.com"

access-list inside_access_in permit tcp host 192.168.233.119 any eq 533
access-list inside_url_filter extended permit tcp host 192.168.233.119 any eq 533

class-map type regex match-any DomainAllowList
match regex domainlist1

class-map type inspect http match-all AllowDomainsClass
match not request header host regex class DomainAllowList

class-map httptraffic
match access-list inside_url_filter

policy-map type inspect http http_inspection_policy
class AllowDomainsClass
drop-connection log

policy-map inside-policy
class httptraffic
inspect http http_inspection_policy

service-policy inside-policy interface inside

This config only allow users using port 533 to browse to google.com only. If that is what you want to do, this is config will work.

Please rate the answer if it solves your issue, so that future users can benefit from this thread.

Kalo xeimwna...

Re: Allow a URL through ASA using MPF

ahassiotis1 — Tue, 14 Sep 2010 10:10:28 GMT

Doesn't this config act on source IP 192.168.233.119 and destination port 533 only?

I would have thought all other souce users don't get inspected from this MFP config.

Also, I guess I still need the inside_access_in access list, right?

Re: Allow a URL through ASA using MPF

Panos Kampanakis — Tue, 14 Sep 2010 12:56:40 GMT

You are right. My tongue slipped when I said it is for all port 533. It is for source that ip to that port.

The interface ACL is still needed to allow what you need to allow in general on a per packet basis.

I hope it makes sense.

If it solves the issue please mark the question as answered so that other can benefit in the future from it.