ASA 5510 8.2(1) Using hostnames in access-lists?

I need to allow a specific hostname through my firewall. I found this article: https://supportforums.cisco.com/docs/DOC-17014

But it's only for ASAs updated to 8.4 and above.

Doing more research, I found this article: http://www.handbook.dk/block-domains-on-a-cisco-asa-152.htm
And have been trying to reverse engineer it. Am I on the right track?

Thanks in advance.

Accepted Solution

ASA 5510 8.2(1) Using hostnames in access-lists?

Hello Adam,

Here is the configuration you need:

! Class the traffic to inspect: every TCP connection to port 80 (cleartext HTTP only)
access-list test permit tcp any any eq 80
!
! The regex name must match the name referenced in the policy map below;
! ASA object names are case-sensitive, so keep it GOOGLE in both places
regex GOOGLE \.google\.com
!
! Layer 7 HTTP inspection policy: reset and log any request whose Host header
! does not contain a match for the regex (i.e. allow only *.google.com)
policy-map type inspect http GOOGLE
 parameters
 match not request header host regex GOOGLE
  reset log
!
class-map TEST
 match access-list test
!
! global_policy is already applied on a default ASA config by
! "service-policy global_policy global"
policy-map global_policy
 class TEST
  inspect http GOOGLE

Regards

CSC is a free support community; take your time to rate all the engineers' responses that help you resolve your problems.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
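To see what the `match not request header host regex` line in the accepted configuration actually accepts and rejects, here is an added Python model of that check (my own example, not part of the thread and not Cisco code). It treats the ASA `regex` as an unanchored search, which is how the ASA documentation describes regex matching, feeds it a few constructed HTTP requests, and compares the thread's `\.google\.com` pattern with a tighter anchored pattern that I assume here. The sample requests are made up, and the treatment of a request with no Host header is an assumption to verify on the box.

```python
import re
from typing import Dict, Optional

# Constructed sample requests (not captured traffic); each is a cleartext
# HTTP request as it would appear to the ASA on a TCP/80 connection.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: www.google.com\r\nUser-Agent: test\r\n\r\n",
    "GET /mail HTTP/1.1\r\nHost: mail.google.com\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: google.com\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: www.google.com.attacker.example\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    "GET / HTTP/1.0\r\n\r\n",  # HTTP/1.0 request with no Host header at all
]

# Pattern exactly as given in the thread: an unanchored substring search.
THREAD_REGEX = r"\.google\.com"
# Assumed tighter pattern (not from the thread): the whole header value must
# be google.com or a subdomain of it, with an optional :port suffix.
ANCHORED_REGEX = r"^([a-z0-9-]+\.)*google\.com(:[0-9]+)?$"


def host_header(request: str) -> Optional[str]:
    """Extract the Host header value from a raw request, or None if absent."""
    head = request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def policy_action(request: str, pattern: str) -> str:
    """Model `match not request header host regex <pattern>` followed by
    `reset log`: the connection is reset unless the Host header contains a
    match for the regex. A missing Host header cannot match the regex, so
    it is reset as well (assumed behaviour; confirm with `show service-policy`
    and the logged resets on a real unit)."""
    host = host_header(request)
    if host is None:
        return "reset"
    return "allow" if re.search(pattern, host, re.IGNORECASE) else "reset"


def evaluate(pattern: str) -> Dict[str, str]:
    """Run every sample request through the policy, keyed by Host header."""
    return {
        (host_header(req) or "<no Host header>"): policy_action(req, pattern)
        for req in SAMPLE_REQUESTS
    }


if __name__ == "__main__":
    for label, pattern in (("thread regex", THREAD_REGEX),
                           ("anchored regex", ANCHORED_REGEX)):
        print(f"--- {label}: {pattern}")
        for host, action in evaluate(pattern).items():
            print(f"{action:5}  {host}")
```

Two things the model makes visible. First, the unanchored `\.google\.com` resets a bare `Host: google.com` (no leading dot) but allows `Host: www.google.com.attacker.example`, so anchor the expression, as in the assumed pattern above, if the intent is a real allow-list rather than "contains .google.com somewhere". Second, the policy only ever sees a Host header on cleartext port-80 traffic; HTTPS to the same names carries the hostname inside TLS, so `inspect http` neither matches nor resets it, and a separate rule for TCP/443 is needed if that should be blocked too.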
3 REPLIES

ASA 5510 8.2(1) Using hostnames in access-lists?

Hello Adam,

Well, it's completely different.

On 8.4.2 you will be able to use FQDNs in an ACL; the second option is to use deep packet inspection (from layer 4 to 7) in order to match an HTTP request and drop the traffic, as in the example shown there.

If you want to use FQDNs in ACLs then the only solution would be to upgrade to 8.4.2.

If what you are looking for is a way to deny or allow traffic based on domain name, then the layer 7 inspection should do it.

Regards,

Julio

Rate all the helpful posts!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

ASA 5510 8.2(1) Using hostnames in access-lists?

Do you have a sample config of how I would set the layer 7 inspection up?

Thanks for responding quickly.
