ASA 5510 8.2(1) Using hostnames in access-lists?

Adam Hudson
Level 1

I need to allow a specific hostname through my firewall. I found this article: https://supportforums.cisco.com/docs/DOC-17014

But it's only for ASAs updated to 8.4 and above.

Doing more research, I found this article: http://www.handbook.dk/block-domains-on-a-cisco-asa-152.htm
And have been trying to reverse engineer it. Am I on the right track?

Thanks in advance.


Julio Carvajal
VIP Alumni

Hello Adam,

Well, it's completely different.

On 8.4.2 you will be able to use FQDN on an ACL; the second option is to use deep packet inspection (from layer 4 to 7) in order to match an HTTP request and drop the traffic, as in the example shown there.

If you want to use FQDN on ACLs then the only solution would be to upgrade to 8.4.2.

If what you are looking for is a way to deny or allow traffic based on domain name, then the layer 7 inspection should do it.

Regards,

Julio

Rate all the helpful posts!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Do you have a sample config of how I would set the layer 7 inspection up?

Thanks for responding quickly.

Hello Adam,

Here is the configuration you need:

access-list test permit tcp any any eq 80

! regex names are case-sensitive: the policy map below must reference it as "google"
regex google \.google\.com

policy-map type inspect http GOOGLE
 parameters
 match not request header host regex google
  reset log

class-map TEST
 match access-list test

policy-map global_policy
 class TEST
  inspect http GOOGLE

Regards

CSC is a free support community; take your time to rate all the engineers' responses that help you resolve your problems.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
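As an added example that is not part of the thread or of Cisco's own tooling, the script below emulates how the `match not request header host regex` rule in the accepted configuration decides permit versus reset for a set of constructed Host header values. It assumes ASA regex matching is an unanchored substring search (so Python's `re.search` is the right analogue) and that the `^`/`$` anchors ASA documents can be used to tighten the thread's `\.google\.com` pattern into an allowlist that only accepts hosts ending in `.google.com`.

```python
import re

# Pattern exactly as posted in the thread (unanchored).
THREAD_PATTERN = r"\.google\.com"

# Tightened form (assumption: ASA regex supports the $ anchor): the Host
# header must END with .google.com, optionally followed by a :port.
ANCHORED_PATTERN = r"\.google\.com(:[0-9]+)?$"

# Constructed sample Host header values; none come from the thread.
SAMPLE_HOSTS = [
    "www.google.com",
    "www.google.com:8080",
    "google.com",
    "maps.google.com",
    "www.google.com.example.net",
]


def host_matches(host: str, pattern: str) -> bool:
    """Emulate 'match request header host regex <name>'.

    ASA regexes match anywhere in the header unless anchored, so this is
    a substring search (re.search), not a whole-string match.
    """
    return re.search(pattern, host) is not None


def inspection_verdict(host: str, pattern: str) -> str:
    """'match not ... regex' + 'reset log': a request whose Host header
    does NOT match the allow pattern is reset; a matching one is permitted."""
    return "permit" if host_matches(host, pattern) else "reset"


def verdicts(pattern: str) -> dict:
    """Verdict for every sample Host header under the given pattern."""
    return {host: inspection_verdict(host, pattern) for host in SAMPLE_HOSTS}


if __name__ == "__main__":
    for label, pattern in (("thread", THREAD_PATTERN), ("anchored", ANCHORED_PATTERN)):
        print(f"--- {label} pattern: {pattern}")
        for host, verdict in verdicts(pattern).items():
            print(f"{verdict:7} {host}")
```

Running it shows that the unanchored pattern permits any Host header that merely contains `.google.com` while rejecting the bare `google.com`, and that the anchored form narrows the allowlist to hosts that actually end in `.google.com`. Either way the policy only sees cleartext HTTP on port 80 as selected by the ACL; TLS traffic carries no inspectable Host header here.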