Beginner

ASA Wildcard FQDN object acl

Hello,

I have a requirement to allow an internal server (LAN segment 172.16.x.x) to fetch WSUS updates. Microsoft has provided a handful of URLs, which even include FQDNs with wildcards. Can anyone help with how to achieve this?

URLs

http://*.update.microsoft.com

http://*.windowsupdate.com

http://*.windowsupdate.microsoft.com

http://crl.microsoft.com

http://download.windowsupdate.com

http://ntservicepack.microsoft.com

http://test.stats.update.microsoft.com

http://windowsupdate.microsoft.com

https://*.update.microsoft.com

https://*.windowsupdate.microsoft.com


8 Replies
Hall of Fame Master

You cannot do this with an access-list and a network object of type FQDN. That is because

The FQDN must begin and end with a digit or letter. Only letters, digits, and hyphens are allowed as internal characters.

Reference:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/f2.html#pgfId-2058089

It would be technically possible to use http inspection with a regex (regular expression) but that solution is not recommended as it does not perform very well at scale or speed.

The best approach would be to use a proper web filtering appliance or tool - either the Cisco WSA or the URL Filtering feature of ASA FirePOWER services.

You could also do it using Cisco Umbrella (formerly the OpenDNS product) if it is deployed in a way that integrates with your AD. Servers could then be in a group that whitelisted those FQDNs while all other machines were blacklisted from them.
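A quick way to see which entries of Microsoft's list can be modelled as ASA FQDN objects at all, as an added example that is not code from the thread: it applies the label rule quoted above to each host and separates the wildcard entries, which need one of the URL-filtering options mentioned instead. The object names it renders (MS-UPDATE-n) are an assumption for illustration.

```python
"""Partition a URL list into hosts usable as ASA FQDN objects and hosts that are not."""
import re

# One DNS label per the rule quoted from the ASA command reference: begins and
# ends with a letter or digit, only letters, digits and hyphens inside.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

# Constructed sample: the list from the question, with the stray quotes removed.
MS_UPDATE_URLS = [
    "http://*.update.microsoft.com",
    "http://*.windowsupdate.com",
    "http://*.windowsupdate.microsoft.com",
    "http://crl.microsoft.com",
    "http://download.windowsupdate.com",
    "http://ntservicepack.microsoft.com",
    "http://test.stats.update.microsoft.com",
    "http://windowsupdate.microsoft.com",
    "https://*.update.microsoft.com",
    "https://*.windowsupdate.microsoft.com",
]


def hostname_of(url: str) -> str:
    """Return the lower-cased host of a URL with scheme, port and path stripped."""
    rest = re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://", "", url.strip().rstrip('"'))
    return rest.split("/", 1)[0].split(":", 1)[0].lower()


def is_valid_fqdn(host: str) -> bool:
    """True if every label satisfies the FQDN-object rule (so no '*' wildcards)."""
    labels = host.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def partition(urls):
    """Split URLs into (hosts usable as FQDN objects, hosts needing another control)."""
    usable, needs_other = [], []
    for url in urls:
        host = hostname_of(url)
        bucket = usable if is_valid_fqdn(host) else needs_other
        if host not in bucket:  # http and https entries collapse to one host
            bucket.append(host)
    return usable, needs_other


def asa_objects(hosts, prefix="MS-UPDATE"):
    """Render 'object network' stanzas for usable hosts (object names are assumed)."""
    lines = []
    for i, host in enumerate(hosts, 1):
        lines.extend([f"object network {prefix}-{i}", f" fqdn {host}"])
    return "\n".join(lines)
```

Run against the question's list it yields five hosts that can become FQDN objects and three wildcard hosts that cannot.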

Beginner

Hi Marvin,

Thanks for the response. I was having similar thoughts, as it does not support wildcards. Moreover, it also says the HTTPS service has to be allowed. I don't think the ASA can do inspection of HTTPS traffic.

Hall of Fame Master

You're welcome.

That's correct - https inspection can be done by FirePOWER but it causes a very big performance degradation and requires some measures that most smaller shops don't have the wherewithal to undertake.

Let me know if you would like more explanation or, if your question has been answered, please mark it so.

Participant

Re: You cannot do this with an

@Marvin Rhoads ... I am assuming you meant that the FQDN type would not work with wildcards only, but would work with a regular URL such as www.cisco.com, correct?

Also, I am required to add a BYPASS ACL to include about 450 URLs that were provided to us by Microsoft. Are there any performance or utilization issues that might occur as a result of using this high number of URLs?

Thanks in advance!!

Hall of Fame Master

Re: You cannot do this with an


@zekebashi wrote:

@Marvin Rhoads ... I am assuming you meant that the FQDN type would not work with wildcards only, but would work with a regular URL such as www.cisco.com, correct?

Also, I am required to add a BYPASS ACL to include about 450 URLs that were provided to us by Microsoft. Are there any performance or utilization issues that might occur as a result of using this high number of URLs?

#1 - correct.

#2 - on what platform?

Participant

Re: You cannot do this with an

On ASA 5585....

Thanks in advance.

Hall of Fame Master

Re: You cannot do this with an

ASA 5585-X with Firepower service module? With URL filtering license?

If so, the URL filtering to allow the Microsoft list should work fine - that's what it's designed to do.

Participant

Re: You cannot do this with an

Unfortunately, not with the FP service module nor URL filtering.

That's the reason why we are considering creating a BYPASS list for all MS FQDNs and IPs/subnets. Our concern is the FQDN DNS-to-IP resolution and what impact it might have on CPU and memory!