Cisco Firewalls Community
URL Whitelisting on ASA without FirePOWER license

Hi

We want to deny all outbound web access except to a group of about 10 whitelist URL domains on an ASA 5525-X with FirePOWER services. Is it possible to do this on the ASA without an add-on FirePower license? Will this have a significant performance impact?


Re: URL Whitelisting on ASA without FirePOWER license

It is possible to create an object within the ASA using a FQDN. To do this the ASA has to be able to resolve names.

! Enable DNS lookups on the inside interface and point the default server group at a resolver
dns domain-lookup inside
dns server-group DefaultDNS
 name-server x.x.x.x
 domain-name company.com

Example of a FQDN object:

! The ASA resolves the name itself and keeps the resulting IPs in the object
object network site.example.com
 fqdn site.example.com

You then put this into an ACL, e.g.:

! Assumes an object "inside-networks" already exists for your client subnets
access-list inside-in extended permit tcp object inside-networks object site.example.com eq www

Note issues will occur if a site utilises global load balancers, where your inside clients resolve site.example.com as xyz but the ASA gets the IP zyx. Also, you can't do wildcards, e.g. *.microsoft.com.

Ultimately, if it's really basic you can do it. Otherwise you need something designed for a web gateway.

Joel


Re: URL Whitelisting on ASA without FirePOWER license

Thank you very much for your suggestion. Unfortunately it doesn't work in our case because we have multiple target hosts within a domain, which need to be expressed as a wildcard, for example *.anynet.network.com. As the FQDN is based on a DNS lookup, wildcards don't work.

Sorry for not making my initial query clearer.

Peter

Re: URL Whitelisting on ASA without FirePOWER license

Hi Balaji

Thank you very much for your suggestions. Do you know if this will require a FirePOWER license, and if so, which one?


Re: URL Whitelisting on ASA without FirePOWER license

The MPF/regex-based approach doesn't require the Firepower service module at all. No special ASA license is required, just the base software.

I almost never see it in use in live networks though, as it never caught on since it's so burdensome to configure.

A much more sustainable solution is to use Firepower with URL Filtering or, better yet, Cisco Umbrella.
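For reference, the MPF/regex approach referred to above, written out as an added example (not posted by anyone in this thread and not a Cisco reference config). It allow-lists outbound HTTP by the Host header, which is what handles the *.anynet.network.com wildcard case that FQDN objects cannot. Assumptions: the inside interface is named "inside", the interface ACL already permits outbound tcp/80 and DNS (MPF inspection only sees traffic the ACL lets through), the domains other than anynet.network.com are placeholders, and all regex/class/policy names are made up here. It also assumes that the value handed to the Host-header regex is the bare host[:port] without its CRLF; if the ASA included the CRLF, the "tail" class below would block every request, which fails closed and shows up on the first test.

```cisco
! Added example: HTTP allow-list with MPF and regex, no Firepower module.
! Names (ALLOW-*, TAIL-*, HTTP-*, OUTBOUND-HTTP, INSIDE-POLICY) are placeholders.
!
! One regex per allowed domain. ASA regexes are case-sensitive substring
! matches; "^" anchors to the start of the Host value, and "([^.]+\.)*"
! admits any depth of subdomain, i.e. *.anynet.network.com.
regex ALLOW-anynet "^([^.]+\.)*anynet\.network\.com"
regex ALLOW-site   "^([^.]+\.)*site\.example\.com"
!
! ASA regex has no "$" anchor, so a Host such as anynet.network.com.attacker.test
! also matches the patterns above. These catch an allowed name that is followed
! by anything other than an optional ":port" (assumes the bare host[:port] value).
regex TAIL-anynet  "^([^.]+\.)*anynet\.network\.com[^:]"
regex TAIL-site    "^([^.]+\.)*site\.example\.com[^:]"
!
class-map type regex match-any ALLOWED-HOSTS
 match regex ALLOW-anynet
 match regex ALLOW-site
class-map type regex match-any FORGED-TAILS
 match regex TAIL-anynet
 match regex TAIL-site
!
! Requests whose Host is not on the list at all.
class-map type inspect http match-all HTTP-NOT-ALLOWED
 match not request header host regex class ALLOWED-HOSTS
! Requests whose Host merely begins with an allowed name.
class-map type inspect http match-all HTTP-FORGED-HOST
 match request header host regex class FORGED-TAILS
!
policy-map type inspect http HTTP-ALLOWLIST
 parameters
  protocol-violation action drop-connection log
 class HTTP-FORGED-HOST
  drop-connection log
 class HTTP-NOT-ALLOWED
  drop-connection log
!
! Apply the inspection to outbound port 80 entering from the inside interface.
class-map OUTBOUND-HTTP
 match port tcp eq www
policy-map INSIDE-POLICY
 class OUTBOUND-HTTP
  inspect http HTTP-ALLOWLIST
service-policy INSIDE-POLICY interface inside
```

Two caveats a practitioner should weigh before relying on this. First, `inspect http` reads cleartext HTTP only; for HTTPS the host name lives inside TLS, so port 443 cannot be allow-listed by name this way and falls back to IP/FQDN objects in the ACL or to the Firepower module. Second, because ASA regex is case-sensitive, a mixed-case Host header fails the allow list and is dropped rather than let through, which is the safe direction but may surprise some clients. Check hit counts with `show service-policy interface inside` after applying it.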