09-24-2018 06:43 AM - edited 02-21-2020 08:16 AM
Hi
We want to deny all outbound web access except to a group of about 10 whitelist URL domains on an ASA 5525-X with FirePOWER services. Is it possible to do this on the ASA without an add-on FirePower license? Will this have a significant performance impact?
09-24-2018 07:47 AM
It is possible to create an object within the ASA using an FQDN. To do this the ASA has to be able to resolve names.
dns domain-lookup inside
dns server-group DefaultDNS
 name-server x.x.x.x
 domain-name company.com
Example of a FQDN object
object network site.example.com
 fqdn site.example.com
You then put this into an ACL, i.e. access-list inside-in extended permit tcp object inside-networks object site.example.com eq www
Note: issues will occur if a site utilises global load balancers, where your inside clients resolve site.example.com as xyz but the ASA gets the IP zyx. Also, you can't do wildcards, i.e. *.microsoft.com
Ultimately, if it's really basic you can do it. Otherwise you need something designed for a web gateway.
Joel
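The following is an added example, not Joel's configuration, that carries the FQDN-object approach above through to the original question (deny everything outbound except a short list of names). It assumes an inside network of 10.0.0.0/8, a DNS server at 192.0.2.53, and placeholder hostnames site1/site2.example.com; the object and ACL names are invented for the example.

```cisco
! Added example (not from the original post): outbound whitelist built from
! FQDN objects, with an explicit logged deny as the default.
! Assumed values: INSIDE_NETS, WHITELIST_FQDN, site1/site2.example.com, 192.0.2.53
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.0.2.53
 domain-name company.com
!
object network INSIDE_NETS
 subnet 10.0.0.0 255.0.0.0
!
! One object per allowed host. Wildcards are not supported, so every
! hostname that must be reachable is listed explicitly.
object network FQDN_site1
 fqdn site1.example.com
object network FQDN_site2
 fqdn site2.example.com
object-group network WHITELIST_FQDN
 network-object object FQDN_site1
 network-object object FQDN_site2
!
! Clients still need DNS, otherwise nothing resolves and every flow is denied
access-list inside-in extended permit udp object INSIDE_NETS any eq domain
! Web access only to the addresses the ASA has resolved for the listed names
access-list inside-in extended permit tcp object INSIDE_NETS object-group WHITELIST_FQDN eq www
access-list inside-in extended permit tcp object INSIDE_NETS object-group WHITELIST_FQDN eq https
! Explicit deny with logging so blocked attempts are visible in syslog
access-list inside-in extended deny ip any any log
access-group inside-in in interface inside
```

The load-balancer caveat from the post is the thing to verify after applying this: compare the addresses in show dns-hosts on the ASA with what an inside client gets from nslookup for the same name. If they differ, the client's connection lands on the deny line and appears in the log, which is the symptom to watch for when a whitelisted site "stops working" with no config change.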
09-24-2018 07:56 AM
09-24-2018 01:40 PM
You can build one as in the example shown in the document below.
09-25-2018 04:44 AM
09-25-2018 06:33 AM
The MPF/regex-based approach doesn't require the Firepower service module at all. No special ASA license is required - just the base software.
I almost never see it in use in live networks though as it never caught on since it's so burdensome to configure.
A much more sustainable solution is to use Firepower with URL Filtering or, better yet, Cisco Umbrella.
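For reference, the MPF/regex-based approach mentioned above looks like the following. This is an added example, not part of the reply, and the regex, class-map and policy-map names are invented; it assumes the same two placeholder hostnames as the FQDN example.

```cisco
! Added example (not from the original post): HTTP inspection that drops any
! request whose Host header does not match one of the allowed names.
! Assumed names: ALLOW_site1, ALLOW_site2, ALLOWED_HOSTS, NOT_ALLOWED_HOST,
! HTTP_WHITELIST, HTTP_TRAFFIC
regex ALLOW_site1 "site1\.example\.com"
regex ALLOW_site2 "site2\.example\.com"
!
! Any of the listed regexes counts as an allowed host
class-map type regex match-any ALLOWED_HOSTS
 match regex ALLOW_site1
 match regex ALLOW_site2
!
! Match requests whose Host header is NOT in the allowed set
class-map type inspect http match-all NOT_ALLOWED_HOST
 match not request header host regex class ALLOWED_HOSTS
!
policy-map type inspect http HTTP_WHITELIST
 parameters
 class NOT_ALLOWED_HOST
  drop-connection log
!
! Apply the inspection to TCP/80 traffic in the global policy
class-map HTTP_TRAFFIC
 match port tcp eq www
policy-map global_policy
 class HTTP_TRAFFIC
  inspect http HTTP_WHITELIST
service-policy global_policy global
```

This shows why the approach is rarely used: each host needs its own regex entry, and the inspection only sees the Host header of clear-text HTTP, so HTTPS traffic still has to be controlled by the FQDN ACL or by a product built for URL filtering.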