Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1769
Views
10
Helpful
5
Replies

URL Whiltelisting on ASA without FirePOWER license

PETER NEGUS
Level 1
Level 1

‎09-24-2018 06:43 AM - edited ‎02-21-2020 08:16 AM

Hi

We want to deny all outbound web access except to a group of about 10 whitelist URL domains on an ASA 5525-X with FirePOWER services. Is it possible to do this on the ASA without an add-on FirePower license? Will this have a significant performance impact?

0 Helpful
5 Replies 5

Joel
Level 1
Level 1

‎09-24-2018 07:47 AM

It is possible to create an object within the ASA using a FQDN. To do this the ASA has to be able to resolve names.

 

 

dns domain-lookup inside
dns server-group DefaultDNS
 name-server x.x.x.x
 domain-name company.com

 

Example of a FQDN object

 

object network site.example.com
 fqdn site.example.com

 

You then put this into an ACL. i.e. access-list inside-in extended permit tcp object inside-networks object site.example.com eq www

 

Note issues will occur if a site utilises global load balancers, where your inside clients resolve site.example.com as xyz but the ASA gets the IP zyx. Also, you can't do wildcards i.e. *.microsoft.com

 

Ultimately, if it's really basic you can do it. Otherwise you need something designed for a web gateway.

 

Joel

PETER NEGUS
Level 1
Level 1
In response to Joel

‎09-24-2018 07:56 AM

Thank you very much for your suggestion. Unfortunately it doesn't work in our case because we have multiple target hosts within a domain, which need to be expressed as a wildcard - for example *.anynet.network.com . As the FQDN is based on a DNS lookup, wildcards don't work.



Sorry for not making my initial query clearer



Peter
0 Helpful

PETER NEGUS
Level 1
Level 1
In response to balaji.bandi

‎09-25-2018 04:44 AM

Hi Balaji



Thank you very much for your suggestions. Do you know if this will require a FirePOWER license, and if so, which one?


0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to PETER NEGUS

‎09-25-2018 06:33 AM

The MPF/regex-based approach doesn't require the Firepower service module at all. No special ASA license is required - just the base software.

 

I almost never see it in use in live networks though as it never caught on since it's so burdensome to configure.

 

A much more sustainable solution is to use Firepower with URL Filtering or, better yet, Cisco Umbrella.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card