09-24-2018 06:43 AM - edited 02-21-2020 08:16 AM
Hi
We want to deny all outbound web access except to a group of about 10 whitelist URL domains on an ASA 5525-X with FirePOWER services. Is it possible to do this on the ASA without an add-on FirePower license? Will this have a significant performance impact?
09-24-2018 07:47 AM
It is possible to create an object within the ASA using a FQDN. To do this the ASA has to be able to resolve names.
dns domain-lookup inside
dns server-group DefaultDNS
name-server x.x.x.x
domain-name company.com
Example of a FQDN object
object network site.example.com
fqdn site.example.com
You then put this into an ACL, e.g. access-list inside-in extended permit tcp object inside-networks object site.example.com eq www
Note that issues will occur if a site utilises global load balancers, where your inside clients resolve site.example.com as xyz but the ASA gets the IP zyx. Also, you can't do wildcards, e.g. *.microsoft.com
Ultimately, if it's really basic you can do it. Otherwise you need something designed for a web gateway.
Joel
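A complete allow-list configuration built from the pieces above, as an added example and not part of Joel's post: the resolver, one FQDN object per permitted domain, a network object-group that collects them, and an inbound ACL on the inside interface that permits web traffic to the group and DNS to the resolver, then denies everything else. The inside subnet (10.0.0.0/24), the resolver address (192.0.2.53) and the domain names are constructed placeholders.

```cisco
! DNS resolution is mandatory for FQDN objects; the ASA resolves the names itself
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.0.2.53
 domain-name company.com

! Constructed inside client subnet
object network inside-networks
 subnet 10.0.0.0 255.255.255.0

! One FQDN object per permitted domain (no wildcards are possible)
object network site1.example.com
 fqdn site1.example.com
object network site2.example.com
 fqdn site2.example.com

! Group the permitted domains so the ACL stays a single line per service
object-group network allowed-web-sites
 network-object object site1.example.com
 network-object object site2.example.com

object-group service web-ports tcp
 port-object eq www
 port-object eq https

! Permit web to the allow-list and DNS to the resolver; deny and log everything else
access-list inside-in extended permit tcp object inside-networks object-group allowed-web-sites object-group web-ports
access-list inside-in extended permit udp object inside-networks host 192.0.2.53 eq domain
access-list inside-in extended deny ip any any log

access-group inside-in in interface inside
```

After applying it, `show dns` lists the addresses the ASA has currently resolved for each FQDN object, which is the first thing to compare against the clients' own resolution when a permitted site stops working. Because the match is on resolved IP addresses, a domain hosted on a shared CDN address can implicitly allow other sites on that same address.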
09-24-2018 01:40 PM
You can build one as shown in the example document below.
09-25-2018 06:33 AM
The MPF/regex-based approach doesn't require the Firepower service module at all. No special ASA license is required - just the base software.
I almost never see it in use in live networks though as it never caught on since it's so burdensome to configure.
A much more sustainable solution is to use Firepower with URL Filtering or, better yet, Cisco Umbrella.