06-19-2008 05:07 AM - edited 03-11-2019 06:01 AM
How do I create an ACL that would only allow specific sites to go through if I didn't know the IP and only knew the DNS name? Say I want to allow only these two sites, *.cisco.com and *.yahoo.com, then block all others. Can I do that?
This is on an ASA 5510.
06-19-2008 05:33 AM
AFAIK this is not supported on the ASA/PIX.
Regards
Farrukh
06-19-2008 06:22 AM
Hello,
Modular policy framework allows you to do that.
Please check the document below, at the section "HTTP inspection policy map":
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/asacfg72.pdf
Regards
06-19-2008 08:42 AM
amadoutoure, how does MPF achieve that? Can you expand upon your comment?
How will MPF keep track of the DNS entry of cisco.com (which, say, changes frequently)?
Ever did an nslookup on google.com (you get multiple IPs)?
We do this on one of our customer's Netscreen ISG though, it supports this.
Regards
Farrukh
06-19-2008 09:04 AM
Hello,
I'm out of office for now and I'll send a sample config as soon as I go back to office.
It will be done using regex syntax.
Regards
06-19-2008 09:19 AM
Oh, I get your point now. Thanks for waking me up now. Even though it's not as flexible as a proper filtering solution (since we are denying based on hostname, the user can simply open the URL by IP, open Google's cache etc.).
Something like this:
    policy-map type inspect http TEST_HTTP
     parameters
     match request uri regex cisco.com
     .....
Regards
Farrukh
06-19-2008 09:41 AM
Hello,
Right it's something like that... you have a very good point with accessing directly with IP address in URL.
But you could filter by content-type and application header and also deny accessing with an IP address in the URL.
http://www.cisco.com/warp/public/110/asa-8x-regex-config.html
However you're definitely right that it's not the finest way to filter.
Regards
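
The approach discussed in the replies above, written out as an allow-list on the HTTP Host header. This is an added example, not a configuration posted by anyone in the thread; every object name, the interface name `inside` and the choice of TCP port 80 are assumptions. Because anything that does not match the allowed domains is reset, a request whose Host header is a bare IP address is rejected by the same rule.

```cisco
! Added example. All names below are hypothetical.
! Patterns for the two domains from the question (*.cisco.com, *.yahoo.com).
! The dots are escaped so they match a literal "." only.
regex ALLOW_CISCO "\.cisco\.com"
regex ALLOW_YAHOO "\.yahoo\.com"
!
! Group the allowed patterns; match-any = either one is enough.
class-map type regex match-any ALLOWED_DOMAINS
 match regex ALLOW_CISCO
 match regex ALLOW_YAHOO
!
! Requests whose Host header matches none of the allowed patterns.
class-map type inspect http match-all NOT_ALLOWED_HOST
 match not request header host regex class ALLOWED_DOMAINS
!
! HTTP inspection policy: reset and log everything outside the allow-list.
policy-map type inspect http ALLOWLIST_HTTP
 class NOT_ALLOWED_HOST
  reset log
!
! Layer 3/4 class selecting the traffic to inspect (cleartext HTTP only).
class-map HTTP_TRAFFIC
 match port tcp eq 80
!
policy-map INSIDE_POLICY
 class HTTP_TRAFFIC
  inspect http ALLOWLIST_HTTP
!
service-policy INSIDE_POLICY interface inside
```

This only covers cleartext HTTP on the port selected by the traffic class; HTTPS sessions are not seen by the HTTP inspection engine and need a separate control.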
06-19-2008 06:20 AM
URL filtering is possible on the ASA using the Cisco ASA 5500 Series Content Security Edition.
Please go through this link.