09-13-2010 08:09 AM - edited 03-11-2019 11:39 AM
Dear All,
I need to be able to allow access from a host in my internal network, 192.168.116.33, to gmail.com on TCP port 533.
The traffic is actually HTTP, but a different port is used.
Is it possible to do this using MPF?
All other traffic should remain unaffected.
Regards,
A.
09-13-2010 08:14 AM
Yes, it can be done.
But do you want to block all other http traffic on that port?
https://supportforums.cisco.com/docs/DOC-1268 has all the possible scenarios you might need to implement.
I hope it helps.
PK
09-13-2010 09:02 AM
Hi Pano,
I've come across your post.
The difference in my case is the TCP port, it's not 80 but 533. Do I just replace eq www with eq 533 in the user-acl?
I guess I also need a 'match not'.
Finally, do I need to configure my inside_access_in access-list to allow traffic as shown below? Or is this not necessary?
Here is how I am thinking it should be:
regex domainlist1 "\.google\.com"
access-list inside_access_in permit tcp host 192.168.233.119 any eq 533
access-list inside_url_filter extended permit tcp host 192.168.233.119 any eq 533
class-map type regex match-any DomainAllowList
match regex domainlist1
class-map type inspect http match-all AllowDomainsClass
match not request header host regex class DomainAllowList
class-map httptraffic
match access-list inside_url_filter
policy-map type inspect http http_inspection_policy
class AllowDomainsClass
drop-connection log
policy-map inside-policy
class httptraffic
inspect http http_inspection_policy
service-policy inside-policy interface inside
Regards,
A.
09-13-2010 11:29 AM
The difference in my case is the TCP port, it's not 80 but 533. Do I just replace eq www with eq 533 in the user-acl?
Yes, that is correct.
regex domainlist1 "\.google\.com"
access-list inside_access_in permit tcp host 192.168.233.119 any eq 533
access-list inside_url_filter extended permit tcp host 192.168.233.119 any eq 533
class-map type regex match-any DomainAllowList
match regex domainlist1
class-map type inspect http match-all AllowDomainsClass
match not request header host regex class DomainAllowList
class-map httptraffic
match access-list inside_url_filter
policy-map type inspect http http_inspection_policy
class AllowDomainsClass
drop-connection log
policy-map inside-policy
class httptraffic
inspect http http_inspection_policy
service-policy inside-policy interface inside
This config only allows users on port 533 to browse to google.com. If that is what you want to do, this config will work.
Please rate the answer if it solves your issue, so that future users can benefit from this thread.
Have a good winter...
PK
09-14-2010 03:10 AM
Doesn't this config act on source IP 192.168.233.119 and destination port 533 only?
I would have thought all other source users don't get inspected by this MPF config.
Also, I guess I still need the inside_access_in access list, right?
09-14-2010 05:56 AM
You are right. My tongue slipped when I said it is for all traffic on port 533. It is for that source IP to that port.
The interface ACL is still needed to allow what you need to allow in general on a per-packet basis.
I hope it makes sense.
If it solves the issue please mark the question as answered so that others can benefit in the future from it.
PK
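For reference, here is the thread's policy written out with the two pieces the posts only mention in prose: the interface ACL actually bound to the interface with access-group, and a Host-header regex that tolerates the ":533" suffix a browser sends when the URL carries a non-default port. This is an added example, not the configuration either participant posted. It keeps the thread's host, port and object names; the interface name "inside", the binding of inside_access_in with access-group, and the second regex for the bare gmail.com name (the question asks for gmail.com while the posted regex only matches *.google.com) are assumptions. It also assumes the ASA compares the regex against the raw Host header value, including any port suffix.

```cisco
! Added example (not the original posters' config). Names follow the thread;
! interface "inside", the access-group binding and the gmail.com regex are assumptions.
!
! 1. Host-header allowlist.
!    A browser that connects to http://mail.google.com:533/ sends
!    "Host: mail.google.com:533", so allow an optional ":533" suffix.
!    Anchoring with "$" stops "mail.google.com.evil.example" from matching,
!    since "match request header host regex" is an unanchored search.
regex domainlist1 "\.google\.com(:533)?$"
regex domainlist2 "^gmail\.com(:533)?$"
!
! 2. Layer 3/4 selection: only this one inside host, only TCP/533, is handed
!    to the HTTP inspector. Every other flow through the interface is untouched,
!    which is the point A. raises and PK confirms above.
access-list inside_url_filter remark flows to be HTTP-inspected
access-list inside_url_filter extended permit tcp host 192.168.233.119 any eq 533
!
! 3. Interface ACL: still required. MPF inspection never permits a packet that
!    the interface ACL drops, and an ACL does nothing until it is applied.
access-list inside_access_in remark HTTP-over-533 for the single host
access-list inside_access_in extended permit tcp host 192.168.233.119 any eq 533
access-list inside_access_in remark ... existing general permit rules follow here ...
access-group inside_access_in in interface inside
!
! 4. Inspection classes and policy: drop (and log) any request whose Host
!    header matches neither regex. match-any on the regex class means either
!    name is acceptable; match-all with the single "match not" line means the
!    inspect class fires only when the Host is off the list.
class-map type regex match-any DomainAllowList
 match regex domainlist1
 match regex domainlist2
class-map type inspect http match-all AllowDomainsClass
 match not request header host regex class DomainAllowList
class-map httptraffic
 match access-list inside_url_filter
policy-map type inspect http http_inspection_policy
 class AllowDomainsClass
  drop-connection log
policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy
service-policy inside-policy interface inside
```

To confirm the policy is attached and counting, use `show service-policy interface inside inspect http`; `packet-tracer input inside tcp 192.168.233.119 40000 <server-ip> 533` shows whether the interface ACL and the service policy both pick the flow up. Two caveats worth stating: the Host header is supplied by the client, and the interface ACL above still permits TCP/533 to any destination, so this is a policy control on where a browser goes, not a boundary against a host that sets its own Host header (narrow the destination in both ACLs if that matters); and only clear-text HTTP can be inspected this way, which is fine here because the thread states the traffic is plain HTTP.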