ASA regex in access rule.

jbsd
Level 1

Hi,

Is there any way to perform this with regex?

- We have to allow http access to hosts .175 and .176 of 10.18.[0->254].0/24, 10.19.[0->254].0/24 and 10.20.[0->254].0/24.

Any clue?

Thanks in advance!

Javier.

4 Replies

Seb Rupik
VIP Alumni

Hi Javier,

It would be a nice feature, but regex on the ASA only supports URL filtering.

What you are after can be achieved with extended ACLs and object-groups. Just to be clear: you want hosts with IP addresses ending .175 and .176 in every /24 subnet belonging to the three /16 subnets specified to be accessible on TCP/80 and TCP/443?

i.e.:

10.18.0.175
10.18.0.176
10.18.1.175
10.18.1.176
...
10.18.254.175
10.18.254.176

cheers,

Seb.

Hi Seb,

First of all, thanks for your nice answer! That's correct, the access rule must allow http/https traffic for the .175 and .176 hosts of every /24 subnet that belongs to the three /16 subnets.

i.e.:

10.18.0.175 to 10.18.254.175 - 10.18.0.176 to 10.18.254.176
10.19.0.175 to 10.19.254.175 - 10.19.0.176 to 10.19.254.176
10.20.0.175 to 10.20.254.175 - 10.20.0.176 to 10.20.254.176

Regards!

Javier.

It is doable. When you access these URLs, the host header in the HTTP request will be the same as the URL. For example, for http://10.18.0.175 the host header will be 10.18.0.175.

You can create it as below.

! Third octet 0-254 is spelled out as alternatives, since regex has no numeric ranges.
regex 18 10\.18\.(25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.17[56]
regex 19 10\.19\.(25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.17[56]
regex 20 10\.20\.(25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.17[56]
!
! match-all with "match not": a request is classified only when its host header
! matches none of the three regexes.
class-map type inspect http match-all Block_All
 match not request header host regex 18
 match not request header host regex 19
 match not request header host regex 20
!
policy-map type inspect http Block_All
 parameters
 class Block_All
  drop-connection log
!
policy-map global_policy
 class inspection_default
  inspect http Block_All

Although it's not an ACL to allow or block, it gives the same result, which is allowing HTTP access to these hosts only.
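An added check of the host-header approach described above, not code from this thread or from Cisco: it builds the three per-/16 patterns with a third octet covering 0-254, enumerates every host the question asks to permit, and confirms the patterns allow exactly those hosts and none of a few constructed near-miss addresses. It assumes Python's re module agrees with the ASA regex engine for these constructs (alternation, character classes, escaped dots) and that an unanchored ASA regex matches anywhere in the header.

```python
import re
from itertools import product

# Third octet 0-254 spelled out, since regex has no numeric ranges.
OCTET_0_254 = r"(25[0-4]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"

# Looks like a range but matches only the literal strings "0 " and " 254".
SHORTCUT_18 = r"10\.18\.(0 | 254)\.17[56]"

def host_pattern(second_octet):
    """Anchored pattern for hosts 10.<second_octet>.<0-254>.175 and .176."""
    return rf"^10\.{second_octet}\.{OCTET_0_254}\.17[56]$"

# One pattern per /16, mirroring the three 'regex' entries on the ASA.
PATTERNS = [host_pattern(b) for b in (18, 19, 20)]

def allowed(host):
    """True when any pattern matches the host header (assumed search semantics)."""
    return any(re.search(p, host) for p in PATTERNS)

def expected_hosts():
    """Every host the question asks to permit: 3 * 255 * 2 = 1530 addresses."""
    return {f"10.{b}.{c}.{d}"
            for b, c, d in product((18, 19, 20), range(255), (175, 176))}

# Constructed near-misses that must stay blocked.
NEAR_MISSES = ["10.18.255.175", "10.21.0.175", "10.18.0.177",
               "10.18.0.1750", "110.18.0.175", "10.180.0.175"]

def audit():
    """Return (intended hosts wrongly blocked, near-misses wrongly allowed)."""
    missed = {h for h in expected_hosts() if not allowed(h)}
    leaked = {h for h in NEAR_MISSES if allowed(h)}
    return missed, leaked

def shortcut_hits():
    """How many intended 10.18.x hosts the '(0 | 254)' shortcut matches."""
    return sum(1 for h in expected_hosts()
               if h.startswith("10.18.") and re.search(SHORTCUT_18, h))

if __name__ == "__main__":
    missed, leaked = audit()
    print("wrongly blocked:", len(missed), "wrongly allowed:", sorted(leaked))
    print("shortcut pattern matches", shortcut_hits(), "of 510 intended 10.18 hosts")
```

Run it before pasting the regex lines into the ASA; an empty audit result means the patterns cover every intended host and reject the near-misses.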