Hello,
I have a Cisco ASA 5506-X with the SFR module enabled. We have an internal webserver that we only want certain domains on the outside (internet) to be able to access.
I have configured the Cisco ASA portion with the correct ASA ACL, NAT'ing, and the Class and Policy Maps to direct all IP traffic to the SFR module for further processing. I am configuring the SFR from the ASA ASDM. I see the traffic is going to it fine; however, I am unable to get it to recognize all the approved traffic that is coming to it, and therefore some of it gets dropped.
Here is my ASA and SFR config pseudo-code:
- ASA ACL: Allow all HTTPS inbound on the outside interface.
- ASA NAT: NAT outside public IP HTTPS to inside webserver IP (both directions).
- ASA Class and Policy Maps: Send all IP traffic to the SFR module (fail-open).
- SFR ACP:
  - Allow any source going to the internal network, from allowed domains.
  - Allow the internal network, going to any destination, over HTTPS and DNS (TCP/UDP).
- SFR License: purchased and installed Web Filtering license, although not needed as it turns out.
However, when I run a test of this configuration, I still see that the SFR module is recommending that the traffic from the allowed domains be dropped (some, but not all).
I think I know why this is happening. Since the domains we are trying to allow are actually a cluster of IPs (not all of which are listed under an nslookup for that particular domain), when the SFR sees an IP address and tries to see if it is one of the IP addresses for the allowed domains, it will fail. What I need is for the SFR to do a reverse-DNS lookup on the actual IP address, instead of comparing it to the 2 or 3 IP addresses listed under a domain's nslookup.
Is there any way to solve or get around this issue?
Thanks!
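Added illustration (not from the original post, and not a description of how the SFR evaluates its rules): the gap between matching a source IP against a domain's forward A records and matching it by reverse DNS, with the forward-confirmation step a defender needs because the PTR record is controlled by whoever holds the IP block, not by the allowed domain. All DNS records below are constructed and the domain names are hypothetical; the `resolve_a`/`resolve_ptr` stubs stand in for live lookups so the script runs offline.

```python
# Constructed DNS data for illustration only; none of these are real hosts.
A_RECORDS = {
    "partner.example": {"198.51.100.10", "198.51.100.11"},   # what nslookup shows
    "host20.partner.example": {"198.51.100.20"},             # cluster member not in that answer
}
PTR_RECORDS = {
    "198.51.100.10": "partner.example",
    "198.51.100.20": "host20.partner.example",
    "203.0.113.5": "partner.example",   # PTR claims the domain; forward zone disagrees
}

def resolve_a(name):
    """Stand-in forward (A) lookup; a live version would use socket.getaddrinfo."""
    return A_RECORDS.get(name.lower().rstrip("."), set())

def resolve_ptr(ip):
    """Stand-in reverse (PTR) lookup; a live version would use socket.gethostbyaddr."""
    return PTR_RECORDS.get(ip)

def in_domain(name, domain):
    """True when name equals domain or is a subdomain of it (label-boundary safe)."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def allowed_by_forward_only(ip, allowed_domains):
    """Naive policy: allow only if ip appears in an allowed domain's A answer set."""
    return any(ip in resolve_a(d) for d in allowed_domains)

def allowed_by_fcrdns(ip, allowed_domains):
    """Forward-confirmed reverse DNS: PTR -> name, name -> A must contain ip,
    and the confirmed name must sit under an allowed domain."""
    name = resolve_ptr(ip)
    if name is None:
        return False                    # no reverse record: cannot attribute the IP
    if ip not in resolve_a(name):
        return False                    # PTR claim not confirmed by the forward zone
    return any(in_domain(name, d) for d in allowed_domains)

def compare(ips, allowed_domains):
    """Return {ip: (forward_only_verdict, fcrdns_verdict)} for a batch of source IPs."""
    return {ip: (allowed_by_forward_only(ip, allowed_domains),
                 allowed_by_fcrdns(ip, allowed_domains)) for ip in ips}

if __name__ == "__main__":
    for ip, verdicts in compare(list(PTR_RECORDS), ["partner.example"]).items():
        print(ip, "forward-only:", verdicts[0], "fcrdns:", verdicts[1])
```

The 198.51.100.20 case is the one the post describes (dropped under forward-only matching); the 203.0.113.5 case shows why a bare reverse lookup without forward confirmation would be too permissive.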