Need allow Webserver App to Communicate with Google reCaptcha

dissai
Level 1

Dear Community,

I am running Cisco ASA 9.8. I have an app server sitting in the DMZ that needs to be authenticated with Google's service (reCAPTCHA) only, but I am not allowing internet service to the application server.

I have tried to apply the configuration below. I do not see any hits on it. Kindly assist and guide.

object network GOOGLE_RECAPTACHA
fqdn winda.water.co.tz

object-group network GOOGLE_NETWORK
network-object 35.190.247.0 255.255.255.0
network-object 64.233.160.0 255.255.224.0
network-object 66.102.0.0 255.255.240.0
network-object 66.249.80.0 255.255.240.0
network-object 72.14.192.0 255.255.192.0
network-object 74.125.0.0 255.255.0.0
network-object 108.177.8.0 255.255.248.0
network-object 173.194.0.0 255.255.0.0
network-object 216.58.192.0 255.255.224.0
network-object 216.239.32.0 255.255.224.0
network-object object GOOGLE_RECAPTACHA


object-group network DMZ_SVR1
network-object host 172.16.10.70

access-list outside_access_in extended permit ip object-group GOOGLE_NETWORK object-group DMZ_SVR1

access-group outside_access_in in interface outside


balaji.bandi
Hall of Fame

First I would check from the ASA: am I able to resolve that domain?

Where is the rule that uses this?

object network GOOGLE_RECAPTACHA

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/216553-understand-the-working-of-dns-on-asa-whe.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello Balaji,

Thank you for getting back to me. Below is the output:

FW(config)#
FW(config)# show dns
Name: google.com
Address: 172.217.170.206 TTL 00:00:14
Address: 216.58.223.78 TTL 00:04:44
Name: winda.water.co.tz
Address: 200.210.55.70 TTL 00:10:46
FW(config)#
FW(config)# show run acc
FW(config)# show run access-list | in GOOGLE_RECAPTACHA
access-list outside_access_in extended permit ip object GOOGLE_RECAPTACHA object-group DMZ_SVR1
FW(config)#
FW(config)#
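An offline check of the objects shown in this thread, added here as an example (it is not code from the original posts or from Cisco): it parses the GOOGLE_NETWORK object-group from the question and the show dns output above, and reports which cached address falls inside which network-object, which is the quickest way to see whether an fqdn object really resolves into the ranges the ACL is meant to permit. The inputs are copied from the thread; nothing is resolved live.

```python
import ipaddress
import re

# Object-group copied from the question; 'show dns' output copied from the reply.
OBJECT_GROUP = """\
network-object 35.190.247.0 255.255.255.0
network-object 64.233.160.0 255.255.224.0
network-object 66.102.0.0 255.255.240.0
network-object 66.249.80.0 255.255.240.0
network-object 72.14.192.0 255.255.192.0
network-object 74.125.0.0 255.255.0.0
network-object 108.177.8.0 255.255.248.0
network-object 173.194.0.0 255.255.0.0
network-object 216.58.192.0 255.255.224.0
network-object 216.239.32.0 255.255.224.0
"""
SHOW_DNS = """\
Name: google.com
Address: 172.217.170.206 TTL 00:00:14
Address: 216.58.223.78 TTL 00:04:44
Name: winda.water.co.tz
Address: 200.210.55.70 TTL 00:10:46
"""

def parse_object_group(text):
    """Parse 'network-object <net> <mask>' / 'host <ip>' lines into ip_network objects."""
    nets = []
    for kind, value in re.findall(r"network-object\s+(\S+)\s+(\S+)", text):
        if kind == "host":
            nets.append(ipaddress.ip_network(value))  # host -> /32
        elif kind != "object":  # 'network-object object NAME' is a reference, skip it
            nets.append(ipaddress.ip_network(f"{kind}/{value}"))  # dotted mask accepted
    return nets

def parse_show_dns(text):
    """Map each name in 'show dns' output to the addresses the ASA has cached for it."""
    cache, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
            cache[name] = []
        elif line.startswith("Address:") and name is not None:
            cache[name].append(ipaddress.ip_address(line.split()[1]))
    return cache

def coverage(nets, cache):
    """For each cached address, the network-object that contains it (None if no match)."""
    return {str(a): next((str(n) for n in nets if a in n), None)
            for addrs in cache.values() for a in addrs}
```

Running coverage(parse_object_group(OBJECT_GROUP), parse_show_dns(SHOW_DNS)) shows that only 216.58.223.78 lands in a listed range (216.58.192.0/19), while the address cached for winda.water.co.tz matches none of the Google network-objects.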

I was not clear on your ACL: it says outside access in?

But the source is from inside to outside, right?

Am I missing something here?

BB


Hi,

I have changed the access-list as per below. I am still not able to authenticate with Google when logging in.
Error message: The site cannot be reached.

FW(config)# show run access-list | include DMZ_SVR1
access-list outside_access_in extended permit ip object-group DMZ_SVR1 object GOOGLE_RECAPTACHA
access-list outside_access_in extended permit ip object-group DMZ_SVR1 object-group GOOGLE_NETWORK
FW(config)#

FW(config)# show run access-group | include outside
access-group outside_access_in in interface outside
FW(config)#
FW(config)#

ID

Hello Community,

I am still searching for the solution for my case.
