05-12-2010 06:36 PM - edited 03-11-2019 10:44 AM
Hi halijenn / pkampana / all
Users -> ASA -> Server (www.training.com)
I have a query for HTTP outbound traffic. Is there a way in ASA to allow outbound HTTP to a URL/URI instead of an IP address, i.e. to allow the URL / domain in the ACL? The reason being that the outside server www.training.com has multiple IP addresses which keep on changing, hence the outbound ACL's object-group has to be modified accordingly to include the new IP address every time.
I can see only 1 solution:
1) Do not apply any ACL on the inside interface for outbound traffic and restrict it with inspect http <L7 Policy map name> by specifying the regex as www.training.com. Else I can still specify the outbound ACL but on the basis of the first three octets, i.e. if the public IP of the server is 198.23.41.1 till 198.23.41.10 (consider that the IP addresses are always in this range) then I can specify the range 198.23.41.0/24 as the destination in the access-list
and combine it again with inspect http <L7 Policy map name>.
Please let me know if there is any other way to accomplish this.
05-12-2010 07:28 PM
To specify access to a URL on the ASA the only way is with the regex and HTTP inspection, as you mentioned.
Using an ACL only allows you to define IP addresses (which does not work well for domain names, as they can constantly change).
The ASA can do URL filtering against a third-party URL filtering server, but this will require another device.
If you want to do this solely on the ASA, go for the HTTP inspection policy.
Federico.
05-13-2010 09:20 AM
http://supportforums.cisco.com/docs/DOC-1268 explains how you can do what you want.
Let's assume that we want to allow only cisco.com. Here is the config snippet:
-------
regex allowex2 "cisco\.com"
class-map type inspect http match-all allow-url-class
  match not request header host regex allowex2
policy-map type inspect http allow-url-policy
  parameters
  class allow-url-class
    drop-connection log
policy-map global_policy
  class inspection_default
    inspect http allow-url-policy
service-policy global_policy global
-------
I hope it helps.
PK
05-13-2010 11:55 PM
Hi pkampana
Thanks for the reply. I do not want to add the new IP address given by the service provider to the object group every time, hence, as allowing a URL can't be done in an access-list, I have expanded the IP address range to /24 so that I do not have to add it every time to the outbound ACL.
Please let me know if the below would be correct.
www.training.com = 198.23.41.1 , 198.23.41.7 , 198.23.41.11 , 198.23.41.16 , 192.23.41.23
access-list INSIDE permit 192.168.10.0 255.255.255.0 198.23.41.0 255.255.255.0
access-group INSIDE in interface inside
=====================================================================
access-list TRAINING permit 192.168.10.0 255.255.255.0 198.23.41.0 255.255.255.0
class-map URLCLASS
  match access-list TRAINING
===================================================================
regex ALLOW "training\.com"
class-map type inspect http match-all ALLOWURL
  match not request header host regex ALLOW
policy-map type inspect http URLPOLICY
  parameters
  class ALLOWURL
    drop-connection log
policy-map MYPOLICY
  class URLCLASS
    inspect http URLPOLICY
service-policy MYPOLICY interface inside
=======================================================================
05-14-2010 06:42 AM
You do not need to play with the IP addresses of the URL. Using just HTTP inspection will do it.
The config
-------------------
regex ALLOW "training\.com"
class-map type inspect http match-all ALLOWURL
  match not request header host regex ALLOW
policy-map type inspect http URLPOLICY
  parameters
  class ALLOWURL
    drop-connection log
policy-map MYPOLICY
  class URLCLASS
    inspect http URLPOLICY
service-policy MYPOLICY interface inside
-------------------
will allow training.com. BE CAREFUL because it will block all other URLs.
Is that what you want to do?
PK
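The policy above drops any connection whose Host header does not match the regex, so the exact regex decides what gets through. The following added example (not from the thread or from Cisco) emulates that decision in Python for a few constructed Host headers; it assumes the ASA treats a regex without ^ and $ as an unanchored substring match, which is why the posted pattern also lets through unrelated names that merely contain "training.com".

```python
import re

# Constructed sample Host headers for the demonstration (not from the thread).
SAMPLE_HOSTS = [
    "www.training.com",
    "training.com",
    "training.com:8080",
    "training.com.example.net",  # unrelated name that contains the string
    "mytraining.com",            # unrelated name that contains the string
    "example.org",
]

# Pattern exactly as posted in the thread.
UNANCHORED = r"training\.com"
# Tighter alternative: optional subdomain labels, the domain itself,
# optional port, anchored at both ends (assumed ASA regex syntax: ^ $ ( ) * ? [ ]).
ANCHORED = r"^([A-Za-z0-9-]+\.)*training\.com(:[0-9]+)?$"


def decide(host_regex: str, host: str) -> str:
    """Emulate 'match not request header host regex X' + 'drop-connection':
    a Host header that matches the regex is allowed, anything else is dropped.
    re.search() mirrors the assumed unanchored substring semantics."""
    return "allow" if re.search(host_regex, host) else "drop"


def evaluate(host_regex: str) -> dict:
    """Return the allow/drop verdict for every sample Host header."""
    return {host: decide(host_regex, host) for host in SAMPLE_HOSTS}


if __name__ == "__main__":
    for label, pattern in (("unanchored", UNANCHORED), ("anchored", ANCHORED)):
        print(f"--- {label}: {pattern}")
        for host, verdict in evaluate(pattern).items():
            print(f"{verdict:5s}  {host}")
```

Anchoring the pattern does not change the caveat PK raises: everything that is not training.com is still dropped, it only narrows what counts as training.com.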