11-15-2013 09:05 AM - edited 03-11-2019 08:05 PM
Hi all, I have a 5510 in routed mode. When I add a regex to block 2 sites, it somehow blocks all sites; when I remove it, it's back to normal. Here's the regex config along with my other NAT setting that gives inside users outside access. Thanks in advance.
(regex entry to block sites)
regex domain1 "\.yahoo\.com"
regex domain2 "\.google\.com"
!
class-map type regex match-any domain-list
 match regex domain1
 match regex domain2
!
class-map web
 match port tcp eq www
!
policy-map type inspect http URL
 parameters
 match not request header host regex class domain-list
  drop-connection
!
policy-map global_policy
 class web
  inspect http URL
(nat outside access)
object network obj-LAN
 subnet 0.0.0.0 0.0.0.0
object network obj-LAN
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 12.54.x.x 1
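A small Python model of the HTTP inspection policy posted above, added here as an illustration and not part of the original thread. It applies the two regexes as a match-any class and shows the effect of the `not` keyword in `match not request header host regex class domain-list` followed by `drop-connection`: every Host header that is not in the list is dropped, the inverse of blocking just those two sites. The sample hostnames are constructed.

```python
import re

# Model of the posted config (constructed for this example):
#   regex domain1 "\.yahoo\.com"
#   regex domain2 "\.google\.com"
#   class-map type regex match-any domain-list
# ASA regex matching is a substring search, so re.search is the right analogue.
DOMAIN_LIST = [re.compile(r"\.yahoo\.com"), re.compile(r"\.google\.com")]


def class_matches(host: str) -> bool:
    """class-map type regex match-any: true if ANY regex matches the Host header."""
    return any(rx.search(host) for rx in DOMAIN_LIST)


def http_inspect(host: str, negate: bool) -> str:
    """Evaluate one 'match [not] request header host regex class domain-list'
    rule whose action is drop-connection.

    negate=True  models the policy as posted (match not ...).
    negate=False models the same rule without 'not', which is what
                 blocking only the listed sites requires.
    """
    matched = class_matches(host)
    if negate:
        matched = not matched
    return "drop-connection" if matched else "allow"


# Constructed sample Host headers: two listed sites, two unrelated sites.
SAMPLE_HOSTS = ["www.yahoo.com", "mail.google.com", "www.cisco.com", "example.org"]


def evaluate(negate: bool) -> dict:
    """Run every sample host through the policy and return host -> verdict."""
    return {host: http_inspect(host, negate) for host in SAMPLE_HOSTS}


if __name__ == "__main__":
    print("as posted  (match not ...):", evaluate(True))
    print("corrected  (match ...):    ", evaluate(False))
```

With `negate=True` the two listed sites are the only ones allowed and everything else is dropped, which matches the "blocks all sites" symptom described in the post.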
11-20-2013 11:05 AM
Your configuration is setting www, https and smtp as the protocol, not the ports. Change it to the following:
access-list ACL_OUT_IN extended permit tcp host 208.x.x.12 any object-group server-services
Also remember that most PCs will send traffic using a random high port as the source port, so you almost always want to match the ports to the destination.
Is 208.x.x.12 the actual IP of the server or the NATed IP? Also keep in mind that if you want your users to be able to access https, www and smtp from the internet, these ports need to be opened on the outside interface.
11-20-2013 12:50 PM
The server is NATed to an outside IP. I have it set that way already for the access-list syntax, and it didn't work; the test email didn't go through. It seems to only like single-line entries for each host and service.
11-20-2013 01:23 PM
Ok, please explain what you are trying to do in more detail. Is the 208.x.x.12 server inside your network, or is it a server on the internet that you want to open for traffic coming in?
Have you tried the configuration that I posted earlier?
object-group service SERVICES tcp
 port-object eq http
 port-object eq https
 port-object eq smtp
access-list MYACL extended permit tcp host 10.10.10.1 any object-group SERVICES
--
Please rate all helpful posts
11-20-2013 01:45 PM
Yes, 208.x.x.12 is inside. It's an Exchange server that also has IIS running for OWA, so I need to have smtp, http, and https access incoming. I also have a terminal server, and others, but that will have to wait.
I'm just trying to get the basics running, like web and email and blocking sites. It worked by using the command below but seems to have issues with grouping; the TAC engineer I was talking to said to use single entries, but he wouldn't say why grouping won't work.
access-list ACL_OUT_IN line 1 permit tcp any host 208.x.x.12 eq www
11-20-2013 11:40 PM
I am not sure why the TAC engineer said to use single entries. The only restriction is that you cannot use the same static NATed port going from a single external IP to multiple internal IPs. You should be able to use an object group to define the ports and assign it to a single ACL statement. I have done this several times.
Also, from the post above it looks like you are using ASA 9.1. In this case your ACL configuration is a little wrong. Prior to 8.3 you would use the public (NATed) IP when configuring an ACL on the outside interface. As of 8.3 and higher you will need to use the real IP (private IP) when configuring ACLs. This is due to the order in which actions are taken on a packet entering the ASA: in 8.3 and higher, NAT happens before the ACL check when traffic enters the ASA.
Please add the following to your configuration; just remember to add your server's actual IP, and, if it is not already in the configuration, assign the ACL to the external interface where the traffic will ingress (often this is called the outside interface):
object-group service SERVICES tcp
 port-object eq http
 port-object eq https
 port-object eq smtp
access-list MYACL extended permit tcp any host
access-group MYACL in interface outside
--
Please rate all helpful posts
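The version-dependent ordering described in the post above (NAT untranslation before the ACL check from 8.3 onward), modelled in Python as an added illustration; this is not code from the thread or from Cisco. The addresses are constructed placeholders, and the service group mirrors the posted SERVICES object-group (http, https, smtp).

```python
# Constructed placeholders (not the thread's real addresses): a server's real
# inside IP and the static NAT address it is reachable on from the outside.
REAL_IP = "192.0.2.12"
PUBLIC_IP = "198.51.100.35"
STATIC_NAT = {PUBLIC_IP: REAL_IP}  # object network ... nat (inside,outside) static <public>

# object-group service SERVICES tcp: http, https, smtp
SERVICES = {80, 443, 25}


def ace(proto: str, src: str, dst: str, dports: set) -> dict:
    """One access-list entry; 'any' is a wildcard for src or dst."""
    return {"proto": proto, "src": src, "dst": dst, "dports": dports}


def acl_permits(acl: list, proto: str, src: str, dst: str, dport: int) -> bool:
    """First-match lookup with the ASA's implicit deny at the end.
    Only the destination port is matched, since client source ports are random."""
    for e in acl:
        if (e["proto"] == proto and e["src"] in ("any", src)
                and e["dst"] in ("any", dst) and dport in e["dports"]):
            return True
    return False


def inbound_outside(acl: list, dst_public: str, dport: int, version: tuple) -> bool:
    """Model a TCP packet arriving on the outside interface for dst_public.

    8.3 and later: the destination is untranslated to the real IP first, so the
    ACL must name the real (inside) address.
    Before 8.3: the ACL is checked against the public (NATed) address.
    """
    if version >= (8, 3):
        dst_for_acl = STATIC_NAT.get(dst_public, dst_public)
    else:
        dst_for_acl = dst_public
    return acl_permits(acl, "tcp", "any", dst_for_acl, dport)


ACL_PUBLIC = [ace("tcp", "any", PUBLIC_IP, SERVICES)]  # pre-8.3 style entry
ACL_REAL = [ace("tcp", "any", REAL_IP, SERVICES)]      # 8.3+ style entry

if __name__ == "__main__":
    for name, acl in (("public-IP ACL", ACL_PUBLIC), ("real-IP ACL", ACL_REAL)):
        print(name, "on 9.1, https:", inbound_outside(acl, PUBLIC_IP, 443, (9, 1)))
        print(name, "on 8.2, https:", inbound_outside(acl, PUBLIC_IP, 443, (8, 2)))
```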
11-21-2013 09:28 AM
Marius, I do have the internal IP used in that access-list, but I caught my mistake of not putting any for the source; I had it switched, as shown below:
access-list ACL_OUT extended permit tcp host 208.x.x.12 any object-group SERVER-PORTS = wrong syntax (208.x.x.12 is an internal IP)
access-list ACL_OUT extended permit tcp any host 208.x.x.12 object-group SERVER-PORTS = correct syntax
11-20-2013 01:55 PM
You know what, I think I just need reading glasses. I missed the dot before ebay; I only had a dot on .com. Let me try again, this time with "\.ebay\.com\"
11-21-2013 10:49 AM
Ok, let us know how it goes with both the ACL and the URL filter.
--
Please rate all helpful posts
11-22-2013 05:18 PM
Hi guys, looks like I'm getting clear now on the access lists and groups, but I have a question on pinging. We're able to ping outside IPs or sites with our current firewall, but even after I enabled inspect icmp on the ASA, I can only ping from the ASA within SSH, not from any PC inside.
11-23-2013 07:16 AM
Do you have an ACL configured on the inside interface? If yes, have you allowed icmp in this ACL?
--
Please rate all helpful posts
11-23-2013 11:14 AM
Marius,
I see, I thought the inspect icmp command under global policy does that. Ok, I'll set it to the groups that need it. Another question that I can't seem to figure out: we're running OWA on our Exchange server, and inside and outside clients still can't get to it.
I have https and http set on the NATed email servers. On the Juniper there is a setting for IIS that you can select to add to the policy, besides http and https; I don't see a setting for that in the ASA. Thanks again.
11-23-2013 11:43 AM
The thing is that if there is an ACL configured on the interface it is still checked even if there is an inspect configured. If you do not have any ACL configured on the interface then the inspect policy will be the thing that permits or denies traffic from an interface that has a higher security level to a lower security level.
As for the email servers, could you post your NAT statements for the email server as well as the ACLs for the inside and outside interfaces? To get OWA working you need to NAT both https and smtp. Also make sure that https and smtp are allowed in the access list from inside to outside, as well as from outside to inside.
--
Please rate all helpful posts
11-23-2013 01:06 PM
Ok, gotcha. I don't have an outgoing access-list for smtp and http; I'll have to add those. I'll get back to this on Mon, thanks Marius.
carlo
11-26-2013 11:58 AM
Marius,
Here's my current config for access-lists and object-groups. I tested it just now and it seems like I have some issues to iron out. So far the only things that worked are incoming access to the OWA site, websites, and email, but somehow port 3389 for remote desktop didn't; my remote office said they got disconnected. I told them to try again, but it won't re-converge, or reconnect. Also, from inside to my OWA server didn't work either. Any ideas? Thanks in advance.
crxasa# sh run access-li
access-list ACL_OUT extended permit tcp any host 208.x.x.85 object-group WEBSERVER
access-list ACL_OUT extended permit tcp any host 208.x.x.94 eq 3389
access-list ACL_OUT extended permit tcp any object-group MAILSERVERS object-group TCP
access-list ACL_OUT extended permit udp any object-group MAILSERVERS object-group UDP
access-list ACL_IN extended permit tcp object-group MAILSERVERS object-group TCP any
access-list ACL_IN extended permit udp object-group MAILSERVERS object-group UDP any
crxasa# sh run access-gro
access-group ACL_OUT in interface outside
access-group ACL_IN out interface inside
crxasa# sh run obj
object network obj-LAN
 subnet 0.0.0.0 0.0.0.0
object network cirexxintldc
 host 208.x.x.12
object network sharks
 host 208.x.x.5
object network cirexxintl
 host 208.x.x.85
object network crxmail
 host 208.x.x.3
object network svr-sales
 host 208.x.x.94
crxasa# sh run object-gr
object-group service TCP tcp
 description domain,http,smtp services
 port-object eq www
 port-object eq https
 port-object eq domain
 port-object eq smtp
object-group service WEBSERVER tcp
 description ftp,http,https services
 port-object eq www
 port-object eq https
 port-object eq ftp
object-group network MAILSERVERS
 network-object host 208.x.x.12
 network-object host 208.x.x.3
object-group network DNS-SERVERS
 network-object host 208.x.x.12
 network-object host 208.x.x.5
object-group service UDP udp
 port-object eq domain
 port-object eq www
11-23-2013 01:01 PM
Here you go. I created separate tcp and udp object groups and added those to my email servers, in a group called MAILSERVERS. On the icmp thing, I didn't have an ACL for any inside clients, only for servers, so shouldn't the global rule for inspect icmp work then?
crxasa# sh run nat
!
object network obj-LAN
 nat (inside,outside) dynamic interface
object network cirexxintldc
 nat (inside,outside) static 12.x.x.35
object network sharks
 nat (inside,outside) static 12.x.x.37
object network cirexxintl
 nat (inside,outside) static 12.x.x.36
object network crxmail
 nat (inside,outside) static 12.x.x.43
object network svr-sales
 nat (inside,outside) static 12.x.x.49
crxasa# sh run access-li
access-list ACL_OUT extended permit tcp any host 208.x.x.85 object-group WEBSERVER
access-list ACL_OUT extended permit tcp any host 208.x.x.94 eq 3389
access-list ACL_OUT extended permit tcp any object-group MAILSERVERS object-group TCP
access-list ACL_OUT extended permit udp any object-group MAILSERVERS object-group UDP
access-list ACL_IN extended permit udp object-group DNS-SERVERS any eq domain
access-list ACL_IN extended permit tcp object-group DNS-SERVERS any eq domain
crxasa# sh run access-gr
access-group ACL_OUT in interface outside
access-group ACL_IN out interface inside