
URL permit through firewall

r.kukreja
Level 1

Hi,

We have a requirement to permit some URLs like the following on port no. 50000:

elink-a26.bankofamerica.com

b2b.dolgn.net

12.155.249.X

gem.carrey.com

My ASA version is 8.6.

How can I permit these URLs in the ASA on port no. 50000? Please help.

Regards,

Rajat

1 Accepted Solution


8 Replies

You do not specify if these URLs are your own or you want to allow access to these for your users but then block all other traffic?

Please explain in more detail what you are trying to accomplish.

--

Please remember to select a correct answer and rate helpful posts


Hi,

These URLs are not owned by us.

We want to allow access to these for our users.

Please help.

Regards,

Rajat

So, you are already restricting access to the internet for your users?  Or is this a new ASA being set up?  In many setups local users will have full access out to the internet so this would not be an issue.

But you could use FQDN in access lists if you are restricting access already...just be sure that the ASA is configured with DNS server IPs so that it can do DNS lookups.

If the above is the case then you could do something like the following:

name-server 192.168.1.1 192.168.1.2  <---configure DNS servers on the ASA

object network SITE1
  fqdn b2b.dolgn.net

access-list ACL1 permit tcp any object SITE1 eq 50000

access-group ACL1 in interface inside

Keep in mind that all ACLs have an implicit deny any any at the end of it so if you require your users to access other networks/IPs through the ASA then this must also be permitted in the ACL.

If this is not what you are looking for, please provide a detailed description of your network and exactly what you are trying to accomplish.  The more details the better.

--

Please remember to select a correct answer and rate helpful posts


 

Hi,

Actually, below are the URLs that we are allowing on the outside interface.

We are putting in the ISP DNS, which has to resolve the URLs below, and we have to apply the access-list on the outside interface. If possible, please provide a solution according to this requirement.

elink-a26.bankofamerica.com

b2b.dolgn.net

12.155.249.X

gem.carrey.com

I have provided a solution for an access-list on the outside interface using the URL in my previous post.  I have limited the configuration to only one FQDN to keep the post short.  You could group them all together in an object-group, but then you would need to create a separate object for each FQDN and then call that object into the object-group:

object network SITE1
  fqdn b2b.dolgn.net

object-group network GROUP
  network-object object SITE1
  network-object host 12.155.249.X

access-list ACL1 permit tcp object-group GROUP any eq 50000

access-group ACL1 in interface outside

--

Please remember to select a correct answer and rate helpful posts
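The fuller form of the configuration described above, with all four hosts from the question grouped and the DNS prerequisites the ASA needs to resolve FQDN objects. This is an added example, not Marius's configuration or Cisco's documentation; the resolver address 203.0.113.53 and the object and group names are assumptions, and 12.155.249.X is kept as the placeholder from the thread.

```cisco
! DNS prerequisites: the ASA resolves the FQDN objects itself, so it needs a
! resolver reachable through the outside interface. 203.0.113.53 stands in for
! the ISP resolver (an assumed placeholder, not a value from the thread).
dns domain-lookup outside
dns server-group DefaultDNS
  name-server 203.0.113.53
! Re-resolve every 4 hours and drop stale answers shortly after their TTL ends.
dns poll-timer minutes 240
dns expire-entry-timer minutes 1

! One network object per FQDN; an FQDN cannot be placed directly in an object-group.
object network SITE-BOA
  fqdn elink-a26.bankofamerica.com
object network SITE-DOLGN
  fqdn b2b.dolgn.net
object network SITE-CARREY
  fqdn gem.carrey.com
! The fourth entry is a fixed address, so it is a host object (X left as in the thread).
object network SITE-STATIC
  host 12.155.249.X

object-group network PARTNERS-50000
  network-object object SITE-BOA
  network-object object SITE-DOLGN
  network-object object SITE-CARREY
  network-object object SITE-STATIC

! Permit only TCP/50000 from those hosts inbound on outside; anything else
! falls through to the implicit deny at the end of the ACL.
access-list ACL1 extended permit tcp object-group PARTNERS-50000 any eq 50000
access-group ACL1 in interface outside

! Verification: confirm each FQDN has resolved and view the addresses the ACL expands to.
! show dns
! show access-list ACL1
```

The ASA permits only the addresses its own resolver returned, so a name whose address changes is matched again only after the poll timer re-resolves it; `show access-list ACL1` shows the currently expanded entries.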


Thanks a lot, Marius.

Any time :-)

Thank you for the rating

--
Please remember to select a correct answer and rate helpful posts

This information is very helpful. If I could ask one quick question regarding using internal DNS, though: when I add the name-server x.x.x.x, is there any configuration that I need to actually complete on my DNS server for the FQDN that I am allowing access to?

Normally, our ACLs for outbound access are configured by IP addresses, but I have been asked to add an entry for a URL instead. Here are the lines that I intend to add to my ASA:

name-server Y.Y.Y.Y (my internal DNS server address)

object network obj-site1.url.org
  fqdn site1.url.org

object network obj-site2.url.org
  fqdn site2.url.org

object-group network URL.ORG
  network-object object obj-site1.url.org
  network-object object obj-site2.url.org

access-list Outbound line 134 extended permit tcp host X.X.X.X object-group URL.ORG eq 22

Not sure if I am missing anything, or if there are any changes I need to make on my DNS server.

Any assistance would be greatly appreciated.

Chris

 
