FQDN-object groups...help needed

itsmemario (Level 1)

Hi guys,

As I very recently figured out that a router (ISR4k, IOS-XE 17.09) finally supports FQDN-based objects, it raised my hope that I could use it to adjust the network to help us with our Microsoft pain, since you can never be up to date enough with their "to be unblocked" IP lists, which are never complete.

The given challenge is as follows:
We have well-defined access-lists at lots of locations, which we cannot just throw overboard because of ideas from the garage boys in Redmond.

My idea was that I could use the new feature in a way that it checks, via ZBFW, some FQDNs given by Microsoft, resolvable by DNS from the router itself, and after enabling communication to these, proceeds with working through the old access-lists with all the other restrictions.
But I don't seem to understand how to use it properly.

Let's do an example, so maybe you understand better what I mean. As you can see, the hosts in this example shall not talk directly to the outside, just ONE host, the proxy, in my example 192.168.1.222.
My idea was to let ZBFW do the FQDN work, making Microsoft users happy, and still preserve the partly HUGE ACLs.

class-map type inspect match-any ALLOWED-FROM-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol ntp
class-map type inspect match-any ALLOWED-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol ntp
!
object-group fqdn MICROSOFT-FQDNS
 pattern .*\.microsoft\.com
 pattern microsoft\.de
!
object-group service MICROSOFT-SERVICES
 icmp
 tcp eq 80
!
ip access-list extended ALLOW-MICROSOFT
 permit object-group MICROSOFT-SERVICES any fqdn-group MICROSOFT-FQDNS
 deny ip any any
!
class-map type inspect match-any ALLOW-MICROSOFT-CLASS
 match access-group name ALLOW-MICROSOFT
!
policy-map type inspect WAN2INSIDE
 class type inspect ALLOWED-FROM-OUTSIDE
  inspect
 class class-default
!
policy-map type inspect FIREWALL4MICROSOFT
 class type inspect ALLOW-MICROSOFT-CLASS
  inspect
 class type inspect ALLOWED-PROTOCOLS
  inspect
 class class-default
  drop
!
ip access-list extended WAN-IN
 .
 .
 .
!
ip access-list extended LAN-IN
 permit ip host 192.168.1.222 any
 deny ip 192.168.1.0 0.0.0.255 any
!
interface GigabitEthernet1
 ip access-group WAN-IN in
 zone-member security OUTSIDE
 ip nat outside
!
interface GigabitEthernet2
 ip access-group LAN-IN in
 zone-member security INSIDE
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

In my understanding ZBFW checks before the ACL is processed (?), and therefore it should be possible somehow to use the new FQDN object group to enable talking to the vast bunch of ever-changing Microsoft addresses, using the FQDNs.
I simply cannot make it work. I also tried to use the object-group in a normal ACL line; I could put it in, but it had no effect and also no matches.

ip access-list extended LAN-IN
 5 permit object-group MICROSOFT-SERVICES any fqdn-group MICROSOFT-FQDNS


Can someone give me a kick in the right direction about what I am doing wrong here?

Many thanks in advance,

Andreas

19 Replies

itsmemario (Level 1)

And guys, don't wonder if I reply later here under another account... this one was just used because I couldn't use my old one when I set this up in a hurry... the merge should happen sometime soon, I hope. Mail address changed...

THANKS FOR TRYING TO HELP ME IN MY STRUGGLE, CHEERZ!

 

There I am, old profile works again. Still didn't have time to continue on it.

Hmmmm... seems I have now finally hit the wall with the ISR4k, please correct me if I am wrong:

- URL filtering, which was possible on earlier implementations of the ZBFW... gone, the command is not there anymore (https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html#toc-hId--32934812)

- Regex patterns also not possible anymore, it seems, without using external servers (https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_utd/configuration/xe-16-10/sec-data-utd-xe-16-11-book/web-filter.html)

- FQDN ACLs/object groups, for whatever reason, configurable but only functioning with wireless (https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-16-10/sec-data-acl-xe-16-10-book/sec-cfg-fqdn-acl.html)

Due to the very inconvenient habit of Cisco routers of immediately translating a hostname into the IP address (the one in use now and for the next few minutes) for that host when putting it in an access-list... and brilliant Microsoft not even GIVING only hostnames, but also sometimes some *.blabla.microsoft.xyz addresses... it gets very uncomfortable now.

I cannot even use EEM to periodically translate 100 hostnames into an "object-group network", which works awesomely for other problems like this... because I need a hostname.

Does someone have any idea how to proceed here? 

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/221876-configure-zbfw-using-fqdn-acl-pattern-ma.html

You need to allow host traffic to 8.8.8.8 or any external DNS server.
The router then snoops the DNS, detects the FQDN the host asks for, and accepts or denies the traffic.

MHM

Hmmm again... so what you are basically saying is: I definitely need external DNS? Which would explain why in the lab it didn't work at all, with the router being the DNS (ip dns server -> 8.8.8.8). That would be the next change in infrastructure, which I already know someone will not really appreciate.

Anyway, I'll have a try tomorrow and see if this works, because it would make sense.
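As an added example (not part of this thread and not Cisco's implementation), here is a small offline Python model of the DNS-snooping behaviour MHM describes, run against the two object-group fqdn patterns from the first post. It makes two labelled assumptions about the platform rather than quoting documented behaviour: that each pattern is applied to the queried name as an unanchored regex search, and that an IP learned from a snooped answer stays permitted only until that answer's TTL expires. The DNS answers, names and addresses are constructed for the example (RFC 5737 documentation ranges), and the two patterns labelled "anchored" are a suggested rewrite, not a pattern the page shows.

```python
"""Offline model of a DNS-snooping FQDN ACL, to check fqdn patterns against
realistic query names before putting them on a router.

Assumptions (illustrative model, not Cisco's implementation):
  - each pattern is applied to the queried name as an unanchored regex search;
  - an IP is permitted only after the router has seen a DNS answer for a
    matching name, and only until that answer's TTL expires.
"""
import re
from dataclasses import dataclass, field


@dataclass
class FqdnAcl:
    patterns: list
    learned: dict = field(default_factory=dict)  # ip -> (fqdn, expires_at)

    def __post_init__(self):
        self.compiled = [re.compile(p, re.IGNORECASE) for p in self.patterns]

    def matches(self, name: str) -> bool:
        """Unanchored search, per the assumption stated in the docstring."""
        return any(p.search(name.rstrip(".")) for p in self.compiled)

    def snoop(self, name: str, ip: str, ttl: int, now: float) -> bool:
        """Called for every DNS answer that passes through the router.
        Answers served by the router's own DNS proxy never reach this path,
        which is the 'router as DNS server' case from the thread."""
        if not self.matches(name):
            return False
        self.learned[ip] = (name.rstrip("."), now + ttl)
        return True

    def permits(self, dst_ip: str, now: float) -> bool:
        """Permit a packet only to an IP learned from a matching answer."""
        entry = self.learned.get(dst_ip)
        if entry is None:
            return False
        _fqdn, expires_at = entry
        if now >= expires_at:
            del self.learned[dst_ip]  # TTL expired: forget the mapping
            return False
        return True


# Patterns exactly as posted, and an anchored rewrite (assumed syntax).
PATTERNS_AS_POSTED = [r".*\.microsoft\.com", r"microsoft\.de"]
PATTERNS_ANCHORED = [r"^(.*\.)?microsoft\.com$", r"^(.*\.)?microsoft\.de$"]

# Constructed sample DNS answers (not real records): (name, ip, ttl seconds).
SAMPLE_ANSWERS = [
    ("login.microsoft.com.", "192.0.2.10", 300),
    ("microsoft.com.", "192.0.2.11", 300),                    # apex, no leading label
    ("www.microsoft.de.", "192.0.2.12", 300),
    ("microsoft.de.attacker.example.", "203.0.113.5", 300),   # lookalike, longer suffix
    ("evilmicrosoft.com.", "203.0.113.6", 300),               # lookalike without a dot
]


def classify(patterns, answers=SAMPLE_ANSWERS):
    """Return {name: matched?} for a pattern set, without touching ACL state."""
    acl = FqdnAcl(patterns)
    return {name.rstrip("."): acl.matches(name) for name, _, _ in answers}


def simulate(patterns, answers=SAMPLE_ANSWERS, now=0.0):
    """Feed the answers through the snooper and report what gets permitted:
    before any answer was seen, while the TTLs are valid, and after expiry."""
    acl = FqdnAcl(patterns)
    before = acl.permits("192.0.2.10", now)           # nothing snooped yet
    for name, ip, ttl in answers:
        acl.snoop(name, ip, ttl, now)
    during = {ip: acl.permits(ip, now + 1) for _, ip, _ in answers}
    after_ttl = acl.permits("192.0.2.10", now + 301)  # 300 s TTL has elapsed
    return before, during, after_ttl


if __name__ == "__main__":
    for label, pats in (("as posted", PATTERNS_AS_POSTED), ("anchored", PATTERNS_ANCHORED)):
        print(label, classify(pats))
    print(simulate(PATTERNS_AS_POSTED))
```

Two things the model surfaces under these assumptions: `.*\.microsoft\.com` requires a dot before `microsoft`, so the apex `microsoft.com` never matches, while the unanchored `microsoft\.de` matches any name that merely contains that substring, such as `microsoft.de.attacker.example`. Anchoring the patterns fixes both. The model also shows why the router-as-resolver setup in the lab produced no matches: if the answer never passes through the snooping path, `permits()` has nothing to match against. Separately, the configuration posted above shows no zone-pair or service-policy applying the policy-maps, so as shown they are not attached to any zone pair.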
