You would like to use the ASA Firewall Umbrella Connector to enforce DNS policy with Umbrella, but you would also like to exclude certain IP addresses or subnets from that policy. I recently had the need to do this, had a bit of trouble with the configuration, and could not find a good example, so I will document it for the community here.
Although the ASA Umbrella Connector reports the client IP addresses, and those show in the Umbrella dashboard activity report, you cannot make policy decisions on the individual client address (as of this date). You can only enforce policy on the network device, so all traffic through the ASA Connector can match only one Umbrella policy. To exclude any subnets or individual IP addresses you must therefore do it on the ASA, so that the excluded clients' DNS traffic is never identified by the ASA Connector.
This opens up other Umbrella policy matching possibilities as well. Because the excluded traffic never reaches the ASA Connector, you can match it with a WLC Connector instead, or match it by the ASA public IP address as an ordinary network identity. Note that if you run a WLC Connector behind the ASA without this exclusion, the ASA Connector overrides it, so you must use the method below to exclude those wireless subnets from the ASA Connector.
To filter by subnet or IP address, you must create a custom class-map with a match ACL on the ASA, remove the default DNS inspection from the global policy, and apply DNS inspection (with the Umbrella settings) only in the new class. In a class-map match ACL, deny entries keep traffic out of the class and permit entries select what is handed to the inspection engine. I found that if you do not filter matches by protocol in the match ACL, this will completely break the inspection engine and no DNS traffic will pass.
Here is an example of my working configuration: the ACL excludes source subnet 192.168.32.0/24 from Umbrella inspection and then permits all other UDP port 53 (DNS) traffic to the DNS inspection engine. The class-map and global-policy lines, which the original post did not show, are filled in here with an assumed class-map name (UMBRELLA-DNS-CLASS); the Umbrella registration itself (umbrella-global with the API token) is configured separately and is not shown.
Tested on Cisco Adaptive Security Appliance Software Version 9.14(1).
access-list EXCLUDE-UMBRELLA-NETS remark Bypass List for Umbrella URL Filtering
access-list EXCLUDE-UMBRELLA-NETS extended deny ip 192.168.32.0 255.255.255.0 any
access-list EXCLUDE-UMBRELLA-NETS extended permit udp any any eq domain
!
! class-map name is not in the original post; any name will do
class-map UMBRELLA-DNS-CLASS
 description Match list for Umbrella DNS Filtering
 match access-list EXCLUDE-UMBRELLA-NETS
!
policy-map type inspect dns UMBRELLA-DNS
 parameters
  message-length maximum client auto
  message-length maximum 512
  umbrella tag ASA5506 Policy device-id 010acb0eb2811600
!
! remove the default DNS inspection so the excluded subnet is not inspected at all,
! then attach the Umbrella DNS inspection only to the new class
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
 class UMBRELLA-DNS-CLASS
  inspect dns UMBRELLA-DNS
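To make the match semantics concrete, the following is an added Python illustration (not ASA code and not from the original post). It parses ACL lines in the ASA extended format and evaluates them the way a class-map match access-list does (first matching entry decides; permit selects the flow for the class and its inspect policy, deny excludes it, no match excludes it), then shows which constructed sample flows would be handed to the DNS inspection policy. It also evaluates the variant the post warns against, a permit with no protocol or port qualifier, where non-DNS flows such as HTTPS are classified into DNS inspection. The ACL name, flows and addresses are constructed for the example.

```python
"""Added illustration (not ASA code, not from the original post): evaluate
ASA extended ACL lines the way a class-map 'match access-list' does, so you
can see which flows are handed to the DNS inspect policy. Sample flows and
addresses below are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"domain": 53, "www": 80, "https": 443}  # ASA port keywords used here


@dataclass
class Ace:
    action: str                  # "permit" selects for the class, "deny" excludes
    proto: str                   # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None when the entry has no "eq" port qualifier


@dataclass
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_acl(text, name):
    """Collect the extended entries of one named ACL, in order; remark lines are skipped."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[1] != name or t[2] != "extended":
            continue
        action, proto = t[3], t[4]
        src, i = _parse_addr(t, 5)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES[t[i + 1]] if t[i + 1] in PORT_NAMES else int(t[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def ace_matches(ace, flow):
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ipaddress.ip_address(flow.src) not in ace.src:
        return False
    if ipaddress.ip_address(flow.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == flow.dport


def in_class(aces, flow):
    """First matching entry decides: permit puts the flow in the class (and so into
    the inspect policy attached to it), deny keeps it out. No match: out."""
    for ace in aces:
        if ace_matches(ace, flow):
            return ace.action == "permit"
    return False


# The ACL from the post: deny the excluded subnet first, then select UDP/53 only.
WORKING_ACL = """\
access-list EXCLUDE-UMBRELLA-NETS remark Bypass List for Umbrella URL Filtering
access-list EXCLUDE-UMBRELLA-NETS extended deny ip 192.168.32.0 255.255.255.0 any
access-list EXCLUDE-UMBRELLA-NETS extended permit udp any any eq domain
"""

# The variant the post warns against: the permit has no protocol or port qualifier,
# so every non-excluded flow, HTTPS included, is classified into DNS inspection.
UNFILTERED_ACL = """\
access-list EXCLUDE-UMBRELLA-NETS extended deny ip 192.168.32.0 255.255.255.0 any
access-list EXCLUDE-UMBRELLA-NETS extended permit ip any any
"""

SAMPLE_FLOWS = {  # constructed sample traffic through the ASA
    "excluded-dns": Flow("udp", "192.168.32.10", "208.67.222.222", 53),
    "client-dns": Flow("udp", "192.168.10.25", "208.67.222.222", 53),
    "client-https": Flow("tcp", "192.168.10.25", "93.184.216.34", 443),
    "client-dns-tcp": Flow("tcp", "192.168.10.25", "208.67.222.222", 53),  # TCP/53 is outside the UDP permit
}


def inspected(acl_text):
    """Map each sample flow to True if the ACL places it in the DNS-inspect class."""
    aces = parse_acl(acl_text, "EXCLUDE-UMBRELLA-NETS")
    return {label: in_class(aces, flow) for label, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("working", WORKING_ACL), ("unfiltered", UNFILTERED_ACL)):
        print(label, inspected(acl))
```

With the working ACL only the non-excluded UDP/53 flow lands in the class; with the unfiltered permit, the HTTPS and TCP flows are classified too, which is the condition the post reports as breaking the inspection engine. Note that the working ACL does not select TCP/53 either, so clients that fall back to DNS over TCP are not inspected by this class.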