cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

Adding Exception Subnets to Umbrella Connector for ASA Firewall

419
Views
10
Helpful
0
Comments

You would like to use the ASA Firewall Umbrella Connector to enforce DNS policy with Umbrella.  However you would also like to exclude certain IP addresses or subnets from using this policy.  I recently had the need to do this, had a bit of trouble with the configuration, and could not find a good example.  So I will document this for the community here.

 

Although the ASA Umbrella Connector will report the client IP addresses and those shows in the Umbrella dashboard activity report, you cannot make policy decisions on the individual client address (as of this date).  You can only enforce policy on the network device. This means all traffic through the ASA Connector can match only one Umbrella policy.  Therefore to exclude any subnets or individual IP addresses you must do this on the ASA so that client DNS traffic is not identified by the ASA Connector.

 

This opens up other Umbrella policy matching possibilities as well.  Because this traffic is excluded from the ASA Connector, you could match it using a WLC Connector or match it using the ASA public IP Address.  Note that if you try to use the WLC Connector behind the ASA, the ASA Connector will override it so you must use the below method to exclude those wireless subnets from the ASA Connector.

 

To filter by subnet or IP address, you must create a custom policy class and match ACL in the ASA, disable the default global DNS inspection, and place that inspection in the new policy.  I found that if you do not filter matches by protocol in the match ACL, this will completely break the inspection engine and no DNS traffic will pass.

Solution

Here is an example of my working configuration, where I deny filtering from source subnet 192.168.32.0/24 and then permit all other DNS traffic on port 53 to the DNS inspection engine.

 

Cisco Adaptive Security Appliance Software Version 9.14(1)

 

access-list EXCLUDE-UMBRELLA-NETS remark Bypass List for Umbrella URL Filtering

access-list EXCLUDE-UMBRELLA-NETS extended deny ip 192.168.32.0 255.255.255.0 any

access-list EXCLUDE-UMBRELLA-NETS extended permit udp any any eq domain

 

class-map MATCH-UMBRELLA-DNS

description Match list for Umbrella DNS Filtering

match access-list EXCLUDE-UMBRELLA-NETS

!

umbrella-global

token C1C0EE42E3F616734BE9DDB942ABC645231EF08C

!

policy-map type inspect dns UMBRELLA-DNS

parameters

  message-length maximum client auto

  message-length maximum 512

  umbrella tag ASA5506 Policy  device-id 010acb0eb2811600

policy-map global_policy

class MATCH-UMBRELLA-DNS

  inspect dns UMBRELLA-DNS

 class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect icmp

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect sip 

  inspect skinny 

  inspect snmp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect xdmcp

 !

service-policy global_policy global