Cisco ASA - URL Access

Richard Tapley
Level 1

Hi,

 

Our firewalls block access to everything unless specified.

 

I need to be able to allow a specific internal device IP access to a particular website.

 

Ideally I'd like to do it with no extra kit, just the ASA. I have read that from IOS 8.4 upwards you can add FQDNs to access rules; in a quick test this didn't block access to the website, so I'm wondering if I have missed something...

 

Also read about regexes, but this can only do HTTP sites, not HTTPS.

 

Is there a particular way to do this?

 

Will the ASA 5512-X enable the ability to allow and block access to different websites?

 

Many thanks for any help that anyone can give.

5 Replies

Hi, if you really just want to use the ASA, let's say without any additional appliance, one way would be (let's say the web site address you're trying to permit/forbid access to is www.example.com):

- create a DNS zone "example.com" on your internal DNS server and create an A record "www" pointing to 127.0.0.1

- edit the hosts file on the one specific device and put in the correct values for the web server you need to reach

As I said, this solution is very basic, with some limitations; it doesn't scale well, etc. But it (partially) solves the problem "with no extra kit".

 

If you want to achieve this in a more professional way, you'll need a device that does URL filtering and HTTPS inspection:

- Cisco ASA with Sourcefire: it can block access to specific web pages based on source IP or AD user/group membership, but it can't do HTTPS inspection currently (it will be able to do it very soon)

- Cisco Web Security Appliance (formerly Web IronPort); it can also be integrated with AD

- ASA with CX can do it, but I wouldn't recommend this solution because it's not under active development anymore, AFAIK

Hi Jernej,

 

Many thanks for the reply.

Not sure my boss will go for the approach of creating a DNS zone, so I will have to investigate one of the other paths you suggest.

 

If I may ask a few more questions...

I thought ASA with CX was a new thing; have they stopped it already?

 

I have installed IOS 9.1 and created an access rule with an FQDN of www.ford.co.uk, but it doesn't block it; is there a specific reason for this that I am missing?

When you mention a web security appliance, is that like Websense or Secure Computing Smart Filter?

Isn't Sourcefire the IDS/IPS company that Cisco has acquired?

 

What I don't understand is that URLs are being used more and more for access, but yet it doesn't sound like it is possible to allow/deny them through the firewall without a lot of money spent on additional equipment; have I misunderstood something here?

 

Many thanks again for your time. 

 

Hi Richard,

I hope this information will help you:

1. Regarding CX: CX was "the new thing" until Cisco acquired Sourcefire and launched the Cisco ASA Next-Generation Firewall (Cisco ASA with FirePOWER Services) about a year later.

You can't even find a link to the CX module on the products page on www.cisco.com anymore.

2. ASA can do some limited URL filtering based on service policies.

Here is an example configuration you can test in your environment:

- change "192.168.1.3" to the IP address permitted to communicate with the web server

- change "domain.tld" to the real web server FQDN

- change interface "inside" to your interface name

      access-list inside_mpc line 1 extended permit ip host 192.168.1.3 any4
      ! escape the dot so the regex matches a literal "." and not any character
      regex domain-tld "domain\.tld"
      ! match the Host header: a browser's request URI is normally only the path,
      ! so a "match request uri" would never see the domain name
      class-map type inspect http match-all blocked-domains
        match request header host regex domain-tld
      ! the permitted host's policy only logs protocol violations and has no
      ! drop action, so the blocked-domains class must not appear here
      policy-map type inspect http allow-domains
        parameters
          protocol-violation action log
      class-map inside-class
        match access-list inside_mpc
      policy-map inside-policy
        class inside-class
          inspect http allow-domains
      service-policy inside-policy interface inside

And now deny it for all other hosts in your network:

- change "192.168.1.0" and "255.255.255.0" to the IP address and netmask of the network denied communication with the web server

- change interface "inside" to your interface name

      access-list inside_mpc_1 line 1 extended permit ip 192.168.1.0 255.255.255.0 any4
      policy-map type inspect http block-domain-network
        parameters
          protocol-violation action drop-connection log
        class blocked-domains
          drop-connection log
      class-map inside-class1
        match access-list inside_mpc_1
      policy-map inside-policy
        class inside-class1
          inspect http block-domain-network

You can add additional URL addresses by adding additional regexes to the class-map "blocked-domains".

I hope I didn't make any grammatical error :)

3. Regarding "When you mention a web security appliance, is that like Websense or Secure Computing Smart Filter?"

By web security appliance I meant Cisco WSA, formerly IronPort Web Security. Cisco acquired IronPort some years ago, and now these products are called Web Security Appliance (web proxy filtering) and Email Security Appliance (anti-spam solution). For bigger environments there are also management appliances available.

IronPort Web Security, a.k.a. Cisco Web Security Appliance, offers, besides URL filtering and HTTPS inspection, anti-malware protection, IP reputation filtering and many, many more features.

A really great product, worth every cent of the investment. It can run on a dedicated appliance or as a virtual appliance in your VMware environment. You can easily get a demo and evaluation license.


4. Regarding Sourcefire IPS/IDS: yes, Cisco acquired this company in 2013 and has now integrated the solution into the Cisco ASA as a next-generation firewall: it offers application control, URL filtering, anti-malware and IPS protection.

You can still purchase and use traditional standalone IPS/IDS sensors/appliances, AMP, etc., but this is not the case in your situation.
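Added illustration, not code from this thread or from Cisco: a small Python model of the two posted service-policy classes, run over constructed HTTP requests, showing why the regex dot needs escaping, why matching the Host header catches ordinary browser requests where a request-URI match does not, and that `inspect http` never classifies HTTPS sessions. It assumes the 192.168.1.3 host and 192.168.1.0/24 network from the posted config and uses Python's re module in place of the ASA regex engine.

```python
import ipaddress
import re

# Constructed model (not ASA code): the permitted host and denied network from the
# posted config, and the site regex with its dot escaped.
PERMITTED_HOST = ipaddress.ip_address("192.168.1.3")
DENIED_NETWORK = ipaddress.ip_network("192.168.1.0/24")
BLOCKED_SITE = re.compile(r"domain\.tld")


def unescaped_dot_overmatches():
    """An unescaped "." is a wildcard: "domain.tld" also matches "domainXtld"."""
    return re.search("domain.tld", "domainXtld") is not None


def http_inspect_verdict(src_ip, dst_port, request_line, host_header, match_on="host"):
    """Decide 'allow', 'drop' or 'not-inspected' as the two inspect-http classes would.

    match_on="host" models `match request header host regex`; match_on="uri" models
    `match request uri regex`, which only sees the request-target on the request line.
    """
    src = ipaddress.ip_address(src_ip)
    if dst_port != 80:
        # inspect http only parses plaintext HTTP; a TLS session on 443 is never
        # classified by these policy-maps, so the ACLs alone decide its fate.
        return "not-inspected"
    if src == PERMITTED_HOST:
        return "allow"  # first class (inside-class) wins: allow-domains has no drop action
    if src not in DENIED_NETWORK:
        return "allow"  # matches neither class-map, so no inspection policy applies
    target = request_line.split(" ")[1] if match_on == "uri" else host_header
    return "drop" if BLOCKED_SITE.search(target) else "allow"


def classify_samples():
    """Run the model over constructed requests; returns {label: verdict}."""
    samples = {
        "permitted-host": ("192.168.1.3", 80, "GET / HTTP/1.1", "www.domain.tld", "host"),
        "lan-host-via-host-header": ("192.168.1.50", 80, "GET / HTTP/1.1", "www.domain.tld", "host"),
        # a non-proxied browser sends only the path, so a URI match misses the site
        "lan-host-via-uri-origin-form": ("192.168.1.50", 80, "GET /index.html HTTP/1.1", "www.domain.tld", "uri"),
        # only a proxy-style absolute URI carries the hostname on the request line
        "lan-host-via-uri-absolute-form": ("192.168.1.50", 80, "GET http://www.domain.tld/ HTTP/1.1", "www.domain.tld", "uri"),
        "lan-host-https": ("192.168.1.50", 443, "", "", "host"),
        "other-network": ("10.0.0.5", 80, "GET / HTTP/1.1", "www.domain.tld", "host"),
    }
    return {label: http_inspect_verdict(*args) for label, args in samples.items()}
```

Call classify_samples() to see the verdict for each constructed request; the HTTPS case is the one an FQDN ACL or a URL regex can never decide by content.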

 

Hi Jernej,

Thanks again for your reply.

 

I will give the commands you have suggested in option 2 a go and keep my fingers crossed.

 

I will also have a look at the Cisco Web Security Appliance and see what it offers, as that might be another solution.

 

The Websense option within the ASAs: is that worth a look as well, do you think, as it sounds like that will do a similar thing?

 

Many thanks

Hi Richard,

Websense is not running within the ASA. The ASA forwards traffic to Websense's URL filtering server, so you still need to purchase some web proxy solution like the WSA.

I'd recommend you talk with your favorite Cisco partner specialized in content security and let them bring you a demo WSA appliance.

They can get you a demo virtual WSA or even a HW appliance (there is currently a try & buy program running for WSA & ESA).

Let me know if you have any problems implementing the service policy rules on the ASA.