FQDN ACL Issues
01-30-2020 02:02 PM
Hi,
I've a client that wants to restrict an FQDN to only a few specific IP addresses; however, a different FQDN (which sits on the exact same IP address) should be open to all.
I have my ASA (5508-X on 9.6(4)34) set up with a DNS name-server and it can ping the hostnames as you'd expect.
The ACLs are set as follows in a test environment; I've sanitised the config:
access-list Test_Enviroment_access_in_1 line 1 extended deny tcp host 10.44.126.218 fqdn xxxxxxx.uk (resolved) eq https 0xab613664
access-list Test_Enviroment_access_in_1 line 1 extended deny tcp host 10.44.126.218 fqdn yyyyyyy.uk (resolved) eq https 0x3b6c2798
access-list Test_Enviroment_access_in_1 line 1 extended deny tcp host 10.44.126.218 fqdn zzzzzzz.uk (resolved) eq https 0x668d1461
access-list Test_Enviroment_access_in_1 line 2 extended permit tcp host 10.44.126.218 fqdn bbbbbb.nhs.uk (resolved) eq https 0x2dffa068
However, when set like this my test PC is unable to access the site in the permit statement. If I change the other deny statements to allow, my traffic gets through.
Why isn't this working? I'm sure I've done something wrong but can't put a finger on what it is!!
Cheers
Richard
Labels: Web Security
01-30-2020 08:35 PM
Caveats: Multiple FQDNs
As you will be aware, multiple FQDNs can reside on a single IP. This means that, though you may permit abc.com, as xyz.com also resolves to the same IP, you are not only permitting access to abc.com but also to xyz.com.
Here is the reference guide:
01-30-2020 11:29 PM
Ahh bugger, I guess for this sort of thing - specific subdomain blocking - I'd need to utilise Firepower services.
02-01-2020 02:38 AM
Sure, maybe it would be good to have some regex-based access list.
01-31-2020 12:41 AM
Just imagine that this feature does nothing more than translating a name to an IP and using this IP in the L3/L4 ACL. If you need more control you have to use a system that can look at the upper layers. Firepower is one option, using a proxy server is another.
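The behaviour described in this reply (and in the earlier caveat about several FQDNs on one IP) can be modelled in a few lines. The following is an added example, not code from the thread or from Cisco: it reproduces the sanitised access list, resolves every FQDN through a constructed resolver table (the 203.0.113.0/24 addresses are documentation addresses chosen for the example, assumed to be shared by all four names as in the original poster's situation), and then evaluates a connection the way an L3/L4 first-match ACL does. It also includes a small check that flags any resolved address backed by both permit and deny lines, which is exactly the condition that makes the original policy unachievable at this layer.

```python
"""Toy model of an ASA-style FQDN ACL (added example, not Cisco code).

The firewall resolves each FQDN object to an IP address and evaluates the
access list purely on L3/L4 fields (source, destination IP, protocol, port),
first match wins. Hostnames never reach the ACL engine, so two names that
resolve to the same address are indistinguishable to it.
"""
from collections import defaultdict

# Constructed resolver table standing in for the DNS name-server on the ASA.
# All four names are assumed to share one address, which is the thread's scenario.
DNS = {
    "xxxxxxx.uk": "203.0.113.10",
    "yyyyyyy.uk": "203.0.113.10",
    "zzzzzzz.uk": "203.0.113.10",
    "bbbbbb.nhs.uk": "203.0.113.10",
}

# The sanitised access list from the thread: (action, source host, fqdn, tcp port)
ACL = [
    ("deny", "10.44.126.218", "xxxxxxx.uk", 443),
    ("deny", "10.44.126.218", "yyyyyyy.uk", 443),
    ("deny", "10.44.126.218", "zzzzzzz.uk", 443),
    ("permit", "10.44.126.218", "bbbbbb.nhs.uk", 443),
]


def expand(acl, dns):
    """Replace each FQDN with its resolved IP, as the ASA does before matching."""
    expanded = []
    for action, src, fqdn, port in acl:
        ip = dns.get(fqdn)
        if ip is None:
            # An unresolved FQDN contributes no address and therefore matches nothing.
            continue
        expanded.append((action, src, ip, port, fqdn))
    return expanded


def evaluate(acl, dns, src, dst_ip, dst_port):
    """First-match evaluation on L3/L4 fields only, with the implicit deny at the end.

    Returns (action, fqdn_of_matching_line) so the reader can see which name
    actually decided the verdict.
    """
    for action, ace_src, ace_ip, ace_port, fqdn in expand(acl, dns):
        if src == ace_src and dst_ip == ace_ip and dst_port == ace_port:
            return action, fqdn
    return "deny", "implicit"


def shared_ip_conflicts(acl, dns):
    """Flag resolved addresses that back both permit and deny lines.

    Any such address shows that the intended per-hostname policy cannot be
    expressed at L3/L4 and collapses to whichever line appears first.
    """
    by_ip = defaultdict(set)
    for action, _src, ip, _port, fqdn in expand(acl, dns):
        by_ip[ip].add((action, fqdn))
    return {
        ip: sorted(entries)
        for ip, entries in by_ip.items()
        if len({action for action, _ in entries}) > 1
    }


if __name__ == "__main__":
    # The test PC browsing to the permitted name: the ASA only sees 203.0.113.10:443.
    verdict, line = evaluate(ACL, DNS, "10.44.126.218", DNS["bbbbbb.nhs.uk"], 443)
    print(f"https to bbbbbb.nhs.uk -> {verdict} (decided by the line for {line})")
    for ip, entries in shared_ip_conflicts(ACL, DNS).items():
        print(f"conflict on {ip}: {entries}")
```

Running it shows the connection to bbbbbb.nhs.uk being denied by the first line (the one written for xxxxxxx.uk), because by the time the ACL is consulted the destination is just 203.0.113.10. Giving the permitted name a distinct address in the resolver table is the only way this model yields a permit, which is the reply's point: anything finer than an address needs a device that inspects the upper layers.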
