[c-nsp] Filtering traffic to destinations based off of DNSaddresses on an ASA?
karpenko at cisco.com
Thu Feb 9 13:43:22 EST 2012
Quick and simple configuration using the DNS engine and MPF on the
However, I also prefer and recommend Matthew Huff's suggestion about
configuring your recursive/caching resolver to be authoritative for
the domain-label you're looking to filter and setting the records to
regex domain1 "[Yy][Aa][Hh][Oo][Oo]\.[Cc][Oo][Mm]"
regex domain2 "[Gg][Oo][Oo][Gg][Ll][Ee]\.[Cc][Oo][Mm]"
class-map type regex match-any dns_filter_class
match regex domain1
match regex domain2
class-map type inspect dns dns_inspect_class
match not header-flag QR
match domain-name regex class dns_filter_class
policy-map type inspect dns dns_inspect_policy
inspect dns dns_inspect_policy
service-policy egress_policy interface inside
on 2012.02.09-10:49:23 -0700, Matthew Park <Matthew.Park at exelisvis.com> wrote:
> Date: Thu, 9 Feb 2012 10:49:23 -0700
> From: Matthew Park <Matthew.Park at exelisvis.com>
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Filtering traffic to destinations based off of
> DNSaddresses on an ASA?
> Content-Type: text/plain; charset="us-ascii"
> Content-Transfer-Encoding: 7bit
> Errors-To: cisco-nsp-bounces at puck.nether.net
> Sender: cisco-nsp-bounces at puck.nether.net
> Return-Path: cisco-nsp-bounces at puck.nether.net
> Content-Length: 4736
> Will this just block URLs or can it block all traffic to a domain?
> The latter is what I'm looking for.
> Say block ALL traffic (make a domain "Dead to me") to google.com
> (no ping, nothing to mail.google.com, maps.google.com.. etc.)
> Thanks for the quick reply!
> --Matthew Park
>> -----Original Message-----
>> From: Steve McCrory [mailto:smccrory at gcicom.net]
>> Sent: Thursday, February 09, 2012 10:37 AM
>> To: Matthew Park; cisco-nsp at puck.nether.net
>> Subject: RE: [c-nsp] Filtering traffic to destinations based off of
>> DNSaddresses on an ASA?
>> There is a URL filtering feature on the ASA which should be
>> suffice for your requirements and does not require additional
>> licenses. It is, however, limited to 100 URLs max.
>> A good guide can be found here:
>> Below is a copy of the configuration we had to block access to
>> facebook and youtube. I've listed the commands backwards from
>> applying the service-policy to the interface. Hopefully you will
>> be able to follow it but feel free to ask any questions you may
>> service-policy inside-policy interface inside
>> policy-map inside-policy
>> class httptraffic
>> inspect http http_inspection_policy
>> class-map httptraffic
>> match access-list inside_URL-block
>> access-list inside_URL-block extended permit tcp any any eq www
>> access-list inside_URL-block extended permit tcp any any eq 8080
>> policy-map type inspect http http_inspection_policy
>> class BlockDomainsClass
>> reset log
>> match request method connect
>> drop-connection log
>> class-map type inspect http match-all BlockDomainsClass
>> match request header host regex class DomainBlockList
>> class-map type regex match-any DomainBlockList
>> match regex domainlist1
>> match regex domainlist2
>> regex domainlist1 "\.facebook\.com"
>> regex domainlist2 "\.youtube\.com"
>> Couple of extra things you may be interested to know:
>> - You can add additional URLs to the filter by defining them with
>> a regex and then referencing that regex in the class-map
>> - If you wanted to bypass this filter for a particular user, you
>> can add a deny statement for their IP addresses to the
>> beginning of the inside_URL-block ACL. This obviously requires
>> that they have a static IP address.
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net
>>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matthew Park
>>> Sent: 09 February 2012 16:29
>>> To: cisco-nsp at puck.nether.net
>>> Subject: [c-nsp] Filtering traffic to destinations based off of
>>> DNSaddresses on an ASA?
>>> Hello all,
>>> Does anyone know of a good way to make a filter (access-list or
>>> whatever) on a Cisco ASA 5510 using a DNS address as the
>>> destination rather than a set of IP addresses?
>>> For example, block any internal hosts from browsing to
>>> www.microsoft.com even though they have several webservers
>>> mapped to that DNS address, essentially "blacklisting"
>>> www.microsoft.com from the company.
>>> I found Cisco's "Botnet Filter" that looks like it might work,
>>> but before I buy a license for it, I was curious as to anyone
>>> else's experiences with this filter or another method for
>>> accomplishing this?
>>> Matthew Park
>>> Senior Systems Administrator
>>> Exelis Visual Information Solutions
>>> Matthew.Park at exelisvis.com
> [ --------------- End of Included Message --------------- ]
More information about the cisco-nsp