[c-nsp] Filtering traffic to destinations based off of DNS addresses on an ASA?

Matthew Huff mhuff at ox.com
Thu Feb 9 13:23:41 EST 2012


Go into your recursive DNS server. Add a blank authoritative forward zone for google.com. Boom, it's dead to you.

----
Matthew Huff             | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC       | Phone: 914-460-4039
aim: matthewbhuff        | Fax:   914-460-4139

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Matthew Park
> Sent: Thursday, February 09, 2012 12:49 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Filtering traffic to destinations based off of
> DNSaddresses on an ASA?
> 
> Steve,
> Will this just block URLs or can it block all traffic to a domain?  The
> latter is what I'm looking for.
> Say block ALL traffic (make a domain "Dead to me") to google.com (no
> ping, nothing to mail.google.com, maps.google.com.. etc.)
> 
> Thanks for the quick reply!
> 
> --Matthew Park
> 
> -----Original Message-----
> From: Steve McCrory [mailto:smccrory at gcicom.net]
> Sent: Thursday, February 09, 2012 10:37 AM
> To: Matthew Park; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] Filtering traffic to destinations based off of
> DNSaddresses on an ASA?
> 
> Matthew,
> 
> There is a URL filtering feature on the ASA which should suffice for
> your requirements and does not require additional licenses. It is,
> however, limited to 100 URLs max.
> 
> A good guide can be found here:
> 
> https://supportforums.cisco.com/docs/DOC-1268
> 
> Below is a copy of the configuration we had to block access to facebook
> and youtube. I've listed the commands backwards from applying the
> service-policy to the interface. Hopefully you will be able to follow
> it but feel free to ask any questions you may have:
> 
> service-policy inside-policy interface inside
> !
> policy-map inside-policy
>  class httptraffic
>   inspect http http_inspection_policy
> !
> class-map httptraffic
>  match access-list inside_URL-block
> !
> access-list inside_URL-block extended permit tcp any any eq www
> access-list inside_URL-block extended permit tcp any any eq 8080
> !
> policy-map type inspect http http_inspection_policy
>  parameters
>  class BlockDomainsClass
>   reset log
>  match request method connect
>   drop-connection log
> !
> class-map type inspect http match-all BlockDomainsClass
>  match request header host regex class DomainBlockList
> !
> class-map type regex match-any DomainBlockList
>  match regex domainlist1
>  match regex domainlist2
> !
> regex domainlist1 "\.facebook\.com"
> regex domainlist2 "\.youtube\.com"
> 
> 
> Couple of extra things you may be interested to know:
> 
> - You can add additional URLs to the filter by defining them with a
> regex and then referencing that regex in the class-map DomainBlockList
> - If you wanted to bypass this filter for a particular user, you can
> add a deny statement for their IP addresses to the beginning of the
> inside_URL-block ACL. This obviously requires that they have a static
> IP address.
> 
> Regards
> 
> Steven
> 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matthew Park
> Sent: 09 February 2012 16:29
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Filtering traffic to destinations based off of
> DNSaddresses on an ASA?
> 
> Hello all,
> Does anyone know of a good way to make a filter (access-list or
> whatever) on a Cisco ASA 5510 using a DNS address as the destination
> rather than a set of IP addresses?
> 
> For example, block any internal hosts from browsing to
> www.microsoft.com even though they have several webservers mapped to
> that DNS address, essentially "blacklisting" www.microsoft.com from the
> company.
> 
> I found Cisco's "Botnet Filter" that looks like it might work, but
> before I buy a license for it, I was curious as to anyone else's
> experiences with this filter or another method for accomplishing this?
> 
> Matthew Park
> Senior Systems Administrator
> Exelis Visual Information Solutions
> Matthew.Park at exelisvis.com
> 
> 
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

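To see what the Host-header regexes in Steve McCrory's ASA config above actually match and miss, here is an added Python check; it is not from the thread or from Cisco. It runs the two patterns exactly as posted, plus an anchored variant, over constructed Host header values, and assumes Python's re engine agrees with the ASA's for literal dots, ^, $ and character classes (an assumption, not something the thread states).

```python
import re

# The two regexes exactly as posted in the thread:
#   regex domainlist1 "\.facebook\.com"
#   regex domainlist2 "\.youtube\.com"
POSTED_PATTERNS = [r"\.facebook\.com", r"\.youtube\.com"]

# Anchored variants (assumption: the ASA regex engine supports ^, $ and
# character classes as Python's re does). Each matches the apex domain or
# any subdomain of it, optionally followed by :port, and nothing else.
ANCHORED_PATTERNS = [
    r"^([^.]+\.)*facebook\.com(:[0-9]+)?$",
    r"^([^.]+\.)*youtube\.com(:[0-9]+)?$",
]


def blocked_by(host_header: str, patterns) -> bool:
    """Emulate 'match request header host regex class ...' with a
    match-any regex class: one matching pattern is enough to block."""
    # No flags: this models only the patterns as written, not how the
    # ASA handles letter case in the Host header.
    return any(re.search(p, host_header) for p in patterns)


# Constructed sample Host header values (not taken from the thread).
SAMPLE_HOSTS = [
    "www.facebook.com",              # subdomain: blocked by both
    "facebook.com",                  # apex: the posted regex misses it
    "m.facebook.com:8080",           # subdomain with an explicit port
    "www.youtube.com",
    "youtube.com",                   # apex: also missed by the posted regex
    "www.facebook.com.example.net",  # lookalike: the posted regex over-blocks
    "www.example.com",               # unrelated: must never be blocked
]


def compare(hosts=SAMPLE_HOSTS):
    """Return {host: (blocked_by_posted, blocked_by_anchored)} for each host."""
    return {h: (blocked_by(h, POSTED_PATTERNS),
                blocked_by(h, ANCHORED_PATTERNS)) for h in hosts}


if __name__ == "__main__":
    for host, (posted, anchored) in compare().items():
        print(f"{host:32} posted={posted!s:5} anchored={anchored}")
```

Note that the ACL in the thread only sends ports 80 and 8080 to the HTTP inspection, so the Host-header match never sees connections made directly to 443; that gap is part of why the top reply reaches for the DNS server instead.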