[c-nsp] Filtering traffic to destinations based off of DNS addresses on an ASA?

Steve McCrory smccrory at gcicom.net
Thu Feb 9 13:26:12 EST 2012


It depends on how you structure your regex, but the format we used seemed
pretty effective at blocking all traffic destined for those domains.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matthew Park
Sent: 09 February 2012 17:49
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Filtering traffic to destinations based off
of DNS addresses on an ASA?

Steve,
Will this just block URLs or can it block all traffic to a domain? The
latter is what I'm looking for.
Say block ALL traffic (make a domain "Dead to me") to google.com (no
ping, nothing to mail.google.com, maps.google.com, etc.)

Thanks for the quick reply!

--Matthew Park

-----Original Message-----
From: Steve McCrory [mailto:smccrory at gcicom.net] 
Sent: Thursday, February 09, 2012 10:37 AM
To: Matthew Park; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Filtering traffic to destinations based off of
DNS addresses on an ASA?

Matthew,

There is a URL filtering feature on the ASA which should suffice for
your requirements and does not require additional licenses. It is,
however, limited to 100 URLs max.

A good guide can be found here:

https://supportforums.cisco.com/docs/DOC-1268

Below is a copy of the configuration we had to block access to facebook
and youtube. I've listed the commands backwards from applying the
service-policy to the interface. Hopefully you will be able to follow it
but feel free to ask any questions you may have:

service-policy inside-policy interface inside
!
policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy
!
class-map httptraffic
 match access-list inside_URL-block
!
access-list inside_URL-block extended permit tcp any any eq www 
access-list inside_URL-block extended permit tcp any any eq 8080 
!
policy-map type inspect http http_inspection_policy
 parameters
 class BlockDomainsClass
  reset log
 match request method connect
  drop-connection log
!
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
!
class-map type regex match-any DomainBlockList
 match regex domainlist1
 match regex domainlist2
!
regex domainlist1 "\.facebook\.com"
regex domainlist2 "\.youtube\.com"


Couple of extra things you may be interested to know:

- You can add additional URLs to the filter by defining them with a
regex and then referencing that regex in the class-map DomainBlockList
- If you wanted to bypass this filter for a particular user, you can add
a deny statement for their IP addresses to the beginning of the
inside_URL-block ACL. This obviously requires that they have a static IP
address.

Regards

Steven


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matthew Park
Sent: 09 February 2012 16:29
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Filtering traffic to destinations based off of
DNS addresses on an ASA?

Hello all,
Does anyone know of a good way to make a filter (access-list or
whatever) on a Cisco ASA 5510 using a DNS address as the destination
rather than a set of IP addresses?

For example, block any internal hosts from browsing to www.microsoft.com
even though they have several webservers mapped to that DNS address,
essentially "blacklisting" www.microsoft.com from the company.

I found Cisco's "Botnet Filter" that looks like it might work, but
before I buy a license for it, I was curious as to anyone else's
experiences with this filter or another method for accomplishing this?

Matthew Park
Senior Systems Administrator
Exelis Visual Information Solutions
Matthew.Park at exelisvis.com




_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
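The following is an added example, not code from the thread or from Cisco: a small Python emulation of the posted policy that lets you check, offline, which Host headers the two regex objects actually catch and which flows the policy never sees at all. It copies the patterns from the `regex domainlist1` / `regex domainlist2` lines and the TCP ports from the `inside_URL-block` ACL; it assumes Python's `re.search` is a close enough stand-in for ASA regex matching on these simple patterns, and the `ANCHORED_BLOCK_LIST` variant is a constructed suggestion, not something from the thread, so confirm the anchored form on the box itself (the ASA's own `test regex` command is the place to do that). The sample flows are constructed for the demonstration.

```python
import re

# Patterns copied verbatim from the regex objects in the posted ASA configuration.
DOMAIN_BLOCK_LIST = [r"\.facebook\.com", r"\.youtube\.com"]

# Constructed alternative (assumption: ASA accepts ^, $, | and groups in regex
# objects): anchored so the bare apex is caught and look-alike suffixes are not.
ANCHORED_BLOCK_LIST = [r"(^|\.)facebook\.com$", r"(^|\.)youtube\.com$"]

# TCP ports the inside_URL-block ACL sends to HTTP inspection (www = 80, plus 8080).
INSPECTED_TCP_PORTS = {80, 8080}


def host_matches_block_list(host, patterns=DOMAIN_BLOCK_LIST):
    """Emulate the match-any regex class-map DomainBlockList.

    Returns True if any pattern matches somewhere in the Host header value.
    Assumption: re.search approximates the ASA's unanchored regex matching.
    """
    return any(re.search(p, host) is not None for p in patterns)


def flow_decision(proto, dport, host="", patterns=DOMAIN_BLOCK_LIST):
    """Classify one flow the way the posted policy-map would see it.

    Only TCP flows to the ACL's ports reach the http inspection policy; every
    other flow (ICMP, HTTPS on 443, mail, ...) is 'not-inspected' by this
    policy and is left to whatever other ACLs exist on the interface.
    """
    if proto != "tcp" or dport not in INSPECTED_TCP_PORTS:
        return "not-inspected"
    if host_matches_block_list(host, patterns):
        return "reset"          # class BlockDomainsClass -> reset log
    return "pass"


def coverage_report(patterns=DOMAIN_BLOCK_LIST):
    """Run a constructed set of flows through the emulation and return the
    (label, decision) pairs so the gaps in coverage are visible at a glance."""
    constructed_flows = [
        ("HTTP to www.facebook.com",            "tcp",  80,   "www.facebook.com"),
        ("HTTP/8080 to m.youtube.com",          "tcp",  8080, "m.youtube.com"),
        ("HTTP to bare facebook.com",           "tcp",  80,   "facebook.com"),
        ("HTTP to www.facebook.com.example.net", "tcp", 80,   "www.facebook.com.example.net"),
        ("HTTPS to www.facebook.com",           "tcp",  443,  "www.facebook.com"),
        ("ICMP echo to a facebook.com address", "icmp", None, ""),
    ]
    return [(label, flow_decision(proto, dport, host, patterns))
            for label, proto, dport, host in constructed_flows]


if __name__ == "__main__":
    for name, patterns in (("posted patterns", DOMAIN_BLOCK_LIST),
                           ("anchored patterns", ANCHORED_BLOCK_LIST)):
        print(f"--- {name} ---")
        for label, decision in coverage_report(patterns):
            print(f"{decision:14s} {label}")
```

Two things the report makes concrete: the unanchored `\.facebook\.com` leaves the bare `facebook.com` host through while matching any host that merely contains that substring, and nothing outside TCP 80/8080 (HTTPS, ping, mail) is ever touched by this policy, so it answers "block URLs" rather than "block all traffic to a domain".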

