[c-nsp] Filtering traffic to destinations based off of DNS addresses on an ASA?
Matthew Park
Matthew.Park at exelisvis.com
Thu Feb 9 13:57:11 EST 2012
I would use the caching resolver idea, but management also wants to have
the activity logged and have e-mail based alerting. I figured that I
could handle that on the ASA through SNMP traps.
--Matthew Park
-----Original Message-----
From: Joseph Karpenko [mailto:karpenko at cisco.com]
Sent: Thursday, February 09, 2012 11:43 AM
To: Matthew Park
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Filtering traffic to destinations based off of
DNSaddresses on an ASA?
Quick and simple configuration using the DNS engine and MPF on the
firewall.
However, I also prefer and recommend Matthew Huff's suggestion about
configuring your recursive/caching resolver to be authoritative for
the domain-label you're looking to filter and setting the records to
127.0.0.1. ;-)
!
regex domain1 "[Yy][Aa][Hh][Oo][Oo]\.[Cc][Oo][Mm]"
regex domain2 "[Gg][Oo][Oo][Gg][Ll][Ee]\.[Cc][Oo][Mm]"
!
class-map type regex match-any dns_filter_class
match regex domain1
match regex domain2
!
class-map type inspect dns dns_inspect_class
match not header-flag QR
match question
match domain-name regex class dns_filter_class
!
policy-map type inspect dns dns_inspect_policy
class dns_inspect_class
drop log
!
class-map inspection_default
match default-inspection-traffic
!
policy-map egress_policy
class inspection_default
inspect dns dns_inspect_policy
!
service-policy egress_policy interface inside
!
regards,
--
/karpenko
on 2012.02.09-10:49:23 -0700, Matthew Park <Matthew.Park at exelisvis.com>
wrote:
> Date: Thu, 9 Feb 2012 10:49:23 -0700
> From: Matthew Park <Matthew.Park at exelisvis.com>
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Filtering traffic to destinations based off of
> DNSaddresses on an ASA?
> Content-Type: text/plain; charset="us-ascii"
> Content-Transfer-Encoding: 7bit
> Errors-To: cisco-nsp-bounces at puck.nether.net
> Sender: cisco-nsp-bounces at puck.nether.net
> Return-Path: cisco-nsp-bounces at puck.nether.net
> Content-Length: 4736
>
> Steve,
>
> Will this just block URLs or can it block all traffic to a domain?
> The latter is what I'm looking for.
>
> Say block ALL traffic (make a domain "Dead to me") to google.com
> (no ping, nothing to mail.google.com, maps.google.com.. etc.)
>
> Thanks for the quick reply!
>
> --Matthew Park
>
>> -----Original Message-----
>> From: Steve McCrory [mailto:smccrory at gcicom.net]
>> Sent: Thursday, February 09, 2012 10:37 AM
>> To: Matthew Park; cisco-nsp at puck.nether.net
>> Subject: RE: [c-nsp] Filtering traffic to destinations based off of
>> DNSaddresses on an ASA?
>>
>> Matthew,
>>
>> There is a URL filtering feature on the ASA which should
>> suffice for your requirements and does not require additional
>> licenses. It is, however, limited to 100 URLs max.
>>
>> A good guide can be found here:
>>
>> https://supportforums.cisco.com/docs/DOC-1268
>>
>> Below is a copy of the configuration we had to block access to
>> facebook and youtube. I've listed the commands backwards from
>> applying the service-policy to the interface. Hopefully you will
>> be able to follow it but feel free to ask any questions you may
>> have:
>>
>> service-policy inside-policy interface inside
>> !
>> policy-map inside-policy
>> class httptraffic
>> inspect http http_inspection_policy
>> !
>> class-map httptraffic
>> match access-list inside_URL-block
>> !
>> access-list inside_URL-block extended permit tcp any any eq www
>> access-list inside_URL-block extended permit tcp any any eq 8080
>> !
>> policy-map type inspect http http_inspection_policy
>> parameters
>> class BlockDomainsClass
>> reset log
>> match request method connect
>> drop-connection log
>> !
>> class-map type inspect http match-all BlockDomainsClass
>> match request header host regex class DomainBlockList
>> !
>> class-map type regex match-any DomainBlockList
>> match regex domainlist1
>> match regex domainlist2
>> !
>> regex domainlist1 "\.facebook\.com"
>> regex domainlist2 "\.youtube\.com"
>>
>>
>> Couple of extra things you may be interested to know:
>>
>> - You can add additional URLs to the filter by defining them with
>> a regex and then referencing that regex in the class-map
>> DomainBlockList
>> - If you wanted to bypass this filter for a particular user, you
>> can add a deny statement for their IP addresses to the
>> beginning of the inside_URL-block ACL. This obviously requires
>> that they have a static IP address.
>>
>> Regards
>>
>> Steven
>>
>>
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net
>>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matthew Park
>>> Sent: 09 February 2012 16:29
>>> To: cisco-nsp at puck.nether.net
>>> Subject: [c-nsp] Filtering traffic to destinations based off of
>>> DNSaddresses on an ASA?
>>>
>>> Hello all,
>>>
>>> Does anyone know of a good way to make a filter (access-list or
>>> whatever) on a Cisco ASA 5510 using a DNS address as the
>>> destination rather than a set of IP addresses?
>>>
>>> For example, block any internal hosts from browsing to
>>> www.microsoft.com even though they have several webservers
>>> mapped to that DNS address, essentially "blacklisting"
>>> www.microsoft.com from the company.
>>>
>>> I found Cisco's "Botnet Filter" that looks like it might work,
>>> but before I buy a license for it, I was curious as to anyone
>>> else's experiences with this filter or another method for
>>> accomplishing this?
>>>
>>> Matthew Park
>>> Senior Systems Administrator
>>> Exelis Visual Information Solutions
>>> Matthew.Park at exelisvis.com
>>>
> [ --------------- End of Included Message --------------- ]
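An added example, not part of this thread and not Cisco code: a small Python model of what the two ASA configurations above decide. The first half mirrors Karpenko's DNS inspection class (only messages with the QR flag clear, question name tested against the regexes, verdict "drop"); the second mirrors Steve's HTTP inspection class (Host request header tested against the regexes, verdict "reset"). It assumes ASA regex matching behaves like an unanchored, case-sensitive search, and it builds its own DNS query bytes and HTTP request text as constructed test input.

```python
import re
import struct

# Patterns exactly as posted in the thread. The DNS ones spell out both
# cases per character; the HTTP ones require a dot before the label.
DNS_BLOCK_PATTERNS = [
    r"[Yy][Aa][Hh][Oo][Oo]\.[Cc][Oo][Mm]",
    r"[Gg][Oo][Oo][Gg][Ll][Ee]\.[Cc][Oo][Mm]",
]
HTTP_BLOCK_PATTERNS = [
    r"\.facebook\.com",
    r"\.youtube\.com",
]

QR_FLAG = 0x8000  # top bit of the DNS flags word: 0 = query, 1 = response


def build_dns_query(name, qtype=1, txid=0x1234):
    """Constructed test input: a minimal DNS query for `name` (A record by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_dns_question(msg):
    """Return (is_query, question_name) from a DNS message; raise on malformed input."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    is_query = not (flags & QR_FLAG)
    if qdcount == 0:
        return is_query, ""
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question name")
        length = msg[pos]
        if length == 0:
            break
        if length & 0xC0:  # a compression pointer is not legal in the first question
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return is_query, ".".join(labels)


def dns_verdict(msg):
    """Model of: match not header-flag QR / match question / match domain-name regex."""
    is_query, qname = parse_dns_question(msg)
    if not is_query:
        return "allow", qname  # responses never match the class (QR is set)
    for pat in DNS_BLOCK_PATTERNS:
        if re.search(pat, qname):
            return "drop", qname  # 'drop log' in dns_inspect_policy
    return "allow", qname


def http_verdict(raw_request):
    """Model of: match request header host regex class DomainBlockList."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    host = ""
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            break
    for pat in HTTP_BLOCK_PATTERNS:
        if re.search(pat, host):
            return "reset", host  # 'reset log' in http_inspection_policy
    return "allow", host


if __name__ == "__main__":
    for name in ["mail.google.com", "MAPS.GOOGLE.COM", "example.net"]:
        print("dns ", name, "->", dns_verdict(build_dns_query(name))[0])
    for host in ["www.facebook.com", "facebook.com", "WWW.YOUTUBE.COM"]:
        req = b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\n\r\n"
        print("http", host, "->", http_verdict(req)[0])
```

Running it shows why the two approaches differ in reach: the DNS policy drops any lookup for a google.com or yahoo.com name before a connection of any protocol can start, provided the clients resolve through the inside interface, whereas the HTTP policy only ever sees the ports 80 and 8080 traffic that the inside_URL-block ACL selects. Two properties of the posted patterns are visible too: the leading "\." in Steve's regexes means a bare facebook.com Host header is not matched, and his lowercase patterns, unlike Karpenko's character classes, do not match a mixed-case value under the case-sensitive matching assumed here.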