[c-nsp] FQDN ACL's on ASA
Vijay Ramcharan
vrlists at gmail.com
Wed Apr 3 09:45:28 EDT 2013
Scott,
There isn't an explicit permit, but there is an explicit drop or deny. What
the examples provide are "match not" expressions, which are used as an explicit
"permit".
I don't know how complicated your setup needs to be or how many domains or
hosts you need to match, but "match not" for those with a "drop" or "deny"
action would probably give you the expected result.
I used this same setup to explicitly permit FTP for Symantec AV file updates
below while denying all other FTP. A similar approach would be applicable
for HTTP traffic also.
regex SymPtrn1 ".*liveupdate.+livetri\.zip"
regex SymPtrn2 "minitri\.flg"
regex SymPtrn3 ".*corporate.+livetri\.zip"
class-map type regex match-any cls-symantec-files
 match regex SymPtrn1
 match regex SymPtrn2
 match regex SymPtrn3
class-map type inspect ftp match-any cls-deny-ftp
 match not filename regex class cls-symantec-files
class-map ftp-traffic
 match port tcp eq ftp
policy-map type inspect ftp checkftp
 parameters
 class cls-deny-ftp
  reset log
policy-map global_policy
 class ftp-traffic
  inspect ftp strict checkftp
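Added example (mine, not from Vijay's or Scott's posts): the same "match not" plus drop pattern carried over to HTTP for the wildcard case Scott asked about. The regex, class-map and policy-map names and the port class are my own choices; the pattern for *.microsoftonline.com assumes the name arrives in the HTTP Host header, and a second regex covers the bare apex name, which the wildcard pattern alone would not match.

```cisco
! Example config, not from the original thread; all names are assumptions.
! Hosts allowed over cleartext HTTP: anything under microsoftonline.com, plus the bare name.
regex host-msonline-wild "\.microsoftonline\.com"
regex host-msonline-apex "^microsoftonline\.com"

class-map type regex match-any cls-o365-hosts
 match regex host-msonline-wild
 match regex host-msonline-apex

! Inverted logic, as in the FTP example: this class matches every request whose
! Host header is NOT in the list, and the policy drops that class. A request with
! no Host header at all also fails the regex match and so is dropped (fail closed).
class-map type inspect http match-all cls-deny-http-other
 match not request header host regex class cls-o365-hosts

policy-map type inspect http http-o365-only
 parameters
 class cls-deny-http-other
  drop-connection log

! Scope: plain HTTP on tcp/80 only. Narrow this with an ACL-based class-map
! if only some hosts or interfaces should be restricted.
class-map http-traffic
 match port tcp eq www

policy-map global_policy
 class http-traffic
  inspect http http-o365-only
```

Two caveats before relying on this. First, the wildcard regex is deliberately simple and is not anchored at the end, so a Host header such as login.microsoftonline.com.example.net would also match; tighten the patterns if that matters for your environment. Second, the HTTP inspection engine only sees the Host header in cleartext HTTP; it cannot look inside a TLS session on tcp/443, and most Office 365 traffic is HTTPS, so this controls port 80 only and does not replace the FQDN-based ACL entries for the HTTPS endpoints. After applying it, "show service-policy inspect http" and the syslog entries produced by "drop-connection log" show whether the deny class is catching what you expect.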
From: Scott Voll [mailto:svoll.voip at gmail.com]
Sent: Tuesday, April 2, 2013 11:58 AM
To: vrlists at gmail.com
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] FQDN ACL's on ASA
I went down that road too. The "policy-map type inspect http" does NOT have
a permit or allow, thus it won't work in this setup.
Other options?
Scott
On Tue, Apr 2, 2013 at 8:47 AM, Vijay Ramcharan <vrlists at gmail.com> wrote:
You can try with regex and MPF.
See https://supportforums.cisco.com/docs/DOC-1268
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Voll
Sent: Thursday, March 28, 2013 6:10 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] FQDN ACL's on ASA
I know I can set up FQDN ACLs on my ASA, but is there a way to do wildcard
domain names?
Example being *.microsoftonline.com
We are looking to use Office 365 and Microsoft lists some FQDNs and then they
add a bunch of wildcard ones like above.
If you can give me a link or example that would be great!
TIA
Scott
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/