[c-nsp] FQDN ACL's on ASA

Vijay Ramcharan vrlists at gmail.com
Wed Apr 3 09:45:28 EDT 2013


There isn't an explicit permit but there is an explicit drop or deny. What
the examples provide are "match not" expressions which are used as explicit

I don't know how complicated your setup needs to be or how many domains or
hosts you need to match but "match not" for those with a "drop" or "deny"
action would probably give you the expected result. 


I used this same setup to explicitly permit ftp for Symantec AV file updates
below while denying all other FTP. A similar approach would be applicable
for http traffic also. 


regex SymPtrn1 ".*liveupdate.+livetri\.zip"
regex SymPtrn2 "minitri\.flg"
regex SymPtrn3 ".*corporate\.+livetri\.zip"
!
! Filenames matching any of the Symantec patterns are the "allowed" set
class-map type regex match-any cls-symantec-files
 match regex SymPtrn1
 match regex SymPtrn2
 match regex SymPtrn3
!
! "match not": every FTP filename that is NOT in the allowed set
! falls into the deny class
class-map type inspect ftp match-any cls-deny-ftp
 match not filename regex class cls-symantec-files
!
class-map ftp-traffic
 match port tcp eq ftp
!
policy-map type inspect ftp checkftp
 class cls-deny-ftp
  reset log
!
policy-map global_policy
 class ftp-traffic
  inspect ftp strict checkftp


From: Scott Voll [mailto:svoll.voip at gmail.com] 
Sent: Tuesday, April 2, 2013 11:58 AM
To: vrlists at gmail.com
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] FQDN ACL's on ASA


I went down that road too. The "policy-map type inspect http" does NOT have
a permit or allow. Thus it won't work in this setup.


other options?




On Tue, Apr 2, 2013 at 8:47 AM, Vijay Ramcharan <vrlists at gmail.com> wrote:

You can try with regex and MPF.
See https://supportforums.cisco.com/docs/DOC-1268

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Voll
Sent: Thursday, March 28, 2013 6:10 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] FQDN ACL's on ASA

I know I can set up FQDN ACLs on my ASA, but is there a way to do wildcard
domain names?

Example being *.microsoftonline.com

We are looking to use Office 365 and Microsoft lists some FQDNs and then they
add a bunch of wildcard ones like above.

If you can give me a link or example that would be great!



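Added example, not part of any message in the thread and not taken from the Cisco document linked above: the HTTP-inspection counterpart of Vijay's FTP allowlist, applied to the *.microsoftonline.com case Scott asked about. The "match not" class is the same trick as the FTP example; the deny action lives in the inspect-http policy, which is what stands in for the missing "permit". All object names (O365Ptrn1-3, cls-o365-hosts, cls-deny-http, http-traffic, pm-o365-only) and the three host patterns are assumptions made for this example; the real host list comes from Microsoft's published Office 365 endpoint documentation.

```cisco
! Added example (not the poster's config). Names and patterns are assumptions.
!
! Allowed Host-header patterns. ASA regex matching is a substring search,
! so "\.microsoftonline\.com" covers any *.microsoftonline.com name; the
! escaped dots stop "." from matching any character.
regex O365Ptrn1 "\.microsoftonline\.com"
regex O365Ptrn2 "\.outlook\.com"
regex O365Ptrn3 "\.office365\.com"
!
class-map type regex match-any cls-o365-hosts
 match regex O365Ptrn1
 match regex O365Ptrn2
 match regex O365Ptrn3
!
! "match not": any request whose Host header is NOT in the allowed list
! lands in the deny class (same approach as the FTP filename example).
class-map type inspect http match-all cls-deny-http
 match not request header host regex class cls-o365-hosts
!
! Layer 3/4 class selecting cleartext HTTP on port 80
class-map http-traffic
 match port tcp eq www
!
! HTTP inspection policy: drop and log anything in the deny class;
! also drop requests that are not well-formed HTTP so they cannot bypass
! the Host-header check.
policy-map type inspect http pm-o365-only
 parameters
  protocol-violation action drop-connection log
 class cls-deny-http
  drop-connection log
!
! Hook the inspection policy into the global service policy
policy-map global_policy
 class http-traffic
  inspect http pm-o365-only
```

Two checks before trusting this: the patterns are not end-anchored, so run `test regex` against both names you expect to allow and names you expect to deny (for example `test regex www.microsoftonline.com "\.microsoftonline\.com"`) and confirm that only the intended hosts match, then watch `show service-policy inspect http` for the drop counters once it is applied. The caveat that matters for Office 365 is that HTTP inspection only sees cleartext HTTP; on HTTPS the Host header is inside the TLS session, so this policy covers port-80 requests only and does not answer the wildcard-FQDN question for HTTPS traffic.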