[c-nsp] FQDN ACL's on ASA

James jimbob.coffey at gmail.com
Thu Apr 4 09:41:41 EDT 2013


On Wednesday, April 3, 2013, Scott Voll wrote:

> I went down that road too.  The "policy-map type inspect http" does NOT
> have a permit or allow.  Thus it won't work in this setup.
>
> Other options?


It also won't address the HTTPS resources in Office 365.  For that you
either use destination IP addresses as published by MS (and cross your
fingers they don't change too rapidly or that what is published is a complete
enumeration), a smarter firewall or a proxy.

An explicit proxy will give you the ability to filter on domain even for
HTTPS, as the CONNECT method specifies the destination host.  A transparent
proxy/NGFW may be able to filter on the distinguished name in the certificate
exchange of the TLS handshake protocol, but YMMV depending on vendor.

You could also use TLS intercept on a product that supports it and then
HTTP filter.  Some other firewalls can create policy based on wildcard
domains by dynamically resolving PTR records on the fly, but that requires
that PTR records are created in the first place and match the domain (not
always the case).

Or you could always open outbound 443 to any destination!!!! (If you like
supplying easy-to-use C2 channels, that is.)

-- 
jac
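As an added example (not from the thread or any vendor's code), here are the two hooks the message describes for filtering HTTPS by domain, feeding a fail-closed allow-list: an explicit proxy reads the destination host from the CONNECT request line, and a transparent device reads it from the TLS handshake. The transparent side parses the server_name (SNI) extension of the ClientHello rather than the certificate DN the message mentions; the allow-list entries and the ClientHello builder are constructed for illustration.

```python
from typing import Optional

# Constructed allow-list (example values): exact hosts, or ".suffix" meaning any subdomain.
ALLOWED = ("outlook.office365.com", ".office365.com", "login.microsoftonline.com")


def allowed(host: Optional[str]) -> bool:
    """Policy decision; a request whose destination could not be determined is denied (fail closed)."""
    return bool(host) and any(host == s or (s.startswith(".") and host.endswith(s)) for s in ALLOWED)


def host_from_connect(request_line: str) -> Optional[str]:
    """Destination host named by an explicit-proxy CONNECT request line (CONNECT host[:port] HTTP/1.x)."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    host, sep, _port = parts[1].rpartition(":")
    return (host if sep else parts[1]).lower() or None


def sni_from_client_hello(rec: bytes) -> Optional[str]:
    """server_name (SNI) from a raw TLS record holding a ClientHello; None if absent or malformed."""
    try:
        if rec[0] != 0x16 or rec[5] != 0x01:          # not a handshake record / not a ClientHello
            return None
        pos = 44 + rec[43]                             # skip record hdr, hs hdr, version, random, session id
        pos += 2 + int.from_bytes(rec[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + rec[pos]                            # compression_methods
        end = pos + 2 + int.from_bytes(rec[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:                          # walk the extension list
            etype = int.from_bytes(rec[pos:pos + 2], "big")
            elen = int.from_bytes(rec[pos + 2:pos + 4], "big")
            if etype == 0 and rec[pos + 6] == 0:       # server_name extension, name_type host_name
                nlen = int.from_bytes(rec[pos + 7:pos + 9], "big")
                return rec[pos + 9:pos + 9 + nlen].decode("ascii").lower()
            pos += 4 + elen
    except (IndexError, UnicodeDecodeError):
        pass
    return None


def build_client_hello(host: str) -> bytes:
    """Constructed minimal ClientHello carrying an SNI extension, used only as sample input here."""
    name = host.encode()
    sni = b"\x00" + len(name).to_bytes(2, "big") + name      # name_type=0 (host_name) + name
    sni = len(sni).to_bytes(2, "big") + sni                  # server_name_list
    ext = b"\x00\x00" + len(sni).to_bytes(2, "big") + sni    # extension type 0 (server_name)
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"            # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"             # one cipher suite, null compression
            + len(ext).to_bytes(2, "big") + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type ClientHello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs # TLS record, content type handshake
```

Note that a wildcard entry like ".office365.com" does not match "evil-office365.com"; the leading dot is what keeps a lookalike domain out.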

