Solved

Adding Domain Name and Sub Domain to Rule Exceptions on Cisco ASA 5585

Posted on 2013-10-25
1
2,314 Views
Last Modified: 2013-12-09
Having the DNS enabled on the Cisco ASA 5585 Firewall and attempting to add entire domain to exclusions.  The provided exclusions for the domain comes back as *.domain.com.

Cisco is requiring a FQDN to be added.  The vendor is/will not provide the actual IP address ranges.

How can I put the domain plus subdomains into exclusions rules for the ASA?
0
Comment
Question by:PSERS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 7

Accepted Solution

by:
HalldorG earned 500 total points
ID: 39602510
You may use an alternative method specially if this is url filtering you want to solve.

Look at
https://supportforums.cisco.com/docs/DOC-1268

It is using regular expressions to match names in the http protocol.

Notice that names are not included in tcp header therfore you can not use wildcard in acl rules as there are countless possibilities of names that could be looked up. That might fit the ip address.  Also blocking based on dns names is not a good idea as the server may be serving other websites you want to access, which have the same ip address.
0

Featured Post

Space-Age Communications Transitions to DevOps

ViaSat, a global provider of satellite and wireless communications, securely connects businesses, governments, and organizations to the Internet. Learn how ViaSat’s Network Solutions Engineer, drove the transition from a traditional network support to a DevOps-centric model.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Problem Description:   Couple of months ago we upgraded the ADSL line at our branch office from Home to Business line. The purpose of transforming the service to have static public IP’s. We were in need for public IP’s to publish our web resour…
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question