Discussion:
[c-nsp] FQDN ACL's on ASA
Scott Voll
2013-03-28 22:10:21 UTC
I know I can set up FQDN ACLs on my ASA, but is there a way to do wildcard
domain names?

Example being *.microsoftonline.com

We are looking to use Office 365, and Microsoft lists some FQDNs and then
they add a bunch of wildcard ones like the one above.

If you can give me a link or example that would be great!

TIA

Scott
_______________________________________________
cisco-nsp mailing list cisco-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Laurent Geyer
2013-04-01 23:11:40 UTC
FQDNs are not dynamic. The ASA will use whatever the name resolves to when the ACL is compiled.

Based on that behavior I'd say that a wildcard entry wouldn't do what you want it to even if the ASA accepted that input.

Laurent
Vijay Ramcharan
2013-04-02 15:47:32 UTC
You can try with regex and MPF.
See https://supportforums.cisco.com/docs/DOC-1268
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

Scott Voll
2013-04-02 15:58:24 UTC
I went down that road too. The "policy-map type inspect http" does NOT
have a permit or allow, thus it won't work in this setup.

other options?

Scott
Vijay Ramcharan
2013-04-03 13:45:28 UTC
Scott,

There isn't an explicit permit, but there is an explicit drop or deny. What
the examples provide are "match not" expressions, which are used as an explicit
"permit".

I don't know how complicated your setup needs to be or how many domains or
hosts you need to match, but "match not" for those with a "drop" or "deny"
action would probably give you the expected result.

I used this same setup to explicitly permit FTP for Symantec AV file updates
below while denying all other FTP. A similar approach would be applicable
for HTTP traffic also.

regex SymPtrn1 ".*liveupdate.+livetri\.zip"
regex SymPtrn2 "minitri\.flg"
regex SymPtrn3 ".*corporate.+livetri\.zip"

class-map type regex match-any cls-symantec-files
 match regex SymPtrn1
 match regex SymPtrn2
 match regex SymPtrn3

class-map type inspect ftp match-any cls-deny-ftp
 match not filename regex class cls-symantec-files

class-map ftp-traffic
 match port tcp eq ftp

policy-map type inspect ftp checkftp
 parameters
 class cls-deny-ftp
  reset log

policy-map global_policy
 class ftp-traffic
  inspect ftp strict checkftp

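The HTTP counterpart of the FTP policy above, written here as an added example rather than config from the thread: the regex, class-map and policy-map names (o365-host-1, cls-o365-hosts, cls-deny-http, http-o365-only, http-traffic) are assumed, and the pattern covers only the one Office 365 domain Scott quoted. Like the FTP version, it acts on plain HTTP on port 80 only.

```cisco
! Added example, not from the thread; all names below are assumed.
! Suffix match for *.microsoftonline.com on the HTTP Host header. The
! trailing $ anchors the pattern so a longer name that merely contains
! the string does not match.
regex o365-host-1 "\.microsoftonline\.com$"

class-map type regex match-any cls-o365-hosts
 match regex o365-host-1

! "match not": a request whose Host header does not match any allowed
! pattern falls into this class and receives the drop action, which is
! how an allow-list is expressed without an explicit permit.
class-map type inspect http match-all cls-deny-http
 match not request header host regex class cls-o365-hosts

policy-map type inspect http http-o365-only
 parameters
 class cls-deny-http
  drop-connection log

! Apply to port 80 only; TLS on 443 is not visible to this inspection.
class-map http-traffic
 match port tcp eq www

policy-map global_policy
 class http-traffic
  inspect http http-o365-only
```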
James
2013-04-04 13:41:41 UTC
Post by Scott Voll
I went down that road too. The "policy-map type inspect http" does NOT
have a permit or allow, thus it won't work in this setup.
other options?
It also won't address the HTTPS resources in Office 365. For that you
either use destination IP addresses as published by MS (and cross your
fingers they don't change too rapidly, or that what is published is a complete
enumeration), a smarter firewall or a proxy.

An explicit proxy will give you the ability to filter on domain even for
HTTPS, as the CONNECT method specifies the destination host. A transparent
proxy/NGFW may be able to filter on the distinguished name in the certificate
exchange of the TLS handshake protocol, but YMMV depending on vendor.

You could also use TLS intercept on a product that supports it and then
HTTP filter. Some other firewalls can create policy based on wildcard
domains by dynamically resolving PTR records on the fly, but that requires
that PTR records are created in the first place and match the domain (not
always the case).

Or you could always open outbound 443 to any destination!!!! (If you like
supplying easy to use C2 channels, that is.)
--
jac