Saturday, July 9, 2016

Cisco ASA URL Filtering via DNS Inspection Policy Map

One of our Ipoque DPI appliances suddenly failed, but its fail-to-wire feature kicked in, so traffic kept passing through without inspection. As a stopgap I had to perform URL filtering on the ASA 5525-X by creating regular expressions (regex) for the domains to be blocked and applying a DNS inspection policy that drops DNS lookups for them. For this example, I want to block domains such as YouTube, Facebook and Piratebay.


regex Youtube "youtube\.com"
regex Facebook "facebook\.com"
regex Piratebay "piratebay\.org"

class-map type regex match-any DomainBlockList
 match regex Youtube
 match regex Facebook
 match regex Piratebay

! drop DNS requests for the listed domains and allow everything else
policy-map type inspect dns PM-DNS-inspect
  match domain-name regex class DomainBlockList
  drop-connection log

! remove the default DNS inspection policy and attach the custom one
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
  inspect dns PM-DNS-inspect
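The `match domain-name regex` test compares the queried name in each DNS request against the regex objects, and those regexes are unanchored: `piratebay\.org` matches anywhere in the name, which is what lets it catch `thepiratebay.org`, but it equally matches any name that merely contains the string, such as `youtube.com.example.net`. The Python script below is an added example, not part of the original post or a Cisco tool; it reproduces that matching behaviour with `re.search` and contrasts it with an anchored form (`(^|\.)youtube\.com$`, an assumption written in Python regex syntax, to be checked against the ASA regex reference before use) so the trade-off between over-matching and under-matching is visible on sample names. Note also that in the full config further down, `PM-DNS-inspect` carries an empty `parameters` section, so the `message-length maximum` checks that `preset_dns_map` applied no longer run unless they are copied into the new map.

```python
import re

# Block-list regexes exactly as written in the ASA config above
# (the dictionary keys are the ASA "regex" object names).
ASA_REGEXES = {
    "Youtube": r"youtube\.com",
    "Facebook": r"facebook\.com",
    "Piratebay": r"piratebay\.org",
}

# Tighter alternative (an assumption for illustration, in Python regex syntax):
# match the apex domain or any subdomain of it, and nothing else.
STRICT_REGEXES = {name: r"(^|\.)" + pattern + r"$" for name, pattern in ASA_REGEXES.items()}


def matched_regex(qname, regexes=ASA_REGEXES):
    """Return the name of the first block-list regex that matches the queried
    name, or None. re.search is unanchored, mirroring how the regexes in the
    post match anywhere inside the domain name. The name is lower-cased and a
    trailing dot stripped because DNS names are case-insensitive and may be
    sent fully qualified."""
    name = qname.rstrip(".").lower()
    for regex_name, pattern in regexes.items():
        if re.search(pattern, name):
            return regex_name
    return None


def compare_policies(qnames):
    """For each queried name report which regex (if any) the loose list and the
    strict list would match, so the two behaviours can be compared side by side."""
    return {
        q: {"loose": matched_regex(q, ASA_REGEXES), "strict": matched_regex(q, STRICT_REGEXES)}
        for q in qnames
    }


if __name__ == "__main__":
    # Constructed sample queries: intended targets, an unrelated short name, a
    # look-alike name and a name that merely contains the blocked string.
    samples = ["www.youtube.com", "YouTube.com.", "youtu.be",
               "notyoutube.com", "youtube.com.example.net", "thepiratebay.org"]
    for q, result in compare_policies(samples).items():
        print(f"{q:26} loose={str(result['loose']):10} strict={result['strict']}")
```

Running it shows the loose list dropping `notyoutube.com` and `youtube.com.example.net` as false positives while the strict list misses `thepiratebay.org`; whichever form is chosen, the regex list needs to be written per domain rather than as bare substrings.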


I've also enabled syslog to verify if the regex and DNS filtering policy are working.

logging enable 
logging buffered informational
logging timestamp

ciscoasa# show log
Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level informational, 1948 messages logged
    Trap logging: disabled
    Permit-hostdown logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: disabled
May 23 2016 17:09:30: %ASA-4-410003: DNS Classification: Dropped DNS request (id 7944) from inside:192.168.1.10/53050 to outside:8.8.8.8/53; matched Class 22: match domain-name regex class DomainBlockList
May 23 2016 17:09:30: %ASA-4-507003: udp flow from inside:192.168.1.10/53050 to outside:8.8.8.8/53 terminated by inspection engine, reason - inspector disconnected, dropped packet.
May 23 2016 17:09:30: %ASA-6-302016: Teardown UDP connection 511 for outside:8.8.8.8/53 to inside:192.168.1.10/53050 duration 0:00:00 bytes 0
May 23 2016 17:09:33: %ASA-6-302014: Teardown TCP connection 495 for outside:172.20.80.21/9100 to inside:192.168.1.10/50128 duration 0:00:30 bytes 0 SYN Timeout
May 23 2016 17:09:34: %ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.10/50132 to outside:172.27.25.254/13351
May 23 2016 17:09:34: %ASA-6-302013: Built outbound TCP connection 512 for outside:172.20.80.21/9100 (172.20.80.21/9100) to inside:192.168.1.10/50132 (172.27.25.254/13351)
May 23 2016 17:09:34: %ASA-6-302015: Built outbound UDP connection 513 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.1.10/53050 (172.27.25.254/14713)
May 23 2016 17:09:34: %ASA-4-410003: DNS Classification: Dropped DNS request (id 7944) from inside:192.168.1.10/53050 to outside:8.8.8.8/53; matched Class 22: match domain-name regex class DomainBlockList
May 23 2016 17:09:34: %ASA-4-507003: udp flow from inside:192.168.1.10/53050 to outside:8.8.8.8/53 terminated by inspection engine, reason - inspector disconnected, dropped packet.
May 23 2016 17:09:34: %ASA-6-302016: Teardown UDP connection 513 for outside:8.8.8.8/53 to inside:192.168.1.10/53050 duration 0:00:00 bytes 0
May 23 2016 17:09:35: %ASA-6-305011: Built dynamic UDP translation from inside:192.168.1.10/53051 to outside:172.27.25.254/9577
May 23 2016 17:09:35: %ASA-6-302015: Built outbound UDP connection 514 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.1.10/53051 (172.27.25.254/9577)
May 23 2016 17:09:35: %ASA-6-305011: Built dynamic UDP translation from inside:192.168.1.10/53052 to outside:172.27.25.254/38752
May 23 2016 17:09:35: %ASA-6-302015: Built outbound UDP connection 515 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.1.10/53052 (172.27.25.254/38752)
May 23 2016 17:09:35: %ASA-6-302016: Teardown UDP connection 515 for outside:8.8.8.8/53 to inside:192.168.1.10/53052 duration 0:00:00 bytes 72
May 23 2016 17:09:35: %ASA-6-302016: Teardown UDP connection 514 for outside:8.8.8.8/53 to inside:192.168.1.10/53051 duration 0:00:00 bytes 72
May 23 2016 17:09:37: %ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.10/50127 to outside:172.27.25.254/39345 duration 0:01:00
May 23 2016 17:09:40: %ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.10/52130 to outside:172.27.25.254/50331 duration 0:00:30
May 23 2016 17:09:40: %ASA-6-302014: Teardown TCP connection 497 for outside:216.146.46.10/445 to inside:192.168.1.10/50129 duration 0:00:30 bytes 0 SYN Timeout
May 23 2016 17:09:41: %ASA-6-302014: Teardown TCP connection 498 for outside:216.146.46.11/445 to inside:192.168.1.10/50130 duration 0:00:30 bytes 0 SYN Timeout
May 23 2016 17:09:43: %ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.10/60600 to outside:172.27.25.254/9592 duration 0:00:30
May 23 2016 17:09:43: %ASA-6-305012: Teardown dynamic ICMP translation from inside:192.168.1.10/1 to outside:172.27.25.254/44940 duration 0:00:30
May 23 2016 17:09:50: %ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.10/52188 to outside:172.27.25.254/40294 duration 0:00:30
May 23 2016 17:09:56: %ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.10/53050 to outside:172.27.25.254/14713 duration 0:00:30
May 23 2016 17:10:00: %ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.10/50133 to outside:172.27.25.254/40275
May 23 2016 17:10:00: %ASA-6-302013: Built outbound TCP connection 516 for outside:172.20.80.21/9100 (172.20.80.21/9100) to inside:192.168.1.10/50133 (172.27.25.254/40275)
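The `%ASA-4-410003` lines are the evidence that the policy fired, but they name only the matched class, not the domain that was queried, and the same query id 7944 appears twice because the client retried after the first drop. The parser below is an added example (not from the post or from Cisco) that extracts the drop events from a buffered-log excerpt, counts them per source host and flags repeated query ids; the sample lines are constructed to mirror the ones shown above, with a second source host added.

```python
import re
from collections import Counter

# Constructed sample excerpt modelled on the "show log" output above; the
# third and fourth lines are additions (a non-drop line and a second host).
SAMPLE_LOG = """\
May 23 2016 17:09:30: %ASA-4-410003: DNS Classification: Dropped DNS request (id 7944) from inside:192.168.1.10/53050 to outside:8.8.8.8/53; matched Class 22: match domain-name regex class DomainBlockList
May 23 2016 17:09:34: %ASA-4-410003: DNS Classification: Dropped DNS request (id 7944) from inside:192.168.1.10/53050 to outside:8.8.8.8/53; matched Class 22: match domain-name regex class DomainBlockList
May 23 2016 17:09:35: %ASA-6-302015: Built outbound UDP connection 514 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.1.10/53051 (172.27.25.254/9577)
May 23 2016 17:10:02: %ASA-4-410003: DNS Classification: Dropped DNS request (id 1201) from inside:192.168.1.20/49152 to outside:8.8.4.4/53; matched Class 22: match domain-name regex class DomainBlockList
"""

# Field layout of the 410003 message as it appears in the log above:
# timestamp, query id, source interface/ip/port, destination interface/ip/port,
# matched class number and the match clause text.
DROP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-4-410003: "
    r"DNS Classification: Dropped DNS request \(id (?P<id>\d+)\) "
    r"from (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+); "
    r"matched Class (?P<class_id>\d+): (?P<match>.+)$"
)


def parse_dns_drops(text):
    """Return a list of dicts, one per %ASA-4-410003 line; other messages are skipped."""
    events = []
    for line in text.splitlines():
        m = DROP_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for key in ("id", "src_port", "dst_port", "class_id"):
            d[key] = int(d[key])
        events.append(d)
    return events


def drops_by_source(events):
    """Number of dropped DNS requests per inside host."""
    return Counter(e["src_ip"] for e in events)


def repeated_query_ids(events):
    """(source ip, query id) pairs seen more than once: a resolver or stub
    retrying the same transaction after the ASA dropped it, which is the
    pattern the post's log shows for id 7944."""
    counts = Counter((e["src_ip"], e["id"]) for e in events)
    return {key: n for key, n in counts.items() if n > 1}


if __name__ == "__main__":
    events = parse_dns_drops(SAMPLE_LOG)
    print("drops per host:", dict(drops_by_source(events)))
    print("retried ids:", repeated_query_ids(events))
```

Because the message carries no query name, identifying which blocked domain a host asked for needs a packet capture on the inside interface or resolver-side logging; the ASA log alone only shows that the regex class matched.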


Below is the full config that was applied on my lab ASA 5505 running version 8.3.

ciscoasa# show run
: Saved
:
ASA Version 8.3(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.27.25.254 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
regex Piratebay "piratebay\.org"
regex Youtube "youtube\.com"
regex Facebook "facebook\.com"
boot system disk0:/asa832-k8.bin
ftp mode passive
object network INSIDE-PAT
 subnet 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network INSIDE-PAT
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 172.27.25.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map type regex match-any DomainBlockList
 match regex Youtube
 match regex Facebook
 match regex Piratebay
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect dns PM-DNS-inspect
 parameters
 match domain-name regex class DomainBlockList
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns PM-DNS-inspect
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:84d1dbdacf047ec442ba73e29b20eecd
: end

Friday, July 1, 2016

FireSight GUI Menu Navigation

Just some additional post setup features or settings that you might want to note in FireSight.

NAT and VPN options under Devices tab are applicable to the dedicated FirePower appliance only. You can't run these features with the ASA FirePower module.


Objects are similar to ASA objects or aliases, which are used to simplify policy creation.


AMP is for managing malware protection for FireAMP endpoints. This is where you download the latest update from the FireSight cloud database.


You can create local admin accounts under Local > User Management > Create Users. By default, there's an admin account (default password is Sourcefire). You can also integrate user accounts with an external database such as LDAP or RADIUS and assign different privilege levels.

FireSight also has a syslog function under System > Monitoring > Syslog, which can be used for troubleshooting.


The device's health statistics, such as uptime, memory and disk usage, can be found under Monitoring > Statistics by clicking the device under Select Device(s). You can check the health stats on both the ASA with FirePower module and the FireSight Defense Center (DC).

You can perform backup and restore under Tools. You can also schedule system backup and its frequency.

Click Help > About to check the FireSight DC serial number and current OS version; Help > Support site redirects you to the TAC support website.

You can change the current user's password under admin > User Preference, and also change dashboard settings such as the home page and time zone preference.