Saturday, July 9, 2016

Cisco ASA URL Filtering via DNS Inspection Policy Map

One of our Ipoque DPI appliances suddenly failed, but its fail-to-wire feature kicked in. I had to temporarily perform URL filtering on the ASA 5525-X by creating regular expressions (regex) for the domains to be blocked and applying a DNS inspection policy that drops DNS lookups for them. For this example, I want to block domains such as YouTube, Facebook and Piratebay.


regex Youtube "youtube\.com"
regex Facebook "facebook\.com"
regex Piratebay "piratebay\.org"

class-map type regex match-any DomainBlockList
 match regex Youtube
 match regex Facebook
 match regex Piratebay

policy-map type inspect dns PM-DNS-inspect
  match domain-name regex class DomainBlockList
  drop-connection log   // DROP SPECIFIED DOMAINS AND ALLOW EVERYTHING ELSE

policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map   // REMOVE DEFAULT DNS INSPECTION POLICY
  inspect dns PM-DNS-inspect
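The three `regex` entries above are applied to the queried domain name, and a `match-any` class-map drops the request as soon as one of them matches. The following Python model, added here as an illustration and not ASA code, replays that evaluation against a handful of constructed query names. It assumes the ASA applies each regex unanchored (anywhere inside the name), which is what `re.search` does, and it also tries a hypothetical anchored variant of the same patterns so the difference in what gets caught is visible.

```python
import re

# Added example, not ASA code: models how the match-any class-map on the page
# evaluates its three "regex" entries against a queried domain name.
# Assumption: the ASA applies each regex unanchored, i.e. anywhere inside the
# name, which is what Python's re.search does.
ASA_REGEXES = {
    "Youtube": r"youtube\.com",
    "Facebook": r"facebook\.com",
    "Piratebay": r"piratebay\.org",
}

# Hypothetical tighter variants: match only the domain itself or a subdomain
# of it, never a name that merely contains the string.
ANCHORED_REGEXES = {
    "Youtube": r"(^|\.)youtube\.com$",
    "Facebook": r"(^|\.)facebook\.com$",
    "Piratebay": r"(^|\.)piratebay\.org$",
}


def match_any(qname, regexes=ASA_REGEXES):
    """Return the label of the first regex that matches qname (match-any
    semantics), or None. DNS names are case-insensitive, so compare the
    lowercased name without its trailing dot."""
    name = qname.rstrip(".").lower()
    for label, pattern in regexes.items():
        if re.search(pattern, name):
            return label
    return None


def classify(qnames, regexes=ASA_REGEXES):
    """Map each queried name to the action the policy-map would take:
    'drop' (matched the class) or 'allow' (fell through)."""
    return {q: ("drop" if match_any(q, regexes) else "allow") for q in qnames}


# Constructed sample queries: the intended targets, their subdomains, and
# three look-alikes that an unanchored substring match also catches.
SAMPLE_QUERIES = [
    "youtube.com",
    "www.youtube.com.",
    "m.facebook.com",
    "thepiratebay.org",
    "youtube.com.example.net",
    "notfacebook.com",
    "example.com",
]

if __name__ == "__main__":
    page = classify(SAMPLE_QUERIES)
    anchored = classify(SAMPLE_QUERIES, ANCHORED_REGEXES)
    for q in SAMPLE_QUERIES:
        print(f"{q:26} page-regex={page[q]:5} anchored={anchored[q]}")
```

The unanchored patterns catch `youtube.com.example.net` and `notfacebook.com` as well as the intended sites, but they also catch `thepiratebay.org`, which the anchored variants let through. Pick the form that matches the intent, and confirm how the ASA itself evaluates a pattern with the `test regex` command before relying on it. Keep in mind that this policy only affects DNS queries that traverse the inspected interfaces; hosts that already have the answer cached or resolve some other way are not blocked by it.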


I've also enabled syslog to verify that the regex and DNS inspection policy are working.

logging enable 
logging buffered informational
logging timestamp




ciscoasa# show log
Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level informational, 1948 messages logged
    Trap logging: disabled
    Permit-hostdown logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: disabled
May 23 2016 17:09:30: %ASA-4-410003: DNS Classification: Dropped DNS request (id 7944) from inside:192.168.1.10/53050 to outside:8.8.8.8/53; matched Class 22: match domain-name regex class DomainBlockList
May 23 2016 17:09:30: %ASA-4-507003: udp flow from inside:192.168.1.10/53050 to outside:8.8.8.8/53 terminated by inspection engine, reason - inspector disconnected, dropped packet.
May 23 2016 17:09:30: %ASA-6-302016: Teardown UDP connection 511 for outside:8.8.8.8/53 to inside:192.168.1.10/53050 duration 0:00:00 bytes 0
May 23 2016 17:09:33: %ASA-6-302014: Teardown TCP connection 495 for outside:172.20.80.21/9100 to inside:192.168.1.10/50128 duration 0:00:30 bytes 0 SYN Timeout
May 23 2016 17:09:34: %ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.10/50132 to outside:172.27.25.254/13351
May 23 2016 17:09:34: %ASA-6-302013: Built outbound TCP connection 512 for outside:172.20.80.21/9100 (172.20.80.21/9100) to inside:192.168.1.10/50132 (172.27.25.254/13351)
May 23 2016 17:09:34: %ASA-6-302015: Built outbound UDP connection 513 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.1.10/53050 (172.27.25.254/14713)
May 23 2016 17:09:34: %ASA-4-410003: DNS Classification: Dropped DNS request (id 7944) from inside:192.168.1.10/53050 to outside:8.8.8.8/53; matched Class 22: match domain-name regex class DomainBlockList
May 23 2016 17:09:34: %ASA-4-507003: udp flow from inside:192.168.1.10/53050 to outside:8.8.8.8/53 terminated by inspection engine, reason - inspector disconnected, dropped packet.
May 23 2016 17:09:34: %ASA-6-302016: Teardown UDP connection 513 for outside:8.8.8.8/53 to inside:192.168.1.10/53050 duration 0:00:00 bytes 0
May 23 2016 17:09:35: %ASA-6-305011: Built dynamic UDP translation from inside:192.168.1.10/53051 to outside:172.27.25.254/9577
May 23 2016 17:09:35: %ASA-6-302015: Built outbound UDP connection 514 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.1.10/53051 (172.27.25.254/9577)
May 23 2016 17:09:35: %ASA-6-305011: Built dynamic UDP translation from inside:192.168.1.10/53052 to outside:172.27.25.254/38752
May 23 2016 17:09:35: %ASA-6-302015: Built outbound UDP connection 515 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.1.10/53052 (172.27.25.254/38752)
May 23 2016 17:09:35: %ASA-6-302016: Teardown UDP connection 515 for outside:8.8.8.8/53 to inside:192.168.1.10/53052 duration 0:00:00 bytes 72
May 23 2016 17:09:35: %ASA-6-302016: Teardown UDP connection 514 for outside:8.8.8.8/53 to inside:192.168.1.10/53051 duration 0:00:00 bytes 72
May 23 2016 17:09:37: %ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.10/50127 to outside:172.27.25.254/39345 duration 0:01:00
May 23 2016 17:09:40: %ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.10/52130 to outside:172.27.25.254/50331 duration 0:00:30
May 23 2016 17:09:40: %ASA-6-302014: Teardown TCP connection 497 for outside:216.146.46.10/445 to inside:192.168.1.10/50129 duration 0:00:30 bytes 0 SYN Timeout
May 23 2016 17:09:41: %ASA-6-302014: Teardown TCP connection 498 for outside:216.146.46.11/445 to inside:192.168.1.10/50130 duration 0:00:30 bytes 0 SYN Timeout
May 23 2016 17:09:43: %ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.10/60600 to outside:172.27.25.254/9592 duration 0:00:30
May 23 2016 17:09:43: %ASA-6-305012: Teardown dynamic ICMP translation from inside:192.168.1.10/1 to outside:172.27.25.254/44940 duration 0:00:30
May 23 2016 17:09:50: %ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.10/52188 to outside:172.27.25.254/40294 duration 0:00:30
May 23 2016 17:09:56: %ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.10/53050 to outside:172.27.25.254/14713 duration 0:00:30
May 23 2016 17:10:00: %ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.10/50133 to outside:172.27.25.254/40275
May 23 2016 17:10:00: %ASA-6-302013: Built outbound TCP connection 516 for outside:172.20.80.21/9100 (172.20.80.21/9100) to inside:192.168.1.10/50133 (172.27.25.254/40275)
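The `%ASA-4-410003` lines are the ones that prove the policy fired: each names the inside host, the resolver it asked, the DNS query id and the regex class that matched. The parser below is an added example, not Cisco code; it picks those lines out of a buffer like the one above, extracts the fields, and counts drops per inside host and class. The sample input reuses two lines from the log above, one unrelated teardown line, and one constructed line for a second host (192.168.1.20, query id 1234) so the summary has more than one key.

```python
import re
from collections import Counter

# Added example, not Cisco code: parses %ASA-4-410003 "DNS Classification"
# drop messages as seen in the ASA log buffer and summarises them.
DNS_DROP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d\d:\d\d:\d\d): %ASA-4-410003: "
    r"DNS Classification: Dropped DNS request \(id (?P<qid>\d+)\) "
    r"from (?P<src_if>[^:]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>[^:]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+); "
    r"matched Class (?P<class_id>\d+): (?P<rule>.+)$"
)
# The matched rule text ends with the regex class-map name.
CLASS_NAME_RE = re.compile(r"regex class (\S+)")

# Sample input: two lines reproduced from the log above, one unrelated
# teardown line, and one constructed line for a second inside host.
SAMPLE_LOG = [
    "May 23 2016 17:09:30: %ASA-4-410003: DNS Classification: Dropped DNS request (id 7944) from inside:192.168.1.10/53050 to outside:8.8.8.8/53; matched Class 22: match domain-name regex class DomainBlockList",
    "May 23 2016 17:09:34: %ASA-4-410003: DNS Classification: Dropped DNS request (id 7944) from inside:192.168.1.10/53050 to outside:8.8.8.8/53; matched Class 22: match domain-name regex class DomainBlockList",
    "May 23 2016 17:09:34: %ASA-6-302016: Teardown UDP connection 513 for outside:8.8.8.8/53 to inside:192.168.1.10/53050 duration 0:00:00 bytes 0",
    "May 23 2016 17:11:02: %ASA-4-410003: DNS Classification: Dropped DNS request (id 1234) from inside:192.168.1.20/40001 to outside:8.8.8.8/53; matched Class 22: match domain-name regex class DomainBlockList",
]


def parse_dns_drop(line):
    """Return a dict of fields for a DNS-classification drop line, or None
    for any other syslog message."""
    m = DNS_DROP_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    cm = CLASS_NAME_RE.search(fields["rule"])
    fields["class_name"] = cm.group(1) if cm else None
    return fields


def summarize(lines):
    """Count dropped requests per (inside host, regex class). A client that
    retries keeps the same query id (id 7944 appears twice above), so the
    set of distinct (host, id) pairs is returned alongside the raw count."""
    per_host = Counter()
    distinct = set()
    for line in lines:
        d = parse_dns_drop(line)
        if d is None:
            continue
        per_host[(d["src_ip"], d["class_name"])] += 1
        distinct.add((d["src_ip"], d["qid"]))
    return per_host, distinct


if __name__ == "__main__":
    counts, unique = summarize(SAMPLE_LOG)
    for (host, cls), n in counts.most_common():
        print(f"{host:16} {cls:16} drops={n}")
    print(f"distinct queries dropped: {len(unique)}")
```

Feeding `show log` output (or the same messages forwarded to a syslog collector) through `summarize` gives a quick view of which inside hosts keep hitting the block list, which is also a reasonable thing to alert on if a host that should never resolve those names starts doing so.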


Below is the full config that was applied on my lab ASA 5505 running version 8.3.

ciscoasa# show run
: Saved
:
ASA Version 8.3(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.27.25.254 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
regex Piratebay "piratebay\.org"
regex Youtube "youtube\.com"
regex Facebook "facebook\.com"
boot system disk0:/asa832-k8.bin
ftp mode passive
object network INSIDE-PAT
 subnet 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network INSIDE-PAT
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 172.27.25.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map type regex match-any DomainBlockList
 match regex Youtube
 match regex Facebook
 match regex Piratebay
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect dns PM-DNS-inspect
 parameters
 match domain-name regex class DomainBlockList
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns PM-DNS-inspect
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:84d1dbdacf047ec442ba73e29b20eecd
: end
