Packetslave Industries » ASA

ASA URL filtering with MPF

blanders — Wed, 21 Oct 2009 17:36:03 +0000

Problem: “I want to block facebook.com and myspace.com but I don’t have a Websense server.”

regex domlist1 "facebook.com"
regex domlist2 "myspace.com"
!
class-map type regex match-any DomainBlockList
  match regex domlist1
  match regex domlist2
!
class-map type inspect http match-all BlockDomainsClass
  match request header host regex class DomainBlockList
!
policy-map type inspect http http_inspection_policy
  class BlockDomainsClass
  reset log
!
policy-map global_policy
  class inspection_default
  inspect http http_inspection_policy
!
service-policy global_policy global
wr mem

BGP Through an ASA with Authentication

blanders — Sun, 12 Jul 2009 19:34:04 +0000

By default, the ASA will strip TCP option 19 causing MD5 authentication for BGP to fail. In addition, the ASA randomizes the TCP sequence numbers, which also breaks things. To fix this:

tcp-map BGP_FIX
  tcp-options range 19 19 allow
!
access-list BGP permit tcp any any eq 179
!
class BGP
  match access-list BGP
  !! could also use match protocol tcp eq bgp
!
policy-map global_policy
  class BGP
    set connection advanced-options BGP_FIX
    set connection random-sequence-number disable
!

ASA Authentication Proxy with ACS

blanders — Sun, 12 Jul 2009 16:45:45 +0000

Goal: all outbound telnet and HTTP connections passing through the ASA must first be authenticated against an ACS server using the TACACS+ protocol.

aaa-server ACS_SERVER protocol tacacs+
aaa-server ACS_SERVER (inside) host 1.2.3.4
    key myACSkey
!
access-list outbound_auth permit tcp any any eq 23
access-list outbound_auth permit tcp any any eq 80
!
aaa authentication match outbound_auth inside ACS_SERVER

There are additional options to configure HTTP vs. HTTPS and redirection vs. basic HTTP authentication. The documentation is a bit confusing, so I will be labbing this up shortly.

ASA Enhanced Service Object Groups

blanders — Sat, 11 Jul 2009 22:02:07 +0000

The ASA introduced the concept of object groups in version 7.0. You could group a list of IP addresses, protocols, services, or ICMP types into one logical entity and refer to it by name in your access lists. In the 7.x releases, however, a service object group could only contain entries for a single protocol (TCP, UDP, or both TCP/UDP). This forced admins to either use a separate object group for TCP and UDP ports (requiring two ACE entries), or to match more ports than necessary (by using the tcp-udp type).

The 8.0 release of the ASA software solves this problem by introducing an enhanced Service object group that allows a mix of multiple protocols within the same group. Unfortunately, the 8.0 and 8.2 ASA configuration guides don’t appear to cover this new type of service group or show an example.

object-group network DMZ_NET
  network-object 1.2.3.0 255.255.255.0
!
object-group service DMZ_SERVICES
  service-object tcp eq 80
  service-object udp eq 53
  service-object tcp eq 53
  service-object icmp
!
access-list DMZ extended permit object-group DMZ_SERVICES any object-group DMZ_NET