    Block domains on a Cisco ASA

    December 30th, 2008

    A Cisco ASA can block web access to domains out of the box by inspecting HTTP traffic.
    It simply matches the DNS domain name the user typed, as carried in the HTTP Host header.
    Be aware that the site's IP address (e.g. http://80.80.80.80) can still be reached until you deny it in an access-list.

    regex domainlist1 "\.dating\.dk"
    regex domainlist2 "\.facebook\.dk"
    regex domainlist3 "\.facebook\.com"
    !
    access-list inside_mpc extended permit tcp any any eq www
    access-list inside_mpc extended permit tcp any any eq 8080
    !
    class-map type regex match-any DomainBlockList
     match regex domainlist1
     match regex domainlist2
     match regex domainlist3
    !
    class-map type inspect http match-all BlockDomainsClass
     match request header host regex class DomainBlockList
    class-map inspection_default
     match default-inspection-traffic
    class-map httptraffic
     match access-list inside_mpc
    !
    policy-map type inspect http http_inspection_policy
     parameters
      protocol-violation action drop-connection <-- XX
     match request method connect
      drop-connection log
     class BlockDomainsClass
      reset log
    !
    policy-map inside-policy
     class httptraffic
      inspect http http_inspection_policy
    !
    service-policy inside-policy interface inside

    To block every domain that contains the word "facebook" (e.g. myfacebook.com), use a broader regex instead:

    regex domainlist1 ".*facebook.*"
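To see how the two regex variants above behave against real Host header values, here is an added Python example (not part of the original post and not Cisco code). It assumes ASA regex matching is unanchored unless ^ or $ is used, which is the same semantics as Python's re.search(); the sample Host headers are constructed.

```python
import re

# Constructed regex lists mirroring the two variants shown on the page.
# An ASA regex is searched anywhere in the Host header unless it is anchored
# with ^ or $, which is the same semantics as Python's re.search().
STRICT_BLOCK_LIST = [r"\.dating\.dk", r"\.facebook\.dk", r"\.facebook\.com"]
BROAD_BLOCK_LIST = [r".*facebook.*"]


def host_is_blocked(host_header, regex_list):
    """True if the Host header matches any regex (class-map type regex match-any).

    The optional ":port" suffix a browser may append is dropped first so the
    regexes only see the hostname. Matching is case-sensitive here; whether the
    ASA treats the regex the same way on your version is an assumption to verify.
    """
    hostname = host_header.split(":", 1)[0]
    return any(re.search(rx, hostname) for rx in regex_list)


def classify(host_headers, regex_list):
    """Map each Host header to the action the page's policy-map would take:
    'reset' for a match on BlockDomainsClass, 'allow' otherwise."""
    return {h: ("reset" if host_is_blocked(h, regex_list) else "allow")
            for h in host_headers}


# Constructed sample Host headers, including the cases the page warns about.
SAMPLE_HOSTS = [
    "www.facebook.com",              # blocked by both lists
    "myfacebook.com",                # only the broad ".*facebook.*" list catches it
    "dating.dk",                     # no leading dot, so "\.dating\.dk" does not match
    "www.dating.dk:8080",            # port suffix stripped, then blocked
    "www.facebook.com.example.net",  # unanchored regex also matches inside a longer name
    "80.80.80.80",                   # raw IP bypasses both lists; needs an access-list
]

if __name__ == "__main__":
    for name, rules in (("strict", STRICT_BLOCK_LIST), ("broad", BROAD_BLOCK_LIST)):
        print(name)
        for host, action in classify(SAMPLE_HOSTS, rules).items():
            print(f"  {host:30} {action}")
```

Running it shows two things the post only hints at: the strict list with a leading `\.` never matches the bare apex name (dating.dk), and neither list touches a request made directly to an IP address, which is why the access-list caveat matters.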


    Allow PPTP through Cisco ASA

    December 29th, 2008

    By default, clients inside a network protected by a Cisco ASA cannot dial up with a PPTP connection.
    Adding the following to the configuration makes it work.


    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map global_policy
     class inspection_default
      inspect pptp
    !
    service-policy global_policy global

    ----
    PPTP uses IP protocol 47 (Generic Routing Encapsulation, GRE) for the data channel.
    The control connection is established on TCP port 1723.


    Block outgoing emails except from the mail server

    December 8th, 2008

    By default, every client on the LAN can act as a mail server, even when you already have a "real" mail server. If an attacker takes over one of your client PCs, they can use it to send out spam.

    How do you configure the firewall so only the “real” mail server can send out emails?

    You do it with an access-list on the inside interface. This way you control the outgoing SMTP traffic and allow only one LAN IP address to send out emails.

    access-list acl_out permit tcp host 10.0.0.2 any eq 25
    access-list acl_out deny tcp any any eq 25
    access-list acl_out permit ip any any
    access-list acl_out permit icmp any any
    access-group acl_out in interface inside
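An ASA access-list is evaluated top to bottom and the first matching entry wins, with an implicit deny at the end. The following Python example (added here, not part of the original post and not Cisco code) parses the ACL above and evaluates sample flows the same way, and also reports entries that can never be hit because an earlier entry already covers them. The flows, the 203.0.113.25 destination and the small `PORT_NAMES` table are constructed for the demo.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# The page's ACL, embedded as constructed input for the evaluator below.
ACL_TEXT = """
access-list acl_out permit tcp host 10.0.0.2 any eq 25
access-list acl_out deny tcp any any eq 25
access-list acl_out permit ip any any
access-list acl_out permit icmp any any
"""

# ASA port keywords that may follow "eq" (a small subset; assumption for this demo).
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp" or "icmp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None means any destination port


def _addr(tokens, i):
    """Consume one ASA address spec (any | host A.B.C.D | NET MASK); return (network, next_i)."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_ace(line):
    """Parse one 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]' line."""
    t = line.split()
    i = 3 if t[2] == "extended" else 2
    action, proto = t[i], t[i + 1]
    src, i = _addr(t, i + 2)
    dst, i = _addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
    return Ace(action, proto, src, dst, dport)


def parse_acl(text):
    return [parse_ace(line) for line in text.strip().splitlines()
            if line.startswith("access-list")]


def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation like the ASA: returns (action, index), or
    ('deny', None) for the implicit deny at the end of every access-list."""
    s, d = ip_address(src), ip_address(dst)
    for idx, ace in enumerate(acl):
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, idx
    return "deny", None


def covers(a, b):
    """True if every packet that matches ACE b would already have matched ACE a."""
    return (a.proto in ("ip", b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and (a.dport is None or a.dport == b.dport))


def shadowed_entries(acl):
    """Indexes of ACEs that can never be hit because an earlier ACE covers them."""
    return [i for i, ace in enumerate(acl) if any(covers(p, ace) for p in acl[:i])]


ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # Constructed flows from the inside interface towards an outside host.
    for flow in [("tcp", "10.0.0.2", "203.0.113.25", 25),
                 ("tcp", "10.0.0.55", "203.0.113.25", 25),
                 ("tcp", "10.0.0.55", "203.0.113.25", 80),
                 ("icmp", "10.0.0.55", "203.0.113.25", None)]:
        print(flow, "->", evaluate(ACL, *flow))
    print("shadowed entries:", shadowed_entries(ACL))
```

The output shows the mail server's SMTP allowed by the first line, every other host's SMTP denied by the second, and ordinary web traffic permitted by the third. It also reports that the final `permit icmp any any` line is shadowed: `permit ip any any` already matches ICMP, so the ICMP entry is harmless but never evaluated.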