Without even knowing it, most of us are using web applications on a daily basis. Gmail and Yahoo email, Twitter, Facebook, and eBay are used by most of us daily—and they are web applications. We often confuse these web applications tools for websites. So, what is the difference?
Solved
Cisco ASA 5200 ACL question
Posted on 2006-12-01
Folks,
We have an ASA 5200 which we may be using to provide firewall services for more than one client. With that in mind I went to great lengths and some pain to configure it using the minimum number of interfaces necessary for the existing client using subinterfaces of a single interface.
Behind the subinterfaces for this client we plan to have exchange, web, citrix and sundry other applications which will need access to the internet. I've fiddled with the static (int, int) command and have it functioning for the sub interfaces.
I then began to fiddle with configuring the ACL. Ideally I'd like to permit pretty much everything in through the outside interface then allow or block traffic at the subinterface level. I created two separate ACL's, one called Global_ACL the other called AWF_ACL. The Global_ACL had a permit ip any any statement in it and the AWF_ACL had the more granular permit statements.
I then applied the Global_ACL to the outside interface and the AWF_ACL to the subinterface which I needed traffic to pass on. I tested my connection using RDP remapped to a different port and was able to connect to the server behind the ASA.
I looked at the access-lists and saw hits on the Global_ACL but none on the AWF_ACL. Curious to see if the AWF_ACL was being parsed I then removed it from the subinterface and found that I could still connect via RDP.
My question is this: how can I configure the ASA so that I am allowing everything into the outside interface but only what port traffic I want into each sub interface?
I can post the relevant portion of the config if needed.
Thanks
We have an ASA 5200 which we may be using to provide firewall services for more than one client. With that in mind I went to great lengths and some pain to configure it using the minimum number of interfaces necessary for the existing client using subinterfaces of a single interface.
Behind the subinterfaces for this client we plan to have exchange, web, citrix and sundry other applications which will need access to the internet. I've fiddled with the static (int, int) command and have it functioning for the sub interfaces.
I then began to fiddle with configuring the ACL. Ideally I'd like to permit pretty much everything in through the outside interface then allow or block traffic at the subinterface level. I created two separate ACL's, one called Global_ACL the other called AWF_ACL. The Global_ACL had a permit ip any any statement in it and the AWF_ACL had the more granular permit statements.
I then applied the Global_ACL to the outside interface and the AWF_ACL to the subinterface which I needed traffic to pass on. I tested my connection using RDP remapped to a different port and was able to connect to the server behind the ASA.
I looked at the access-lists and saw hits on the Global_ACL but none on the AWF_ACL. Curious to see if the AWF_ACL was being parsed I then removed it from the subinterface and found that I could still connect via RDP.
My question is this: how can I configure the ASA so that I am allowing everything into the outside interface but only what port traffic I want into each sub interface?
I can post the relevant portion of the config if needed.
Thanks
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
6
5
12 Comments
i do not think that you can do that being the security device's primary role is to block everything incoming, unless requested from the inside.
the only thing i can thik of is to add an access list that opens everything up and bind it to the outside interface, then add your neccessary access-lists to block what you want on the sub interfaces
access-list inbound permit ip any any
access-group inbound in interface outside
this will open up the device with basically no security. then add you acl's for the subs
the only thing i can thik of is to add an access list that opens everything up and bind it to the outside interface, then add your neccessary access-lists to block what you want on the sub interfaces
access-list inbound permit ip any any
access-group inbound in interface outside
this will open up the device with basically no security. then add you acl's for the subs
Active 3 days ago
Thanks for the reply.
This is essentially what I have done: The Global_ACL has a permit ip any any statement and the AWF_ACL has more granular statements.
The ACL on the subinterface seems to have no effect. It's as though the ASA assumes the traffic is alright for any interface once it's matched the ACL on the outside interface.
I do appreciate the thoughts though!
This is essentially what I have done: The Global_ACL has a permit ip any any statement and the AWF_ACL has more granular statements.
The ACL on the subinterface seems to have no effect. It's as though the ASA assumes the traffic is alright for any interface once it's matched the ACL on the outside interface.
I do appreciate the thoughts though!
You can now apply acls "out" on each interface.
Allow all/most "in" on the outside interface.
Restrict "out" on the vlan interfaces
Example:
access-list inbound permit ip any any
access-group inbound in interface outside
access-list to_vlan1 permit tcp any eq www any
access-list to_vlan1 permit udp any eq domain any
access-list to_vlan1 permit tcp any any eq https any
access-group to_vlan1 out interface vlan1
access-list to_vlan2 permit tcp any host a.b.c.d eq www
access-list to_vlan2 permit tcp any host a.b.c.d eq https
access-list to_vlan2 permit tcp any host alb.c.e eq smtp
access-group to_vlan2 out interface vlan2
Allow all/most "in" on the outside interface.
Restrict "out" on the vlan interfaces
Example:
access-list inbound permit ip any any
access-group inbound in interface outside
access-list to_vlan1 permit tcp any eq www any
access-list to_vlan1 permit udp any eq domain any
access-list to_vlan1 permit tcp any any eq https any
access-group to_vlan1 out interface vlan1
access-list to_vlan2 permit tcp any host a.b.c.d eq www
access-list to_vlan2 permit tcp any host a.b.c.d eq https
access-list to_vlan2 permit tcp any host alb.c.e eq smtp
access-group to_vlan2 out interface vlan2
Active 3 days ago
I'll test this but looking at it wouldn't this restrict traffic outbound from inside the interface?
I'm trying to wrap my brain around how this would work...
I'm trying to wrap my brain around how this would work...
Active 3 days ago
oh... wait... I think I see what you're saying.
So, If I have the following interfaces:
gig0/1
gig0/1.10
gig0/1.20
and I create an ACL which permits all IP traffic and apply it on gi0/1 inbound
then I create an ACL which restricts traffic and apply it to gi0/1.10 outbound
the result should be that all traffic flows into the primary interface but is restricted flowing through it to the sub-interface?
So, If I have the following interfaces:
gig0/1
gig0/1.10
gig0/1.20
and I create an ACL which permits all IP traffic and apply it on gi0/1 inbound
then I create an ACL which restricts traffic and apply it to gi0/1.10 outbound
the result should be that all traffic flows into the primary interface but is restricted flowing through it to the sub-interface?
No. Think of the ASA as a big box with multiple doors.
From the outside of the box, all doors say "IN"
From the inside of the box, all doors say "OUT"
packets can come in the outside interface, but can't go out the vlan interface
In the example above, "inside" and vlan3 can use FTP, RDP, etc, while users on vlan1 and 2 are restricted to http, https, dns, smtp, etc
These are just examples. Be careful what you wish for and plan it very carefully and don't forget about udp/53 for dns
From the outside of the box, all doors say "IN"
From the inside of the box, all doors say "OUT"
packets can come in the outside interface, but can't go out the vlan interface
In the example above, "inside" and vlan3 can use FTP, RDP, etc, while users on vlan1 and 2 are restricted to http, https, dns, smtp, etc
These are just examples. Be careful what you wish for and plan it very carefully and don't forget about udp/53 for dns
No/Yes.
No to your question "wouldn't this restrict traffic outbound from inside the interface? "
Yes to your last post. We must have cross-posted at the same time.
No to your question "wouldn't this restrict traffic outbound from inside the interface? "
Yes to your last post. We must have cross-posted at the same time.
Active 3 days ago
lrmoore:
Thanks for the replies. So I understand correctly I described applying the ACL's correctly to achieve what I wish to accomplish, correct?
Thanks for the replies. So I understand correctly I described applying the ACL's correctly to achieve what I wish to accomplish, correct?
Featured Post
Lunarpages' assortment of hosting products and solutions ensure a perfect fit for anyone looking to get their vision or products to market. Our award winning customer support and 30-day money back guarantee show the pride we take in being the industry's premier MSP.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Short answer to this question: there is no effective WiFi manager in iOS devices as seen in Windows WiFi or Macbook OSx WiFi management, but this article will try and provide some amicable solutions to better suite your needs.
Originally, this post was published on Monitis Blog, you can check it
here
.
It goes without saying that technology has transformed society and the very nature of how we live, work, and communicate in ways that would’ve been incomprehensible 5 ye…
- Web Development
- Networking
- Web Development Software
- Monitis
- IT Administration
- *Automation, *DevOps
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses
Course of the Month5 days, 6 hours left to enroll
670 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.