Solved

Creating Access list rule on ASA5510 using a domain name

Posted on 2009-03-30
2
2,412 Views
Last Modified: 2012-05-06
I am needing to allow our Symantec AV Server through our ASA 5510 to download updates.  I am only wanting to allow the server out to the symantec site(s).  I contacted Symantec to get a list of IP Addresses they use for their definition downloads.  Symantec indicated they reference a domainname/url and they don't have a list of IP's to give out.  They indicated I only need to reference liveupdate.symantec.com in our firewall and it will work.  How do I create an access-list rule in the ASA to reference liveupdate.symantec.com?
0
Comment
Question by:angie_lynn
2 Comments
 
LVL 7

Assisted Solution

by:egyptco
egyptco earned 100 total points
ID: 24024124
hi,

such feature would have been great but i'm afraid I've never heard about it. on the asa you should allow ports 80, 21 and 443 (http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/2002041115083313) from your AV Server to any destination in outside and you shouldn't have any problems with the update.
or try this solution with LUAU http://www.symantec.com/connect/forums/liveupdate-behind-firewall 
0
 
LVL 3

Accepted Solution

by:
FWeston earned 400 total points
ID: 24029288
Unfortunately, I don't think PIX/ASA support what you're trying to do.  The liveupdate site looks like it's set up in a round-robin DNS configuration, so I'll list the following options in the order of most secure to least secure:

1) add access-lists permitting your internal AV server to access tcp ports 80/21/443 on the six IPs below
2) add a single access-list permitting your internal AV server to access tcp ports 80/21/443 on the 97.65.135.0/24 network
3) add a single access-list permitting your internal AV server to access tcp ports 80/21/443 on any host

Option 2 is probably a pretty safe option that won't require you to update ACLs every month.

FYI - the IP addresses I currently see for liveupdate.symantec.com are:
97.65.135.138, 97.65.135.154, 97.65.135.168, 97.65.135.145, 97.65.135.162, and 97.65.135.178
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Is this QoS Correct on this  CISCO 3825 Router 1 33
Cisco NBAR 6 31
Issue with seeing default gateway on ASA 5506 firewall 4 33
Using VLAN Interface in ASA 5 21
How to configure Site to Site VPN on a Cisco ASA.     (version: 1.1 - updated August 6, 2009) Index          [Preface]   1.    [Introduction]   2.    [The situation]   3.    [Getting started]   4.    [Interesting traffic]   5.    [NAT0]   6.…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

912 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now