Solved

Creating Access list rule on ASA5510 using a domain name

Posted on 2009-03-30
2
2,449 Views
Last Modified: 2012-05-06
I am needing to allow our Symantec AV Server through our ASA 5510 to download updates.  I am only wanting to allow the server out to the symantec site(s).  I contacted Symantec to get a list of IP Addresses they use for their definition downloads.  Symantec indicated they reference a domainname/url and they don't have a list of IP's to give out.  They indicated I only need to reference liveupdate.symantec.com in our firewall and it will work.  How do I create an access-list rule in the ASA to reference liveupdate.symantec.com?
0
Comment
Question by:angie_lynn
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 7

Assisted Solution

by:egyptco
egyptco earned 100 total points
ID: 24024124
hi,

such feature would have been great but i'm afraid I've never heard about it. on the asa you should allow ports 80, 21 and 443 (http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/2002041115083313) from your AV Server to any destination in outside and you shouldn't have any problems with the update.
or try this solution with LUAU http://www.symantec.com/connect/forums/liveupdate-behind-firewall 
0
 
LVL 3

Accepted Solution

by:
FWeston earned 400 total points
ID: 24029288
Unfortunately, I don't think PIX/ASA support what you're trying to do.  The liveupdate site looks like it's set up in a round-robin DNS configuration, so I'll list the following options in the order of most secure to least secure:

1) add access-lists permitting your internal AV server to access tcp ports 80/21/443 on the six IPs below
2) add a single access-list permitting your internal AV server to access tcp ports 80/21/443 on the 97.65.135.0/24 network
3) add a single access-list permitting your internal AV server to access tcp ports 80/21/443 on any host

Option 2 is probably a pretty safe option that won't require you to update ACLs every month.

FYI - the IP addresses I currently see for liveupdate.symantec.com are:
97.65.135.138, 97.65.135.154, 97.65.135.168, 97.65.135.145, 97.65.135.162, and 97.65.135.178
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Overview The Cisco PIX 501, PIX 506e, ASA 5505 and ASA 5510 (most if not all of this information will be relevant to the PIX 515e but I do not have a working configuration handy to verify the validity) are primarily used within small to medium busi…
This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

697 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question