Solved

Where to put access list

Posted on 2009-07-01
6
463 Views
Last Modified: 2012-05-07
I am having trouble putting a set of accesslist on my ASA5520. We are replaceing an  aventail box with a asa for clientless ssl vpn connection. In the current set up users pass an asa to gett to the aventail box and once they authenticat the go back threw the asa to get to network resources. We only permit a few rules to get to our asa. The new set up only uses the asa, which authenticates the ssl users. Now I need to put these rules to only permit to these resources.
access-list inside_authentication extended permit udp any host xxx.xxx.231.62 eq ntp

access-list inside_authentication extended permit tcp any host xxx.xxx58.140 eq https

access-list inside_authentication extended permit udp any host xxx.xxx96.1 eq domain

access-list inside_authentication extended permit udp any host xxx.xxx96.15 eq domain

access-list inside_authentication extended permit tcp any host xxx.xxx4.37 eq https

access-list inside_authentication extended permit tcp any xxx.xxx4.64 255.255.255.192 eq lotusnotes

access-list inside_authentication extended permit tcp any xxx.xxx4.64 255.255.255.192 eq www

access-list inside_authentication extended permit tcp any host xxx.xxx68.59 eq www

access-list inside_authentication extended permit udp any host xxx.xxx4.7 eq radius

access-list inside_authentication extended permit tcp any host xxx.xxx4.2 eq www

access-list inside_authentication extended permit tcp any host xxx.xxx.31.50 eq www

access-list inside_authentication extended permit tcp any host xxx.xxx.31.51 eq www

access-list inside_authentication extended permit tcp any host xxx.xxx6.2 eq https

access-list inside_authentication extended permit udp any host xxx.xxx.84 eq radius

access-list inside_authentication extended permit tcp any host xxx.xxx.0.44 eq https

access-list inside_authentication extended permit tcp any xxx.xxx.112 255.255.255.240 eq www

access-list inside_authentication extended permit tcp any host xxx.xxx6.4 eq https

access-list inside_authentication extended permit tcp any host xxx.xxx4.10 eq www

access-list inside_authentication extended permit tcp any host 192.135.176.8 eq https

access-list inside_authentication extended permit tcp any host xxx.xxx.107 eq www

access-list inside_authentication extended permit tcp any host xxx.xxx.107 eq https

access-list inside_authentication extended permit tcp any host xxx.xxx.107 range 7008 7009

access-list inside_authentication extended permit tcp any host xxx.xxx4.2 eq https

access-list inside_authentication extended permit tcp any host xxx.xxx4.45 eq https

access-list inside_authentication extended permit udp any host xxx.xxx.231.8 eq syslog

access-list inside_authentication extended permit tcp any host xxx.xxx4.121 eq 4001

access-list inside_authentication extended permit tcp any host xxx.xxx4.142 eq www

access-list inside_authentication extended permit tcp any host xxx.xxx4.142 eq https

access-list inside_authentication extended permit tcp any host xxx.xxx4.142 range 7008 7009

access-list inside_authentication extended permit tcp any host xxx.xxx.17 eq www

access-list inside_authentication extended permit tcp any host xxx.xxx.17 eq https

access-list inside_authentication extended permit tcp any host xxx.xxx.17 range 7008 7009

access-list inside_authentication extended permit tcp any host xxx.xxx4.22 eq 9090

access-list inside_authentication extended permit tcp any host xxx.xxx4.24 eq 9090

Open in new window

0
Comment
Question by:axl13
  • 3
  • 3
6 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 24754217
I would setup 2 ACLS.  One as a no nat acl from the inside range to the IP local pool range.    2nd ACL would be an allow from an internal host to the IP local pool range.   This would restrict the iplocal pool to only those hosts specified.    This works if the access-group  uses 'in interface inside' as the direction.    You could also build the same ACL using ip local pool as source and inside host as destination and use an access-group with 'out interface inside'.  


0
 

Author Comment

by:axl13
ID: 24754372
We are not using any ip local pool range and I do not believe we are nating. I tried the second, but I was still ablt to get to our NAS, which we should not be able to... I have attacted the running config
webvpn.TXT
0
 
LVL 33

Accepted Solution

by:
MikeKane earned 500 total points
ID: 24763961
Ah - I'm sorry - it didn't click you were using clientless SSL ...   my bad.  

What you want then is a Web Access Control List  applied to the sessions.  

Start with the ACL - something like:
access-list TEST-WEBVPN-ACL webtype permit url any log default

That will allow anything, but you would add in the permitted URL's to the inside and then finish with a blanket Deny all at the bottom.  
Here's the doc on how to build the list: http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/obman.html

Next you apply the ACL to the SSL VPN using group policy, something like:
group-policy TEST-WEBVPN-Policy internal
group-policy TEST-WEBVPN-Policy attributes
 webvpn
  filter value TEST-WEBVPN-ACL


That's pretty much it.    You just need to build your ACL with permits and denys then apply it to your code here:
group-policy SSLWEBVPN attributes
 vpn-tunnel-protocol l2tp-ipsec webvpn
 webvpn
  url-list value Shortcuts
  customization value SSLWebLogin
  FILTER VALULE <name of web ACL>  


Here's another reference just in case:
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/pobjpage.html#wp1195946



Hope that helps.



0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 

Author Comment

by:axl13
ID: 24764527
looks like we cannot use udp for the filter??? Is there a work around since I permit a few udp, ntp radius, syslog, and domain???
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 24764562
I think that goes beyond what the clientless webvpn portal can do....     Have you considered using the anyconnect client instead?   It can be set to auto load from the web site and you get a full visibility into the network with an ip pool that can be controlled with ACLs....  
0
 

Author Closing Comment

by:axl13
ID: 31598752
It work, thanks
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Suggested Solutions

I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
SSL stands for “Secure Sockets Layer” and an SSL certificate is a critical component to keeping your website safe, secured, and compliant. Any ecommerce website must have an SSL certificate to ensure the safe handling of sensitive information like…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now