Link to home
Start Free TrialLog in
Avatar of axl13
axl13

asked on

Where to put access list

I am having trouble putting a set of accesslist on my ASA5520. We are replaceing an  aventail box with a asa for clientless ssl vpn connection. In the current set up users pass an asa to gett to the aventail box and once they authenticat the go back threw the asa to get to network resources. We only permit a few rules to get to our asa. The new set up only uses the asa, which authenticates the ssl users. Now I need to put these rules to only permit to these resources.
access-list inside_authentication extended permit udp any host xxx.xxx.231.62 eq ntp
access-list inside_authentication extended permit tcp any host xxx.xxx58.140 eq https
access-list inside_authentication extended permit udp any host xxx.xxx96.1 eq domain
access-list inside_authentication extended permit udp any host xxx.xxx96.15 eq domain
access-list inside_authentication extended permit tcp any host xxx.xxx4.37 eq https
access-list inside_authentication extended permit tcp any xxx.xxx4.64 255.255.255.192 eq lotusnotes
access-list inside_authentication extended permit tcp any xxx.xxx4.64 255.255.255.192 eq www
access-list inside_authentication extended permit tcp any host xxx.xxx68.59 eq www
access-list inside_authentication extended permit udp any host xxx.xxx4.7 eq radius
access-list inside_authentication extended permit tcp any host xxx.xxx4.2 eq www
access-list inside_authentication extended permit tcp any host xxx.xxx.31.50 eq www
access-list inside_authentication extended permit tcp any host xxx.xxx.31.51 eq www
access-list inside_authentication extended permit tcp any host xxx.xxx6.2 eq https
access-list inside_authentication extended permit udp any host xxx.xxx.84 eq radius
access-list inside_authentication extended permit tcp any host xxx.xxx.0.44 eq https
access-list inside_authentication extended permit tcp any xxx.xxx.112 255.255.255.240 eq www
access-list inside_authentication extended permit tcp any host xxx.xxx6.4 eq https
access-list inside_authentication extended permit tcp any host xxx.xxx4.10 eq www
access-list inside_authentication extended permit tcp any host 192.135.176.8 eq https
access-list inside_authentication extended permit tcp any host xxx.xxx.107 eq www
access-list inside_authentication extended permit tcp any host xxx.xxx.107 eq https
access-list inside_authentication extended permit tcp any host xxx.xxx.107 range 7008 7009
access-list inside_authentication extended permit tcp any host xxx.xxx4.2 eq https
access-list inside_authentication extended permit tcp any host xxx.xxx4.45 eq https
access-list inside_authentication extended permit udp any host xxx.xxx.231.8 eq syslog
access-list inside_authentication extended permit tcp any host xxx.xxx4.121 eq 4001
access-list inside_authentication extended permit tcp any host xxx.xxx4.142 eq www
access-list inside_authentication extended permit tcp any host xxx.xxx4.142 eq https
access-list inside_authentication extended permit tcp any host xxx.xxx4.142 range 7008 7009
access-list inside_authentication extended permit tcp any host xxx.xxx.17 eq www
access-list inside_authentication extended permit tcp any host xxx.xxx.17 eq https
access-list inside_authentication extended permit tcp any host xxx.xxx.17 range 7008 7009
access-list inside_authentication extended permit tcp any host xxx.xxx4.22 eq 9090
access-list inside_authentication extended permit tcp any host xxx.xxx4.24 eq 9090

Open in new window

Avatar of MikeKane
MikeKane
Flag of United States of America image

I would setup 2 ACLS.  One as a no nat acl from the inside range to the IP local pool range.    2nd ACL would be an allow from an internal host to the IP local pool range.   This would restrict the iplocal pool to only those hosts specified.    This works if the access-group  uses 'in interface inside' as the direction.    You could also build the same ACL using ip local pool as source and inside host as destination and use an access-group with 'out interface inside'.  


Avatar of axl13
axl13

ASKER

We are not using any ip local pool range and I do not believe we are nating. I tried the second, but I was still ablt to get to our NAS, which we should not be able to... I have attacted the running config
webvpn.TXT
ASKER CERTIFIED SOLUTION
Avatar of MikeKane
MikeKane
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of axl13

ASKER

looks like we cannot use udp for the filter??? Is there a work around since I permit a few udp, ntp radius, syslog, and domain???
I think that goes beyond what the clientless webvpn portal can do....     Have you considered using the anyconnect client instead?   It can be set to auto load from the web site and you get a full visibility into the network with an ip pool that can be controlled with ACLs....  
Avatar of axl13

ASKER

It work, thanks