henjohn1520


Cisco 5505 outbound security

I have a Cisco ASA 5505 and I want to configure it to minimize workstations on my network to use http and https for outbound traffic. Is an access-list needed?
Michael Ortega

Yes. So you only want to allow HTTP/HTTPS outbound traffic?

MO
If the answer to my question is this then you want your ACLs set up accordingly:

access-list inside_out_restricted remark Inside subnet may only open HTTP/HTTPS outbound
access-list inside_out_restricted extended permit tcp 192.168.1.0 255.255.255.0 any eq http
access-list inside_out_restricted extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list inside_out_restricted extended deny ip 192.168.1.0 255.255.255.0 any
access-list inside_out_restricted extended permit ip any any
access-group inside_out_restricted in interface inside

Something like the above. Of course you use your private subnet.

MO
henjohn1520

ASKER

What if I wanted to exclude a few computers from the access-list to allow access to any outbound port? Is that possible?
Yes.

access-list inside_out_restricted line 1 remark Exception host goes first; one ACL per interface and direction
access-list inside_out_restricted line 2 extended permit ip host 192.168.1.50 any
access-group inside_out_restricted in interface inside
Can you explain in more detail what this will do? How much will this affect network traffic?
All this is going to do is give whatever device has 192.168.1.50 as an IP address unrestricted outgoing access.

MO
OK. What about the configuration of the access lists below? What type of effect will they have on the outbound network traffic?


access-list inside_out_restricted extended permit tcp 192.168.1.0 255.255.255.0 any eq http
access-list inside_out_restricted extended permit tcp 192.168.1.0 255.255.255.0 any eq https

It will allow all devices on the 192.168.1.0 subnet to have only http/https access except for those hosts that are specified under a different policy with unfiltered outbound access like the ACL I specified earlier.

So if you want to lock down all outbound traffic on the 192.168.1.0 subnet to just http/https, and also allow exceptions to that ACL by having certain IPs on the same subnet, you use both ACLs: the one you have above and the example I specified in an earlier comment.

Something like the below:

access-list inside_out_restricted remark Exception host first: one ACL per interface and direction
access-list inside_out_restricted extended permit ip host <host computer IP> any
access-list inside_out_restricted extended permit tcp 192.168.1.0 255.255.255.0 any eq http
access-list inside_out_restricted extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-group inside_out_restricted in interface inside

If you're going to allow unrestricted access from a specific host IP I would definitely set up a DHCP reservation for that host to ensure that it gets the same IP on DHCP lease expiration. Either do that or simply give it a static IP.

MO
I configured the access list per your example and I used public addresses from my network. This morning I walked into work and caught someone watching live golf from the internet. Will the access list permit or deny streaming of video from the internet? I just want a little more info on what will be allowed through the firewall and what will not be allowed through the firewall with this type of configuration.
ASKER CERTIFIED SOLUTION
Michael Ortega

Try an extended ACL:

access-list inside_out_restricted remark Exception host first: one ACL per interface and direction
access-list inside_out_restricted extended permit ip host <host computer IP> any
access-list inside_out_restricted extended permit tcp 192.168.1.0 255.255.255.0 any eq http
access-list inside_out_restricted extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-group inside_out_restricted in interface inside

Also I just found a link that can help explain how ACLs and access-groups work if you're interested:

http://www.buzzle.com/articles/how-to-configure-access-control-lists-on-a-cisco-asa-5500-firewall.html

MO
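To answer the streaming question concretely, here is an added example (not code from the thread or from Cisco) that evaluates the single-ACL policy above the way the ASA does: top-down, first match wins, implicit deny at the end. The ACL text, the workstation 192.168.1.20, and the destination addresses 203.0.113.10 and 198.51.100.53 are constructed for the demo.

```python
import ipaddress
# Constructed ACL text, this thread's policy as one ACL: the exception host
# first, then the subnet's HTTP/HTTPS entries; the implicit deny drops the rest.
ASA_ACL = """
access-list inside_out_restricted extended permit ip host 192.168.1.50 any
access-list inside_out_restricted extended permit tcp 192.168.1.0 255.255.255.0 any eq http
access-list inside_out_restricted extended permit tcp 192.168.1.0 255.255.255.0 any eq https
"""
NAMED_PORTS = {"http": 80, "https": 443, "domain": 53}

def parse_entry(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    action, proto, i = tok[3], tok[4], 5
    def addr():                        # consume one address spec, advance i
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if tok[i] == "host":           # host A.B.C.D -> /32
            i += 2
            return ipaddress.ip_network(tok[i - 1] + "/32")
        net = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)
        i += 2                         # ASA style: network then subnet mask
        return net
    src, dst = addr(), addr()
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = NAMED_PORTS.get(tok[i + 1]) or int(tok[i + 1])
    return action, proto, src, dst, port

def evaluate(acl_text, src_ip, dst_ip, proto, dst_port):
    """Top-down, first match wins; no match means the ASA's implicit deny."""
    for line in acl_text.strip().splitlines():
        action, p, src, dst, port = parse_entry(line)
        if p != "ip" and p != proto:
            continue
        if ipaddress.ip_address(src_ip) not in src or ipaddress.ip_address(dst_ip) not in dst:
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny (implicit)"

if __name__ == "__main__":             # constructed flows; 203.0.113.10 = a video site
    for flow in [("192.168.1.20", "203.0.113.10", "tcp", 443),   # permit: HTTPS stream
                 ("192.168.1.20", "203.0.113.10", "tcp", 1935),  # deny: non-web port
                 ("192.168.1.50", "203.0.113.10", "tcp", 1935),  # permit: exception host
                 ("192.168.1.20", "198.51.100.53", "udp", 53)]:  # deny: external DNS
        print(flow, "->", evaluate(ASA_ACL, *flow))
```

So a video stream delivered over TCP/443 (as most browser-based sites do) is permitted just like any other HTTPS page, while anything on a non-web port is dropped; note also that nothing in this policy permits UDP/53, so workstations that resolve names against an external resolver lose DNS unless you add an entry for it.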
Thanks for your help.