Cisco 5505 outbound security

I have a Cisco ASA 5505 and I want to configure it to limit workstations on my network to using http and https for outbound traffic. Is an access-list needed?
henjohn1520 Asked:
Michael Ortega (Sales & Systems Engineer) Commented:
Yes. So you only want to allow HTTP/HTTPS outbound traffic?

MO
0
Michael Ortega (Sales & Systems Engineer) Commented:
If the answer to my question is yes, then you want your ACLs set up accordingly:

access-list inside_out_restricted permit tcp 192.168.1.0 255.255.255.0 any eq http
access-list inside_out_restricted permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list inside_out_restricted deny ip 192.168.1.0 255.255.255.0 any
access-list inside_out_restricted permit ip any any
access-group inside_out_restricted in interface inside

Something like the above. Of course you use your private subnet.

MO
0
henjohn1520 (Author) Commented:
What if I wanted to exclude a few computers from the access-list to allow access to any outbound port? Is that possible?
0
Michael Ortega (Sales & Systems Engineer) Commented:
Yes.

access-list inside_out_unrestricted extended permit ip 192.168.1.50 255.255.255.255 any
access-group inside_out_unrestricted in interface inside
0
henjohn1520 (Author) Commented:
Can you explain in more detail what this will do? How much will this affect network traffic?
0
Michael Ortega (Sales & Systems Engineer) Commented:
All this is going to do is give whatever device has 192.168.1.50 as an IP address unrestricted outgoing access.

MO
0
henjohn1520 (Author) Commented:
OK. What about the configuration of the access lists below? What type of effect will they have on the outbound network traffic?


access-list inside_out_restricted permit tcp 192.168.1.0 255.255.255.0 any eq http
access-list inside_out_restricted permit tcp 192.168.1.0 255.255.255.0 any eq https

0
Michael Ortega (Sales & Systems Engineer) Commented:
It will allow all devices on the 192.168.1.0 subnet to have only http/https access, except for those hosts that are specified under a different policy with unfiltered outbound access, like the ACL I specified earlier.

So if you want to lock down all outbound traffic on the 192.168.1.0 subnet to just http/https, and also allow exceptions to that ACL for certain IPs on the same subnet, you use both ACLs - the one you have above and the example I specified in an earlier comment.

Something like the below:

access-list inside_out_restricted permit tcp 192.168.1.0 255.255.255.0 any eq http
access-list inside_out_restricted permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list inside_out_unrestricted extended permit ip <host computer IP> 255.255.255.255 any
access-group inside_out_restricted in interface inside
access-group inside_out_unrestricted in interface inside

If you're going to allow unrestricted access from a specific host IP, I would definitely set up a DHCP reservation for that host to ensure that it gets the same IP on DHCP lease expiration. Either do that or simply give it a static IP.

MO
0
henjohn1520 (Author) Commented:
I configured the access list per your example and I used public addresses from my network. This morning I walked into work and caught someone watching live golf from the internet. Will the access list permit or deny streaming of video from the internet? I just want a little more info on what will be allowed through the firewall and what will not be allowed through the firewall with this type of configuration.
0
Michael Ortega (Sales & Systems Engineer) Commented:
Can you post a copy of your config? It's likely that you still have the default permit ACL to allow all outbound traffic.

MO
0
Michael Ortega (Sales & Systems Engineer) Commented:
Try an extended ACL:

access-list inside_out_restricted extended permit tcp 192.168.1.0 255.255.255.0 any eq http
access-list inside_out_restricted extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list inside_out_unrestricted extended permit ip <host computer IP> 255.255.255.255 any
access-group inside_out_restricted in interface inside
access-group inside_out_unrestricted in interface inside

Also I just found a link that can help explain how ACLs and access-groups work if you're interested:

http://www.buzzle.com/articles/how-to-configure-access-control-lists-on-a-cisco-asa-5500-firewall.html

MO
0
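The following is an added worked example, not code from the thread, from Cisco, or from the participants. It is a small first-match simulator for ASA-style extended ACLs, written to make the behaviour of the access lists above concrete: the restricted ACL permits only TCP/80 and TCP/443, everything else from the subnet hits the implicit deny at the end of the list, and an HTTPS video stream is still permitted because a port-based ACL does not look at content (which is the likely answer to the golf question, once no broader permit is in the way). It also models a fact worth checking before relying on the two-ACL layout: an ASA interface accepts one access-group per direction, so the second `access-group ... in interface inside` replaces the first, and only the last-bound ACL is enforced. Keeping the per-host exception requires putting its ACE ahead of the subnet rules in a single ACL, which the `MERGED` list shows. Assumptions: 192.168.1.50 stands in for the thread's `<host computer IP>`, 203.0.113.10 (a TEST-NET-3 address) is a constructed stand-in for a video site, and the simulator ignores object-groups, stateful return traffic and ICMP, which a real ASA handles separately.

```python
"""
Added example: first-match simulator for the ASA extended ACLs discussed in this thread.
Not the thread's or Cisco's code; a simplified model (no object-groups, no stateful inspection).
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port names used in the thread; the ASA also accepts numeric ports.
PORT_NAMES = {"http": 80, "www": 80, "https": 443, "smtp": 25, "ssh": 22}


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None = any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def _addr(tokens: list[str], i: int) -> tuple[ipaddress.IPv4Network, int]:
    """Consume one ASA address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    i = 2
    if t[i] == "extended":
        i += 1
    action, proto = t[i], t[i + 1]
    src, i = _addr(t, i + 2)
    dst, i = _addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, dst, dport)


def evaluate(acl: Optional[list[Ace]], flow: Flow) -> str:
    """First matching ACE wins; every bound ACL ends with an implicit deny.

    acl=None models an inside interface with no access-group bound, where the
    ASA permits inside (security level 100) to outside (level 0) by default.
    """
    if acl is None:
        return "permit"
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for ace in acl:
        if ace.proto not in ("ip", flow.proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action
    return "deny"   # implicit deny at the end of the list


# The restricted ACL from the thread, one ACE per line as typed on the ASA.
RESTRICTED = [parse_ace(l) for l in """
access-list inside_out_restricted extended permit tcp 192.168.1.0 255.255.255.0 any eq http
access-list inside_out_restricted extended permit tcp 192.168.1.0 255.255.255.0 any eq https
""".splitlines() if l.strip()]

# The per-host exception; 192.168.1.50 stands in for the thread's <host computer IP>.
UNRESTRICTED = [parse_ace(
    "access-list inside_out_unrestricted extended permit ip 192.168.1.50 255.255.255.255 any")]

# One ACL per interface per direction: binding a second access-group replaces the first.
# To keep the exception, its ACE goes first in a single list (first match wins).
MERGED = UNRESTRICTED + RESTRICTED

# Constructed sample flows; 203.0.113.10 is a TEST-NET-3 stand-in for a video site.
SAMPLE_FLOWS = {
    "ws_https": Flow("tcp", "192.168.1.20", "203.0.113.10", 443),   # HTTPS video stream
    "ws_smtp":  Flow("tcp", "192.168.1.20", "203.0.113.10", 25),    # non-web traffic
    "exc_smtp": Flow("tcp", "192.168.1.50", "203.0.113.10", 25),    # exception host
}


def outcome(acl: Optional[list[Ace]]) -> dict[str, str]:
    """Verdict for each sample flow under one bound ACL (or none bound)."""
    return {name: evaluate(acl, f) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, acl in [("no ACL bound", None), ("restricted only", RESTRICTED),
                       ("unrestricted only (what two access-groups leave bound)", UNRESTRICTED),
                       ("merged", MERGED)]:
        print(f"{label}: {outcome(acl)}")
```

The "unrestricted only" row is the one to watch: with both `access-group` lines from the thread applied, only `inside_out_unrestricted` remains bound, so the exception host can reach anything while every other workstation loses outbound access entirely, including HTTP/HTTPS. On a real ASA, `show running-config access-group` confirms which list is actually bound to `inside`, and `show access-list inside_out_restricted` shows per-ACE hit counts, which is the quickest way to see whether the restricted rules are matching at all.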
henjohn1520 (Author) Commented:
Thanks for your help.
0