Solved

Cisco 5505 outbound security

Posted on 2010-03-31
Last Modified: 2012-05-09
I have a Cisco ASA 5505 and I want to configure it to minimize workstations on my network to using http and https for outbound traffic. Is an access-list needed?
Question by:henjohn1520
12 Comments
 

Expert Comment

by:Michael Ortega
ID: 29298585
Yes. So you want to allow only HTTP/HTTPS outbound traffic?

MO

Expert Comment

by:Michael Ortega
ID: 29299670
If the answer to my question is yes, then you want your ACLs set up accordingly:

access-list inside_out_restricted extended permit tcp 192.168.1.0 255.255.255.0 any eq http
access-list inside_out_restricted extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list inside_out_restricted extended deny ip 192.168.1.0 255.255.255.0 any
access-list inside_out_restricted extended permit ip any any
access-group inside_out_restricted in interface inside

Something like the above. Of course you use your private subnet.

MO

Author Comment

by:henjohn1520
ID: 29299799
What if I wanted to exclude a few computers from the access-list to allow access to any outbound port? Is that possible?

Expert Comment

by:Michael Ortega
ID: 29346441
Yes.

access-list inside_out_restricted remark exception host: unrestricted outbound access
access-list inside_out_restricted line 1 extended permit ip host 192.168.1.50 any

Author Comment

by:henjohn1520
ID: 30163875
Can you explain more in details what this will do? How much will this affect network traffic?

Expert Comment

by:Michael Ortega
ID: 30165204
All this is going to do is give whatever device has 192.168.1.50 as an ip address unrestricted outgoing access.

MO

Author Comment

by:henjohn1520
ID: 30213985
OK. What does the configuration with the access lists below do? What type of effect will they have on the outbound network traffic?


access-list inside_out_restricted extended permit tcp 192.168.1.0 255.255.255.0 any eq http
access-list inside_out_restricted extended permit tcp 192.168.1.0 255.255.255.0 any eq https


Expert Comment

by:Michael Ortega
ID: 30214914
It will allow all devices on the 192.168.1.0 subnet to have only http/https access except for those hosts that are specified under a different policy with unfiltered outbound access like the acl I specified earlier.

So if you want to lock down all outbound traffic on the 192.168.1.0 subnet to just http/https, and also allow exceptions to that ACL for certain IPs on the same subnet, you use both ACLs: the one you have above and the example I specified in an earlier comment.

Something like the below:

access-list inside_out_restricted extended permit ip host <host computer IP> any
access-list inside_out_restricted extended permit tcp 192.168.1.0 255.255.255.0 any eq http
access-list inside_out_restricted extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-group inside_out_restricted in interface inside

If you're going to allow unrestricted access from a specific host IP, I would definitely set up a DHCP reservation for that host to ensure that it gets the same IP on DHCP lease expiration. Either do that or simply give it a static IP.

MO

Author Comment

by:henjohn1520
ID: 30215191
I configured the access list per your example and I used public addresses from my network. This morning I walked into work and caught someone watching live golf from the internet. Will the access list permit or deny streaming of video from the internet? I just want a little more info on what will be allowed through the firewall and what will not be allowed through the firewall with this type of configuration.

Accepted Solution

by: Michael Ortega (earned 2000 total points)
ID: 30216039
Can you post a copy of your config? It's likely that you still have the default permit ACL to allow all outbound traffic.

MO

Expert Comment

by:Michael Ortega
ID: 30220681
Try an extended ACL:

access-list inside_out_restricted extended permit ip host <host computer IP> any
access-list inside_out_restricted extended permit tcp 192.168.1.0 255.255.255.0 any eq http
access-list inside_out_restricted extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-group inside_out_restricted in interface inside

Also, I just found a link that can help explain how ACLs and access-groups work, if you're interested:

http://www.buzzle.com/articles/how-to-configure-access-control-lists-on-a-cisco-asa-5500-firewall.html

MO
 
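Putting the whole thread together, here is an added worked example; it is not part of the original answers. It builds the single inside ACL the discussion converges on: one exception host with unrestricted outbound access, every other workstation on the LAN limited to HTTP/HTTPS, and a logged deny so the "is the golf stream getting through?" question can be answered from syslog and hit counts rather than by guessing. The inside subnet 192.168.1.0/24, the exception host 192.168.1.50, the external resolver 203.0.113.53 and the interface name "inside" are assumptions. Two caveats a practitioner should keep in mind: an ASA binds only one ACL per interface and direction, so a second `access-group ... in interface inside` replaces the first instead of adding to it, which is why the exception is a line in the same ACL; and an ACL that permits only ports 80 and 443 also blocks DNS, so unless the resolver sits on the inside LAN the browsers cannot look up names and "web only" becomes "nothing". Entries are matched top down, first match wins, so the exception host has to come before the subnet rules.

```cisco
! Added example, not from the thread. Assumed: inside subnet 192.168.1.0/24,
! exception host 192.168.1.50, external DNS resolver 203.0.113.53, interface "inside".
!
! ACL entries are evaluated first match, so the exception host is listed first.
access-list inside_out_restricted remark exception host: unrestricted outbound
access-list inside_out_restricted extended permit ip host 192.168.1.50 any
!
! Everyone else on the LAN: web only. DNS must be allowed too, otherwise the
! browsers cannot resolve names (remove the UDP/53 line if DNS is on the LAN).
access-list inside_out_restricted remark all other workstations: HTTP, HTTPS, DNS
access-list inside_out_restricted extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_out_restricted extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list inside_out_restricted extended permit udp 192.168.1.0 255.255.255.0 host 203.0.113.53 eq domain
!
! The ACL already ends in an implicit deny; this explicit one adds logging so
! blocked streams (RTMP, RTSP, custom ports) show up in syslog as denied flows.
access-list inside_out_restricted extended deny ip any any log
!
! Bind once. A second access-group for "in interface inside" would replace this one.
access-group inside_out_restricted in interface inside
!
! Checks: per-line hit counts, then simulate an outbound flow on a streaming port
! (1935) from a restricted host and from the exception host to see which line matches.
show access-list inside_out_restricted
packet-tracer input inside tcp 192.168.1.20 1025 198.51.100.10 1935
packet-tracer input inside tcp 192.168.1.50 1025 198.51.100.10 1935
```

With this in place, the first packet-tracer run should end at the deny line and the second at the exception line; if both are allowed, the ACL is not the one bound to the inside interface (check `show run access-group`), which is the same symptom the thread hit when the stream was still getting through.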

Author Closing Comment

by:henjohn1520
ID: 31709740
Thanks for your help.