Solved

Port Block access-list

Posted on 2010-11-30
1
1,078 Views
Last Modified: 2012-05-10
i have asa firewall...please see attached doc about  my asa configuration...i allow http for isa server ....then the users internet browsing through isa server proxy..but some users installing 3rd part proxy and accessing blocked sites..like ultrasurf,hotshield, etc....so how to block this proxys and how to block this proxys ports?? how to create acccess list for clock this proxys...ultrasurf using port like 9996 and etc....i dont know other proxys using port address....please help me...

asa.TXT
0
Comment
Question by:nisartlaa
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 33

Accepted Solution

by:
MikeKane earned 500 total points
ID: 34239336
Your ACL applied to the inside interfaces seem to block what you need them to block.    

For the whole subnet, I see only,
tcp 2000
udp 2000
udp 2001
udp 56543
udp 62296
tcp smtp
tcp pop3
tcp imap4
icmp

You also have the AllowAll group with full access:
access-list AclIn extended permit ip object-group AllowAll any


So 1st question, is this user in the AllowAll group?  

Next, you have to be aware that you can create tunnel outbound to another proxy on any port .    If you allow pop3 outbound, an expert user can create a tunnel to an outside host and proxy http requests across it.    The only way to keep this from happening is to block all outbound traffic unless it goes through your in house proxy.  

If you know the IP's of the offending proxy sites, you can create an object-group called 'blacklist' and add a "deny ip object-group blacklist any" to block traffic to hosts in that list....  




0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Occasionally, we encounter connectivity issues that appear to be isolated to cable internet service.  The issues we typically encountered were reset errors within Internet Explorer when accessing web sites or continually dropped or failing VPN conne…
Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question