Solved

Port Block access-list

Posted on 2010-11-30
1
1,077 Views
Last Modified: 2012-05-10
i have asa firewall...please see attached doc about  my asa configuration...i allow http for isa server ....then the users internet browsing through isa server proxy..but some users installing 3rd part proxy and accessing blocked sites..like ultrasurf,hotshield, etc....so how to block this proxys and how to block this proxys ports?? how to create acccess list for clock this proxys...ultrasurf using port like 9996 and etc....i dont know other proxys using port address....please help me...

asa.TXT
0
Comment
Question by:nisartlaa
1 Comment
 
LVL 33

Accepted Solution

by:
MikeKane earned 500 total points
ID: 34239336
Your ACL applied to the inside interfaces seem to block what you need them to block.    

For the whole subnet, I see only,
tcp 2000
udp 2000
udp 2001
udp 56543
udp 62296
tcp smtp
tcp pop3
tcp imap4
icmp

You also have the AllowAll group with full access:
access-list AclIn extended permit ip object-group AllowAll any


So 1st question, is this user in the AllowAll group?  

Next, you have to be aware that you can create tunnel outbound to another proxy on any port .    If you allow pop3 outbound, an expert user can create a tunnel to an outside host and proxy http requests across it.    The only way to keep this from happening is to block all outbound traffic unless it goes through your in house proxy.  

If you know the IP's of the offending proxy sites, you can create an object-group called 'blacklist' and add a "deny ip object-group blacklist any" to block traffic to hosts in that list....  




0

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently had the displeasure of buying a new firewall at one of the buildings I play Sys Admin at. I had to get a better firewall than the cheap one that I had there since I was reconnecting the main office to the satellite office via point-to-poi…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question