Solved

Port Block access-list

Posted on 2010-11-30
1
1,074 Views
Last Modified: 2012-05-10
i have asa firewall...please see attached doc about  my asa configuration...i allow http for isa server ....then the users internet browsing through isa server proxy..but some users installing 3rd part proxy and accessing blocked sites..like ultrasurf,hotshield, etc....so how to block this proxys and how to block this proxys ports?? how to create acccess list for clock this proxys...ultrasurf using port like 9996 and etc....i dont know other proxys using port address....please help me...

asa.TXT
0
Comment
Question by:nisartlaa
1 Comment
 
LVL 33

Accepted Solution

by:
MikeKane earned 500 total points
ID: 34239336
Your ACL applied to the inside interfaces seem to block what you need them to block.    

For the whole subnet, I see only,
tcp 2000
udp 2000
udp 2001
udp 56543
udp 62296
tcp smtp
tcp pop3
tcp imap4
icmp

You also have the AllowAll group with full access:
access-list AclIn extended permit ip object-group AllowAll any


So 1st question, is this user in the AllowAll group?  

Next, you have to be aware that you can create tunnel outbound to another proxy on any port .    If you allow pop3 outbound, an expert user can create a tunnel to an outside host and proxy http requests across it.    The only way to keep this from happening is to block all outbound traffic unless it goes through your in house proxy.  

If you know the IP's of the offending proxy sites, you can create an object-group called 'blacklist' and add a "deny ip object-group blacklist any" to block traffic to hosts in that list....  




0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
I recently had the displeasure of buying a new firewall at one of the buildings I play Sys Admin at. I had to get a better firewall than the cheap one that I had there since I was reconnecting the main office to the satellite office via point-to-poi…
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

832 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question