Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Port Block access-list

Posted on 2010-11-30
1
Medium Priority
?
1,090 Views
Last Modified: 2012-05-10
i have asa firewall...please see attached doc about  my asa configuration...i allow http for isa server ....then the users internet browsing through isa server proxy..but some users installing 3rd part proxy and accessing blocked sites..like ultrasurf,hotshield, etc....so how to block this proxys and how to block this proxys ports?? how to create acccess list for clock this proxys...ultrasurf using port like 9996 and etc....i dont know other proxys using port address....please help me...

asa.TXT
0
Comment
Question by:nisartlaa
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 33

Accepted Solution

by:
MikeKane earned 2000 total points
ID: 34239336
Your ACL applied to the inside interfaces seem to block what you need them to block.    

For the whole subnet, I see only,
tcp 2000
udp 2000
udp 2001
udp 56543
udp 62296
tcp smtp
tcp pop3
tcp imap4
icmp

You also have the AllowAll group with full access:
access-list AclIn extended permit ip object-group AllowAll any


So 1st question, is this user in the AllowAll group?  

Next, you have to be aware that you can create tunnel outbound to another proxy on any port .    If you allow pop3 outbound, an expert user can create a tunnel to an outside host and proxy http requests across it.    The only way to keep this from happening is to block all outbound traffic unless it goes through your in house proxy.  

If you know the IP's of the offending proxy sites, you can create an object-group called 'blacklist' and add a "deny ip object-group blacklist any" to block traffic to hosts in that list....  




0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
Want to learn how to record your desktop screen without having to use an outside camera. Click on this video and learn how to use the cool google extension called "Screencastify"! Step 1: Open a new google tab Step 2: Go to the left hand upper corn…
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…
Suggested Courses

718 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question