How to figure out what ACL rules to add to wide open ASA

At the moment there are some new Cisco ASAs in a network that at the end of every ACL have a permit "any any", so nothing gets blocked.

I am now tasked with locking it down. Is there a way I can see what connections have been used, to what IP, port, etc., so I can create rules off those?

This is a production network, so I can't just lock it down, then try to figure out what to open back up.
Ernie Beek (Expert) commented:
In that case you should know what connections are needed from the outside to the inside ;)

Simply put, all traffic originating from the inside is allowed back in (return traffic). All other traffic, initiated from the outside, is allowed by ACL BUT....... there should also be a static or nat command (depending on the ASA OS version) to (port)map the public IP to an internal IP.
So if you have a look at the static or nat statements (again, version dependent) you should be able to see what you need to allow. With a bit of luck they already allowed those connections through before the 'any any'.

You could always post a (sanitized) config so we can have a look.
You can use ASDM with logging enabled to see connections in real time.
Ernie Beek (Expert) commented:
Do you only need to lock down outside-in connections? Or do they also want you to limit outgoing traffic?
LIBBB (Author) commented:
Lock down outside-in connections.
LIBBB (Author) commented:
Well, I guess I'm going to have to keep the real-time connection log going for a while and just note the connections throughout the day.

It's a pretty big network. The sources could be coming from many different /24s, to many different services/ports.

Just surprised there's not a better way to do it.
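The logging approach suggested in the thread (watch the connections, then write rules from them) can be automated against the ASA's own "Built inbound" connection syslogs (message IDs 302013 for TCP and 302015 for UDP), which carry the source, the real destination address and the mapped (public) address for every outside-in connection. The script below is an added example, not code from the original thread: it aggregates those messages by source /24 and destination IP/port and renders candidate permit lines, keying on the real address as ASA 8.3+ ACLs expect, or on the mapped address for older versions. The sample log lines (RFC 5737 documentation addresses) and the ACL name `outside_in` are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# ASA "Built inbound" connection syslogs: 302013 (TCP) and 302015 (UDP).
# Format: ... for <if>:<real>/<port> (<mapped>/<port>) to <if>:<real>/<port> (<mapped>/<port>)
BUILT_RE = re.compile(
    r"%ASA-6-30201[35]: Built inbound (?P<proto>TCP|UDP) connection \d+ for "
    r"\S+:(?P<sip>[\d.]+)/\d+ \([\d.]+/\d+\) to "
    r"\S+:(?P<dip>[\d.]+)/(?P<dport>\d+) \((?P<mip>[\d.]+)/\d+\)"
)

# Constructed sample syslog lines (documentation addresses), not a real capture.
SAMPLE_LOGS = [
    "%ASA-6-302013: Built inbound TCP connection 41001 for outside:203.0.113.25/51234 (203.0.113.25/51234) to inside:10.1.1.10/443 (198.51.100.10/443)",
    "%ASA-6-302013: Built inbound TCP connection 41002 for outside:203.0.113.77/40211 (203.0.113.77/40211) to inside:10.1.1.10/443 (198.51.100.10/443)",
    "%ASA-6-302015: Built inbound UDP connection 41003 for outside:192.0.2.9/5060 (192.0.2.9/5060) to dmz:10.2.2.5/5060 (198.51.100.20/5060)",
    "%ASA-6-302013: Built outbound TCP connection 41004 for inside:10.1.1.50/33000 (198.51.100.1/33000) to outside:93.184.216.34/80 (93.184.216.34/80)",
    "%ASA-6-302014: Teardown TCP connection 41001 for outside:203.0.113.25/51234 to inside:10.1.1.10/443 duration 0:00:02 bytes 1234 TCP FINs",
]

def parse_inbound(lines, src_prefix=24, use_mapped=False):
    """Count inbound flows keyed by (proto, source /prefix, destination IP, port).

    use_mapped=False keys on the real (inside) address, as ASA 8.3+ ACLs expect;
    use_mapped=True keys on the public (mapped) address for pre-8.3 ACLs.
    """
    flows = Counter()
    for line in lines:
        m = BUILT_RE.search(line)
        if not m:
            continue  # outbound, teardown, or unrelated message
        net = ipaddress.ip_network(f"{m['sip']}/{src_prefix}", strict=False)
        dst = m["mip"] if use_mapped else m["dip"]
        flows[(m["proto"].lower(), str(net), dst, int(m["dport"]))] += 1
    return flows

def candidate_acls(flows, acl_name="outside_in", min_hits=1):
    """Render one permit line per observed tuple, busiest first; review before applying."""
    rules = []
    for (proto, net, dst, port), hits in sorted(flows.items(), key=lambda kv: -kv[1]):
        if hits < min_hits:
            continue  # drop one-off flows below the review threshold
        n = ipaddress.ip_network(net)
        rules.append(f"access-list {acl_name} extended permit {proto} "
                     f"{n.network_address} {n.netmask} host {dst} eq {port}")
    return rules

if __name__ == "__main__":
    for rule in candidate_acls(parse_inbound(SAMPLE_LOGS)):
        print(rule)
```

Feed it a day or more of syslog from the ASA (or the ASDM real-time log export) and raise `min_hits` to separate steady services from noise before the generated lines are reviewed against the static/nat statements.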