Status: Solved | Priority: Medium | Security: Public | Views: 373

How to figure out what ACL rules to add to wide open ASA

At the moment there are some new Cisco ASAs in a network that at the end of every ACL have a permit "any any", so nothing gets blocked.

I am now tasked with locking it down. Is there a way I can see what connections have been used, to what IP, port, etc so I can create rules off those?

This is a production network, so I can't just lock it down, then try to figure out what to open back up.
Asked by LIBBB
1 Solution

fgasimzade commented:
You can use ASDM with logging enabled to see connections in real time
Ernie Beek commented:
Do you only need to lock down outside-in connections? Or do they also want you to limit outgoing traffic?
LIBBB (author) commented:
Lock down outside-in connections.
Ernie Beek commented:
In that case you should know what connections are needed from the outside to the inside ;)

Simply put, all traffic originated from the inside is allowed back in (return traffic). All other traffic, initiated from the outside, is allowed by ACL BUT... there should also be a static or nat command (depending on the ASA OS version) to (port)map the public IP to an internal IP.
So if you have a look at the static or nat statements (again, version dependent) you should be able to see what you need to allow. With a bit of luck they already allowed those connections through before the 'any any'.

You could always post a (sanitized) config so we can have a look.
LIBBB (author) commented:
Well, I guess I'm going to have to keep the real-time connection log going for a while and just note the connections throughout the day.

It's a pretty big network. The sources could be coming from many different /24s, to many different services/ports.

Just surprised there's not a better way to do it.
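The thread leaves the "note the connections throughout the day" step as manual work. The script below is an added example, not code from the thread or from Cisco: it reads ASA connection-setup syslog messages (the %ASA-6-302013 TCP and %ASA-6-302015 UDP "Built ... connection" events that ASDM's real-time log shows), keeps only sessions initiated on the outside interface (return and outbound traffic needs no inbound rule, as the answer above explains), aggregates sources into /24s as the asker described, and renders one candidate `permit` line per observed flow, most-used first. It assumes the outside interface is named `outside`, that the real (post-8.3) address is wanted in the ACL unless `use_mapped=True` is passed for a pre-8.3 box, and the log lines are constructed from documentation address ranges.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample of ASA "Built ... connection" syslog messages (%ASA-6-302013 for TCP,
# %ASA-6-302015 for UDP). Addresses are from documentation ranges, not real hosts.
# Layout: "for <if>:<real-addr>/<port> (<mapped-addr>/<port>) to <if>:<real-addr>/<port> (<mapped-addr>/<port>)"
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 10001 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:10.0.0.10/443 (198.51.100.10/443)
%ASA-6-302013: Built inbound TCP connection 10002 for outside:203.0.113.77/40001 (203.0.113.77/40001) to inside:10.0.0.10/443 (198.51.100.10/443)
%ASA-6-302013: Built inbound TCP connection 10003 for outside:198.18.4.9/33000 (198.18.4.9/33000) to dmz:10.0.1.20/25 (198.51.100.20/25)
%ASA-6-302015: Built inbound UDP connection 10004 for outside:203.0.113.5/53001 (203.0.113.5/53001) to dmz:10.0.1.30/53 (198.51.100.30/53)
%ASA-6-302013: Built outbound TCP connection 10005 for inside:10.0.0.55/51000 (198.51.100.1/51000) to outside:192.0.2.80/443 (192.0.2.80/443)
%ASA-6-302013: Built inbound TCP connection 10006 for outside:203.0.113.9/40002 (203.0.113.9/40002) to inside:10.0.0.10/443 (198.51.100.10/443)
"""

BUILT_RE = re.compile(
    r"%ASA-\d-30201[35]: Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([\d.]+/\d+\) "
    r"to (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \((?P<dst_mapped>[\d.]+)/\d+\)"
)


def parse_built(log_text):
    """Return one dict per 'Built connection' line; lines that do not match are skipped."""
    records = []
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def summarize_inbound(records, outside_if="outside", prefix=24, use_mapped=False):
    """Count sessions initiated on the outside interface, keyed by
    (protocol, source network, destination host, destination port).
    use_mapped=True keys on the public (mapped) address, which pre-8.3 ACLs reference."""
    counts = Counter()
    for r in records:
        if r["direction"] != "inbound" or r["src_if"] != outside_if:
            continue  # return traffic and outbound sessions need no inbound rule
        src_net = ip_network(f"{r['src_ip']}/{prefix}", strict=False)
        dst = r["dst_mapped"] if use_mapped else r["dst_ip"]
        counts[(r["proto"].lower(), src_net, dst, int(r["dst_port"]))] += 1
    return counts


def suggest_acl(counts, acl_name="outside_in"):
    """Render one candidate 'permit' line per observed flow, most-used first."""
    lines = []
    for (proto, src_net, dst, port), _n in counts.most_common():
        lines.append(
            f"access-list {acl_name} extended permit {proto} "
            f"{src_net.network_address} {src_net.netmask} host {dst} eq {port}"
        )
    return lines


if __name__ == "__main__":
    counts = summarize_inbound(parse_built(SAMPLE_LOG))
    for (proto, src_net, dst, port), n in counts.most_common():
        print(f"{n:5d}  {proto} {src_net} -> {dst}:{port}")
    print()
    print("\n".join(suggest_acl(counts)))
```

Run it over the syslog export for the whole observation window, not one day, or weekly and month-end jobs will be missed; the generated lines are a starting list to review against the static/nat statements, not something to paste in unread. When the "any any" is finally replaced, give the closing deny entry the `log` keyword so anything the capture missed shows up as a logged deny rather than a silent outage.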
