Solved

Prepare for egress filtering on Cisco ASA

Posted on 2014-12-19
3
324 Views
Last Modified: 2015-12-22
We currently have a Cisco ASA running software version 9.1.  We need to implement egress filtering.  I know some of the applications/ports that need to be allowed out of our network.  However, I don't want to implement egress filtering and block outbound traffic that I'm not aware of that is required for business.

Is there an easy way to find out what some of our traffic patterns are on the firewall so I can get an idea of what outbound ports might currently be used?
0
Question by:RickAstley
3 Comments
 
LVL 3

Expert Comment

by:vipelite
ID: 40509751
Just get a WebProxy and filter through that. You don't want to use ASA for web filtering. For inbound use ASA.
0
 
LVL 9

Accepted Solution

by:
Donboo earned 500 total points
ID: 40511588
On the ASA there is no easy way to do this. There is no monitoring mode on ACLs. If you want to know the traffic patterns without blocking, I'd suggest you use CX or Firepower in monitoring mode.

An ACL with permit IP any any log sent to a syslog will probably generate too much info....
0
 

Expert Comment

by:FlatheadIT
ID: 41381574
You can monitor egress traffic using the syslog, or you can set up a filter to watch outbound traffic - only for a very small organization (ASDM.)  However, without syslog this will be cumbersome.

That said, if there are known sites you do not wish your users to hit, there are tools available to block malware (Botnet filter for one) and access to sites your organization deems unacceptable.  Here are some options in a CISCO environment:

Sourcefire will do this type of monitoring/blocking - as will PRSM - this is not easy with PRSM and it is even more cumbersome with an active/standby pair setup.  I have not used Firepower (Sourcefire) for this, only PRSM.  But it works.  If you wish to take it one step further, set up CISCO CDA (this is an OVA VMware virtual appliance - formerly this was an AD agent); then you can set up AD groups with rules to block access to content by type and by URL for AD groups - this comes in handy if you have a need for access to certain sites for law enforcement etc. that would be blocked for other departments in your organization.  *** Warning here - CISCO licenses and modules may be required for this. ***  Make sure your vendor is aware of the licensing on CISCO.  It is often the case where the cost is not the hardware - it is the licensing and SmartNet.
FYI, end of life on PRSM is August 2018 - so don't go with PRSM - you should use Sourcefire.  Lesson learned here.

You can also block outgoing traffic via IP from an ASA (for example, you wish to block the country of China - you can get the list of IPs in China, create a network object group, then use a text file via CLI or command line in ASDM (multiple line) to place them in the firewall).  You can then add a rule to block outgoing traffic to those IP addresses (ingress and egress with rules on the firewall).
0
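Both the accepted answer and FlatheadIT's comment point at syslog as the only practical way to see what is actually leaving the network before the egress ACL is written. The following added example (not from the thread) tallies outbound services from ASA syslog so the volume the accepted answer warns about can be reduced to a short list of protocol/port pairs with the number of internal hosts and external destinations behind each. It assumes the ASA 302013/302015 "Built outbound" connection messages and the 106100 access-list log message, an inside interface named `inside`, and uses constructed sample lines.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from the thread); they follow the layout of the
# ASA 302013/302015 "Built ... connection" and 106100 "access-list ... permitted" messages.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 5001 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.1.1.5/51234 (198.51.100.1/51234)
%ASA-6-302013: Built outbound TCP connection 5002 for outside:203.0.113.20/443 (203.0.113.20/443) to inside:10.1.1.6/51235 (198.51.100.1/51235)
%ASA-6-302015: Built outbound UDP connection 5003 for outside:203.0.113.53/53 (203.0.113.53/53) to inside:10.1.1.5/40000 (198.51.100.1/40000)
%ASA-6-302013: Built inbound TCP connection 5004 for outside:198.51.100.7/41000 (198.51.100.7/41000) to inside:10.1.1.9/25 (10.1.1.9/25)
%ASA-6-106100: access-list inside_out permitted tcp inside/10.1.1.7(50001) -> outside/203.0.113.30(8443) hit-cnt 1 first hit [0x1, 0x0]
%ASA-6-302013: Built outbound TCP connection 5005 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.1.1.8/51236 (198.51.100.1/51236)
"""

# For an outbound connection the "for" side is the external responder and the "to" side
# is the internal originator; inbound connections are deliberately not matched.
BUILT_RE = re.compile(
    r"%ASA-\d-30201[35]: Built outbound (?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \S+ "
    r"to (?P<sif>\w+):(?P<src>[\d.]+)/\d+"
)
# 106100 is emitted by an ACE with the "log" keyword, e.g. "permit ip any any log".
ACL_RE = re.compile(
    r"%ASA-\d-106100: access-list \S+ permitted (?P<proto>tcp|udp) "
    r"(?P<sif>\w+)/(?P<src>[\d.]+)\(\d+\) -> (?P<dif>\w+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

def summarize_outbound(log_text, inside_if="inside"):
    """Return (hits, sources, dests): connection counts per (proto, dst_port) that
    originate on inside_if, plus the distinct internal hosts and external peers per service."""
    hits, sources, dests = Counter(), defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = BUILT_RE.search(line) or ACL_RE.search(line)
        if not m or m.group("sif") != inside_if:
            continue
        key = (m.group("proto").lower(), int(m.group("dport")))
        hits[key] += 1
        sources[key].add(m.group("src"))
        dests[key].add(m.group("dst"))
    return hits, sources, dests

def report(log_text):
    """One line per service, busiest first; the candidate allow-list for the egress ACL."""
    hits, sources, dests = summarize_outbound(log_text)
    return [f"{p}/{port}: {n} conns, {len(sources[(p, port)])} internal hosts, "
            f"{len(dests[(p, port)])} destinations" for (p, port), n in hits.most_common()]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it over a syslog export collected for a representative business period (month-end included) rather than a live console, and review the low-count services by hand; those are the ones an ACL written from memory would break.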
