ASA Internet Filtering


I'm looking to lock down our outbound internet access list. Our previous admin set up the outbound list on the firewalls with an ip any any rule, and now we have to lock it down. Other than asking people what ports they need open to what IPs, how do you guys recommend going through and getting a list of ports I need open? I have all the syslogs and I've been going through them manually gathering ports... but it seems like such a tedious, unreliable task since I know I'll miss a lot.

Rick Morris Mon, 04/07/2008 - 10:04

The only way to really know is to get everyone together and find out what apps run on what ports. Then create object groups and add the ports as you need them. In the object group you just add the ports, and it does nothing to the ACL you apply. It just adds the additional ports to the ACL via the object group.
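The question asks how to turn a pile of ASA syslogs into a candidate port list, and the answer above suggests carrying that list into object groups. The script below is an added example (not code from the original thread or from Cisco) that does both: it parses the "Built outbound ... connection" messages (IDs 302013 for TCP and 302015 for UDP), counts destination IP/port pairs, drops anything seen fewer than a chosen number of times, and renders an ASA service object-group plus an access-list that ends in an explicit logged deny. The log lines are constructed samples in the documented message shape; the ACL and object-group names are assumptions, and the generated config is a starting point to review with the application owners, not something to paste in blind.

```python
import re
from collections import Counter

# Constructed sample syslog in the shape of ASA 302013 (TCP) / 302015 (UDP)
# "Built outbound" messages. One inbound build and one teardown are included
# to show that they are ignored. Addresses are documentation ranges.
SAMPLE_SYSLOG = """\
Apr  7 09:58:01 fw01 %ASA-6-302013: Built outbound TCP connection 1001 for inside:10.1.1.5/51234 (10.1.1.5/51234) to outside:198.51.100.20/443 (198.51.100.20/443)
Apr  7 09:58:02 fw01 %ASA-6-302013: Built outbound TCP connection 1002 for inside:10.1.1.6/51300 (10.1.1.6/51300) to outside:198.51.100.20/443 (198.51.100.20/443)
Apr  7 09:58:03 fw01 %ASA-6-302015: Built outbound UDP connection 1003 for inside:10.1.1.5/53001 (10.1.1.5/53001) to outside:198.51.100.53/53 (198.51.100.53/53)
Apr  7 09:58:04 fw01 %ASA-6-302013: Built outbound TCP connection 1004 for inside:10.1.1.7/40000 (10.1.1.7/40000) to outside:203.0.113.9/80 (203.0.113.9/80)
Apr  7 09:58:05 fw01 %ASA-6-302013: Built inbound TCP connection 1005 for outside:203.0.113.9/4444 (203.0.113.9/4444) to inside:10.1.1.7/22 (10.1.1.7/22)
Apr  7 09:58:06 fw01 %ASA-6-302014: Teardown TCP connection 1001 for inside:10.1.1.5/51234 to outside:198.51.100.20/443 duration 0:00:05 bytes 1234 TCP FINs
Apr  7 09:58:07 fw01 %ASA-6-302013: Built outbound TCP connection 1006 for inside:10.1.1.8/40010 (10.1.1.8/40010) to outside:203.0.113.9/80 (203.0.113.9/80)
"""

# Only outbound connection builds matter for an outbound ACL; teardowns and
# inbound builds are deliberately not matched.
BUILT_RE = re.compile(
    r"%ASA-\d-30201[35]: Built outbound (?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/\d+ \([\d./]+\) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d./]+\)"
)


def parse_outbound(text):
    """Count outbound builds keyed by (protocol, destination IP, destination port)."""
    hits = Counter()
    for line in text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            hits[(m["proto"], m["dst"], int(m["dport"]))] += 1
    return hits


def ports_by_proto(hits, min_hits=1):
    """Collapse the counter to {proto: {ports}}, dropping pairs seen < min_hits times.

    A low threshold keeps one-off connections that may be noise; raise it to
    focus on ports that are clearly in regular use, then review the rest by hand.
    """
    ports = {}
    for (proto, _dst, dport), n in hits.items():
        if n >= min_hits:
            ports.setdefault(proto, set()).add(dport)
    return ports


def destinations_for(hits, proto, dport):
    """Sorted destination IPs observed for one protocol/port, for the review report."""
    return sorted(dst for (p, dst, d) in hits if p == proto and d == dport)


def render_asa_config(hits, acl_name="OUTBOUND", min_hits=1):
    """Render ASA service object-groups and an ACL from the observed ports.

    acl_name and the derived group names are assumptions for this example.
    """
    lines = []
    ports = ports_by_proto(hits, min_hits)
    for proto in sorted(ports):
        grp = f"{acl_name}-{proto}-PORTS"
        lines.append(f"object-group service {grp} {proto.lower()}")
        for p in sorted(ports[proto]):
            lines.append(f" port-object eq {p}")
        lines.append(
            f"access-list {acl_name} extended permit {proto.lower()} any any object-group {grp}"
        )
    # Explicit, logged deny at the end so anything the log review missed shows up
    # in syslog instead of silently failing.
    lines.append(f"access-list {acl_name} extended deny ip any any log")
    return "\n".join(lines)


if __name__ == "__main__":
    observed = parse_outbound(SAMPLE_SYSLOG)
    for proto, ports in sorted(ports_by_proto(observed).items()):
        for port in sorted(ports):
            print(f"{proto}/{port}: {destinations_for(observed, proto, port)}")
    print(render_asa_config(observed, min_hits=1))
```

Run it against a real export by replacing SAMPLE_SYSLOG with the file contents; the per-port destination listing is what you take to the application owners, and bumping min_hits separates steady traffic from one-off noise before the first cutover.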

Rick Morris Tue, 04/08/2008 - 05:14

good or bad

I would start with general port use.

Create a temporary grouping of ports you know are in use.

You can get a sniff of traffic using ethereal or something like that which is free and just capture some traffic and parse through it.

Then add in what you believe you need.

One way to find out if a port is needed is to put up an ACL and find out who yells. Not always easy, but a guarantee to find what you need.

If you do this I would check to see if ASAs can do object groups. When creating an object group and needing to make changes, you affect the object group only and it changes the ACL for you. When adding new ports it is very easy, and removing them is just as easy.

PAUL TRIVINO Mon, 04/07/2008 - 14:29

Might want to set up NBAR protocol discovery to see what is running now. That will make the analysis easier at least, even if you have to stick an NBAR-enabled router in the link as a temporary measure. Search CCO for NBAR and you should find info.
