ASA Internet Filtering

Unanswered Question
Apr 7th, 2008

I'm looking to lock down our outbound internet access list. Our previous admin set up the outbound list on the firewalls with an ip any any rule; now we have to lock it down. Other than asking people what ports they need open to what IPs, how do you guys recommend going through and getting a list of ports I need open? I have all the syslogs and I've been going through them manually gathering ports... but it seems like such a tedious, unreliable task since I know I'll miss a lot.

Rick Morris Mon, 04/07/2008 - 10:04

The only way to really know is to get everyone together and find out what apps run on what ports. Then create object groups and add the ports as you need them. In the object group you just add the ports, and it does nothing to the ACL you apply; it just adds the additional ports to the ACL via the object group.

niro@optonline.net Mon, 04/07/2008 - 10:59

Yeah, I was kind of afraid that's the only answer... that's basically what I've been doing; I was just hoping someone knew of some easier way. :)

Rick Morris Tue, 04/08/2008 - 05:14

good or bad

I would start with general port use.

Create a temporary grouping of ports you know are in use.

You can get a sniff of traffic using Ethereal or something like that which is free, and just capture some traffic and parse through it.

Then add in what you believe you need.

One way to find out if a port is needed is to put up an ACL and find out who yells. Not always easy, but a guarantee to find what you need.

If you do this I would check to see if ASAs can do object groups. When you create an object group and need to make changes, you affect the object group only and it changes the ACL for you. Adding new ports is very easy and removing them is just as easy.

PAUL TRIVINO Mon, 04/07/2008 - 14:29

Might want to set up NBAR protocol discovery to see what is running now. That will make the analysis easier at least, even if you have to stick an NBAR-enabled router in the link as a temporary measure. Search CCO for NBAR and you should find info.

HTH

Paul

gefuchs@highlig... Thu, 04/10/2008 - 09:35

I just went through this exercise, jumping through the PCI hoops.

I added the known ports first, then added a "log" to the permit any any to see what was left going out.

Sending the logs to Kiwi syslog server and a little filtering helped to see what I needed to open up.

Greg
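The approach in Greg's post (log hits on the trailing permit any any, then filter the syslog to see what is still going out) and Rick's suggestion of feeding the result into object groups can both be scripted. The following is an added example, not code from anyone in this thread or from Cisco: it parses two common ASA message shapes (106100 access-list log lines and 302013/302015 "Built outbound ... connection" lines, whose formats are assumed from memory and should be checked against your own logs), tallies destination ports per protocol together with how many internal hosts used each, and emits candidate `object-group service` lines for ports seen from more than one host. Ports seen from a single host are listed separately for manual review, which addresses the "I know I'll miss a lot" problem: nothing is dropped silently, it is just sorted into two piles. The sample log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed message formats (verify against your own syslog before relying on them):
#   %ASA-6-106100: access-list <acl> permitted|denied <proto> <if>/<src>(<sport>) -> <if>/<dst>(<dport>) ...
#   %ASA-6-302013: Built outbound TCP connection <id> for <if>:<dst>/<dport> (...) to <if>:<src>/<sport> (...)
#   %ASA-6-302015: same shape for UDP
# 106100 lines are treated as outbound on the assumption that the ACL being logged
# is the one applied inbound on the inside interface, as in the original question.
ACL_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) \w+/(?P<src>[\d.]+)\(\d+\) -> \w+/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)
CONN_RE = re.compile(
    r"%ASA-\d-30201[35]: Built outbound (?P<proto>TCP|UDP) connection \d+ for "
    r"\w+:(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\) to \w+:(?P<src>[\d.]+)/\d+"
)

# Constructed sample lines, not taken from a real device.
SAMPLE_LOGS = [
    "%ASA-6-106100: access-list inside_out permitted tcp inside/10.1.1.5(49152) -> outside/93.184.216.34(443) hit-cnt 1 first hit [0x0, 0x0]",
    "%ASA-6-106100: access-list inside_out permitted tcp inside/10.1.1.6(49153) -> outside/93.184.216.34(443) hit-cnt 1 first hit [0x0, 0x0]",
    "%ASA-6-106100: access-list inside_out permitted udp inside/10.1.1.5(53111) -> outside/8.8.8.8(53) hit-cnt 3 300-second interval [0x0, 0x0]",
    "%ASA-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.1.1.7/50000 (10.1.1.7/50000)",
    "%ASA-6-302013: Built outbound TCP connection 1002 for outside:198.51.100.9/8443 (198.51.100.9/8443) to inside:10.1.1.5/50001 (10.1.1.5/50001)",
    "%ASA-6-302015: Built outbound UDP connection 1003 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.1.1.6/53112 (10.1.1.6/53112)",
    "%ASA-6-106023: Deny tcp src inside:10.1.1.5/50002 dst outside:203.0.113.1/23 by access-group inside_out",
]


def parse_line(line):
    """Return (proto, src, dst, dport) for an outbound-flow log line, else None."""
    m = ACL_RE.search(line) or CONN_RE.search(line)
    if not m:
        return None
    return (m["proto"].lower(), m["src"], m["dst"], int(m["dport"]))


def tally(lines):
    """Map (proto, dport) -> {'hosts': set of internal sources, 'dests': set of destinations, 'hits': count}."""
    table = defaultdict(lambda: {"hosts": set(), "dests": set(), "hits": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated message type, e.g. a 106023 deny
        proto, src, dst, dport = rec
        entry = table[(proto, dport)]
        entry["hosts"].add(src)
        entry["dests"].add(dst)
        entry["hits"] += 1
    return dict(table)


def classify(table, min_hosts=2):
    """Split ports into those used by >= min_hosts internal hosts (candidates for the
    standing ACL) and those used by fewer (review one by one before permitting)."""
    common, review = {}, {}
    for key, entry in table.items():
        (common if len(entry["hosts"]) >= min_hosts else review)[key] = entry
    return common, review


def object_group_config(common, name="OUTBOUND_KNOWN"):
    """Emit ASA object-group service lines, one group per protocol, for the common ports.
    The group name is a placeholder; the ACL entries referencing the groups are left to you."""
    lines = []
    for proto in sorted({p for p, _ in common}):
        lines.append(f"object-group service {name}_{proto.upper()} {proto}")
        for p, port in sorted(common):
            if p == proto:
                lines.append(f" port-object eq {port}")
    return lines


if __name__ == "__main__":
    common, review = classify(tally(SAMPLE_LOGS))
    print("\n".join(object_group_config(common)))
    for (proto, port), e in sorted(review.items()):
        print(f"! review {proto}/{port}: hosts={sorted(e['hosts'])} dests={sorted(e['dests'])} hits={e['hits']}")
```

Run it against a Kiwi or other syslog export by replacing `SAMPLE_LOGS` with the file's lines; the `min_hosts` threshold is the knob that decides how much lands in the automatic pile versus the review pile.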
