Solution (ASA 5505)

Answered Question
Sep 27th, 2008

Hi, we have multiple ASA 5505s installed at multiple sites, all connected via site-to-site (STS) tunnels. To enhance security, I have a few queries below and would like your review:

1) In the current scenario all default zones (Inside and DMZ) are in the same VLAN, and we have allowed IP protocol across the STS tunnels, which means any machine can access any remote IP.

Now I am going to create a separate VLAN for our department (NOC) and want all machines to be accessible only from this VLAN, and from the Inside zone only ports 80 and 443 to be allowed to the remote networks. The network scenario will be like this:

1) VLAN 100 (NOC): access everything

2) Inside VLAN: access ports 443 and 80 on the remote sites connected via STS.

3) NOC has full Internet access, but Inside zone users have access only to ICQ and Skype, and all other web traffic is to be blocked (Note: the remote machines (tunnel sites) should be open on ports 80 and 443 from the Inside zone). Kindly suggest one more thing: if I need to allow any inside machine Internet access, what kind of settings are required for this? (I would allow the Internet via IP and authentication.)

Thanks!! Please advise.

Correct Answer by Marwan ALshawi, Tue, 09/30/2008 - 05:12

Ray, the thing is:

with an ACL you are working at L3/L4, while with MPF you work at L7, and at the application layer you can have more flexibility.

For example, with an ACL you can permit or deny HTTP traffic, while with MPF you can only deny any undesired content in the HTTP header.

I would say try both ways and see which one helps you more.

Maybe you need both, each one doing part of the job. At least you have the idea now.

Good luck.

If helpful, rate.

Marwan ALshawi Sun, 09/28/2008 - 05:34

From my understanding of your requirements:

You first need to disable any routing between the VLANs if you have this before the traffic reaches the firewall.

That is, if you have a router or L3 switch doing inter-VLAN routing between the VLANs, you need to disable this, I mean between the NOC and Inside.

Put each of those VLANs on a different interface or subinterface on the ASA.

Now in your VPN setup you need to redesign the interesting-traffic ACL, which is the ACL that you refer to in your crypto map for the STS.

Make a permit for source NOC VLAN to the remote site network for any IP traffic,

and make a permit for traffic sourced from Inside to the remote site on ports 80/443.

Now only this traffic will bring up the VPN tunnel.

For more security you can put ACLs on the outside interface as well.

For Internet users to be authenticated for their outbound Internet access, you can use cut-through proxy; have a look at the following link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml

Good luck.

If helpful, rate.
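The redesign described in the answer above (NOC on its own ASA interface, a narrowed crypto ACL, and interface ACLs that enforce the same policy), as an added ASA configuration example; it is not from the thread or from Cisco documentation. Everything in it is assumed: the NOC is VLAN 100 on 192.168.100.0/24 behind switch port Ethernet0/3, the existing inside network is 192.168.1.0/24, one remote site behind the STS tunnel is 10.10.10.0/24, the crypto map is named OUTSIDE_MAP with sequence 10, and the object-group and ACL names are made up. One check before starting: an ASA 5505 on the Base license permits three VLANs, with the third restricted from initiating traffic to one of the other two, so confirm the licensed VLAN count in `show version` before adding VLAN 100.

```cisco
! Added example, not from the thread. Constructed addressing:
!   inside  = 192.168.1.0/24   (existing inside interface)
!   noc     = 192.168.100.0/24 on VLAN 100 (new)
!   remote  = 10.10.10.0/24    (one site behind the STS tunnel)
!
! 1. Give the NOC its own ASA interface and switch port (Ethernet0/3 assumed).
interface Vlan100
 nameif noc
 security-level 90
 ip address 192.168.100.1 255.255.255.0
interface Ethernet0/3
 switchport access vlan 100
!
object-group network REMOTE_SITES
 network-object 10.10.10.0 255.255.255.0
object-group service WEB tcp
 port-object eq www
 port-object eq https
!
! 2. Interesting-traffic (crypto) ACL: only these flows are encrypted into the
!    tunnel and bring it up. The remote peer's crypto ACL must be the mirror image.
access-list VPN_SITEA extended permit ip 192.168.100.0 255.255.255.0 object-group REMOTE_SITES
access-list VPN_SITEA extended permit tcp 192.168.1.0 255.255.255.0 object-group REMOTE_SITES object-group WEB
crypto map OUTSIDE_MAP 10 match address VPN_SITEA
!
! 3. Interface ACLs enforce the same policy before anything reaches the crypto map,
!    so a later edit to the crypto ACL cannot silently widen access.
access-list NOC_IN remark NOC may reach everything, including the Internet
access-list NOC_IN extended permit ip 192.168.100.0 255.255.255.0 any
access-group NOC_IN in interface noc
!
access-list INSIDE_IN remark inside may only reach remote sites on 80/443
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 object-group REMOTE_SITES object-group WEB
access-list INSIDE_IN extended deny ip 192.168.1.0 255.255.255.0 object-group REMOTE_SITES
access-group INSIDE_IN in interface inside
```

Two caveats. First, `access-group INSIDE_IN in interface inside` ends in the implicit deny, so until Internet rules are added the inside network can reach nothing except the two web ports at the remote sites; `show access-list INSIDE_IN` shows per-entry hit counts while you test. Second, decrypted tunnel traffic arriving on the outside interface bypasses the outside ACL by default (`sysopt connection permit-vpn`); if the outside ACL is meant to filter what the remote sites may initiate, that behaviour has to be turned off with `no sysopt connection permit-vpn` and the reverse flows permitted explicitly.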

ray_stone Sun, 09/28/2008 - 05:48

Hi, thanks for your reply.

First, I would like to know which software is used for configuring the user settings for allowing or denying Internet usage in the above link, and whether I need a license to use that software.

Also, I would like to know another thing: I want to give access to Skype and ICQ messenger to all users, except for Internet browsing. And is it possible to permit a few IPs to access the Internet by creating an access-list or MPF? Please advise, as I can do the rest of the settings. Thanks

Marwan ALshawi Mon, 09/29/2008 - 00:51

OK.

In the above link the authentication was through an external database on Cisco ACS, which must be bought from Cisco, but if you have a small number of usernames you can use the local database on the ASA: instead of specifying the AAA group, use the LOCAL keyword

and create usernames and passwords manually,

like

username [username] password [password]

and this way you can use cut-through authentication against local usernames.

Even in this case you can make Internet access based on usernames instead of IPs with an ACL.

You can permit Internet access for specific users based on their IPs by using an ACL on the inside interface in the inbound direction, allowing http/https for those IPs and denying the others.

For messenger it is quite complicated; if you only want to deny messenger use, it is easy using MPF.

What I suggest is to have a look at the following link; it is for blocking messenger, but try to reverse it.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c38a6.shtml

Good luck.

If helpful, rate.

ray_stone Mon, 09/29/2008 - 01:02

Agreed, but we have a high number of users, so what do you suggest; should I go with a proxy? If yes, can you recommend any free proxy server you know of?

Second, I want to allow ICQ and Skype messenger for all users. I mean that by default all users' ICQ and Skype traffic must be allowed by the FW without any blocking, and the rest must be blocked, like www, https, etc., and for giving access to the rest I want to allow only a few users by doing a few settings on the FW as you advised, or I can go with a proxy. Please advise!!

Marwan ALshawi Mon, 09/29/2008 - 22:13

Try the following:

access-list 100 extended permit tcp [inside network] [mask] any eq [tcp messenger port number]
access-list 100 extended permit udp [inside network] [mask] any eq [udp messenger port number]
access-list 100 extended permit tcp host [IP allowed to use the Internet] any eq www
access-list 100 extended permit tcp host [IP allowed to use the Internet] any eq https

If helpful, rate.
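The inside Internet policy from the two answers above (messenger for everyone, web only for listed IPs, and cut-through proxy against the local user database for everyone else), as an added ASA configuration example that is not from the thread. Everything in it is assumed: inside is 192.168.1.0/24, hosts .10 and .11 may browse without logging in, the ACL is named INSIDE_IN and applied inbound on inside, the local username is made up, and ICQ is taken to be the OSCAR protocol on TCP 5190 (verify against your clients). Skype of that era negotiated random high ports and fell back to TCP 80/443, so it cannot be cleanly allowed by port alone; the entries below cover ICQ only.

```cisco
! Added example, not from the thread. Assumptions: inside = 192.168.1.0/24;
! 192.168.1.10 and .11 browse without logging in; everyone else authenticates
! against the local database; ICQ (OSCAR) = TCP 5190; username is made up.
username ray password NocAdm1nPw! privilege 0
!
object-group network WEB_BY_IP
 network-object host 192.168.1.10
 network-object host 192.168.1.11
object-group service WEB tcp
 port-object eq www
 port-object eq https
!
access-list INSIDE_IN remark messenger (ICQ) for everyone
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq 5190
access-list INSIDE_IN remark web for the listed hosts (keep only this line for a pure by-IP policy)
access-list INSIDE_IN extended permit tcp object-group WEB_BY_IP any object-group WEB
access-list INSIDE_IN remark web for the rest of inside, gated by the cut-through proxy below
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 any object-group WEB
access-list INSIDE_IN remark everything else from inside hits the implicit deny
access-group INSIDE_IN in interface inside
!
! Cut-through proxy against the local database (LOCAL). A deny entry in the
! match ACL exempts that traffic from authentication, so the listed hosts skip
! the prompt; every other inside host must log in before its web flow is built.
access-list AUTH_WEB extended deny tcp object-group WEB_BY_IP any object-group WEB
access-list AUTH_WEB extended permit tcp 192.168.1.0 255.255.255.0 any object-group WEB
aaa authentication match AUTH_WEB inside LOCAL
! Optional: redirect browsers to the ASA's own login page instead of inline basic auth
aaa authentication listener http inside redirect
```

Successive `access-list INSIDE_IN` lines are appended in order, so these entries sit below any remote-site rules already in the same list; check the resulting order with `show access-list INSIDE_IN`. `show uauth` lists who is currently authenticated through the cut-through proxy. The `aaa authentication match` line gates only the protocols the ASA can intercept (HTTP, HTTPS, FTP, Telnet), which is why messenger traffic is permitted outright rather than put behind the login.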

ray_stone Mon, 09/29/2008 - 23:21

Thanks!!! Is it possible through MPF? Please suggest which option is better to implement.

