01-27-2009 01:28 AM - edited 03-11-2019 07:42 AM
Hello
I have an asa 5520 to protect my network
LAN -----> asa5520 -----> internet
I want to allow only 2 servers on my LAN to access the Internet to update Windows and McAfee.
All other traffic from other PCs on the LAN to the outside must be blocked, and all traffic leaving the 2 servers to the outside (except for Windows and McAfee updates) must be blocked.
Server1 192.168.1.2/24
Server2 192.168.1.3/24
Inside 192.168.1.1/24
Outside 165.24.12.x/24
How can I do it, please?
Thank you for your help
01-27-2009 03:20 AM
Hi,
WSUS servers use port 80 & HTTPS (443) to sync with the Microsoft server to obtain the updates. If you open 80 & 443 in the firewall, these servers will be able to access the Internet through their browsers (which you do not want).
Visit this URL for more info
http://technet.microsoft.com/en-us/library/cc708605.aspx
Regards
Jithesh
01-27-2009 04:07 AM
I want to know whether these commands below would allow the server 192.168.1.100 to get Windows updates. And what about McAfee?
THANKS
ASA5520(config)#ip access-list extended servUpd
permit TCP host 192.168.1.100 host http://windowsupdate.microsoft.com eq 80
permit TCP host 192.168.1.100 host http://*.windowsupdate.microsoft.com eq 80
permit TCP host 192.168.1.100 host https://*.windowsupdate.microsoft.com eq 443
permit TCP host 192.168.1.100 host http://*.update.microsoft.com eq 80
permit TCP host 192.168.1.100 host https://*.update.microsoft.com eq 443
permit TCP host 192.168.1.100 host http://*.windowsupdate.com eq 80
permit TCP host 192.168.1.100 host http://download.windowsupdate.com eq 80
permit TCP host 192.168.1.100 host http://download.microsoft.com eq 80
permit TCP host 192.168.1.100 host http://*.download.windowsupdate.com eq 80
permit TCP host 192.168.1.100 host http://wustat.windows.com eq 80
permit TCP host 192.168.1.100 host http://ntservicepack.microsoft.com eq 80
ASA5520(config)#access-group servUpd in interface inside
01-27-2009 08:02 PM
Hi
I am very sorry. This format is not applicable on PIX/ASA.
Thanks
Jithesh
01-27-2009 11:36 PM
Thanks for your answer
Please, how can I permit 2 servers to do Windows updates only on those websites?
01-27-2009 11:43 PM
Thanks for your answer
Please, how can I permit my 2 servers to access only those websites for Windows updates?
01-27-2009 11:54 PM
Hi,
You can do it in two ways:
A) (1) Open ports 80 & 443 for your WSUS server 192.168.1.2.
(2) Set up a URL server (Websense/N2H2) with your ASA.
(3) Direct the traffic from the WSUS server to the URL server for filtering.
(4) In the URL server, allow access only to those URLs.
B) (1) Set up a proxy inside your network.
(2) Open ports 80 and 443 in the ASA for the proxy.
(3) Configure the proxy in such a way that the WSUS server can only access those URLs.
02-04-2009 01:22 AM
Thanks for your answer
Please, have a look at this link: is it possible?
http://supportwiki.cisco.com/ViewWiki/index.php/ASA_URL_filtering
02-04-2009 02:16 AM
Hi
Thank you very much for your info.
Could you please try the following configuration, as per the link provided above?
---------------------------------------
! The "$" anchors the pattern to the end of the Host header, so a host such as
! download.microsoft.com.example.net is not accepted as an allowed site.
regex allowex1 ".*\.microsoft\.com$"
regex allowex2 ".*\.windowsupdate\.com$"
regex allowex3 ".*\.windows\.com$"
regex allowex4 ".*\.mcafee\.com$"
regex allowex5 "\.mcafee\.com$"
! match-all with "match not" on every regex: the class matches a request whose
! Host header matches none of the allowed patterns (or has no Host header).
class-map type inspect http match-all allow-url-class
 match not request header host regex allowex1
 match not request header host regex allowex2
 match not request header host regex allowex3
 match not request header host regex allowex4
 match not request header host regex allowex5
! Requests that fall into that class are dropped and logged.
policy-map type inspect http allow-url-policy
 parameters
 class allow-url-class
  drop-connection log
! Attach the HTTP inspection to the default global policy (all port-80 traffic).
policy-map global_policy
 class inspection_default
  inspect http allow-url-policy
service-policy global_policy global
---------------------------------------
If it does not work, we can try another way. Please update.
regards
Jithesh
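As an added example (not posted in the thread), the following ASA configuration ties together step (1) of option A above (open 80/443 only for the update servers) with the Host-header inspection from the last post, and restricts that inspection to the two servers instead of every HTTP flow through the global policy. The object-group, access-list, regex, class-map and policy-map names are hypothetical; the server addresses and the "inside" interface name come from the original question.

```cisco
! Added example, not from the thread. Names are hypothetical; the two server
! addresses (192.168.1.2, 192.168.1.3) and the "inside" interface are from the question.

! 1. Only the two update servers may leave the LAN, and only on TCP 80 and 443.
object-group network UPDATE_SERVERS
 network-object host 192.168.1.2
 network-object host 192.168.1.3
access-list INSIDE_IN extended permit tcp object-group UPDATE_SERVERS any eq www
access-list INSIDE_IN extended permit tcp object-group UPDATE_SERVERS any eq https
! Everything else from the LAN (other PCs, and any other protocol from the two
! servers) is dropped and logged.
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside

! 2. On port 80, accept only the vendors' update hosts. Each regex is anchored
! with "$" so that a Host header such as download.microsoft.com.attacker.example
! is not accepted; the left side is open so download.microsoft.com and
! update.microsoft.com both match.
regex ALLOW_MICROSOFT ".*\.microsoft\.com$"
regex ALLOW_WINDOWSUPDATE ".*\.windowsupdate\.com$"
regex ALLOW_WINDOWS ".*\.windows\.com$"
regex ALLOW_MCAFEE ".*\.mcafee\.com$"
class-map type regex match-any ALLOWED_UPDATE_HOSTS
 match regex ALLOW_MICROSOFT
 match regex ALLOW_WINDOWSUPDATE
 match regex ALLOW_WINDOWS
 match regex ALLOW_MCAFEE
! A request whose Host header matches none of the allowed patterns (or that
! carries no Host header at all) is dropped and logged.
class-map type inspect http match-all NOT_UPDATE_HOST
 match not request header host regex class ALLOWED_UPDATE_HOSTS
policy-map type inspect http UPDATE_HTTP_POLICY
 parameters
 class NOT_UPDATE_HOST
  drop-connection log

! 3. Apply the HTTP inspection only to port-80 flows from the two servers, as an
! interface policy on "inside", rather than to all HTTP through global_policy.
access-list UPDATE_HTTP_FLOWS extended permit tcp object-group UPDATE_SERVERS any eq www
class-map UPDATE_SERVERS_HTTP
 match access-list UPDATE_HTTP_FLOWS
policy-map INSIDE_POLICY
 class UPDATE_SERVERS_HTTP
  inspect http UPDATE_HTTP_POLICY
service-policy INSIDE_POLICY interface inside
```

Three caveats a practitioner should keep in mind. First, the ASA of that era cannot read the Host header inside TLS, so port 443 is limited only by source address: a browser on one of the two servers can still reach any HTTPS site, which is exactly the gap the first reply warns about; hostname control on 443 needs the proxy or URL-server approach from option A/B. Second, the Host header is supplied by the client, so this constrains well-behaved update agents, not software on the server that deliberately sets an allowed Host value. Third, ASA regex matching is case-sensitive, and the servers must still be able to resolve names: if they use an outside DNS resolver, add a permit for UDP 53 to that resolver above the final deny. Check the actual repository hostnames in the McAfee agent's configuration and add a regex for each domain that is not covered.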