ASA5520: block all traffic except Windows Update for 2 servers on the LAN

nicanor00
Level 1

Hello

I have an ASA 5520 protecting my network.

LAN -----> asa5520 -----> internet

I want to allow only 2 servers on my LAN to access the Internet to update Windows and McAfee.

All other traffic from other PCs on the LAN to the outside must be blocked, and all traffic leaving the 2 servers to the outside (except for Windows and McAfee updates) must be blocked.

Server1 192.168.1.2/24

Server2 192.168.1.3/24

Inside 192.168.1.1/24

Outside 165.24.12.x/24

How can I do it, please?

Thank you for your help

8 Replies

Jithesh K Joy
Level 1

Hi,

WSUS servers use port 80 and HTTPS to sync with the Microsoft server to obtain the updates. If you open 80 and 443 in the firewall, these servers will be able to access the Internet through their browsers (which you do not want).

Visit this URL for more info

http://technet.microsoft.com/en-us/library/cc708605.aspx

Regards

Jithesh

I want to know whether the commands below would allow the server 192.168.1.100 to get Windows updates. And what about McAfee?

Thanks

ASA5520(config)#ip access-list extended servUpd
permit TCP host 192.168.1.100 host http://windowsupdate.microsoft.com eq 80
permit TCP host 192.168.1.100 host http://*.windowsupdate.microsoft.com eq 80
permit TCP host 192.168.1.100 host https://*.windowsupdate.microsoft.com 443
permit TCP host 192.168.1.100 host http://*.update.microsoft.com eq 80
permit TCP host 192.168.1.100 host https://*.update.microsoft.com eq 443
permit TCP host 192.168.1.100 host http://*.windowsupdate.com eq 80
permit TCP host 192.168.1.100 host http://download.windowsupdate.com eq 80
permit TCP host 192.168.1.100 host http://download.microsoft.com eq 80
permit TCP host 192.168.1.100 host http://*.download.windowsupdate.com eq 80
permit TCP host 192.168.1.100 host http://wustat.windows.com eq 80
permit TCP host 192.168.1.100 host http://ntservicepack.microsoft.com eq 80
ASA5520(config)#access-group servUpd in interface inside

Hi

I am very sorry. This format is not applicable in PIX/ASA.

Thanks

Jithesh

Thanks for your answer.

Please, how can I permit 2 servers to perform Windows Update only on those websites?

Thanks for your answer.

Please, how can I permit my 2 servers to access only those websites for Windows updates?

Hi,

You can do it in two ways:

A) (1) Open ports 80 and 443 for your WSUS server 192.168.1.2. (2) Set up a URL server (Websense/N2H2) with your ASA. (3) Direct the traffic from the WSUS server to the URL server for filtering. (4) In the URL server, allow access only to those URLs.

B) (1) Set up a proxy inside your network.

(2) Open ports 80 and 443 in the ASA for the proxy.

(3) Configure the proxy in such a way that the WSUS server can only access those URLs.

Thanks for your answer.

Please, have a look at this link: is it possible?

http://supportwiki.cisco.com/ViewWiki/index.php/ASA_URL_filtering

Hi

Thank you very much for your info.

Could you please try the following configuration, as per the link provided above?

---------------------------------------
regex allowex1 ".*\.microsoft\.com"
regex allowex2 ".*\.windowsupdate\.com"
regex allowex3 ".*\.windows\.com"
regex allowex4 ".*\.mcafee\.com"
regex allowex5 "\.mcafee\.com"
class-map type inspect http match-all allow-url-class
 match not request header host regex allowex1
 match not request header host regex allowex2
 match not request header host regex allowex3
 match not request header host regex allowex4
 match not request header host regex allowex5
policy-map type inspect http allow-url-policy
 parameters
 class allow-url-class
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect http allow-url-policy
service-policy global_policy global
---------------------------------------

If it is not working, we can try another way. Please update.

Regards

Jithesh
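As an added worked example (not from this thread, Cisco, or the ASA itself), the Python below emulates how the posted class-map evaluates an HTTP Host header against the five regexes, and shows what anchoring those patterns changes. It assumes the ASA's unanchored search semantics for regex matching and uses constructed Host values, not captured traffic.

```python
import re

# Allow-list regexes exactly as posted above (ASA "regex" commands); for these
# patterns ASA and Python regex syntax coincide. Note allowex5 is a strict
# subset of allowex4, so it never changes the result.
ALLOW_PATTERNS = {
    "allowex1": r".*\.microsoft\.com",
    "allowex2": r".*\.windowsupdate\.com",
    "allowex3": r".*\.windows\.com",
    "allowex4": r".*\.mcafee\.com",
    "allowex5": r"\.mcafee\.com",
}


def matching_regexes(host, patterns=ALLOW_PATTERNS):
    """Names of the allow-list regexes that match a Host header value.

    Assumption: as on the ASA, an unanchored pattern matches if it is found
    anywhere in the header value (re.search semantics, not fullmatch).
    """
    return [name for name, pat in patterns.items() if re.search(pat, host)]


def asa_http_verdict(host, patterns=ALLOW_PATTERNS):
    """Emulate the posted class-map: 'match-all' over five 'match not ... regex'
    lines means the class matches, and the connection is dropped, only when
    NONE of the allow-list regexes matches the Host header.

    Only plain HTTP (port 80) reaches 'inspect http'; the Host header inside a
    TLS session on 443 is encrypted, so this filter cannot see it.
    """
    return "permit" if matching_regexes(host, patterns) else "drop-connection"


def anchored(patterns):
    """Harden the allow-list by anchoring each pattern to the end of the Host
    value, so a name that merely contains '.windowsupdate.com' in the middle
    no longer matches (adjust if Host values may carry an explicit :port)."""
    return {name: pat + "$" for name, pat in patterns.items()}


if __name__ == "__main__":
    # Constructed sample Host headers, not captured traffic.
    for host in ("download.windowsupdate.com", "wustat.windows.com",
                 "update.mcafee.com", "www.example.com",
                 "www.windowsupdate.com.example.net"):
        print(f"{host:36} posted: {asa_http_verdict(host):16} "
              f"anchored: {asa_http_verdict(host, anchored(ALLOW_PATTERNS))}")
```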
