06-07-2010 09:15 AM - edited 03-11-2019 10:55 AM
Hi,
I am currently using an ASA 5505 with Security Plus License (P/N: ASA5505-SEC-BUN-K9) Appliance. What I am trying to do is create multiple networks that are completely separated from each other, and on the inside interface (or network) I want to limit the outbound traffic. I have at least 14 inside clients that would be completely restricted from accessing the internet except for a specific IP address and specific port. All the rest of the IP addresses on that subnet would only have access to the internet if they have specified a username and password.
Please see the below configuration and please give me your feedback as to what other things I can improve.
!-- 14 Clients
access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.1 eq www
access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.1 eq https
access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.2 eq www
access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.2 eq https
access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.3 eq www
access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.3 eq https
access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.4 eq www
access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.4 eq https
access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.5 eq www
access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.5 eq https
access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.6 eq www
access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.6 eq https
access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.7 eq https
access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.8 eq https
access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.9 eq www
access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.9 eq https
access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.10 eq https
access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.4 eq 6260
access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 4.2.2.1 eq domain
access-list Firewall_Policy extended permit udp 10.12.1.0 255.255.255.240 host 4.2.2.1 eq domain
access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 4.2.2.2 eq domain
access-list Firewall_Policy extended permit udp 10.12.1.0 255.255.255.240 host 4.2.2.2 eq domain
access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 4.2.2.3 eq domain
access-list Firewall_Policy extended permit udp 10.12.1.0 255.255.255.240 host 4.2.2.3 eq domain
access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 8.8.4.4 eq domain
access-list Firewall_Policy extended permit udp 10.12.1.0 255.255.255.240 host 8.8.4.4 eq domain
access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 8.8.8.8 eq domain
access-list Firewall_Policy extended permit udp 10.12.1.0 255.255.255.240 host 8.8.8.8 eq domain
access-list Firewall_Policy extended deny ip 10.12.1.0 255.255.255.240 any
access-list Firewall_Policy extended permit ip any any
access-group Firewall_Policy in interface inside
!-- AAA Configuration
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host 10.12.1.245 sharedsecret timeout 5
aaa authentication include any inside 10.12.1.0 255.255.255.0 0 0 AuthInbound
aaa-server svrgrp1 protocol radius
max-failed-attempts 3
aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.1 255.255.255.255 AuthInbound
aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.1 255.255.255.255 AuthInbound
aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.2 255.255.255.255 AuthInbound
aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.2 255.255.255.255 AuthInbound
aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.3 255.255.255.255 AuthInbound
aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.3 255.255.255.255 AuthInbound
aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.4 255.255.255.255 AuthInbound
aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.4 255.255.255.255 AuthInbound
aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.5 255.255.255.255 AuthInbound
aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.5 255.255.255.255 AuthInbound
aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.7 255.255.255.255 AuthInbound
aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.8 255.255.255.255 AuthInbound
aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.6 255.255.255.255 AuthInbound
aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.6 255.255.255.255 AuthInbound
aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.9 255.255.255.255 AuthInbound
aaa authentication exclude tcp/6260 inside 10.12.1.0 255.255.255.0 208.xxx.152.4 255.255.255.255 AuthInbound
aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 4.2.2.1 255.255.255.255 AuthInbound
aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 4.2.2.2 255.255.255.255 AuthInbound
aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 4.2.2.3 255.255.255.255 AuthInbound
aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 8.8.4.4 255.255.255.255 AuthInbound
aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 8.8.8.8 255.255.255.255 AuthInbound
I hope that someone can recommend whether there are other, better alternatives to this type of configuration. Also, is there anything I have to add in order to maintain a more secure and efficient environment? Please school me.
Thank you,
Russell
06-07-2010 11:31 AM
Russell,
Firstly, there is a nice function called "Objects"; see the below:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml
I would suggest that you create a group for src/dst IP addresses and TCP/UDP ports; this will reduce your ACL.
Once you are happy with that, we will address future-proofing the config/requirements!
HTH
06-17-2010 10:17 AM
Sorry for the delay. I have modified my access-list to use object-groups. Please see the modified configuration; if anybody can recommend a more efficient and secure environment than my current configuration, I'll appreciate it. By the way, just so you know, I don't have any DMZ or any port being allowed from the outside interface to the inside. Here's the configuration I currently have:
object-group network Lanes
network-object 10.12.1.0 255.255.255.240
object-group network CPAddress
network-object host 208.xxx.152.1
network-object host 208.xxx.152.2
network-object host 208.xxx.152.3
network-object host 208.xxx.152.4
network-object host 208.xxx.152.5
network-object host 208.xxx.152.6
network-object host 208.xxx.152.7
network-object host 208.xxx.152.8
network-object host 208.xxx.152.9
network-object host 208.xxx.152.10
network-object 203.xxx.152.1 255.255.255.224
object-group network DNS
description: DNS Servers Address
network-object host 4.2.2.1
network-object host 4.2.2.2
network-object host 4.2.2.3
network-object host 8.8.4.4
network-object host 8.8.8.8
object-group service CPPorts tcp
port-object eq www
port-object eq https
port-object eq 6260
object-group service DNSPorts tcp-udp
description: DNS Servers TCP-UPD Ports
port-object eq domain
access-list Firewall_Policy extended permit tcp object-group Lanes object-group CPAddress object-group CPPorts
access-list Firewall_Policy extended permit tcp object-group Lanes object-group DNS object-group DNSPorts
access-list Firewall_Policy extended permit udp object-group Lanes object-group DNS object-group DNSPorts
access-list Firewall_Policy extended deny ip object-group Lanes any
access-list Firewall_Policy extended permit ip any any
access-group Firewall_Policy in interface inside
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host 10.12.1.245 sharedsecret timeout 5
aaa authentication include any inside 10.12.1.0 255.255.255.0 0 0 AuthInbound
aaa-server svrgrp1 protocol radius
max-failed-attempts 3
aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.1 255.255.255.255 AuthInbound
aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.1 255.255.255.255 AuthInbound
aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.2 255.255.255.255 AuthInbound
aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.2 255.255.255.255 AuthInbound
aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.3 255.255.255.255 AuthInbound
aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.3 255.255.255.255 AuthInbound
aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.4 255.255.255.255 AuthInbound
aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.4 255.255.255.255 AuthInbound
aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.5 255.255.255.255 AuthInbound
aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.5 255.255.255.255 AuthInbound
aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.7 255.255.255.255 AuthInbound
aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.8 255.255.255.255 AuthInbound
aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.6 255.255.255.255 AuthInbound
aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.6 255.255.255.255 AuthInbound
aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.9 255.255.255.255 AuthInbound
aaa authentication exclude tcp/6260 inside 10.12.1.0 255.255.255.0 208.xxx.152.4 255.255.255.255 AuthInbound
aaa authentication exclude http inside 10.12.1.0 255.255.255.0 203.xxx.152.1 255.255.255.224 AuthInbound
aaa authentication exclude https inside 10.12.1.0 255.255.255.0 203.xxx.152.1 255.255.255.224 AuthInbound
aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 4.2.2.1 255.255.255.255 AuthInbound
aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 4.2.2.2 255.255.255.255 AuthInbound
aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 4.2.2.3 255.255.255.255 AuthInbound
aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 8.8.4.4 255.255.255.255 AuthInbound
aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 8.8.8.8 255.255.255.255 AuthInbound
Thank you again in advance and please school me.
Russell
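When an ACL is refactored into object-groups, as in both configurations above, it is worth checking that the rewrite permits exactly the flows the original did: the object-group version grants every port in CPPorts to every host in CPAddress, whereas the flat ACL allowed only https to some of those hosts. The following is an added example, not code from the thread or from Cisco: a small parser for the ASA `object-group` and `access-list ... extended` syntax used in the posts, with first-match evaluation and the implicit deny, run over a cut-down sample of the grouped policy (the redacted "xxx" octet is replaced by 0 as a constructed placeholder).

```python
import ipaddress

# Constructed sample (cut down from the post); the redacted "xxx" octet is replaced by 0.
SAMPLE_CFG = """
object-group network Lanes
network-object 10.12.1.0 255.255.255.240
object-group network CPAddress
network-object host 208.0.152.7
object-group service CPPorts tcp
port-object eq www
port-object eq https
access-list Firewall_Policy extended permit tcp object-group Lanes object-group CPAddress object-group CPPorts
access-list Firewall_Policy extended deny ip object-group Lanes any
access-list Firewall_Policy extended permit ip any any
"""
PORTS = {"www": 80, "https": 443, "domain": 53}   # ASA port keywords used in the thread

def _net(t):  # "any", "host X" or "X MASK" -> ip_network
    if t[0] == "any": return ipaddress.ip_network("0.0.0.0/0")
    if t[0] == "host": return ipaddress.ip_network(t[1])
    return ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False)

def _addr(t, groups):  # one address operand -> (list of networks, tokens consumed)
    if t[0] == "object-group": return groups[t[1]], 2
    return [_net(t)], (1 if t[0] == "any" else 2)

def parse(cfg):
    """Expand object-groups and return ACEs as (action, proto, srcs, dsts, ports)."""
    groups, rules, cur = {}, [], None
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[0] == "object-group":
            cur = groups.setdefault(t[2], [])
        elif t[0] == "network-object":
            cur.append(_net(t[1:]))
        elif t[0] == "port-object":
            cur.append(PORTS.get(t[2]) or int(t[2]))
        elif t[0] == "access-list" and t[2] == "extended":
            action, proto, rest = t[3], t[4], t[5:]
            src, n = _addr(rest, groups); rest = rest[n:]
            dst, n = _addr(rest, groups); rest = rest[n:]
            ports = groups[rest[1]] if rest[:1] == ["object-group"] else [PORTS.get(rest[1]) or int(rest[1])] if rest else []
            rules.append((action, proto, src, dst, ports))
    return rules

def verdict(rules, src, dst, proto, dport):
    """First matching ACE wins; no ACE matching at all is the ASA's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, srcs, dsts, ports in rules:
        if p in ("ip", proto) and any(s in n for n in srcs) and any(d in n for n in dsts) and (not ports or dport in ports):
            return action
    return "deny"
```

Running the same flows through the flat ACL from the first post and through the grouped one makes the widened permits visible before the change goes live; the parser handles both forms.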