Limiting Outbound Access

rmanapat
Level 1

Hi,

     I am currently using an ASA 5505 with the Security Plus license (P/N: ASA5505-SEC-BUN-K9). What I am trying to do is create multiple networks that are completely separated from each other, and on the inside interface (or network) I want to limit the outbound traffic. I have at least 14 inside clients that should be completely restricted from accessing the internet except for a specific IP address and a specific port. All the other IP addresses on that subnet would only have access to the internet if they have supplied a username and password.

     Please see the configuration below and give me your feedback on what else I can improve.

          !-- 14 Clients
          access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.1 eq www
          access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.1 eq https
          access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.2 eq www
          access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.2 eq https
          access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.3 eq www
          access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.3 eq https
          access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.4 eq www
          access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.4 eq https
          access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.5 eq www
          access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.5 eq https
          access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.6 eq www
          access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.6 eq https
          access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.7 eq https
          access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.8 eq https
          access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.9 eq www
          access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.9 eq https
          access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.10 eq https
          access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.4 eq 6260
          access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 4.2.2.1 eq domain
          access-list Firewall_Policy extended permit udp 10.12.1.0 255.255.255.240 host 4.2.2.1 eq domain
          access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 4.2.2.2 eq domain
          access-list Firewall_Policy extended permit udp 10.12.1.0 255.255.255.240 host 4.2.2.2 eq domain
          access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 4.2.2.3 eq domain
          access-list Firewall_Policy extended permit udp 10.12.1.0 255.255.255.240 host 4.2.2.3 eq domain
          access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 8.8.4.4 eq domain
          access-list Firewall_Policy extended permit udp 10.12.1.0 255.255.255.240 host 8.8.4.4 eq domain
          access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 8.8.8.8 eq domain
          access-list Firewall_Policy extended permit udp 10.12.1.0 255.255.255.240 host 8.8.8.8 eq domain
          access-list Firewall_Policy extended deny ip 10.12.1.0 255.255.255.240 any
          access-list Firewall_Policy extended permit ip any any
          access-group Firewall_Policy in interface inside

          !-- AAA Configuration
          aaa-server AuthInbound protocol radius
          aaa-server AuthInbound (inside) host 10.12.1.245 sharedsecret timeout 5

          aaa authentication include any inside 10.12.1.0 255.255.255.0 0 0 AuthInbound

          aaa-server svrgrp1 protocol radius
          max-failed-attempts 3

          aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.1 255.255.255.255 AuthInbound
          aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.1 255.255.255.255 AuthInbound
          aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.2 255.255.255.255 AuthInbound
          aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.2 255.255.255.255 AuthInbound
          aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.3 255.255.255.255 AuthInbound
          aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.3 255.255.255.255 AuthInbound
          aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.4 255.255.255.255 AuthInbound
          aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.4 255.255.255.255 AuthInbound
          aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.5 255.255.255.255 AuthInbound
          aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.5 255.255.255.255 AuthInbound
          aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.7 255.255.255.255 AuthInbound
          aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.8 255.255.255.255 AuthInbound
          aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.6 255.255.255.255 AuthInbound
          aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.6 255.255.255.255 AuthInbound
          aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.9 255.255.255.255 AuthInbound
          aaa authentication exclude tcp/6260 inside 10.12.1.0 255.255.255.0 208.xxx.152.4 255.255.255.255 AuthInbound

          aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 4.2.2.1 255.255.255.255 AuthInbound
          aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 4.2.2.2 255.255.255.255 AuthInbound
          aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 4.2.2.3 255.255.255.255 AuthInbound
          aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 8.8.4.4 255.255.255.255 AuthInbound
          aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 8.8.8.8 255.255.255.255 AuthInbound

     I hope that someone can recommend whether there is a better alternative to this type of configuration. Also, is there anything I have to add in order to maintain a more secure and efficient environment? Please school me.

Thank you,

Russell

2 Replies

andrew.prince
Level 10

Russell,

Firstly - there is a nice function called "Objects"; see the link below:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml

I would suggest that you create groups for the src/dst IP addresses and for the TCP/UDP ports - this will reduce your ACL.

Once you are happy with that - we will address future proofing the config/requirements!

HTH

rmanapat
Level 1

Sorry for the delay. I have modified my access-list to use object-groups. Please see the modified configuration; if anybody can recommend a more efficient and secure setup than my current configuration, I'll appreciate it. By the way, just so you know, I don't have a DMZ or any port being allowed from the outside interface to the inside. Here's the configuration I currently have:

     object-group network Lanes
      network-object 10.12.1.0 255.255.255.240
     object-group network CPAddress
      network-object host 208.xxx.152.1
      network-object host 208.xxx.152.2
      network-object host 208.xxx.152.3
      network-object host 208.xxx.152.4
      network-object host 208.xxx.152.5
      network-object host 208.xxx.152.6
      network-object host 208.xxx.152.7
      network-object host 208.xxx.152.8
      network-object host 208.xxx.152.9
      network-object host 208.xxx.152.10
      network-object 203.xxx.152.1 255.255.255.224
     object-group network DNS
      description DNS Servers Address
      network-object host 4.2.2.1
      network-object host 4.2.2.2
      network-object host 4.2.2.3
      network-object host 8.8.4.4
      network-object host 8.8.8.8
     object-group service CPPorts tcp
      port-object eq www
      port-object eq https
      port-object eq 6260
     object-group service DNSPorts tcp-udp
      description DNS Servers TCP-UDP Ports
      port-object eq domain

     access-list Firewall_Policy extended permit tcp object-group Lanes object-group CPAddress object-group CPPorts
     access-list Firewall_Policy extended permit tcp object-group Lanes object-group DNS object-group DNSPorts
     access-list Firewall_Policy extended permit udp object-group Lanes object-group DNS object-group DNSPorts
     access-list Firewall_Policy extended deny ip object-group Lanes any
     access-list Firewall_Policy extended permit ip any any
     access-group Firewall_Policy in interface inside

     aaa-server AuthInbound protocol radius
     aaa-server AuthInbound (inside) host 10.12.1.245 sharedsecret timeout 5

     aaa authentication include any inside 10.12.1.0 255.255.255.0 0 0 AuthInbound

     aaa-server svrgrp1 protocol radius
     max-failed-attempts 3

     aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.1 255.255.255.255 AuthInbound
     aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.1 255.255.255.255 AuthInbound
     aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.2 255.255.255.255 AuthInbound
     aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.2 255.255.255.255 AuthInbound
     aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.3 255.255.255.255 AuthInbound
     aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.3 255.255.255.255 AuthInbound
     aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.4 255.255.255.255 AuthInbound
     aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.4 255.255.255.255 AuthInbound
     aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.5 255.255.255.255 AuthInbound
     aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.5 255.255.255.255 AuthInbound
     aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.7 255.255.255.255 AuthInbound
     aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.8 255.255.255.255 AuthInbound
     aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.6 255.255.255.255 AuthInbound
     aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.6 255.255.255.255 AuthInbound
     aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.9 255.255.255.255 AuthInbound
     aaa authentication exclude tcp/6260 inside 10.12.1.0 255.255.255.0 208.xxx.152.4 255.255.255.255 AuthInbound
     aaa authentication exclude http inside 10.12.1.0 255.255.255.0 203.xxx.152.1 255.255.255.224 AuthInbound
     aaa authentication exclude https inside 10.12.1.0 255.255.255.0 203.xxx.152.1 255.255.255.224 AuthInbound

     aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 4.2.2.1 255.255.255.255 AuthInbound
     aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 4.2.2.2 255.255.255.255 AuthInbound
     aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 4.2.2.3 255.255.255.255 AuthInbound
     aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 8.8.4.4 255.255.255.255 AuthInbound
     aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 8.8.8.8 255.255.255.255 AuthInbound
    

Thank you again in advance and please school me.

Russell
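A way to check what the inside ACL from either of Russell's posts actually permits is to evaluate sample flows against it the way the ASA does: first match wins, and anything not matched is dropped. The script below is an added example and not code from the thread; it parses only the subset of ASA syntax used here (object-group network/service with network-object and port-object, extended ACEs with object-group, host, any and eq). The redacted addresses are replaced with constructed stand-ins: 203.0.113.0/24 for the 208.xxx.152.0 block and 198.51.100.0/27 for 203.xxx.152.0/27. It also shows the one thing the object-group rewrite changes: every port in CPPorts is now allowed to every host in CPAddress, so tcp/6260 and www reach hosts that the line-by-line list only permitted on https.

```python
"""Added example: first-match evaluator for the ASA object-group ACL in the thread."""
import ipaddress

# Constructed config mirroring the object-group version of Firewall_Policy.
# 203.0.113.x and 198.51.100.0/27 are stand-ins for the redacted public ranges.
CONFIG = """
object-group network Lanes
 network-object 10.12.1.0 255.255.255.240
object-group network CPAddress
 network-object host 203.0.113.1
 network-object host 203.0.113.4
 network-object 198.51.100.0 255.255.255.224
object-group network DNS
 network-object host 8.8.8.8
object-group service CPPorts tcp
 port-object eq www
 port-object eq https
 port-object eq 6260
object-group service DNSPorts tcp-udp
 port-object eq domain
access-list Firewall_Policy extended permit tcp object-group Lanes object-group CPAddress object-group CPPorts
access-list Firewall_Policy extended permit tcp object-group Lanes object-group DNS object-group DNSPorts
access-list Firewall_Policy extended permit udp object-group Lanes object-group DNS object-group DNSPorts
access-list Firewall_Policy extended deny ip object-group Lanes any
access-list Firewall_Policy extended permit ip any any
"""

PORT_NAMES = {"www": 80, "https": 443, "domain": 53}


def _port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _read_addr(tokens, i, net_groups):
    """Read one address term (any | host X | object-group G | X MASK)."""
    t = tokens[i]
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t == "host":
        return [ipaddress.ip_network(tokens[i + 1])], i + 2
    if t == "object-group":
        return net_groups[tokens[i + 1]], i + 2
    return [ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False)], i + 2


def parse_ace(line, net_groups, svc_groups):
    tokens = line.split()
    i = tokens.index("extended") + 1
    action, proto = tokens[i], tokens[i + 1]
    src, i = _read_addr(tokens, i + 2, net_groups)
    dst, i = _read_addr(tokens, i, net_groups)
    ports = None  # None means any destination port
    if i < len(tokens):
        if tokens[i] == "object-group":
            ports = svc_groups[tokens[i + 1]]
        elif tokens[i] == "eq":
            ports = [_port(tokens[i + 1])]
    return {"action": action, "proto": proto, "src": src, "dst": dst, "ports": ports}


def parse(config):
    """Return the ACEs in config order, with object-groups expanded."""
    net_groups, svc_groups, acl = {}, {}, []
    current = None
    for raw in config.strip().splitlines():
        line = raw.strip()
        if line.startswith("object-group network "):
            current = net_groups.setdefault(line.split()[2], [])
        elif line.startswith("object-group service "):
            current = svc_groups.setdefault(line.split()[2], [])
        elif line.startswith("network-object host "):
            current.append(ipaddress.ip_network(line.split()[2]))
        elif line.startswith("network-object "):
            _, addr, mask = line.split()
            current.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
        elif line.startswith("port-object eq "):
            current.append(_port(line.split()[2]))
        elif line.startswith("access-list "):
            acl.append(parse_ace(line, net_groups, svc_groups))
    return acl


def evaluate(acl, proto, src_ip, dst_ip, dst_port):
    """ASA semantics: first matching ACE decides; no match is an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if not any(src in n for n in ace["src"]):
            continue
        if not any(dst in n for n in ace["dst"]):
            continue
        if ace["ports"] is not None and dst_port not in ace["ports"]:
            continue
        return ace["action"]
    return "deny"


if __name__ == "__main__":
    acl = parse(CONFIG)
    flows = [("tcp", "10.12.1.5", "203.0.113.4", 6260),   # intended
             ("tcp", "10.12.1.5", "203.0.113.1", 6260),   # widened by the group
             ("tcp", "10.12.1.5", "1.1.1.1", 80),         # lane host to the open internet
             ("tcp", "10.12.1.16", "1.1.1.1", 80)]        # first host outside the /28
    for f in flows:
        print(f, "->", evaluate(acl, *f))
```

The fourth flow shows why the Lanes mask matters: 10.12.1.0/28 covers .1 through .14 (the 14 clients), and .16 onward falls through to the final permit, where only the AAA cut-through proxy stands between those hosts and the internet.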
