We have our ASA 5540 in our hosting site and it has just been made the default gateway from our network out to the internet.
Inside hosts translate to the Outside cards Public IP address as you would expect when you route out.
Yet my problem is all inside hosts can route out to the Internet and have full rights to all services such as HTTP, HTTPS and FTP etc etc.
I can't see any rules allowing this and there are only rules for the Proxy Server and certain servers etc.
Our NAT rule covering this is:
object network obj-10.0.0.0
nat (Private,DMZ) static 10.0.0.0
object network obj_any
nat (Private,Public) dynamic interface
object network obj_any-01
nat (DMZ,Public) dynamic interface
I have tried to create deny rules, but hosts can still route out fully. Can someone point me in the right direction on what I can do to block these hosts fully unless they are specifically granted access?
Thanks in advance,
Hi Mark. You have no access-list on the Private interface in the inbound direction. All the traffic from Private towards Public is allowed, as expected.
You should change this:
access-group Private_access_out out interface Private
access-group Private_access_out in interface Private
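An added example of what the inbound policy on Private could look like, not config from either post: an "out" binding on Private only filters traffic the ASA delivers toward inside hosts, so deny entries there never touch inside-to-Internet flows, while an "in" binding evaluates packets as they enter the ASA from the inside hosts. The interface names Private/Public and the 10.0.0.0 range come from the thread; the proxy address 10.0.0.10 and the DMZ subnet placeholders are constructed assumptions.

```cisco
! Added example (not from either post). Assumptions: proxy host 10.0.0.10,
! DMZ-SUBNET/DMZ-MASK placeholders for the DMZ range behind the static NAT.
object network Proxy-Server
 host 10.0.0.10
!
object-group service Proxy-Egress
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination eq ftp
!
! Explicitly granted hosts first: only the proxy may reach the Internet,
! and only on the listed services.
access-list Private_access_in extended permit object-group Proxy-Egress object Proxy-Server any
!
! Keep inside-to-DMZ reachability that the static NAT (Private,DMZ) relies on.
access-list Private_access_in extended permit ip 10.0.0.0 255.0.0.0 DMZ-SUBNET DMZ-MASK
!
! Everything else leaving the inside is dropped. An inbound ACL removes the
! implicit permit for higher-to-lower security traffic, so this is already
! the behaviour of the implicit deny; the explicit entry adds hit counts and
! syslog records for the blocked hosts.
access-list Private_access_in extended deny ip any any log
!
! Bind in the INBOUND direction on Private, the direction the original
! "out" binding did not cover.
access-group Private_access_in in interface Private
!
! Verification after applying:
!   show access-list Private_access_in          (hit counts per entry)
!   packet-tracer input Private tcp 10.0.0.50 12345 198.51.100.1 80
!   (expect DROP for a non-proxy host, ALLOW for 10.0.0.10)
```

Once this is in place the old Private_access_out binding can be removed or kept for the Internet-to-inside direction as intended.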