
AAA for Outbound TCP/UDP Traffic

rmanapat
Level 1

Hi, I am trying to configure my ASA to require authentication for all outbound traffic except to some selected networks. I have come up with a configuration (below), and for some reason every time I apply it, everybody is required to authenticate, even the exclusions that I've created.

Can someone in this group shed some light as to what I'm missing from my configuration? Any help would be very much appreciated.

Thanks,

Russell

!-- Start Config

object-group network FirstData
description First Data Network Address
network-object host 204.xxx.xxx.xxx
network-object host 66.xxx.xxx.xxx
network-object host 206.xxx.xxx.xxx
network-object host 64.xxx.xxx.xxx
network-object host 129.xxx.xxx.xxx
network-object host 216.xxx.xxx.xxx

object-group service FirstDataPorts tcp
description FirstData TCP Ports
port-object eq 80
port-object eq 443

object-group network RBS
description RBS Network Address
network-object host 72.xxx.xxx.xxx
network-object host 199.xxx.xxx.xxx
network-object host 199.xxx.xxx.xxx
network-object host 208.xxx.xxx.xxx
network-object host 199.xxx.xxx.xxx
network-object host 111.xxx.xxx.xxx

object-group service RBSPorts tcp
description RBS TCP Ports
port-object eq 80
port-object eq 443

object-group network FTPAddress
description Vendor FTP Address
network-object host 170.xxx.xxx.xxx
network-object host 198.xxx.xxx.xxx
network-object host 69.xxx.xxx.xxx
network-object host 63.xxx.xxx.xxx
network-object host 66.xxx.xxx.xxx
network-object host 4.xxx.xxx.xxx
network-object host 192.xxx.xxx.xxx
network-object host 65.xxx.xxx.xxx
network-object host 66.xxx.xxx.xxx
network-object host 12.xxx.xxx.xxx
network-object host 69.xxx.xxx.xxx

object-group service FTPPorts tcp
description FTP TCP Ports
port-object eq 21

object-group network TM
description TM Update Network Address
network-object 8.xxx.xxx.xxx 255.255.0.0
network-object 96.xxx.xxx.xxx 255.255.0.0
network-object 96.xxx.xxx.xxx 255.255.0.0
network-object 96.xxx.xxx.xxx 255.255.0.0
network-object 72.xxx.xxx.xxx 255.255.0.0
network-object 72.xxx.xxx.xxx 255.255.0.0
network-object 66.xxx.xxx.xxx 255.255.255.0
network-object 216.xxx.xxx.xxx 255.255.255.0
network-object 150.xxx.xxx.xxx 255.255.255.255
network-object 216.xxx.xxx.xxx 255.255.240.0
network-object 69.xxx.xxx.xxx 255.255.0.0
network-object 173.xxx.xxx.xxx 255.255.0.0
network-object 96.xxx.xxx.xxx 255.254.0.0

object-group service TMPorts tcp
description TM TCP Ports
port-object eq 80
port-object eq 443

object-group network WindowsUpdate
description Windows Update Network Address
network-object 65.54.225.0 255.255.255.0
network-object 208.172.0.0 255.255.0.0
network-object 207.68.179.0 255.255.255.0
network-object 207.46.0.0 255.255.0.0
network-object 204.160.126.0 255.255.255.0
network-object 67.72.0.0 255.255.0.0
network-object 65.59.0.0 255.255.0.0
network-object 65.55.0.0 255.255.0.0
network-object 64.158.0.0 255.255.0.0
network-object 64.4.0.0 255.255.0.0
network-object 8.12.135.0 255.255.255.0
network-object 65.52.0.0 255.255.0.0
network-object 65.54.0.0 255.255.0.0

object-group service WindowsUpdatePorts tcp
description Windows Update TCP Ports
port-object eq 80
port-object eq 443

object-group network LogMeIn
description LogMeIn Network Address
network-object 74.201.74.0 255.255.255.0
network-object 74.201.75.0 255.255.255.0
network-object 216.52.233.0 255.255.255.0
network-object 69.25.20.0 255.255.255.0
network-object 69.25.21.0 255.255.255.0
network-object 64.94.18.0 255.255.255.0
network-object 77.242.192.0 255.255.255.0
network-object 77.242.193.0 255.255.255.0

object-group service LMIPorts tcp
description LogMeIn TCP Ports
port-object eq 80
port-object eq 443
port-object eq 12975
port-object eq 32976

object-group network Miscellaneous
description Miscellaneous Network Address
network-object 66.xxx.xxx.xxx 255.255.255.255
network-object 97.xxx.xxx.xxx 255.255.255.255
network-object 208.xxx.xxx.xxx 255.255.255.255
network-object 66.xxx.xxx.xxx 255.255.255.255
network-object 111.xxx.xxx.xxx 255.255.255.255
network-object 140.xxx.xxx.xxx 255.255.255.255
network-object 158.xxx.xxx.xxx 255.255.0.0
network-object 199.xxx.xxx.xxx 255.255.240.0
network-object 64.xxx.xxx.xxx 255.255.248.0
network-object 64.xxx.xxx.xxx 255.255.248.0
network-object 216.xxx.xxx.xxx 255.255.0.0
network-object 69.xxx.xxx.xxx 255.255.255.255

object-group service MiscPorts tcp
description Miscellaneous Site TCP Ports
port-object eq 80
port-object eq 443

object-group network Lanes
description Lanes
network-object 172.17.1.0 255.255.255.240

object-group network CPAddress
description CP Network Address
network-object host 4.xxx.xxx.xxx
network-object host 4.xxx.xxx.xxx
network-object host 4.xxx.xxx.xxx
network-object host 4.xxx.xxx.xxx
network-object host 4.xxx.xxx.xxx
network-object host 4.xxx.xxx.xxx
network-object host 4.xxx.xxx.xxx
network-object host 208.xxx.xxx.xxx
network-object host 208.xxx.xxx.xxx
network-object host 208.xxx.xxx.xxx
network-object host 91.xxx.xxx.xxx
network-object host 208.xxx.xxx.xxx
network-object host 208.xxx.xxx.xxx
network-object host 91.xxx.xxx.xxx
network-object 208.xxx.xxx.xxx 255.255.255.224

object-group network DNS
description DNS Servers Address
network-object host 4.2.2.1
network-object host 4.2.2.2
network-object host 4.2.2.3
network-object host 8.8.4.4
network-object host 8.8.8.8

object-group service CPPorts tcp
description CP TCP Ports
port-object eq www
port-object eq https
port-object eq 6260

object-group service DNSPorts tcp-udp
description DNS Servers TCP-UPD Ports
port-object eq domain

object-group network InternalPOS
description Internal POS Network Scheme
network-object 172.17.1.0 255.255.255.0

access-list AAA_Policy extended permit tcp object-group InternalPOS object-group CPAddress object-group CPPorts
access-list AAA_Policy extended permit tcp object-group InternalPOS object-group FirstData object-group FirstDataPorts
access-list AAA_Policy extended permit tcp object-group InternalPOS object-group RBS object-group RBSPorts
access-list AAA_Policy extended permit tcp object-group InternalPOS object-group FTPAddress object-group FTPPorts
access-list AAA_Policy extended permit tcp object-group InternalPOS object-group TM object-group TMPorts
access-list AAA_Policy extended permit tcp object-group InternalPOS object-group WindowsUpdate object-group WindowsUpdatePorts
access-list AAA_Policy extended permit tcp object-group InternalPOS object-group LogMeIn object-group LMIPorts
access-list AAA_Policy extended permit tcp object-group InternalPOS object-group DNS object-group DNSPorts
access-list AAA_Policy extended permit udp object-group InternalPOS object-group DNS object-group DNSPorts
access-list AAA_Policy extended permit tcp object-group InternalPOS object-group Miscellaneous object-group MiscPorts
access-list AAA_Policy extended deny tcp object-group InternalPOS any

aaa authentication match AAA_Policy inside Authinbound

!-- End Config

3 Replies

Panos Kampanakis
Cisco Employee

Please put the line "access-list AAA_Policy extended deny tcp object-group InternalPOS any" on line 1. If the excluded traffic matches the deny, these hosts should not be authenticated.

Also note the "aaa authentication exclude" option.

I hope this helps.

PK

Thanks for your reply. Can you have aaa authentication match and aaa authentication exclude in the same configuration? What I was trying to do is use the access-list for the exclusion instead of assigning a gazillion lines of excludes. Thanks for your input again.

Russell

What you are trying to do is right. Please make sure the deny is on top and see if it helps.

PK
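
A small model of how the ACL behind "aaa authentication match" is evaluated on the ASA, added here as an example and not part of the thread: a permit ACE selects matching traffic for authentication, a deny ACE exempts it, and the first matching ACE wins. It uses only the unredacted InternalPOS, DNS and LogMeIn groups from the post; the sample flows, the EXEMPT_FIRST ordering and all function names are constructed for illustration.

```python
import ipaddress
# Unredacted object groups copied from the post; "any" is added for the catch-all ACE.
GROUPS = {
    "InternalPOS": ["172.17.1.0/24"],
    "DNS": ["4.2.2.1/32", "4.2.2.2/32", "4.2.2.3/32", "8.8.4.4/32", "8.8.8.8/32"],
    "LogMeIn": ["74.201.74.0/24", "74.201.75.0/24", "216.52.233.0/24"],
    "any": ["0.0.0.0/0"],
}
PORTS = {"DNSPorts": {53}, "LMIPorts": {80, 443, 12975, 32976}, "any": None}
# ACEs as (action, protocol, source group, destination group, port group).
AS_POSTED = [
    ("permit", "tcp", "InternalPOS", "LogMeIn", "LMIPorts"),
    ("permit", "tcp", "InternalPOS", "DNS", "DNSPorts"),
    ("permit", "udp", "InternalPOS", "DNS", "DNSPorts"),
    ("deny", "tcp", "InternalPOS", "any", "any"),
]
# Constructed alternative: exemptions as deny ACEs, then a permit for the rest.
EXEMPT_FIRST = [
    ("deny", "tcp", "InternalPOS", "LogMeIn", "LMIPorts"),
    ("deny", "tcp", "InternalPOS", "DNS", "DNSPorts"),
    ("deny", "udp", "InternalPOS", "DNS", "DNSPorts"),
    ("permit", "tcp", "InternalPOS", "any", "any"),
]
# Constructed sample flows: (protocol, source, destination, destination port).
FLOWS = [
    ("tcp", "172.17.1.20", "74.201.74.10", 443),   # LogMeIn
    ("udp", "172.17.1.20", "8.8.8.8", 53),         # DNS
    ("tcp", "172.17.1.20", "203.0.113.10", 80),    # any other site
]

def in_group(ip, group):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in GROUPS[group])

def aaa_decision(acl, proto, src, dst, dport):
    """First matching ACE decides; unmatched traffic is not selected for AAA."""
    for action, ace_proto, src_grp, dst_grp, port_grp in acl:
        ports = PORTS[port_grp]
        if (ace_proto == proto and in_group(src, src_grp) and in_group(dst, dst_grp)
                and (ports is None or dport in ports)):
            return "authenticate" if action == "permit" else "exempt"
    return "exempt"

def evaluate(acl):
    return [aaa_decision(acl, *flow) for flow in FLOWS]

if __name__ == "__main__":
    for name, acl in (("AS_POSTED", AS_POSTED), ("EXEMPT_FIRST", EXEMPT_FIRST)):
        print(name, evaluate(acl))
```

On the device, "show access-list AAA_Policy" displays per-ACE hit counts, which can be compared against the decisions this model predicts for a given flow.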