Community Member

ASA5520: block all traffic except for Windows update for 2 servers on the LAN

Hello

I have an ASA 5520 to protect my network.

LAN -----> asa5520 -----> internet

I want to allow only 2 servers on my LAN to access the Internet to update Windows and McAfee.

All other traffic from other PCs on the LAN to the outside must be blocked, and all traffic leaving the 2 servers to the outside (except for Windows and McAfee updates) must be blocked.

Server1 192.168.1.2/24

Server2 192.168.1.3/24

Inside 192.168.1.1/24

Outside 165.24.12.x/24

How do I do it, please?

Thank you for your help

8 REPLIES
Community Member

Re: ASA5520:block all traffic except for Windows update for 2 se

Hi,

WSUS servers use port 80 & HTTPS to sync with the Microsoft server to obtain the updates. If you open 80 & 443 in the firewall, these servers will be able to access the Internet through their browsers (which you do not want).

Visit this URL for more info

http://technet.microsoft.com/en-us/library/cc708605.aspx

Regards

Jithesh

Community Member

Re: ASA5520:block all traffic except for Windows update for 2 se

I want to know whether these commands below would allow the server 192.168.1.100 to get Windows updates. And what about McAfee?

THANKS

ASA5520(config)#ip access-list extended servUpd

permit TCP host 192.168.1.100 host http://windowsupdate.microsoft.com eq 80

permit TCP host 192.168.1.100 host http://*.windowsupdate.microsoft.com eq 80

permit TCP host 192.168.1.100 host https://*.windowsupdate.microsoft.com 443

permit TCP host 192.168.1.100 host http://*.update.microsoft.com eq 80

permit TCP host 192.168.1.100 host https://*.update.microsoft.com eq 443

permit TCP host 192.168.1.100 host http://*.windowsupdate.com eq 80

permit TCP host 192.168.1.100 host http://download.windowsupdate.com eq 80

permit TCP host 192.168.1.100 host http://download.microsoft.com eq 80

permit TCP host 192.168.1.100 host http://*.download.windowsupdate.com eq 80

permit TCP host 192.168.1.100 host http://wustat.windows.com eq 80

permit TCP host 192.168.1.100 host http://ntservicepack.microsoft.com eq 80

ASA5520(config)#access-group servUpd in interface inside

Community Member

Re: ASA5520:block all traffic except for Windows update for 2 se

Hi

I am very sorry. This format is not applicable in PIX/ASA.

Thanks

Jithesh

Community Member

Re: ASA5520:block all traffic except for Windows update for 2 se

Thanks for your answer

Please, how can I permit 2 servers to do Windows updates only on those websites?

Community Member

Re: ASA5520:block all traffic except for Windows update for 2 se

Thanks for your answer

Please, how can I permit my 2 servers to access only those websites for Windows updates?

Community Member

Re: ASA5520:block all traffic except for Windows update for 2 se

Hi,

You can do it in two ways:

A) (1) Open ports 80 & 443 for your WSUS server 192.168.1.2.

(2) Set up a url-server (Websense/N2H2) with your ASA.

(3) Direct the traffic from the WSUS server to the url-server for filtering.

(4) In the url-server, allow access only to those URLs.

B) (1) Set up a proxy inside your network.

(2) Open ports 80 & 443 in the ASA for the proxy.

(3) Configure the proxy in such a way that the WSUS server can only access those URLs.

Community Member

Re: ASA5520:block all traffic except for Windows update for 2 se

Thanks for your answer

Please have a look at this link: is it possible?

http://supportwiki.cisco.com/ViewWiki/index.php/ASA_URL_filtering

Community Member

Re: ASA5520:block all traffic except for Windows update for 2 se

Hi

Thank you very much for your info.

Could you please try the following configuration, as per the link provided above.

---------------------------------------

regex allowex1 ".*\.microsoft\.com"
regex allowex2 ".*\.windowsupdate\.com"
regex allowex3 ".*\.windows\.com"
regex allowex4 ".*\.mcafee\.com"
regex allowex5 "\.mcafee\.com"
!
! match-all with only "match not" lines: the class matches a request
! whose Host header matches none of the allowed patterns
class-map type inspect http match-all allow-url-class
 match not request header host regex allowex1
 match not request header host regex allowex2
 match not request header host regex allowex3
 match not request header host regex allowex4
 match not request header host regex allowex5
!
policy-map type inspect http allow-url-policy
 parameters
 class allow-url-class
  drop-connection log
!
policy-map global_policy
 class inspection_default
  inspect http allow-url-policy
!
service-policy global_policy global

---------------------------------------

If it is not working, we can try another way. Please update.

Regards

Jithesh
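The following Python script is an added illustration, not part of the thread and not Cisco code: it simulates how the posted MPF configuration classifies a request so the match-all / match-not logic is easy to check against concrete Host headers. It assumes two things the thread only implies: an interface ACL that permits tcp/80 and tcp/443 from the two servers (192.168.1.2 and 192.168.1.3) and denies everything else, and that "inspect http" only sees plaintext HTTP on port 80, so a TLS session on 443 has no readable Host header and is never classified by allow-url-policy. The sample flows are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed interface ACL (not in the posted config): the two servers from the
# question, restricted to the ports Jithesh's reply says to open.
ALLOWED_SOURCES = {"192.168.1.2", "192.168.1.3"}
ALLOWED_PORTS = {80, 443}

# The five "regex allowexN" patterns from the posted configuration, kept
# unanchored, as the ASA evaluates them against the HTTP Host header.
ALLOW_HOST_REGEXES = [
    re.compile(r".*\.microsoft\.com"),
    re.compile(r".*\.windowsupdate\.com"),
    re.compile(r".*\.windows\.com"),
    re.compile(r".*\.mcafee\.com"),
    re.compile(r"\.mcafee\.com"),
]


@dataclass
class Flow:
    src: str
    dst_port: int
    host_header: Optional[str]  # None for TLS: the Host header is encrypted


def acl_permits(flow: Flow) -> bool:
    """Stage 1 (assumed): interface ACL allowing only the two servers on 80/443."""
    return flow.src in ALLOWED_SOURCES and flow.dst_port in ALLOWED_PORTS


def class_map_matches(host_header: str) -> bool:
    """Stage 2: 'class-map type inspect http match-all allow-url-class'.

    Every line is 'match not ... regex allowexN' and match-all requires all
    lines to be true, so the class matches only when NO allow regex matches.
    """
    return all(rx.search(host_header) is None for rx in ALLOW_HOST_REGEXES)


def decide(flow: Flow) -> str:
    """Walk a flow through the ACL and then the HTTP inspection policy."""
    if not acl_permits(flow):
        return "deny (interface ACL)"
    if flow.dst_port != 80:
        # inspect http is applied to plaintext HTTP; a TLS session on 443 carries
        # no readable Host header, so allow-url-policy never classifies it.
        return "permit (not inspected)"
    if flow.host_header is None:
        return "permit (no Host header to classify)"
    if class_map_matches(flow.host_header):
        return "drop-connection log (allow-url-policy)"
    return "permit"


def run_samples() -> List[Tuple[str, str]]:
    """Constructed sample flows covering each branch of the policy."""
    samples = [
        ("WSUS server to download.windowsupdate.com over HTTP",
         Flow("192.168.1.2", 80, "download.windowsupdate.com")),
        ("WSUS server browsing an unrelated site over HTTP",
         Flow("192.168.1.3", 80, "www.example.com")),
        ("other LAN PC to the same update host",
         Flow("192.168.1.50", 80, "download.windowsupdate.com")),
        ("WSUS server over HTTPS (Host header not visible)",
         Flow("192.168.1.2", 443, None)),
        ("WSUS server sending SMTP",
         Flow("192.168.1.2", 25, None)),
    ]
    return [(label, decide(flow)) for label, flow in samples]


if __name__ == "__main__":
    for label, verdict in run_samples():
        print(f"{label}: {verdict}")
```

Two things the simulation makes visible: the posted patterns are unanchored and the class-map uses search semantics, so any host name containing one of the allowed suffixes is accepted, and the helper mirrors that rather than tightening it; and the HTTPS flows that the ACL opens for the servers are never filtered by this policy, which is the gap the earlier replies' url-server or proxy options are meant to close.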
