Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
258
Views
0
Helpful
4
Replies

Need Help to create access-list based on traffic logs

sindbandgi
Level 1
Level 1

‎07-17-2014 05:09 AM - edited ‎03-11-2019 09:29 PM

Hello,

We didn't have any Firewall in our network, we recently implemented  Cisco ASA (Context) firewall in our network with any  any permit rule .

 

Our intension is to collect the source, destination, protocol & ports based on the traffic logs and then implement the access-lists , once we confirmed all the rule will added to the firewall we want remove any any permit rule .

 

I need some suggestion regarding this how we can proceed on this plan, any suggestions appreciated

Rajkumar

Labels:
0 Helpful
4 Replies 4

nkarthikeyan
Level 7
Level 7

‎07-17-2014 10:55 AM

Hi Sind,

It is not a fair idea to create filters based on the logs in firewall. If so then you will be allowing unwanted traffic as well. So you need to identify the service by service from the business requirement. add the specific rule on top of permit ip any any and add the required rule on top of that... then monitor the hits for each access you have identified and provided.... then at last stage you can remove the permit ip any any from FW ACL.

 

Regards

Karthik

0 Helpful

sindbandgi
Level 1
Level 1
In response to nkarthikeyan

‎08-01-2014 10:33 PM

 

 

Thank you, I agree it is not fare idea however doyou have any specific steps to follow the identify the services as business users were not in position to provide any inforamation about the Services.

 

I need to find this out from the Firewall traffi rules only.

 

Any suggestions appreciated.

 

Regards

Rajkumar

 

0 Helpful

nkarthikeyan
Level 7
Level 7
In response to sindbandgi

‎08-01-2014 10:44 PM

Hi Rajkumar,

 

That is not the ideal way of doing... this will lead to a provisioning an unauthorized person to access for something he is not authorized to.

 

How many users do you have in your network? Try to categorize users based on their present authorization level of access.... say Team A users need to access everything... then you need to group them and provide full access..... Team B users need to be provided with only restricted access.... then group them and provide restricted access....

 

If your case is something like this.... all users need unrestricted intranet access and certain users alone requires internet acceess... then you can define rules accordingly....

 

Regards

Karthik

 

Regards

Karthik

0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to nkarthikeyan

‎08-01-2014 10:51 PM

I agree with Karthik. Creating rules based on logs and existing connections is not ideal. However, if you want to monitor what is passing through, you can log your ACL entries and use "Show conn" command to see what is already established. 
Thank you for rating helpful posts! 
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card