Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Need Help to create access-list based on traffic logs

Hello,

We didn't have any Firewall in our network, we recently implemented  Cisco ASA (Context) firewall in our network with any  any permit rule .

 

Our intension is to collect the source, destination, protocol & ports based on the traffic logs and then implement the access-lists , once we confirmed all the rule will added to the firewall we want remove any any permit rule .

 

I need some suggestion regarding this how we can proceed on this plan, any suggestions appreciated

Rajkumar

  • Firewalling
4 REPLIES

Hi Sind,It is not a fair idea

Hi Sind,

It is not a fair idea to create filters based on the logs in firewall. If so then you will be allowing unwanted traffic as well. So you need to identify the service by service from the business requirement. add the specific rule on top of permit ip any any and add the required rule on top of that... then monitor the hits for each access you have identified and provided.... then at last stage you can remove the permit ip any any from FW ACL.

 

Regards

Karthik

New Member

  Thank you, I agree it is

 

 

Thank you, I agree it is not fare idea however doyou have any specific steps to follow the identify the services as business users were not in position to provide any inforamation about the Services.

 

I need to find this out from the Firewall traffi rules only.

 

Any suggestions appreciated.

 

Regards

Rajkumar

 

Hi Rajkumar, That is not the

Hi Rajkumar,

 

That is not the ideal way of doing... this will lead to a provisioning an unauthorized person to access for something he is not authorized to.

 

How many users do you have in your network? Try to categorize users based on their present authorization level of access.... say Team A users need to access everything... then you need to group them and provide full access..... Team B users need to be provided with only restricted access.... then group them and provide restricted access....

 

If your case is something like this.... all users need unrestricted intranet access and certain users alone requires internet acceess... then you can define rules accordingly....

 

Regards

Karthik

 

Regards

Karthik

Cisco Employee

I agree with Karthik.

I agree with Karthik. Creating rules based on logs and existing connections is not ideal. However, if you want to monitor what is passing through, you can log your ACL entries and use "Show conn" command to see what is already established. 
Thank you for rating helpful posts! 
38
Views
0
Helpful
4
Replies
This widget could not be displayed.