Need Help to create access-list based on traffic logs
We didn't have any firewall in our network; we recently implemented a Cisco ASA (context) firewall in our network with an any-any permit rule.
Our intention is to collect the source, destination, protocol and ports from the traffic logs and then implement the access-lists. Once we have confirmed that all the rules have been added to the firewall, we want to remove the any-any permit rule.
I need some suggestions on how we can proceed with this plan; any suggestions are appreciated.
It is not a fair idea to create filters based on the logs in the firewall. If you do, you will be allowing unwanted traffic as well. So you need to identify the services one by one from the business requirements. Add the specific rules on top of permit ip any any, then monitor the hits for each access you have identified and provided. At the last stage you can remove the permit ip any any from the FW ACL.
That is not the ideal way of doing it; this will lead to provisioning an unauthorized person with access to something he is not authorized for.
How many users do you have in your network? Try to categorize users based on their present authorization level of access. Say Team A users need to access everything; then you need to group them and provide full access. Team B users need to be provided with only restricted access; then group them and provide restricted access.
If your case is something like this: all users need unrestricted intranet access and only certain users require internet access. Then you can define rules accordingly.
I agree with Karthik. Creating rules based on logs and existing connections is not ideal. However, if you want to monitor what is passing through, you can log your ACL entries and use the "show conn" command to see what is already established. Thank you for rating helpful posts!
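The staged approach described in the replies above (business-derived rules inserted above the existing permit ip any any, logged, hit counts watched, and the catch-all removed only once it no longer carries traffic), as an added ASA configuration example that is not from the original thread. The ACL name, object-group names and addresses are constructed assumptions.

```cisco
! Starting point (constructed): the unrestricted catch-all the firewall was deployed with
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside

! Step 1: model the business-required services as objects (names and addresses are assumptions)
object-group network TEAM_A_HOSTS
 network-object 10.10.1.0 255.255.255.0
object-group network INTRANET_SERVERS
 network-object 10.20.0.0 255.255.0.0
object-group service INTRANET_PORTS tcp
 port-object eq 443
 port-object eq 445

! Step 2: insert specific, logged ACEs above the catch-all.
! "line N" places each entry before the permit ip any any; "log" emits syslog 106100 per flow
access-list INSIDE_IN line 1 extended permit tcp object-group TEAM_A_HOSTS object-group INTRANET_SERVERS object-group INTRANET_PORTS log
access-list INSIDE_IN line 2 extended permit udp 10.10.0.0 255.255.0.0 host 10.20.0.53 eq 53 log
access-list INSIDE_IN line 3 extended permit tcp 10.10.0.0 255.255.0.0 any eq 80 log
access-list INSIDE_IN line 4 extended permit tcp 10.10.0.0 255.255.0.0 any eq 443 log

! Step 3: monitor. Per-ACE hit counts show which specific rules carry traffic;
! a rising hitcnt on the last entry (the catch-all) is traffic the business rules do not yet cover.
show access-list INSIDE_IN
! Established flows, to cross-check against the rules written so far
show conn

! Step 4: only when the catch-all's hitcnt stays at zero over the monitoring period, remove it.
! Without it, traffic matching no ACE falls through to the implicit deny.
no access-list INSIDE_IN extended permit ip any any
```

Review the catch-all's hit count over a full business cycle (month-end and batch jobs included) before the final step, since low-frequency flows will not show up in a short monitoring window.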