We have an ASA5520 which connects our offices to a larger corporate WAN which we deem as hostile. We've always allowed traffic to flow off our network and onto the corporate network without any controls, however, following a recent virus outbreak (which flooded the corporate network with ICMP!) we've been told by our corporate IT Team that we must now restrict outbound traffic.
This is fair enough and, to be honest, it's something we should have done a long time ago. Because we control inbound traffic via ACLs we know what traffic is allowed in; however, as we've never controlled outbound traffic before, I'd like to get an idea of what traffic is heading onto the corporate WAN before I remove the outbound "permit any any" and replace it with more specific ACLs.
My initial plan was to place a probe on the outside of the firewall for around a month to monitor outbound traffic so we can use this info to come up with an appropriate set of rules. I guess this will also highlight any illegitimate traffic which we can block.
I then wondered if the ASA has any ASDM tools or CLI options that could help with this?
I'd be interested to hear from anyone who's done something similar or knows of any tools (particularly free/shareware) that could help.
There are two features you can use on ASA 8.2.X code.
1. Threat detection
Also, by enabling access-list logging you will get some idea about traffic flow. In my opinion you can create deny rules on top of the access-list "permit any any" rule. Start with blocking ports like UDP 137, 138, 139 and TCP 445, 139 etc., which will definitely help to reduce the worms spreading, and also restrict ICMP message types.
Starting with 8.X code, threat detection is a good feature to analyse network traffic.
The NetFlow feature is available with 8.2.1 code; you can use a free NetFlow analyser from SolarWinds or Cisco (evaluation versions) to analyse traffic.
Though threat detection statistics may help you get a hang of network resource usage on the ASA, it is really a very basic tool for monitoring purposes. Moreover, it will consume 15-20% CPU on the box. According to my experience with Cisco, when most of the ASAs are running at high CPU it is always good to turn OFF the threat-detection stats, as they are not of much use.
In my opinion, NetFlow Secure Event Logging (NSEL, in 8.2+) is a better option for your scenario. Please refer to the link below:
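As an added example (not from either reply above, and not Cisco's own documentation), here is an ASA 8.2 configuration that puts both suggestions together for the audit period: deny-and-log rules for the NetBIOS/SMB ports placed above a logged catch-all permit, a restricted set of outbound ICMP types, the optional threat-detection statistics that the second reply warns cost CPU, and NSEL export to a collector. The interface names "inside" (LAN) and "outside" (corporate WAN), the ACL name OUTBOUND, and the collector address 10.1.1.50 on UDP 2055 are assumptions; change them to match the firewall.

```cisco
! Added example (not from the original thread). Assumes interfaces named
! "inside" and "outside", an ACL called OUTBOUND, and a syslog/NetFlow
! collector at 10.1.1.50 (UDP 2055 for NetFlow).

! --- 1. Outbound ACL: explicit denies for worm-propagation ports first ---
! Each deny carries "log" so blocked attempts show up as syslog 106100.
access-list OUTBOUND extended deny tcp any any eq 445 log
access-list OUTBOUND extended deny tcp any any eq 139 log
access-list OUTBOUND extended deny udp any any range 137 139 log
! Permit only the ICMP types a LAN host legitimately sends out; log the rest.
access-list OUTBOUND extended permit icmp any any echo
access-list OUTBOUND extended permit icmp any any unreachable
access-list OUTBOUND extended permit icmp any any time-exceeded
access-list OUTBOUND extended deny icmp any any log
! The catch-all stays for now, but with "log" so every new outbound flow
! is recorded; this is the line to replace once the audit is done.
access-list OUTBOUND extended permit ip any any log
access-group OUTBOUND in interface inside

! --- 2. Send the ACL logs to a host that can keep a month of them ---
logging enable
logging timestamp
logging trap informational
logging host inside 10.1.1.50

! --- 3. Threat detection ---
! Basic threat detection is on by default in 8.x; the statistics below are
! the optional, CPU-costly ones. Enable only the two needed for this audit
! and remove them afterwards ("no threat-detection statistics access-list").
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics port

! --- 4. NSEL (8.2+): per-flow records to the collector ---
flow-export destination inside 10.1.1.50 2055
flow-export template timeout-rate 30
policy-map global_policy
 class class-default
  flow-export event-type all destination 10.1.1.50
! NSEL and syslog would otherwise record each connection twice; suppress
! the redundant connection syslogs while NSEL is in use.
logging flow-export-syslogs disable
```

After a few weeks, `show access-list OUTBOUND` gives a hit count per ACE, `show threat-detection statistics top access-list` and `show threat-detection statistics top port` rank the rules and ports carrying the most traffic, and the collector's NSEL records give per-flow source, destination and port detail; those three views are what to build the specific ACLs from before the logged catch-all permit is removed. Note that the `log` keyword on the final permit generates message 106100 on the first hit of each flow and then a rate-limited summary (every 300 seconds by default), so size the syslog destination for a busy network, and check `show cpu usage` after enabling the threat-detection statistics so they can be turned off if the box cannot spare the cycles.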