09-27-2008 09:46 PM - edited 03-11-2019 06:50 AM
Hi, we have multiple ASA 5505s which are installed at multiple sites and all are connected via STS tunnels. To enhance security, I have a few queries below and need your review:
1) In the current scenario all default zones (Inside and DMZ) are in the same VLAN and we have allowed the IP protocol across the STS tunnels, which means we can access any remote IP from any machine.
Now I am going to make a different VLAN for our department (NOC) and want all machines to be accessible only from this VLAN, and from the Inside zone only ports 80 and 443 to be allowed to the remote networks. The network scenario will be like this:
1) VLAN 100 (NOC) -- access everything
2) Inside VLAN -- access ports 443 and 80 on the remote sites which are connected via STS.
3) NOC has full access to the Internet, but Inside zone users have access only to ICQ and Skype and all other web traffic is to be blocked (Note: the remote machines (tunnel sites) should be open on ports 80 and 443 from the Inside zone). Kindly suggest one more thing: if I need to allow any inside machine to access the Internet, what kind of settings are required for this? (I would allow the Internet via IP and authentication.)
Thanks!! Please advise.
09-28-2008 05:34 AM
From my understanding of your requirements:
You need first to disable any routing between the VLANs if you have this before the traffic reaches the firewall,
i.e. if you have a router or L3 switch doing the inter-VLAN routing between VLANs you need to disable this, I mean between the NOC and inside.
Put each of those VLANs on a different interface or subinterface on the ASA.
Now in your VPN setup you need to redesign the interesting-traffic ACL, which is the ACL that you refer to in your crypto map for the STS.
Make a permit from the source of the NOC VLAN to the remote site network for any IP traffic,
and make a permit for traffic sourced from inside to the remote site that is port 80/443.
Now only this traffic will bring up the VPN tunnel.
For more security you can make ACLs on the outside interface as well.
For Internet users to be authenticated for their outbound Internet access you can use cut-through proxy; have a look at the following link:
Good luck.
If helpful, rate.
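The VLAN separation and the narrowed crypto ACL from the answer above, as an added configuration example that is not from the thread or from Cisco. Interface names, addresses, the peer IP and the transform-set name are assumed, and the syntax is the pre-8.3 form an ASA 5505 of that period runs; the ISAKMP policy, transform set and tunnel-group for the existing tunnel are assumed to be in place already.

```cisco
! Added example, not part of the thread. Assumed: inside LAN 10.1.1.0/24 on
! VLAN 1, NOC on VLAN 100 (10.1.100.0/24), remote site LAN 10.2.0.0/24 behind
! peer 203.0.113.2, transform set ESP-AES-SHA already defined.
!
! 1) Give the NOC its own ASA interface so the firewall, not an L3 switch,
!    sits between NOC and inside. Same-security traffic is not permitted by
!    default, so the two interfaces get different levels: NOC (100) may start
!    sessions to inside (90), inside cannot start sessions to NOC.
interface Vlan1
 nameif inside
 security-level 90
 ip address 10.1.1.1 255.255.255.0
interface Vlan100
 nameif noc
 security-level 100
 ip address 10.1.100.1 255.255.255.0
interface Ethernet0/3
 switchport access vlan 100
 no shutdown
!
! 2) Interesting-traffic ACL for the crypto map: NOC to remote site for any
!    IP protocol, inside to remote site for TCP 80/443 only. The crypto ACL
!    on the peer must be the mirror image of this one or phase 2 fails.
access-list l2l-remote extended permit ip 10.1.100.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list l2l-remote extended permit tcp 10.1.1.0 255.255.255.0 10.2.0.0 255.255.255.0 eq www
access-list l2l-remote extended permit tcp 10.1.1.0 255.255.255.0 10.2.0.0 255.255.255.0 eq https
crypto map outside_map 10 match address l2l-remote
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
!
! Keep tunnel traffic out of NAT on both internal interfaces.
access-list nonat extended permit ip 10.1.100.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (noc) 0 access-list nonat
!
! 3) The crypto ACL only selects what gets encrypted; it is not a filter.
!    Decrypted traffic arriving from the remote site bypasses the outside ACL
!    while "sysopt connection permit-vpn" (the default) is on, so turn it off
!    before relying on an outside ACL. Assumed policy: the remote site may
!    open sessions only to the NOC; replies to inside-initiated web sessions
!    are allowed by the stateful inspection regardless.
no sysopt connection permit-vpn
access-list outside_in extended permit ip 10.2.0.0 255.255.255.0 10.1.100.0 255.255.255.0
access-group outside_in in interface outside
```

Two checks before applying this: the ASA 5505 base license allows three named VLAN interfaces, with the third restricted by `no forward interface`, so adding a NOC VLAN next to inside, outside and the DMZ mentioned in the question needs the Security Plus license; and once `no sysopt connection permit-vpn` is set, every tunnel terminating on the outside interface is subject to the outside ACL, so the other sites' traffic has to be permitted there too.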
09-28-2008 05:48 AM
Hi, thanks for your reply.
First I would like to know which software is used while configuring the user settings for allowing or denying Internet usage in the above link, and do I need to have any license to use that software?
Well, I would like to know another thing: I want to give access to Skype and ICQ messenger to all users, except for Internet browsing. And is it possible that I could permit a few IPs to access the Internet by making an access-list or MPF? Please advise, as the rest of the settings I can do. Thanks
09-29-2008 12:15 AM
Please advise!!
09-29-2008 12:51 AM
OK,
in the above link the authentication was through an external database on Cisco ACS, which has to be bought from Cisco, but if you have a small number of usernames you can use the local database on the ASA; instead of putting the AAA server group, use the LOCAL keyword
and create manual usernames and passwords,
like
username [username] password [password]
and this way you can use cut-through authentication against local usernames.
Even in this case you can make Internet access based on usernames instead of IPs with an ACL.
You can permit Internet access for specific users based on their IPs by using an ACL on the inside interface in the inbound direction, allowing http/https for those IPs and denying others.
For messenger it is quite complicated; if you only want to deny messenger use, it is easy by using MPF.
What I suggest is have a look at the following link; it is for blocking messenger, but try to reverse it:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c38a6.shtml
Good luck.
If helpful, rate.
09-29-2008 01:02 AM
Agreed, but we have a high number of users, so what do you suggest, should I go with a proxy? If yes, can you recommend any free proxy server, if you know one?
Second, I want to allow ICQ and Skype messenger for all users. I mean that by default all users' ICQ and Skype traffic must be allowed by the FW without any blocking, and the rest of the things must be blocked, like www, https, etc., and for giving access to the rest of the things I want to allow only a few users by doing a few settings on the FW as you advised, or I can go with a proxy. Please advise!!
09-29-2008 05:37 AM
Please advise??
09-29-2008 10:13 PM
Try the following:
access-list 100 extended permit tcp [inside subnet] any eq [tcp messenger port]
access-list 100 extended permit udp [inside subnet] any eq [udp messenger port]
access-list 100 extended permit tcp [IPs of those you want to use the Internet] any eq www
access-list 100 extended permit tcp [IPs of those you want to use the Internet] any eq https
If helpful, rate.
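The cut-through proxy against local usernames from the earlier answer and the inside-interface ACL from this one, combined into one added configuration example that is not from the thread or from Cisco. The inside subnet, the tunnel site subnet, the ICQ port, the two usernames and the exempt host address are all assumed; the syntax is pre-8.3.

```cisco
! Added example, not part of the thread. Assumed: inside LAN 10.1.1.0/24,
! tunnel site 10.2.0.0/24, ICQ on TCP 5190, host 10.1.1.50 allowed to browse
! by address alone, two local accounts for the people allowed to browse.
!
! Local accounts in place of an ACS server. Only people with an account here
! can pass the cut-through proxy, which is what limits browsing to a few
! users; everyone else gets the authentication prompt and is dropped.
username alice password Str0ngPassw0rd! privilege 0
username bob password An0therStr0ng1 privilege 0
!
! Which flows must authenticate: web from inside to the Internet. In an AAA
! match ACL a "deny" line means "exempt from authentication", so the
! always-allowed host and the tunnel site are listed first as denies.
access-list auth_web extended deny tcp host 10.1.1.50 any eq www
access-list auth_web extended deny tcp host 10.1.1.50 any eq https
access-list auth_web extended deny tcp 10.1.1.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list auth_web extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list auth_web extended permit tcp 10.1.1.0 255.255.255.0 any eq https
aaa authentication match auth_web inside LOCAL
timeout uauth 0:30:00 absolute
!
! The interface ACL still decides what is allowed at all; the AAA rule only
! adds a credential check on top of it. First match wins, so: web to the
! tunnel site, nothing else to the tunnel site, DNS and ICQ for everyone,
! web for everyone (gated by the AAA rule above), implicit deny for the rest.
access-list inside_in extended permit tcp 10.1.1.0 255.255.255.0 10.2.0.0 255.255.255.0 eq www
access-list inside_in extended permit tcp 10.1.1.0 255.255.255.0 10.2.0.0 255.255.255.0 eq https
access-list inside_in extended deny ip 10.1.1.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list inside_in extended permit udp 10.1.1.0 255.255.255.0 any eq domain
access-list inside_in extended permit tcp 10.1.1.0 255.255.255.0 any eq 5190
access-list inside_in extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list inside_in extended permit tcp 10.1.1.0 255.255.255.0 any eq https
access-group inside_in in interface inside
```

Two caveats a port-based design runs into here. The ASA cannot insert its login page into a TLS session, so a user whose first request is HTTPS has to make a plain HTTP request first to authenticate; after that the uauth entry covers both. And Skype does not use a fixed port; it picks a listening port at install time and falls back to TCP 80 and 443, so an ACL that permits Skype "by port" for unauthenticated users is the same ACL that permits browsing for them.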
09-29-2008 11:21 PM
Thanks!!! Is it possible through MPF? Please suggest which option is better to implement.
09-30-2008 05:12 AM
Ray, the thing is
with ACLs you are working at L3/L4 while with MPF you work at L7, and with the application layer you can have more flexibility;
for example, in an ACL you can permit or deny HTTP traffic, while with MPF you can deny only the undesired content in the HTTP header.
I would say try both ways and see which one will help you more;
maybe you need both, each one to do part of the job. At least you have the idea now.
Good luck.
If helpful, rate.
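The L7 point from the answer above, as an added MPF example that is not from the thread or from Cisco: an interface ACL only sees "TCP to port 80", whereas HTTP inspection sees the request itself and can drop on the Host header or the method while port 80 stays open for everything else. The hostnames, regex names and policy names are assumed.

```cisco
! Added example, not part of the thread. The two hostnames are placeholders.
! Regexes are matched against the Host request header; ASA regex syntax,
! so the dots are escaped.
regex host-blocked1 "\.example\.net"
regex host-blocked2 "www\.example\.org"
class-map type regex match-any blocked-hosts
 match regex host-blocked1
 match regex host-blocked2
!
! L7 classes: requests whose Host header matches, and CONNECT requests
! (HTTP tunneling through port 80), which an L4 ACL cannot tell apart from
! an ordinary GET.
class-map type inspect http match-all http-to-blocked-host
 match request header host regex class blocked-hosts
class-map type inspect http match-all http-connect
 match request method connect
!
policy-map type inspect http http-policy
 parameters
  protocol-violation action drop-connection log
 class http-to-blocked-host
  drop-connection log
 class http-connect
  drop-connection log
!
! Attach it to the default global policy; inspection_default already
! matches HTTP on port 80.
policy-map global_policy
 class inspection_default
  inspect http http-policy
service-policy global_policy global
```

This only works on plaintext HTTP: inside a TLS session the Host header and method are opaque to the ASA, so HTTPS to the same sites still has to be handled at L3/L4 (by address) or on a proxy, which is the "you may need both" from the answer.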
09-30-2008 06:36 AM
Thanks!!! Got it.