Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
744
Views
0
Helpful
10
Replies

Solution (ASA 5505)

Go to solution
ray_stone
Level 1
Level 1

‎09-27-2008 09:46 PM - edited ‎03-11-2019 06:50 AM

Hi, We have mutiple ASA 5505 which are installed on mutiple sites and all are connected via STS Tunnel. To enhancement the security, I have few below queries and need to have your reviews:-

1) In current scenario all default zone (Inside and DMZ) are in a same V-lan and we have allowed IP protocol among STS Tunnels which means we can access any remote IP from any machine.

Now I am going to make a different V-lan for our Depart (NOC) and want only from this V-lan all machine to be accessible and from Inside Zone only 80 and 443 port to be allowed for remote networks. Network scenario will be like that :

1) V-lan 100 (NOC) -- Access Everything

2) Inside V-lan --- Aceess 443,80 port for remote sites which are connected via STS.

3) NOC have full access of Internet but Inside Zone users have access of only ICQ and Skype and all other web traffic to be blocked (Note : The Remote machines (Tunnel Sites) shd be opened of port 80,443 from Inside Zone). Kindly suggest one more thing if i need to allow any inside machine to allow internet then what kinf of settings is required for this. (I wud allow the internet via IP and Authendication)

Thanks!! Please Advice

Please Advice.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marwan ALshawi
VIP Alumni
VIP Alumni
In response to ray_stone

‎09-30-2008 05:12 AM

ray the thing is

with ACL u r working on L3/L4 while with MPF u work on L7 and with application layer u can have more flixibilty

for example in ACL u can permit or deny http traffic while with mpf u can only deny any undesired content in the http header

i would say try both ways and see which one will help u more

maybe u need both each one to do part of the job at least u have the idea now

good luck

if helpful Rate

View solution in original post

0 Helpful
10 Replies 10

Go to solution
Marwan ALshawi
VIP Alumni
VIP Alumni

‎09-28-2008 05:34 AM

from my understanding to ur requirements

u need first to disable any routing between any vlan if u have this before the traffic reach the firewall

like if u have a router or L3 switch dose the intervaln routing between vlans u need to disable this i mean between the noc and inside

put each vlan of thos in diffrent interface or subinterface in ASA

now in ur VPN setup u need to re design the interresting traffic ACL which is the ACL that you refer to in ur crypto map in STS

make permit of rource of noc vlan to remote site network any ip traffic

and make permit for traffic srourced fron inside to remote site that is port 80/443

now this traffic only will breing up the vpn tunnel

for more security u can make ACLs on the outside interfce as well

for internet users to be authenticated in thier outbound internet access u can use CUT-through proxy have a look at the following link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml

good luck

if helpful Rate

0 Helpful

Go to solution
ray_stone
Level 1
Level 1
In response to Marwan ALshawi

‎09-28-2008 05:48 AM

Hi, thanks for your reply.

First I would know which of the software is using while configuring the user settings for allowing or denying the internate usage in the above link and do I need to have any license to use that software.

Well I would like to know another thing, I want to give access of Skype and ICQ messanger to all entire users except internet browsing. And is it possible that I could permit few IP to access the internet by making any access-list or MPF. Please Advice as rest of the settings I can do. Thanks

0 Helpful

Go to solution
ray_stone
Level 1
Level 1
In response to ray_stone

‎09-29-2008 12:15 AM

Please advice!!

0 Helpful

Go to solution
Marwan ALshawi
VIP Alumni
VIP Alumni
In response to ray_stone

‎09-29-2008 12:51 AM

ok

in the above link the authentication were thorugh external database on cisco ACS whihc should be bought from cisco but if u have small number of usernames u can use local dtata base on the ASA instead of puting the AAA group use the local command

and creat manule username and password

like

username [usrname] password [password]

and this why u can use the cut-through authentication against local usernames

even in this case u cam make the internat access based on user names instead of IP with ACL

u can permit internet access for spisific users based in thier IPs by useing ACL on the inside interface in the inbound direction awwlon http,https for those IPs and deny others

for messenger it is quite complicated if u wanna only deny the messenge use it is easy by using MPF

what i suggest u is have a look at the following link it is to block messenger but try to revers it

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c38a6.shtml

good luck

if helpful Rate

0 Helpful

Go to solution
ray_stone
Level 1
Level 1
In response to Marwan ALshawi

‎09-29-2008 01:02 AM

Agreed, but we have high number of users so wht do you suggest shd i go with Proxy.. if yes can you recommanded any free proxy server if you know.

Second, I want to allow ICQ and SKYPE messanger for all users. My meant that by default all users ICQ and SKYPE traffic must be allowed by the FW without any blocking and rest of the things must be blocked like www, https or etc and for givivg the access of rest of the things I want to allow only few users by doing few settings on FW as u adviced or can go with Proxy. Please advice!!

0 Helpful

Go to solution
ray_stone
Level 1
Level 1
In response to ray_stone

‎09-29-2008 05:37 AM

Please advice??

0 Helpful

Go to solution
Marwan ALshawi
VIP Alumni
VIP Alumni
In response to ray_stone

‎09-29-2008 10:13 PM

try the following

access-list 100 permit tcp/udp source any eq [tcp/udp messenger port number]

access-lsit 100 permit tcp source [IPs for who u want them to use internet] any eq http/https

if helpful Rate

0 Helpful

Go to solution
ray_stone
Level 1
Level 1
In response to Marwan ALshawi

‎09-29-2008 11:21 PM

Thanks!!! Is it possible through MFP. Please suggest...which one option is better to implement.

0 Helpful

Go to solution
Marwan ALshawi
VIP Alumni
VIP Alumni
In response to ray_stone

‎09-30-2008 05:12 AM

ray the thing is

with ACL u r working on L3/L4 while with MPF u work on L7 and with application layer u can have more flixibilty

for example in ACL u can permit or deny http traffic while with mpf u can only deny any undesired content in the http header

i would say try both ways and see which one will help u more

maybe u need both each one to do part of the job at least u have the idea now

good luck

if helpful Rate

0 Helpful

Go to solution
ray_stone
Level 1
Level 1
In response to Marwan ALshawi

‎09-30-2008 06:36 AM

Thanks!!! got it

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card