Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA Internet Filtering

I'm looking to lock down our outbound internet access list, our previous admin set up the outbound list on the firewalls with an ip any any rule, now we have to lock it down. Other then asking people what ports they need open to what IP's, how do you guys recommend going through and getting a list of ports I need open. I have all the syslogs and I've been going through it manualy gathering ports...but it seems like such a tedious, unreliable task since I know I'll miss alot.


Re: ASA Internet Filtering

The only way to really know is to get everyone together and find out what apps run on what ports. Then create object groups and add the ports as you need them. In the object group you just add the ports and it does nothing to your ACL you apply. It just adds the additional ports to the ACL via the object group

New Member

Re: ASA Internet Filtering

Yea I was kind of afraid that's the only answer...that's basically what I've been doing, I was just hoping someone knew of some easier way. :)


Re: ASA Internet Filtering

good or bad

I would start with general port use.

Create a temporary grouping of ports you know are in use.

You can get a sniff of traffic using ethereal or something like that which is free and just capture some traffic and parse through it.

Then add in what you believe you need.

One way to find out if a port is needed is to put up a ACL and find out who yells. Not always easy but a guarentee to find what you need.

If you do this I would check to see if ASA's can do object groups. when creating an object group and need to make changes you affect the object group only and it changes the ACL for you. When adding new ports it is very easy and removing them is just as easy.

Re: ASA Internet Filtering

Might want to set up NBAR protocol discovery to see what is running now. That will make the analysis easier at least, even if you have to stick an NBAR-enabled router in the link as a temporary measure. Search CCO for NBAR and you should find info.



New Member

Re: ASA Internet Filtering

I just went through this exercise, jumping through the PCI hoops.

I added the known ports first, then added a "log" to the permit any any to see what was left going out.

Sending the logs to Kiwi syslog server and a little filtering helped to see what I needed to open up.


CreatePlease to create content