Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
359
Views
0
Helpful
5
Replies

ASA Internet Filtering

niro
Level 1
Level 1

‎04-07-2008 08:29 AM - edited ‎03-03-2019 09:27 PM

I'm looking to lock down our outbound internet access list, our previous admin set up the outbound list on the firewalls with an ip any any rule, now we have to lock it down. Other then asking people what ports they need open to what IP's, how do you guys recommend going through and getting a list of ports I need open. I have all the syslogs and I've been going through it manualy gathering ports...but it seems like such a tedious, unreliable task since I know I'll miss alot.

Labels:
0 Helpful
5 Replies 5

Rick Morris
Level 6
Level 6

‎04-07-2008 10:04 AM

The only way to really know is to get everyone together and find out what apps run on what ports. Then create object groups and add the ports as you need them. In the object group you just add the ports and it does nothing to your ACL you apply. It just adds the additional ports to the ACL via the object group

0 Helpful

niro
Level 1
Level 1
In response to Rick Morris

‎04-07-2008 10:59 AM

Yea I was kind of afraid that's the only answer...that's basically what I've been doing, I was just hoping someone knew of some easier way. :)

0 Helpful

Rick Morris
Level 6
Level 6
In response to niro

‎04-08-2008 05:14 AM

good or bad

I would start with general port use.

Create a temporary grouping of ports you know are in use.

You can get a sniff of traffic using ethereal or something like that which is free and just capture some traffic and parse through it.

Then add in what you believe you need.

One way to find out if a port is needed is to put up a ACL and find out who yells. Not always easy but a guarentee to find what you need.

If you do this I would check to see if ASA's can do object groups. when creating an object group and need to make changes you affect the object group only and it changes the ACL for you. When adding new ports it is very easy and removing them is just as easy.

0 Helpful

PAUL TRIVINO
Level 3
Level 3

‎04-07-2008 02:29 PM

Might want to set up NBAR protocol discovery to see what is running now. That will make the analysis easier at least, even if you have to stick an NBAR-enabled router in the link as a temporary measure. Search CCO for NBAR and you should find info.

HTH

Paul

0 Helpful

gefuchs
Level 1
Level 1

‎04-10-2008 09:35 AM

I just went through this exercise, jumping through the PCI hoops.

I added the known ports first, then added a "log" to the permit any any to see what was left going out.

Sending the logs to Kiwi syslog server and a little filtering helped to see what I needed to open up.

Greg

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card