topic You can create an based on in Network Security

Beginner ACL Questing regarding Internet only access

Wolfgang — Tue, 12 Mar 2019 06:43:01 GMT

Hey Cisco Folks!

first, forgive me i'm a absolut ASA beginner 😉 - Worked with Stonesoft and PFsense before.

Follow scenario:

Inside-Interface on a ASA-5585-X with latest OS has some ACL's defined to DMZ, other MPLS networks and so on.
Default Internet Access is solved by passing all 80/443 Traffic to a Squid Proxy (Not transparent)
Now i have the requirement to let traffic pass the Inside LAN in direction to Outside but only Skype.

I saw a lot options but no option was like a "Source Inside Destination Internet Service Any"

Is it really true that i have to setup this complicated?

-Inside-Interface-
Allow DMZ Stuff and so an
Deny Management Stuff (Hopefully don't forget some other stuff....)
Allow dest any service any

And let the Firepower Processor do the rest, e.g. let the Sourcefire detect Skype and allow it and rest deny?!

Why is there no possibility to let only traffic in direction to internet pass? With Stonesoft there was a auto generated "Not Local Protected" Object and on PFSense i can let traffic flow to a interface directly. Or do i miss understand all and there is a easy what to get this on a device (2 ASA Failover pairs) which costs >120k $

Really thanks for your input!

Wolfgang

Hi,On ASA there are different

Rishabh Seth — Thu, 08 Oct 2015 12:16:44 GMT

Hi,

On ASA there are different ways by which you can achieve access control. You can use combinations of IP, Ports to permit/ deny traffic. With the addition of FirePOWER services you have more granular control over your traffic.

Now applications such as skype can hop ports and it difficult to block with just layer 3-4 information.

Here application identification of FirePOWER can help in identifying the application and then apply the action that you want to take.

On ASA you create Policy-maps to redirect traffic for inspection by services module (FirePOWER).

Based on your requirement you can create class-maps to filter traffic which should be sent for inspection by FirePOWER or not.

Hope it helps!!!

Thanks,

R.Seth

Hi, thanks for your reply.

Wolfgang — Thu, 08 Oct 2015 12:26:32 GMT

Hi,

thanks for your reply. Thats already done, the firepower is configured to let Skype traffic trough. But my question was, how can i accomplish to let only traffic flow to the internet interface but to no other interface. The "dest any service any" is the only way i can see from ASA side... which is ugly.

Thanks!

Wolfgang

The traffic flow on ASA is:

Rishabh Seth — Thu, 08 Oct 2015 12:33:24 GMT

The traffic flow on ASA is:

ACL on ingress interface>>> Policies on FirePOWER >>> Policies on egress interface.

Once the traffic is permitted by the FirePOWER device, the egress interface will be decided by the ASA based on route/static NAT.

So when you say "dest any service any" are you talking about ACL on egress interface?

Thanks,

R.Seth

Thats correct but did not

Wolfgang — Thu, 08 Oct 2015 12:40:01 GMT

Thats correct but did not answer my question 😉

How would you let traffic from Inside flow _only_ to Outside when you have a lot other interfaces (DMZ, Partner and so on) which have the same or higher security level and ACL's on it.

Or let me ask you the other way, why is a Interface Security Level obsolete as soon as there is a ACL on it? If i define dest any service any on a interface with lets say security level 50, this ACL allows to get higher up to level 100 interfaces.

So you can use combination of

Rishabh Seth — Thu, 08 Oct 2015 12:51:13 GMT

So you can use combination of ACLs on ingress and egress interfaces to achieve the your requirement.

Say you want to control traffic from A (at security level50) to B(at security level100). By default lower to higher security level will be blocked but when you use ACL then it would take precedence.

Now to control traffic from A to B you can apply ACL in out direction on interface B.

Hope it helps!!!.

Thanks,

R.Seth

Understood. There is also no

Wolfgang — Thu, 08 Oct 2015 12:56:00 GMT

Understood. There is also no easier way to let traffic flow from inside to outside only... well thats a real pity 😞 Thanks for your time!

You can create an based on

Rishabh Seth — Thu, 08 Oct 2015 12:58:27 GMT

You can create an based on your security requirement and apply it on different interfaces, this would allow you to reuse same ACL.

Hope it helps!!

Thanks,

R.Seth