topic Re: Internet access control for cloud app in Network Security

Internet access control for cloud app

jima — Mon, 11 Mar 2019 19:48:21 GMT

I havae an ASA 5505 and have a need to keep a range of IP addresses pointed to cloud based app. Is there a way to control where they can go on the net using ACL's or some other method?

Thanks.

Re: Internet access control for cloud app

Jennifer Halim — Thu, 10 Feb 2011 03:58:37 GMT

Yes, you can, using the NAT with access-list.

Can you share more information on the cloup app ip addresses, and also which internal subnet you would like to NAT to a specific IP Address when traffic is destined to the cloud application, and what IP Address would you like to NAT it to?

Re: Internet access control for cloud app

jima — Thu, 10 Feb 2011 23:43:54 GMT

the IP is 207.x.x.x and I have 10 PC's that have DHCP assisgned addresses but they can be excluded, reserved or Static. 192.168.1.50-.100.

Re: Internet access control for cloud app

Jennifer Halim — Fri, 11 Feb 2011 01:40:30 GMT

OK, so assuming that this is only for outbound connection towards the cloud, and you would like to PAT it to 207.x.x.x, here is the config:

access-list nat-to-cloud permit ip 192.168.1.0 255.255.255.0 host

nat (inside) 2 access-list nat-to-cloud

global (outside) 2 207.x.x.x

Then "clear xlate" after the changes.

Hope that helps.

Re: Internet access control for cloud app

jima — Fri, 11 Feb 2011 03:10:08 GMT

Do I need an access-group command also?

Jim Avitable, MCSA, CCNA, Security +

javitable@cfl.rr.com

35 Hummingbird Lane

Ormond Beach, Fl 32174

C - 386-212-1309

H - 386-677-8924

Re: Internet access control for cloud app

Jennifer Halim — Fri, 11 Feb 2011 03:14:49 GMT

The access-list that I advise earlier is to be applied to the NAT statement.

Do you have any existing access-list applied to your inside interface? If you do, if it hasn't allowed outbound access to the Internet, then you would need to, otherwise, if it is already allowing outbound access to the internet, you don't have to add anything else.

Re: Internet access control for cloud app

jima — Wed, 16 Feb 2011 16:26:23 GMT

I want to allow about 10 users to have full internet access but only allow another 10 users (static IPs) to only have access to the cloud app. Can I do that by using an IP range like 192.168.1.80-100?

config file is attached.

Thanks for your help.

Re: Internet access control for cloud app

Jennifer Halim — Wed, 16 Feb 2011 23:18:51 GMT

Ahhh, ok, now I understand your requirement.

Let me just rephrase and see if that is the correct assumption:

- You would like a specific range of users (eg: 192.168.1.80-100) to only have access to this cloud base applications on the internet, but nothing else.

- While the rest of the users, you would like to have full internet access.

If the above assumptions are correct, here is what you can configure:

1) Let's pick a contiguous subnet so it's easier to write the access-list: say 192.168.1.80 - 192.168.1.95 (that gives you 16 addresses, with subnet of 255.255.255.240), or if you would like more addresses, you can go for 32 addresses (192.168.1.80 - 192.168.1.111).

2) Your current "inside_access_in" access-list is permitting all outbound users to the internet, so we need to configure access-list above the current "permit ip any any" for this cloud base application (it would be best if you know the port that this cloud base application uses so we can be more specific when allowing access). Again, let me assume that it uses TCP/80. Here is the example on what we need to configure:

access-list inside_access_in line 1 extended deny ip 192.168.1.80 255.255.255.240 any

access-list inside_access_in line 1 extended permit tcp 192.168.1.80 255.255.255.240 host eq 80

After you configure the above access-list in order, the bottom line will appear at the top, the top line will become the second line, and your last line will be your existing "permit ip any any" which is the correct order. If you check the output of "show access-list inside_access_in", it should be in the following order:

access-list inside_access_in extended permit tcp 192.168.1.80 255.255.255.240 host eq 80

access-list inside_access_in extended deny ip 192.168.1.80 255.255.255.240 any

access-list inside_access_in extended permit ip any any

Hope that makes sense, and pls confirm the cloud base application ip address and port, also the internal subnet that you only want access to this cloud base app. and I can provide you with the exact commands.

Re: Internet access control for cloud app

Jennifer Halim — Wed, 16 Feb 2011 23:20:20 GMT

BTW, if you only want 10 internal ip addresses exactly to have the access, we can also do that grouping it with object-group. Let me know exactly which IP, and i can help with the commands.

Re: Internet access control for cloud app

jima — Thu, 17 Feb 2011 17:58:12 GMT

Yes you are correct in your understanding of what I need to do. We can use 192.168.1.80-192.168.1.95 as you suggested, with a subnet of 255.255.255.240.

The Application is using port 5432 for database activity and port 80 for updating.

access-list inside_access_in line 1 extended deny 192.168.1.80 255.255.255.240 any

access-list insde_access_in line 1 extended permit tcp 192.168.1.80 255.255.255.240 host 207.x.x.x eq 5432

It means that it will allow access to 207.x.x.x and deny all others from that subnet.

Am I correct? How does the use of port 80 for updating affect?

Thanks.

Re: Internet access control for cloud app

Jennifer Halim — Thu, 17 Feb 2011 23:04:05 GMT

Correct...

You can add the following for port 80 after adding the other 2 lines advised earlier:

access-list inside_access_in line 1 extended permit tcp 192.168.1.80 255.255.255.240 host 207.x.x.x eq 80

For confirmation, once you have configured all the access-list lines, please feel free to share the output of "show access-list inside_access_in" to double confirm.

Re: Internet access control for cloud app

jima — Mon, 21 Feb 2011 16:55:04 GMT

Entered the commands and here is the result:

Thanks,

Re: Internet access control for cloud app

Jennifer Halim — Mon, 21 Feb 2011 22:23:47 GMT

Excellent, looks perfect to me.

Re: Internet access control for cloud app

cciesec2011 — Tue, 22 Feb 2011 00:40:00 GMT

'Then "clear xlate" after the changes.'

This is not technically accurate. Depending on the version of the code he is running on the ASA. There is a "bug" in some version of the ASA that "clear xlate" will do nothing. A better command would be "clear local-host".

Re: Internet access control for cloud app

jima — Wed, 23 Feb 2011 02:47:43 GMT

Why exactly must I do the "clear xlate" or "clear local-host" command? It seems to be working fine.

Thanks.

Re: Internet access control for cloud app

Jennifer Halim — Wed, 23 Feb 2011 03:03:01 GMT

The reason why you perform "clear xlate" or "clear local-host" is if you have existing connections through the firewall, the new translation command and/or new access-list will not take effect until the existing connections are cleared. If you don't have prior connection to the changes, then there is no requirement to clear them.