https://community.cisco.com/t5/network-security/limiting-outbound-access/m-p/1456011#M663694 <P>Hi,</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; I am currently using an ASA 5505 with Security Plus License (P/N: ASA5505-SEC-BUN-K9) Appliance.&nbsp; What I am trying to do is create a multiple network and be completely separated from each other and on the inside interface (or network), I want to limit the outbound traffic.&nbsp; I have at least 14 inside clients where they would be completely restricted to access the internet except for a specific IP Address and specific port.&nbsp; All the rest of the IP Addresses on that subnet&nbsp; would only have access to the internet if they have specified a username and password.</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; Please see the below configuration and please give me your feedback as to what other things I can improve.</P><P></P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; !-- 14 Clients<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.1 eq www<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.1 eq https<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.2 eq www<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.2 eq https<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.3 eq www<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.3 eq https<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.4 eq www<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.4 eq https<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.5 eq www<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.5 eq https<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.6 eq www<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.6 eq https<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.7 eq https<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.8 eq https<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.9 eq www<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.9 eq https<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.10 eq https<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.4 eq 6260<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 4.2.2.1 eq domain<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit udp 10.12.1.0 255.255.255.240 host 4.2.2.1 eq domain<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 4.2.2.2 eq domain<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit udp 10.12.1.0 255.255.255.240 host 4.2.2.2 eq domain<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 4.2.2.3 eq domain<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit udp 10.12.1.0 255.255.255.240 host 4.2.2.3 eq domain<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 8.8.4.4 eq domain<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit udp 10.12.1.0 255.255.255.240 host 8.8.4.4 eq domain<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 8.8.8.8 eq domain<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit udp 10.12.1.0 255.255.255.240 host 8.8.8.8 eq domain<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended deny ip 10.12.1.0 255.255.255.240 any <BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit ip any any <BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-group Firewall_Policy in interface inside</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; !-- AAA Configuration<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa-server AuthInbound protocol radius<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa-server AuthInbound (inside) host 10.12.1.245 sharedsecret timeout 5</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication include any inside 10.12.1.0 255.255.255.0 0 0 AuthInbound</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa-server svrgrp1 protocol radius<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; max-failed-attempts 3</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.1 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.1 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.2 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.2 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.3 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.3 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.4 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.4 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.5 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.5 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.7 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.8 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.6 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.6 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.9 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude tcp/6260 inside 10.12.1.0 255.255.255.0 208.xxx.152.4 255.255.255.255 AuthInbound</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 4.2.2.1 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 4.2.2.2 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 4.2.2.3 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 8.8.4.4 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 8.8.8.8 255.255.255.255 AuthInbound</P><P></P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; I hope that someone can recommend if there are other better alternative to this type of configuration?&nbsp; Also, care there anything I have to add in order to maintain a more secure and efficient environment?&nbsp; Please school me.</P><P></P><P>Thank you,</P><P></P><P>Russell</P> Mon, 11 Mar 2019 17:55:35 GMT rmanapat 2019-03-11T17:55:35Z https://community.cisco.com/t5/network-security/limiting-outbound-access/m-p/1456011#M663694 <P>Hi,</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; I am currently using an ASA 5505 with Security Plus License (P/N: ASA5505-SEC-BUN-K9) Appliance.&nbsp; What I am trying to do is create a multiple network and be completely separated from each other and on the inside interface (or network), I want to limit the outbound traffic.&nbsp; I have at least 14 inside clients where they would be completely restricted to access the internet except for a specific IP Address and specific port.&nbsp; All the rest of the IP Addresses on that subnet&nbsp; would only have access to the internet if they have specified a username and password.</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; Please see the below configuration and please give me your feedback as to what other things I can improve.</P><P></P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; !-- 14 Clients<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.1 eq www<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.1 eq https<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.2 eq www<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.2 eq https<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.3 eq www<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.3 eq https<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.4 eq www<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.4 eq https<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.5 eq www<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.5 eq https<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.6 eq www<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.6 eq https<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.7 eq https<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.8 eq https<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.9 eq www<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.9 eq https<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.10 eq https<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 208.xxx.152.4 eq 6260<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 4.2.2.1 eq domain<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit udp 10.12.1.0 255.255.255.240 host 4.2.2.1 eq domain<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 4.2.2.2 eq domain<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit udp 10.12.1.0 255.255.255.240 host 4.2.2.2 eq domain<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 4.2.2.3 eq domain<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit udp 10.12.1.0 255.255.255.240 host 4.2.2.3 eq domain<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 8.8.4.4 eq domain<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit udp 10.12.1.0 255.255.255.240 host 8.8.4.4 eq domain<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp 10.12.1.0 255.255.255.240 host 8.8.8.8 eq domain<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit udp 10.12.1.0 255.255.255.240 host 8.8.8.8 eq domain<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended deny ip 10.12.1.0 255.255.255.240 any <BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit ip any any <BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-group Firewall_Policy in interface inside</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; !-- AAA Configuration<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa-server AuthInbound protocol radius<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa-server AuthInbound (inside) host 10.12.1.245 sharedsecret timeout 5</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication include any inside 10.12.1.0 255.255.255.0 0 0 AuthInbound</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa-server svrgrp1 protocol radius<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; max-failed-attempts 3</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.1 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.1 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.2 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.2 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.3 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.3 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.4 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.4 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.5 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.5 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.7 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.8 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.6 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.6 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.9 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude tcp/6260 inside 10.12.1.0 255.255.255.0 208.xxx.152.4 255.255.255.255 AuthInbound</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 4.2.2.1 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 4.2.2.2 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 4.2.2.3 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 8.8.4.4 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 8.8.8.8 255.255.255.255 AuthInbound</P><P></P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; I hope that someone can recommend if there are other better alternative to this type of configuration?&nbsp; Also, care there anything I have to add in order to maintain a more secure and efficient environment?&nbsp; Please school me.</P><P></P><P>Thank you,</P><P></P><P>Russell</P> Mon, 11 Mar 2019 17:55:35 GMT https://community.cisco.com/t5/network-security/limiting-outbound-access/m-p/1456011#M663694 rmanapat 2019-03-11T17:55:35Z https://community.cisco.com/t5/network-security/limiting-outbound-access/m-p/1456012#M663695 <HTML><HEAD></HEAD><BODY><P>Russell,</P><P></P><P>Firstly - there is a nice function called "Objects" see the below:-</P><P></P><P><A href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml</A></P><P></P><P>I would suggest that you create a group for src/dst IP addresses, and TCP/UDP ports - this will reduce your acl.</P><P>Once you are happy with that - we will address future proofing the config/requirements!</P><P></P><P>HTH&gt;</P></BODY></HTML> Mon, 07 Jun 2010 18:31:29 GMT https://community.cisco.com/t5/network-security/limiting-outbound-access/m-p/1456012#M663695 andrew.prince 2010-06-07T18:31:29Z https://community.cisco.com/t5/network-security/limiting-outbound-access/m-p/1456013#M663697 <HTML><HEAD></HEAD><BODY><P>Sorry for the delay.&nbsp; I have modified my access-list to use object-group.&nbsp; Please see the modified configuration and anybody who can recommend maybe a more efficient and secure environment than my current configuration, I'll appreciate it.&nbsp; By the way, just so you know, I don't have any DMZ or any port being allowed from the outside interface to inside.&nbsp; Here's the configuration I currently have:</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; object-group network Lanes<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; network-object 10.12.1.0 255.255.255.240<BR />&nbsp;&nbsp;&nbsp;&nbsp; object-group network CPAddress<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; network-object host 208.xxx.152.1<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; network-object host 208.xxx.152.2<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; network-object host 208.xxx.152.3<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; network-object host 208.xxx.152.4<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; network-object host 208.xxx.152.5<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; network-object host 208.xxx.152.6<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; network-object host 208.xxx.152.7<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; network-object host 208.xxx.152.8<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; network-object host 208.xxx.152.9<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; network-object host 208.xxx.152.10<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; network-object 203.xxx.152.1 255.255.255.224<BR />&nbsp;&nbsp;&nbsp;&nbsp; object-group network DNS<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; description: DNS Servers Address<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; network-object host 4.2.2.1<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; network-object host 4.2.2.2<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; network-object host 4.2.2.3<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; network-object host 8.8.4.4<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; network-object host 8.8.8.8<BR />&nbsp;&nbsp;&nbsp;&nbsp; object-group service CPPorts tcp<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; port-object eq www<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; port-object eq https<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; port-object eq 6260<BR />&nbsp;&nbsp;&nbsp;&nbsp; object-group service DNSPorts tcp-udp<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; description: DNS Servers TCP-UPD Ports<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; port-object eq domain</P><P>&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp object-group Lanes object-group CPAddress object-group CPPorts <BR />&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit tcp object-group Lanes object-group DNS object-group DNSPorts <BR />&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit udp object-group Lanes object-group DNS object-group DNSPorts <BR />&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended deny ip object-group Lanes any <BR />&nbsp;&nbsp;&nbsp;&nbsp; access-list Firewall_Policy extended permit ip any any <BR />&nbsp;&nbsp;&nbsp;&nbsp; access-group Firewall_Policy in interface inside</P><P>&nbsp;&nbsp;&nbsp;&nbsp; aaa-server AuthInbound protocol radius<BR />&nbsp;&nbsp;&nbsp;&nbsp; aaa-server AuthInbound (inside) host 10.12.1.245 sharedsecret timeout 5</P><P>&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication include any inside 10.12.1.0 255.255.255.0 0 0 AuthInbound</P><P>&nbsp;&nbsp;&nbsp;&nbsp; aaa-server svrgrp1 protocol radius<BR />&nbsp;&nbsp;&nbsp;&nbsp; max-failed-attempts 3</P><P>&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.1 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.1 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.2 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.2 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.3 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.3 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.4 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.4 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.5 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.5 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.7 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.8 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude http inside 10.12.1.0 255.255.255.0 208.xxx.152.6 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.6 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 208.xxx.152.9 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude tcp/6260 inside 10.12.1.0 255.255.255.0 208.xxx.152.4 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude http inside 10.12.1.0 255.255.255.0 203.xxx.152.1 255.255.255.224 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude https inside 10.12.1.0 255.255.255.0 203.xxx.152.1 255.255.255.224 AuthInbound</P><P>&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 4.2.2.1 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 4.2.2.2 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 4.2.2.3 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 8.8.4.4 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp; aaa authentication exclude 53 inside 10.12.1.0 255.255.255.0 8.8.8.8 255.255.255.255 AuthInbound<BR />&nbsp;&nbsp;&nbsp;&nbsp; </P><P>Thank you again in advance and please school me.</P><P></P><P>Russell</P></BODY></HTML> Thu, 17 Jun 2010 17:17:20 GMT https://community.cisco.com/t5/network-security/limiting-outbound-access/m-p/1456013#M663697 rmanapat 2010-06-17T17:17:20Z