06-02-2008 06:49 AM - edited 03-11-2019 05:53 AM
Hey everybody,
I got an ASA 5505 for a client, and defined outgoing rules ahead of time so that only http/https and smtp/pop3 access were allowed out to certain servers. The install went smoothly (I just followed the wizard), but RIGHT as I was leaving I noticed that ALL outbound traffic was allowed!
I literally had to leave RIGHT THEN, but the last thing I noticed was an implicit rule in my list saying that all traffic to a less secure network was allowed. I could not edit or delete this rule, so I left the client quite frustrated. I do not see this "allow all outbound traffic" rule anywhere in my exported config.
Can someone help me narrow down why outbound traffic is wide open (and how to stop it)? I can post my config later this afternoon if it would help.
Thanks,
Brian
06-02-2008 07:08 AM
Brian
You can restrict traffic going out by creating an access-list and applying it to the inside interface. So if you just wanted to allow out http traffic:
access-list inside_out permit tcp 192.168.5.0 255.255.255.0 any eq http
access-list inside_out deny ip any any
where 192.168.5.0/24 is the LAN.
access-group inside_out in interface inside
Jon
06-02-2008 07:18 AM
Jon,
Thanks for your quick reply. I do understand how to apply those commands you gave me; however, I'd like to do this in the GUI as I'm admittedly a firewall newbie, and it's also helpful for me to "see" these rules since I share admin responsibility with another tech.
I'm wondering, though...if I try those commands you stated, will the GUI update itself to reflect those changes? Perhaps if I take a screenshot of my rules page now, then enter your commands and take another screenshot for comparison, perhaps THAT will reveal why outbound traffic was wide open?
I guess I'm also looking to find out if this "wide open outbound" functionality is as designed or a goof on my part.
Brian
06-02-2008 07:24 AM
Brian
To be honest I'm not that familiar with the GUI. I know in version 6.x of the PIX that using the CLI and the GUI (PDM) to configure the same firewall could lead to problems, but I'm not sure with ASDM.
The "wide open outbound" is as designed and not a goof on your part. It could be argued that this is not the best default to take with a firewall, but that is how it is.
Jon
06-02-2008 07:42 AM
ASDM will update automatically just fine - each time it loads it pulls the config from the text file anyway.
06-02-2008 08:23 AM
Jon/Srue,
Excellent...you guys answered my biggest questions. I bet I can nail it down from here. Will post back later if things go awry.
Brian
06-02-2008 01:05 PM
06-03-2008 05:02 AM
I think it's because you have two ACLs that apply to the inside interface; the one that permits any any to a lower-security interface, like the outside, means everything is allowed.
In my config I have put all my incoming rules on the outside interface, like smtp, http, pop3 etc. And on my inside interface, a typical DMZ, I have not allowed any traffic out, just http and https and typical sql traffic from a DMZ to an inside network. But from another interface I allow all types of traffic out to the Internet (big I).
PS: regarding your ACL about ICMP, if you run inspect icmp you don't need that ACL; then all ICMP replies into your network that are generated from your network are allowed.
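To check an exported config for the situation Jon and the last reply describe (an interface that can reach a less secure one but has no access-group applied, so the implicit permit is in effect, or an applied ACL that is itself wide open), here is an added audit script; it is not from the thread or from Cisco, and the config text it runs on is a constructed sample, not the poster's config.

```python
import re

# Constructed sample (not the poster's config): ACL "inside_out" is defined but
# never applied to the inside interface, so the implicit "permit to a less
# secure network" rule still governs outbound traffic from the LAN.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
access-list inside_out extended permit tcp 192.168.5.0 255.255.255.0 any eq http
access-list inside_out extended permit tcp 192.168.5.0 255.255.255.0 any eq https
access-list outside_in extended permit tcp any host 192.168.5.10 eq smtp
access-group outside_in in interface outside
"""

def parse_config(text):
    """Collect interface security levels, inbound access-groups and ACL entries."""
    levels, groups, acls = {}, {}, {}
    nameif = None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "interface":
            nameif = None                       # new interface block starts
        elif words[0] == "nameif":
            nameif = words[1]
        elif words[0] == "security-level" and nameif:
            levels[nameif] = int(words[1])
        elif words[0] == "access-list" and len(words) > 2:
            acls.setdefault(words[1], []).append(" ".join(words[2:]))
        elif words[0] == "access-group" and "in" in words and "interface" in words:
            groups[words[words.index("interface") + 1]] = words[1]
    return levels, groups, acls

def audit_outbound(text):
    """Return {interface: finding} for each interface that can reach a less secure one."""
    levels, groups, acls = parse_config(text)
    findings = {}
    for name, level in levels.items():
        if not any(other < level for other in levels.values()):
            continue  # nothing less secure to reach, so the implicit rule is moot
        acl = groups.get(name)
        if acl is None:
            findings[name] = "open: implicit permit to less secure networks (no access-group)"
        elif acl not in acls:
            findings[name] = f"open: access-group references undefined ACL {acl}"
        elif any(re.fullmatch(r"(extended )?permit ip any any", ace) for ace in acls[acl]):
            findings[name] = f"open: {acl} contains permit ip any any"
        else:
            findings[name] = f"restricted by {acl} ({len(acls[acl])} entries, implicit deny)"
    return findings

if __name__ == "__main__":
    for iface, finding in audit_outbound(SAMPLE_CONFIG).items():
        print(f"{iface}: {finding}")
```

Appending `access-group inside_out in interface inside` to the sample turns the inside finding into "restricted by inside_out", which is the fix Jon's post describes.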