ASA 5505 - how to stop it from allowing all outbound traffic?

RouterPouter
Level 1

Hey everybody,

I got an ASA 5505 for a client, and defined outgoing rules ahead of time so that only http/https and smtp/pop3 access were allowed out to certain servers. The install went smooth (I just followed the wizard), but RIGHT as I was leaving I noticed that ALL outbound traffic was allowed!

I literally had to leave RIGHT THEN, but the last thing I noticed was an implicit rule in my list saying that all traffic to a less secure network was allowed. I could not edit or delete this rule, so I left the client quite frustrated. I do not see this "allow all outbound traffic" rule anywhere in my exported config.

Can someone help me narrow down why outbound traffic is wide open (and how to stop it)? I can post my config later this afternoon if it would help.

Thanks,

Brian

7 Replies

Jon Marshall
Hall of Fame

Brian

You can restrict traffic going out by creating an access-list and applying it to the inside interface. So if you just wanted to allow out http traffic

access-list inside_out permit tcp 192.168.5.0 255.255.255.0 any eq http

access-list inside_out deny ip any any

where 192.168.5.0/24 is the LAN.

access-group inside_out in interface inside

Jon
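The following is an added example for the approach Jon describes, not configuration from the thread. It extends his two-line ACL to what the original poster actually wanted (only http/https and smtp/pop3, and only to specific servers). The LAN is 192.168.5.0/24 as in Jon's reply; the server and DNS addresses are placeholders.

```cisco
! Added example, not from the thread. Assumptions: inside LAN is
! 192.168.5.0/24; 203.0.113.10/11 (web), 203.0.113.25 (mail) and
! 203.0.113.53 (DNS) are placeholder addresses.
!
! Starting point: no access-group is bound to "inside", so traffic from the
! higher-security inside (level 100) to the lower-security outside (level 0)
! is permitted by security level alone. That is the "implicit rule" ASDM
! shows and will not let you edit; it never appears in the text config.
!
object-group network INSIDE_LAN
 network-object 192.168.5.0 255.255.255.0
object-group network WEB_SERVERS
 network-object host 203.0.113.10
 network-object host 203.0.113.11
object-group network MAIL_SERVERS
 network-object host 203.0.113.25
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq https
object-group service MAIL_PORTS tcp
 port-object eq smtp
 port-object eq pop3
!
! ASA ACLs are evaluated top-down and the first match wins, so the permits
! go first and the deny goes last.
access-list inside_out extended permit tcp object-group INSIDE_LAN object-group WEB_SERVERS object-group WEB_PORTS
access-list inside_out extended permit tcp object-group INSIDE_LAN object-group MAIL_SERVERS object-group MAIL_PORTS
! Clients still need name resolution or HTTP will fail for reasons
! unrelated to the ACL.
access-list inside_out extended permit udp object-group INSIDE_LAN host 203.0.113.53 eq domain
! An ACL already ends in an implicit deny; writing it explicitly with "log"
! makes blocked attempts visible in syslog.
access-list inside_out extended deny ip any any log
!
! Binding the ACL to the interface is what ends the allow-all behaviour.
! From now on only these permits (plus return traffic of connections the
! ASA already tracks) pass from inside to outside.
access-group inside_out in interface inside
!
write memory
```

Once entered on the CLI these objects and rules show up in ASDM under the Access Rules pane for the inside interface, because ASDM reads the running config rather than keeping its own copy. The object-groups are what make the rule list readable there for a second administrator.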

Jon,

Thanks for your quick reply. I do understand how to apply those commands you gave me, however, I'd like to do this in the GUI as I'm admittedly a firewall newbie, and it's also helpful for me to "see" these rules since I share admin responsibility with another tech.

I'm wondering, though...if I try those commands you stated, will the GUI update itself to reflect those changes? Perhaps if I take a screenshot of my rules page now, then enter your commands and take another screenshot for comparison, perhaps THAT will reveal why outbound traffic was wide open?

I guess I'm also looking to find out if this "wide open outbound" functionality is as designed or a goof on my part.

Brian

Brian

To be honest I'm not that familiar with the GUI. I know in version 6.x of the PIX that using the CLI and the GUI (PDM) to configure the same firewall could lead to problems but I'm not sure with ASDM.

The "wide open outbound" is as designed and not a goof on your part. It could be argued that this is not the best default to take with a firewall but that is how it is.

Jon
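As an added check (not part of the thread), these ASA commands confirm what Jon says: that the open outbound path comes from the security levels rather than from any rule in the config, and that an inside ACL, once applied, actually closes it. Host addresses are placeholders.

```cisco
! Added example, not from the thread. 192.168.5.10 is a placeholder LAN
! host; 198.51.100.20 and 203.0.113.10 are placeholder Internet hosts.
!
! 1. Is any ACL bound to the inside interface? Empty output means the
!    security-level default (inside 100 -> outside 0) is what is permitting
!    everything.
show running-config access-group
!
! 2. The "implicit rule" ASDM shows is derived from these two lines. On a
!    5505 the inside interface is a VLAN interface.
show running-config interface Vlan1
!    look for:  nameif inside
!               security-level 100
!
! 3. Simulate an SSH attempt from the LAN to the Internet. With no inside
!    ACL the ACCESS-LIST phase reports "Implicit Rule" and the result is
!    ALLOW. After an inside ACL without an SSH permit is applied, the same
!    command ends in DROP, "(acl-drop) Flow is denied by configured rule".
packet-tracer input inside tcp 192.168.5.10 40000 198.51.100.20 22 detailed
!
! 4. A flow that should still work after the restriction (HTTP to a
!    permitted web server); expected result ALLOW.
packet-tracer input inside tcp 192.168.5.10 40001 203.0.113.10 80
!
! 5. Per-rule hit counts show which line real traffic is matching, which
!    is the quickest way to spot a stray "permit ip any any" near the top.
show access-list
```

packet-tracer runs the packet through the firewall's own processing (ACL, NAT, inspection) without sending anything, so it is safe to use on a production box and the phase list tells you exactly which rule made the decision.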

ASDM will update automatically just fine - each time it loads it pulls the config from the text file anyway.

Jon/Srue,

Excellent...you guys answered my biggest questions. I bet I can nail it down from here. Will post back later if things go awry.

Brian

Hey gents,

One more question. I did find a screenshot of the security rules for the firewall before I noticed that ALL outbound traffic (SSH/FTP/ICMP pings) was still allowed. Maybe I'm not understanding outside/inside rules entirely and have the rules in the wrong place?

Brian

I think it's because you have two ACLs that apply to the inside interface; the one that permits any any to a lower-security interface, like the outside, means everything is allowed.

In my config I have put all my incoming rules on the outside interface, like smtp, http, pop3 etc. On my inside interface, typically a DMZ, I have not allowed any traffic out, just http and https and typical SQL traffic from a DMZ to an inside network. But from another interface I allow all types of traffic out to the Internet (big I).

PS: regarding your ACL about ICMP, if you run inspect icmp you don't need that ACL; then all ICMP replies into your network that are generated from your network are allowed.
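The ICMP inspection the last reply refers to, written out as an added example (not configuration from the thread). It assumes the default global_policy is still in place, which it is on a wizard-installed ASA, and that an inside ACL named inside_out exists for the 192.168.5.0/24 LAN.

```cisco
! Added example, not from the thread. Assumes the default global_policy
! service policy and an inside ACL called inside_out on 192.168.5.0/24.
!
! Without ICMP inspection the ASA does not track pings statefully, so an
! echo reply coming back from the Internet is just an unsolicited inbound
! packet and needs its own permit on the outside ACL. With inspection on,
! the reply is matched to the request the LAN host sent and the outside
! permit can be removed.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! global_policy is already applied ("service-policy global_policy global");
! the lines above only add ICMP to the inspected set.
!
! The outbound direction still needs a permit if an ACL is bound to
! inside. Place it above the final deny.
access-list inside_out extended permit icmp 192.168.5.0 255.255.255.0 any echo
!
! Verify: ping an Internet host from a LAN machine, then
show service-policy inspect icmp
show conn protocol icmp
```

Because the inspected reply is tied to an existing connection entry, an attacker on the outside still cannot send echo or echo-reply packets to the LAN at will; only replies that correspond to a request the ASA saw leave are accepted.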
