09-27-2012 03:53 AM - edited 03-11-2019 04:59 PM
Hi,
I have an issue with how to design ASA firewall access lists or service policy rules for my scenario.
We are now using a third party proxy service that requires us to enter gateway.proxy.net:80, for example, in IE. The way it's set up now, internet access is allowed for everyone on our network.
What needs to be done is allow access to gateway.proxy.net:80, deny all other traffic to the internet.
In testing I have been able to get the IP address of the proxy service and add that as an access rule; however, if that static IP were to change it would cause disruption.
Using Wireshark I can see the destination IP address is that of the proxy.
IOS in use is asa822-k8.bin with security plus and asdm-631.bin.
Many Thanks for any advice.
Karl
Solved! Go to Solution.
09-27-2012 04:34 AM
Hi,
So you want to allow HTTP / TCP/80 traffic only to that one address, but you are wondering how to implement the rules in case the IP address of the proxy changes?
In software 8.4(2) you can use names in the access-list instead of IP-addresses
For example, I did a simple test to block Facebook (even though the below configuration wouldn't handle the situation that well):
dns domain-lookup outside
dns server-group DefaultDNS
name-server x.x.x.x
name-server y.y.y.y
object network FACEBOOK-FQDN
fqdn www.facebook.com
access-list INSIDE-IN remark Block Facebook FQDN
access-list INSIDE-IN extended deny ip any object FACEBOOK-FQDN
The above could be converted to permit something also instead of blocking something.
For example
dns domain-lookup outside
dns server-group DefaultDNS
name-server x.x.x.x
name-server y.y.y.y
object network PROXY-FQDN
fqdn gateway.proxy.net
access-list INSIDE-IN remark Permit Proxy FQDN
access-list INSIDE-IN extended permit tcp any object PROXY-FQDN eq 80
access-list INSIDE-IN remark Deny other HTTP traffic
access-list INSIDE-IN extended deny tcp any any eq 80
The above configurations might also need some tweaking in setups where the destination IP address changes frequently so the ASA can determine the correct IP.
Of course, in this situation you would have to upgrade the software on your ASA (and perhaps the memory to support 8.3 and above software requirements), not to mention change/migrate possible NAT and access-list configurations. Still, thought I'd mention it.
Here's a link to a document on these forums which explains the above situation better:
https://supportforums.cisco.com/docs/DOC-17014
To be honest I haven't had to do similar setups before, as usually there's an Ironport coupled with the ASAs.
- Jouni
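The thread's concern is that a permit rule pinned to the proxy's IP silently breaks when that IP changes, which is what the FQDN object above avoids on 8.4(2). As an added example (not from this thread or from Cisco), this script detects that drift on an ASA that still uses host IPs: it resolves the FQDN, compares the result with the IPs currently in the ACL, and renders the 8.2-style permit/deny lines for review. The function names, the `resolver` hook and the 203.0.113.x addresses are constructed for illustration.

```python
import socket
from typing import Callable, Iterable

def resolve_a_records(fqdn: str) -> set:
    """Live DNS lookup: the IPv4 addresses the FQDN currently resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(fqdn, None, socket.AF_INET)}

def acl_drift(fqdn: str, configured: Iterable[str],
              resolver: Callable[[str], set] = resolve_a_records) -> dict:
    """Compare the host IPs hard-coded in the ACL with what DNS returns now.

    'stale'   = permitted in the ACL but no longer resolved (dead rule)
    'missing' = resolved now but not permitted (users will be blocked)
    """
    current = set(resolver(fqdn))
    wanted = set(configured)
    return {
        "stale": sorted(wanted - current),
        "missing": sorted(current - wanted),
        "ok": wanted == current,
    }

def asa_permit_lines(acl: str, fqdn: str, ips: Iterable[str], port: int = 80) -> list:
    """Render 8.2-style ACL lines (host IPs, no FQDN objects) so the
    generated set can be diffed against the running config."""
    lines = [f"access-list {acl} remark Permit proxy {fqdn}"]
    for ip in sorted(ips):
        lines.append(f"access-list {acl} extended permit tcp any host {ip} eq {port}")
    lines.append(f"access-list {acl} remark Deny other HTTP traffic")
    lines.append(f"access-list {acl} extended deny tcp any any eq {port}")
    return lines

if __name__ == "__main__":
    # Constructed sample: ACL still permits .10 and .99, DNS now returns .10 and .11
    fake_dns = lambda name: {"203.0.113.10", "203.0.113.11"}
    report = acl_drift("gateway.proxy.net", ["203.0.113.10", "203.0.113.99"], fake_dns)
    print(report)
    if not report["ok"]:
        print("\n".join(asa_permit_lines("INSIDE-IN", "gateway.proxy.net", fake_dns(""))))
```

Run it from cron against the real FQDN (drop the `resolver` argument) and alert when `ok` is false; with a constructed resolver as in the `__main__` block it runs offline.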
09-27-2012 05:06 AM
Hi JouniForss,
Thanks for the reply.
I have seen this way of doing it but it wasn't available to me via 8.2(2). Do you know if you're able to upgrade to 8.4 without buying new licences for the ASA?
Or can it be upgraded without any issues?
Many Thanks
Karl
09-27-2012 05:18 AM
Hi,
I don't think you need any new licenses but you do need to get the new software from somewhere.
I'm not sure what kind of contract/service you need with Cisco to be able to download newer software (as I don't handle that kind of thing in my work). Most of the 8.3 - 8.4 software ASAs I've configured lately have been with the latest software as they have been new devices.
I think you can upgrade the ASA from 8.2 to 8.4 (maybe in steps), but I've never taken a chance with the ASA converting the configurations to the new format (as NAT/ACL configurations change considerably in the 8.3/8.4 software compared to 8.2), so I've always written the NAT configuration again myself. Takes more time of course, but the configurations are clearer and I know what's on the device after the update.
Also, as I said before, you might even need to upgrade the ASA's memory if it's an older ASA. Newer ASAs already come with enough RAM to support new software (naturally).
If you happen to have a failover environment, upgrading to 8.3/8.4 also means that your ASA firewalls' licenses don't need to be identical anymore. In other words, when you buy licenses to get new features in the future, you only need a license for the Primary unit and the Secondary unit will get it too. (There are some limitations to my understanding if the Primary unit is broken and not replaced within some time period, maybe a month.)
- Jouni