Beginner ACL Question regarding Internet-only access

Wolfgang
Level 1

Hey Cisco Folks!

First, forgive me, I'm an absolute ASA beginner ;) - I worked with Stonesoft and pfSense before.

Following scenario:

The Inside interface on an ASA-5585-X with the latest OS has some ACLs defined to the DMZ, other MPLS networks and so on.
Default Internet access is solved by passing all 80/443 traffic to a Squid proxy (not transparent).
Now I have the requirement to let traffic pass from the Inside LAN in the direction of Outside, but only Skype.

I saw a lot of options, but no option was like a "Source Inside, Destination Internet, Service Any".

Is it really true that I have to set this up in such a complicated way?

-Inside-Interface-
Allow DMZ stuff and so on
Deny management stuff (hopefully I don't forget some other stuff...)
Allow dest any service any

And let the FirePOWER processor do the rest, e.g. let the Sourcefire detect Skype, allow it and deny the rest?!

Why is there no possibility to let only traffic in the direction of the internet pass? With Stonesoft there was an auto-generated "Not Local Protected" object, and on pfSense I can let traffic flow to an interface directly. Or do I misunderstand it all, and there is an easy way to get this on a device (2 ASA failover pairs) which costs >120k $?

Really, thanks for your input!

Wolfgang

7 Replies

Rishabh Seth
Level 7

Hi,

On the ASA there are different ways by which you can achieve access control. You can use combinations of IPs and ports to permit/deny traffic. With the addition of FirePOWER services you have more granular control over your traffic.

Now applications such as Skype can hop ports, and it is difficult to block them with just layer 3-4 information.

Here the application identification of FirePOWER can help in identifying the application and then applying the action that you want to take.


On the ASA you create policy-maps to redirect traffic for inspection by the services module (FirePOWER).

Based on your requirement you can create class-maps to filter which traffic should be sent for inspection by FirePOWER and which should not.

Hope it helps!!!


Thanks,

R.Seth

Hi,


Thanks for your reply. That's already done; the FirePOWER is configured to let Skype traffic through. But my question was, how can I accomplish letting traffic flow only to the internet interface but to no other interface? The "dest any service any" is the only way I can see from the ASA side... which is ugly.


Thanks!


Wolfgang

The traffic flow on the ASA is:

ACL on ingress interface >>> Policies on FirePOWER >>> Policies on egress interface.

Once the traffic is permitted by the FirePOWER device, the egress interface will be decided by the ASA based on the route/static NAT.

So when you say "dest any service any", are you talking about the ACL on the egress interface?


Thanks,

R.Seth

That's correct, but it did not answer my question ;)

How would you let traffic from Inside flow _only_ to Outside when you have a lot of other interfaces (DMZ, Partner and so on) which have the same or a higher security level and ACLs on them?

Or let me ask the other way around: why is an interface security level obsolete as soon as there is an ACL on it? If I define dest any service any on an interface with, let's say, security level 50, this ACL allows traffic to get up to level 100 interfaces.

So you can use a combination of ACLs on ingress and egress interfaces to achieve your requirement.

Say you want to control traffic from A (at security level 50) to B (at security level 100). By default, lower to higher security level will be blocked, but when you use an ACL then it takes precedence.

Now to control traffic from A to B you can apply an ACL in the out direction on interface B.

Hope it helps!!!

Thanks,

R.Seth
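As an added example (not from this thread and not Cisco's own sample), here is one way to lay out the ingress ACL on inside, the egress (out) ACLs on the other interfaces that R.Seth describes, and the MPF redirect of only the inside-to-internet flows to the FirePOWER module. Interface names, addresses, object names and the proxy port are assumptions; the RFC1918 object group stands in for the Stonesoft "Not Local Protected" idea.

```cisco
! Assumed interfaces: inside (level 100), dmz (50), partner (50), outside (0)
! Assumed addressing; replace with the real networks
object-group network INSIDE_NETS
 network-object 10.10.0.0 255.255.0.0
object-group network LOCAL_PROTECTED
 description All RFC1918 space reachable via dmz/partner/MPLS interfaces
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
object network SQUID_PROXY
 host 10.20.0.10
!
! Ingress ACL on inside: explicit internal permits first, then deny any
! other internal destination, then permit what is left (the internet).
access-list INSIDE_IN extended permit tcp object-group INSIDE_NETS object SQUID_PROXY eq 3128
access-list INSIDE_IN extended deny ip object-group INSIDE_NETS object-group LOCAL_PROTECTED
access-list INSIDE_IN extended permit ip object-group INSIDE_NETS any
access-group INSIDE_IN in interface inside
!
! Egress (out) ACLs on the other interfaces: even if INSIDE_IN is later
! loosened, inside hosts still cannot reach dmz/partner except via the
! explicit rule, because the egress ACL is evaluated as well.
access-list DMZ_OUT extended permit tcp object-group INSIDE_NETS object SQUID_PROXY eq 3128
access-list DMZ_OUT extended deny ip object-group INSIDE_NETS any
access-list DMZ_OUT extended permit ip any any
access-group DMZ_OUT out interface dmz
access-list PARTNER_OUT extended deny ip object-group INSIDE_NETS any
access-list PARTNER_OUT extended permit ip any any
access-group PARTNER_OUT out interface partner
!
! Send only inside->internet flows to the FirePOWER (sfr) module; a deny
! ACE in a match access-list excludes that traffic from the class.
access-list SFR_REDIRECT extended deny ip object-group INSIDE_NETS object-group LOCAL_PROTECTED
access-list SFR_REDIRECT extended permit ip object-group INSIDE_NETS any
class-map SFR_CLASS
 match access-list SFR_REDIRECT
policy-map global_policy
 class SFR_CLASS
  sfr fail-close
service-policy global_policy global
```

Verify the result with `packet-tracer input inside tcp 10.10.1.5 40000 10.30.0.5 443` (a dmz host) and again with a public address: the first should drop on DMZ_OUT even if INSIDE_IN is edited, the second should reach the outside interface.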

Understood. So there is no easier way to let traffic flow from inside to outside only... well, that's a real pity :( Thanks for your time!

You can create an ACL based on your security requirement and apply it on different interfaces; this would allow you to reuse the same ACL.


Hope it helps!!

Thanks,

R.Seth
