ASA 5510 Firewall internet Restriction based on IP address and block rest users excluding Mails
03-30-2012 04:00 AM - edited 02-21-2020 04:35 AM
Hi,
I have an assignment to create an access list based on IP address: we have to allow internet access for the IP range 192.168.172.201 to 212.
And the rest of the users we have to block, excluding mail.
Please help.
Thanks,
Regards,
Hemant Yadav

03-30-2012 04:23 AM
Hello Hemant,
What you would need to do is:
access-list inside_access_out permit ip host 192.168.172.201 any
access-list inside_access_out permit ip host 192.168.172.202 any
access-list inside_access_out permit ip host 192.168.172.203 any
access-list inside_access_out permit ip host 192.168.172.204 any
....
....
....
access-list inside_access_out permit ip host 192.168.172.212 any
access-list inside_access_out permit tcp any any eq 25
access-list inside_access_out permit tcp any any eq 110
access-list inside_access_out deny ip any any
access-group inside_access_in in interface inside
This would achieve what you want.
Hope that helps,
Thanks,
Varun
Varun Rao
03-30-2012 04:27 AM
Thanks Varun,
I appreciate your prompt response.

03-30-2012 04:31 AM
Hi Hemant,
Please do rate helpful posts.
Varun
Varun Rao
03-30-2012 04:45 AM
login as: Rakh
password:
Type help or '?' for a list of available commands.
FAST-HQ-ASA> en
Password: ***********
FAST-HQ-ASA# conf t
FAST-HQ-ASA(config)# access
FAST-HQ-ASA(config)# access-list inside
FAST-HQ-ASA(config)# access-list inside
FAST-HQ-ASA(config)# access-list inside_access_out permit ip host 192.168.172.$
FAST-HQ-ASA(config)# access-list inside_access_out permit ip host 192.168.172.$
FAST-HQ-ASA(config)# access-list inside_access_out permit ip host 192.168.172.$
FAST-HQ-ASA(config)# access-list inside_access_out permit ip host 192.168.172.$
FAST-HQ-ASA(config)# access-list inside_access_out permit ip host 192.168.172.$
FAST-HQ-ASA(config)# access-list inside_access_out permit ip host 192.168.172.$
FAST-HQ-ASA(config)# access-list inside_access_out permit ip host 192.168.172.$
FAST-HQ-ASA(config)# access-list inside_access_out permit ip host 192.168.172.$
FAST-HQ-ASA(config)# access-list inside_access_out permit ip host 192.168.172.$
FAST-HQ-ASA(config)# access-list inside_access_out permit ip host 192.168.172.$
FAST-HQ-ASA(config)# access-list inside_access_out permit ip host 192.168.172.$
FAST-HQ-ASA(config)# access-list inside_access_out permit ip host 192.168.172.$
FAST-HQ-ASA(config)# access-list inside_access_out permit ip host 192.168.172.$
FAST-HQ-ASA(config)# access
FAST-HQ-ASA(config)# access-lis
FAST-HQ-ASA(config)# access-list inside_access_out permit any any eq 25
^
ERROR: % Invalid Hostname
FAST-HQ-ASA(config)# access-list inside_access_out permit tcp any any eq 25
FAST-HQ-ASA(config)# access-list inside_access_out permit tcp any any eq 110
FAST-HQ-ASA(config)# acce
FAST-HQ-ASA(config)# access-lis
FAST-HQ-ASA(config)# access-list inside_access_out deny ip any any
FAST-HQ-ASA(config)# ac
FAST-HQ-ASA(config)# acc
FAST-HQ-ASA(config)# access-group inside_access_in in inter
FAST-HQ-ASA(config)# access-group inside_access_in in interface inside
ERROR: access-list
FAST-HQ-ASA(config)# access-group inside_access_in interface inside
^
ERROR: % Invalid input detected at '^' marker.
FAST-HQ-ASA(config)# access-group inside_access_in in interface inside
ERROR: access-list
FAST-HQ-ASA(config)# access-group inside_access_in in interface inside
ERROR: access-list
FAST-HQ-ASA(config)# ERROR: access-list
^
ERROR: % Invalid input detected at '^' marker.
FAST-HQ-ASA(config)#
FAST-HQ-ASA(config)#
It gives me an error: access-list

03-30-2012 04:49 AM
Sorry about that:
It would be,
access-group inside_access_out in interface inside
Varun
Varun Rao
03-30-2012 05:23 AM
Hi Varun,
For 201 to 212, mail is working but the browser is not working.
Thanks,

03-30-2012 05:26 AM
Can you please provide me the output of "show run" from the ASA?
Varun
Varun Rao
03-30-2012 05:43 AM
login as: Rakh
password:
Type help or '?' for a list of available commands.
FAST-HQ-ASA> en
Password:
Invalid password
Password: ***********
FAST-HQ-ASA# show rum
^
ERROR: % Invalid input detected at '^' marker.
FAST-HQ-ASA# show run
: Saved
:
ASA Version 8.3(1)
!
hostname FAST-HQ-ASA
enable password 7tt1ICjiO2a2/Hn2 encrypted
passwd U8oee3lIrDCUmSK2 encrypted
names
!
interface Ethernet0/0
description ASA Outside segment
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address 62.173.33.67 255.255.255.240
!
interface Ethernet0/1
description VLAN AGGREGATION point
no nameif
no security-level
no ip address
!
interface Ethernet0/1.2
description INSIDE segment (User)
vlan 2
nameif INSIDE
security-level 100
ip address 192.168.172.1 255.255.255.0
!
interface Ethernet0/1.3
description LAN
vlan 3
nameif LAN
security-level 100
ip address 192.168.173.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network INSIDE
subnet 192.168.172.0 255.255.255.0
object network LAN
subnet 192.168.173.0 255.255.255.0
object network MAIL-SERVER
host 192.168.172.32
object network DENY-IP-INTERNET
range 192.168.172.121 192.168.172.200
object-group service serBLOCK-INTERNET tcp
port-object eq www
object-group network BLOCK-IP-INTERNET
network-object object DENY-IP-INTERNET
access-list 102 extended permit icmp any any time-exceeded
access-list 102 extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended permit tcp any host 192.168.172.32 eq smtp
access-list OUTSIDE-IN extended permit tcp any host 192.168.172.32 eq https
access-list BLOCK-WWW extended deny tcp object-group BLOCK-IP-INTERNET any object-group serBLOCK-INTERNET
access-list BLOCK-WWW extended permit ip any any
pager lines 24
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu LAN 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network INSIDE
nat (INSIDE,OUTSIDE) dynamic interface
object network LAN
nat (LAN,OUTSIDE) dynamic interface
object network MAIL-SERVER
nat (INSIDE,OUTSIDE) static 62.173.33.70
access-group OUTSIDE-IN in interface OUTSIDE
access-group BLOCK-WWW out interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 62.173.33.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh 192.168.172.37 255.255.255.255 INSIDE
ssh 192.168.173.10 255.255.255.255 LAN
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username Rakh password EV9pEo1UkhHJSbIW encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1ee78d19f958efc6fd95f5e9d4e97b8d
: end
FAST-HQ-ASA#

03-30-2012 05:53 AM
Hi Hemant,
I do not see the access-lists that you added in there.
Is incoming e-mail working, or outgoing? According to your config, incoming should be working.
access-list inside_access_out permit ip host 192.168.172.201 any
access-list inside_access_out permit ip host 192.168.172.202 any
access-list inside_access_out permit ip host 192.168.172.203 any
access-list inside_access_out permit ip host 192.168.172.204 any
....
....
....
access-list inside_access_out permit ip host 192.168.172.212 any
access-list inside_access_out permit tcp any any eq 25 ------> Filter outgoing e-mail
access-list inside_access_out permit tcp any any eq 110
access-list inside_access_out deny ip any any
access-group inside_access_out in interface INSIDE
Thanks,
Varun
Varun Rao
03-30-2012 09:01 AM
This is my running config:
ASA Version 8.3(1)
!
hostname FAST-HQ-ASA
enable password 7tt1ICjiO2a2/Hn2 encrypted
passwd U8oee3lIrDCUmSK2 encrypted
names
!
interface Ethernet0/0
description ASA Outside segment
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address 62.173.33.67 255.255.255.240
!
interface Ethernet0/1
description VLAN AGGREGATION point
no nameif
no security-level
no ip address
!
interface Ethernet0/1.2
description INSIDE segment (User)
vlan 2
nameif INSIDE
security-level 100
ip address 192.168.172.1 255.255.255.0
!
interface Ethernet0/1.3
description LAN
vlan 3
nameif LAN
security-level 100
ip address 192.168.173.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network INSIDE
subnet 192.168.172.0 255.255.255.0
object network LAN
subnet 192.168.173.0 255.255.255.0
object network MAIL-SERVER
host 192.168.172.32
object network DENY-IP-INTERNET
range 192.168.172.121 192.168.172.200
object-group service serBLOCK-INTERNET tcp
port-object eq www
object-group network BLOCK-IP-INTERNET
network-object object DENY-IP-INTERNET
access-list 102 extended permit icmp any any time-exceeded
access-list 102 extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended permit tcp any host 192.168.172.32 eq smtp
access-list OUTSIDE-IN extended permit tcp any host 192.168.172.32 eq https
access-list BLOCK-WWW extended deny tcp object-group BLOCK-IP-INTERNET any object-group serBLOCK-INTERNET
access-list BLOCK-WWW extended permit ip any any
access-list inside_access_out extended permit tcp any any eq smtp
access-list inside_access_out extended permit tcp any any eq pop3
access-list inside_access-out extended permit ip host 192.168.172.37 any
pager lines 24
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu LAN 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network INSIDE
nat (INSIDE,OUTSIDE) dynamic interface
object network LAN
nat (LAN,OUTSIDE) dynamic interface
object network MAIL-SERVER
nat (INSIDE,OUTSIDE) static 62.173.33.70
access-group OUTSIDE-IN in interface OUTSIDE
access-group BLOCK-WWW out interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 62.173.33.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh 192.168.172.37 255.255.255.255 INSIDE
ssh 192.168.173.10 255.255.255.255 LAN
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username Rakh password EV9pEo1UkhHJSbIW encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ad8c94aa7b27648d44ade65d80e924ae
: end
FAST-HQ-ASA#
03-30-2012 09:31 AM
My mails are working fine.
03-30-2012 09:50 AM
The access list I am applying:
Access-list inside_access_out permit ip host 192.168.172.37 any
Access-list inside_access_out permit ip host 192.168.172.201 any
Access-list inside_access_out permit ip host 192.168.172.202 any
Access-list inside_access_out permit ip host 192.168.172.203 any
Access-list inside_access_out permit ip host 192.168.172.204 any
Access-list inside_access_out permit ip host 192.168.172.205 any
Access-list inside_access_out permit ip host 192.168.172.206 any
Access-list inside_access_out permit ip host 192.168.172.207 any
Access-list inside_access_out permit ip host 192.168.172.208 any
Access-list inside_access_out permit ip host 192.168.172.209 any
Access-list inside_access_out permit ip host 192.168.172.210 any
Access-list inside_access_out permit ip host 192.168.172.211 any
Access-list inside_access_out permit ip host 192.168.172.212 any
Access-list inside_access_out permit tcp any any eq 25
Access-list inside_access_out permit tcp any any eq 110
Access-list inside_access_out deny ip any any
Access-group inside_access_out in interface INSIDE
After applying the access list my mails are working fine, but it is also blocking the permitted IPs.
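Added example, not from the thread or from Cisco: a small Python first-match evaluator for the ASA extended-ACL syntax used in the posts above, so a rule set like this can be checked before it is pushed to the firewall. It handles only ip/tcp, host/any and eq <port>, as in the posts; the two sample rule sets are copied from the 09:50 AM post and the 09:01 AM show run, and any destination address used with it is a constructed placeholder.

```python
import ipaddress
PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "https": 443}  # names 'show run' prints

# Rule set from the 09:50 AM post, trimmed to one host (keywords are case-insensitive).
THREAD_RULES = """
access-list inside_access_out permit ip host 192.168.172.201 any
access-list inside_access_out permit tcp any any eq 25
access-list inside_access_out permit tcp any any eq 110
access-list inside_access_out deny ip any any
access-group inside_access_out in interface INSIDE
""".strip().splitlines()
# access-list lines from the 09:01 AM 'show run'; the hyphen in the third name makes it a separate ACL.
SHOW_RUN_RULES = """
access-list inside_access_out extended permit tcp any any eq smtp
access-list inside_access_out extended permit tcp any any eq pop3
access-list inside_access-out extended permit ip host 192.168.172.37 any
""".strip().splitlines()

def _endpoint(words):  # 'any' or 'host A.B.C.D' -> (network, remaining words)
    if words[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), words[1:]
    assert words[0] == "host", "only 'any' and 'host' endpoints are handled here"
    return ipaddress.ip_network(words[1] + "/32"), words[2:]

def parse_acl(lines):
    """Return ({acl_name: [(action, proto, src, dst, dport)]}, {iface: acl_name})."""
    acls, groups = {}, {}
    for line in lines:
        w = line.lower().split()
        if w[:1] == ["access-list"]:
            rest = w[3:] if w[2] == "extended" else w[2:]  # 'extended' is optional
            action, proto = rest[0], rest[1]
            src, rest = _endpoint(rest[2:])
            dst, rest = _endpoint(rest)
            port = PORT_NAMES.get(rest[1], rest[1]) if rest[:1] == ["eq"] else None
            acls.setdefault(w[1], []).append((action, proto, src, dst, port and int(port)))
        elif w[:1] == ["access-group"]:  # access-group NAME in interface IFACE
            groups[w[4]] = w[1]
    return acls, groups

def evaluate(acl, src, dst, proto, dport=None):
    """First matching entry wins; an ASA ACL also ends with an implicit deny."""
    for action, p, s, d, port in acl:
        if p in ("ip", proto) and ipaddress.ip_address(src) in s \
                and ipaddress.ip_address(dst) in d and port in (None, dport):
            return action
    return "deny"

def missing_acls(acls, groups):  # names an access-group references but no access-list defines
    return sorted(set(groups.values()) - set(acls))
```

Running the show-run rules through it puts the entry for 192.168.172.37 into a separate list named inside_access-out, which is the name the ASA matches on, so that host gets no web permit from inside_access_out; missing_acls() reports the kind of mismatch behind the "ERROR: access-list" seen when access-group referenced inside_access_in.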
