ASA - Allow Traffic via Proxy Deny All Other

karl_009
Level 1

Hi,

I have an issue with how to design ASA firewall access lists or service policy rules for my scenario.

We are now using a third party proxy service that requires us to enter gateway.proxy.net:80, for example, in IE. The way it's set up now, internet access is allowed for everyone on our network.

What needs to be done is allow access to gateway.proxy.net:80, deny all other traffic to the internet.

In testing I have been able to get the IP address of the proxy service and add that as an access rule; however, if that static IP were to change it would cause disruption.

Using Wireshark I can see the destination IP address is that of the proxy.

IOS in use is asa822-k8.bin with security plus and asdm-631.bin.

Many Thanks for any advice.

Karl

1 Accepted Solution

Jouni Forss
VIP Alumni

Hi,

So you want to allow HTTP / TCP/80 traffic only to that one address, but you are wondering how to implement the rules in case the IP address of the proxy changes?

In software 8.4(2) you can use names in the access-list instead of IP addresses.

For example, I did a simple test to block Facebook (even though the below configuration wouldn't handle the situation that well):

dns domain-lookup outside
dns server-group DefaultDNS
 name-server x.x.x.x
 name-server y.y.y.y
object network FACEBOOK-FQDN
 fqdn www.facebook.com
access-list INSIDE-IN remark Block Facebook FQDN
access-list INSIDE-IN extended deny ip any object FACEBOOK-FQDN

The above could be converted to permit something also instead of blocking something.

For example:

dns domain-lookup outside
dns server-group DefaultDNS
 name-server x.x.x.x
 name-server y.y.y.y
object network PROXY-FQDN
 fqdn gateway.proxy.net
access-list INSIDE-IN remark Permit Proxy FQDN
access-list INSIDE-IN extended permit tcp any object PROXY-FQDN eq 80
access-list INSIDE-IN remark Deny other HTTP traffic
access-list INSIDE-IN extended deny tcp any any eq 80

The above configurations might also need some tweaking in setups where the destination IP address changes frequently, so that the ASA can determine the correct IP.

Of course, in this situation you would have to upgrade the software on your ASA (and perhaps the memory, to meet the requirements of 8.3 and later software), not to mention change/migrate any NAT and access-list configurations. Still, I thought I'd mention it.

Here's a link to a document on these forums that explains the above situation better:

https://supportforums.cisco.com/docs/DOC-17014

To be honest I haven't had to do similar setups before, as usually there's an Ironport coupled with the ASAs.

- Jouni
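
The accepted answer assembled into one interface policy, as an added example that is not Jouni's configuration: it keeps the FQDN object and the HTTP permit, and goes further than the post by permitting client DNS (the clients must resolve gateway.proxy.net too) and then denying and logging all other traffic, which is what the original question asked for. Interface name "inside" and the x.x.x.x / y.y.y.y resolver addresses are placeholders; ASA 8.4(2) or later is assumed, as the answer notes.

```text
! Added example (not from the original post): ASA 8.4(2)+ policy that lets
! inside hosts reach only gateway.proxy.net:80 and drops everything else.
! Assumptions: inside interface is named "inside"; resolver addresses are placeholders.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server x.x.x.x
 name-server y.y.y.y
!
! The ASA resolves this name itself and re-resolves it as the DNS entry ages,
! so a change of the proxy's address does not require an ACL edit.
object network PROXY-FQDN
 fqdn gateway.proxy.net
!
! Clients resolve gateway.proxy.net as well, so DNS to the resolvers must pass;
! without these lines the FQDN rule is correct but no client ever reaches it.
access-list INSIDE-IN remark Permit client DNS to the configured resolvers only
access-list INSIDE-IN extended permit udp any host x.x.x.x eq domain
access-list INSIDE-IN extended permit udp any host y.y.y.y eq domain
!
! Object names are case-sensitive: PROXY-FQDN here must match the object above.
access-list INSIDE-IN remark Permit HTTP to the proxy only
access-list INSIDE-IN extended permit tcp any object PROXY-FQDN eq 80
!
! Explicit, logged deny for everything else. This also blocks inside-to-DMZ or
! inside-to-VPN traffic through this ASA; add explicit permits above this line.
access-list INSIDE-IN remark Deny and log all other traffic
access-list INSIDE-IN extended deny ip any any log
!
access-group INSIDE-IN in interface inside
!
! Verification: the resolved proxy address should be listed by the first command,
! and hit counts on the permit/deny lines confirm which rule traffic is matching.
show dns-hosts
show access-list INSIDE-IN
```

If the resolved address never appears in show dns-hosts, check that the ASA itself can reach the resolvers from the outside interface before troubleshooting the ACL.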


Hi JouniForss,

Thanks for the reply.

I have seen this way of doing it but it wasn't available to me via 8.22. Do you know if you're able to upgrade to 8.4 without buying new licences for the ASA?

Or can it be upgraded without any issues?

Many Thanks

Karl

Hi,

I don't think you need any new licenses but you do need to get the new software from somewhere.

I'm not sure what kind of contract/service you need with Cisco to be able to download newer software (as I don't handle that kind of thing in my work). Most of the 8.3 - 8.4 software ASAs I've configured lately have come with the latest software, as they have been new devices.

I think you can upgrade the ASA from 8.2 to 8.4 (maybe in steps), but I've never taken a chance on the ASA converting the configurations to the new format (as NAT/ACL configurations change considerably in the 8.3/8.4 software compared to 8.2), so I've always written the NAT configuration again myself. It takes more time of course, but the configurations are clearer and I know what's on the device after the update.

Also, as I said before, you might even need to upgrade the ASA's memory if it's an older ASA. Newer ASAs already come with enough RAM to support new software (naturally).

If you happen to have a failover environment, upgrading to 8.3/8.4 also means that your ASA firewalls' licenses don't need to be identical anymore. In other words, when you buy licenses to get new features in the future, you only need a license for the primary unit and the secondary unit will get it too. (To my understanding there are some limitations if the primary unit is broken and not replaced within some time period, maybe a month.)

- Jouni
