ASA: How to restrict outbound internet traffic to specific domains and deny the rest

NeerajS
Level 1

Hello All,

I am new to ASA and looking for some guidance. We have internet access working via our ASA. We have a lot of servers in our internal network with apps/services that make outbound connection requests to their respective vendor websites or all sorts of public domains. It is this traffic that we are trying to filter when it passes through the ASA. I have a requirement that we need to allow outbound internet traffic only to specific domains (Microsoft, Symantec) from a patching/updates point of view and deny all other outbound traffic. I am sure this is a common scenario in every environment. We are not in a position to buy other third-party tools like Websense etc.

We have an inside interface called "LAB_LAN" and our outside interface is called "Ren Internet". Our internal servers are located in this LAB_LAN network and use this interface as their default gateway.

Please find below our config. Can someone please advise what ACLs we need to put in to restrict traffic going out of LAB_LAN?

=====================================================================

ASA Version 9.6(1)
!
hostname ciscoasa
domain-name mgmt.lab
enable password 8Ry2YjIyt7RRXU24 encrypted
names

!
interface GigabitEthernet0/0
shutdown
nameif vfnet
security-level 0
ip address 129.6.78.55 255.255.255.128
!
interface GigabitEthernet0/1
description Dmz Interface
nameif DMZ
security-level 80
ip address 10.100.1.1 255.255.255.0
!
interface GigabitEthernet0/2
description Public Interface for NCCOE testing
nameif Public-Test-NCCOE
security-level 80
ip address 129.6.1.5 255.255.255.0
!
interface GigabitEthernet0/3
description Ren internet interface
nameif REN_Internet
security-level 0
ip address 129.6.66.91 255.255.255.224
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
description Testbed Lan
nameif lab_lan
security-level 80
ip address 10.100.0.1 255.255.255.0
!
interface Management0/0
description Management Interface
management-only
nameif management
security-level 100
ip address 10.100.2.6 255.255.255.0
!
interface GigabitEthernet1/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa961-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup REN_Internet
dns server-group DefaultDNS
name-server 129.6.16.1
domain-name mgmt.lab
same-security-traffic permit inter-interface
object network Plant_VLAN
subnet 172.16.1.0 255.255.255.0
description Plant_VLAN
object network Manf_VLAN
subnet 172.16.2.0 255.255.255.0
object network Process_Control
subnet 172.16.3.0 255.255.255.0
description Process_Control_
object network Ruggedcom
host 10.100.0.20
object network FieldBus-Network
subnet 192.168.1.0 255.255.255.0
object network internal-lab-lan
subnet 10.100.0.0 255.255.255.0
description Test Bed lan network
object network CTRL_SYS_Robotics
range 192.168.0.1 192.168.0.253
description CTRL_SYS_Robotics
object network obj-microsoft.com
fqdn microsoft.com
object network obj-ubuntu.com
fqdn ubuntu.com
object-group network DM_INLINE_NETWORK_1
network-object object Manf_VLAN
network-object object Plant_VLAN
network-object object Process_Control
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq www
port-object eq ssh
object-group network DM_INLINE_NETWORK_2
network-object object Manf_VLAN
network-object object Plant_VLAN
network-object object Process_Control
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object icmp
protocol-object tcp
protocol-object udp
access-list lab_lan_access_in extended permit ip 10.100.0.0 255.255.255.0 any
access-list lab_lan_access_in extended permit icmp any any
access-list lab_lan_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 10.100.1.0 255.255.255.0
access-list lab_lan_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 129.6.1.0 255.255.255.0 object-group DM_INLINE_TCP_1
access-list lab_lan_access_out extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list REN_Internet_access_in extended permit icmp any any echo-reply log disable
pager lines 24
logging enable
logging trap warnings
logging asdm informational
logging device-id hostname
logging host lab_lan 10.100.0.14
mtu vfnet 1500
mtu DMZ 1500
mtu Public-Test-NCCOE 1500
mtu REN_Internet 1500
mtu lab_lan 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (lab_lan,vfnet) source dynamic any interface inactive
!
object network internal-lab-lan
nat (any,REN_Internet) dynamic interface
!
nat (management,vfnet) after-auto source dynamic any interface inactive
access-group REN_Internet_access_in in interface REN_Internet
access-group lab_lan_access_in in interface lab_lan
access-group lab_lan_access_out out interface lab_lan
router ospf 100
network 10.100.0.0 255.255.255.0 area 400
area 400
log-adj-changes
!
route REN_Internet 0.0.0.0 0.0.0.0 129.6.66.94 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server Mgmt-Radius protocol radius
aaa-server Mgmt-Radius (management) host 10.100.2.4
key *****
radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication http console Mgmt-Radius LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.16.3.0 255.255.255.0 lab_lan
http 10.100.2.5 255.255.255.255 management
http 10.100.2.157 255.255.255.255 management
no snmp-server location
no snmp-server contact
no service resetoutbound
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=ciscoasa
crl configure
crypto ca trustpool policy
telnet 172.16.3.0 255.255.255.0 lab_lan
telnet timeout 5
ssh stricthostkeycheck
ssh 172.16.3.0 255.255.255.0 lab_lan
ssh 10.100.2.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
ntp server 10.100.0.15 source lab_lan prefer
tftp-server management 10.100.2.5 C:\tftp
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
dynamic-access-policy-record DfltAccessPolicy
username icsuser password P6FUAZab.KDm/ZR1 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:4f9ab1e9ba71d2e5ef0ebcd0f9ab8137
: end

Accepted Solution

Ajay Saini
Level 7

Hello,

Unfortunately, with the ASA alone, URL filtering is not possible, at least not the way you require. There is an option to use FQDN-based access lists and also regex-based filtering, but they have their own set of limitations:

FQDN-based access list:

https://supportforums.cisco.com/t5/security-documents/using-hostnames-dns-in-access-lists-configuration-steps-caveats/ta-p/3123480#Best_Practices

Regex-based filtering:

https://supportforums.cisco.com/t5/security-documents/asa-url-filtering-without-a-websense-or-n2h2-smartfilter-server/ta-p/3116352

The best way of URL filtering would be an additional technology like the Sourcefire module or a third-party URL filtering device/app.

HTH

AJ
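As an added example (not part of the original question or the accepted answer), here is what the FQDN-based option looks like when applied to the configuration posted above. It assumes microsoft.com and symantec.com as stand-ins for the real update hostnames (the actual update services are spread over more names, which you would have to enumerate), and the object-group name ALLOWED_UPDATE_SITES and the ACL line positions are my choices. The reason everything currently gets out is the first ACE, "permit ip 10.100.0.0 255.255.255.0 any": the ASA evaluates ACEs top-down and stops at the first match, so the allow entries have to sit above the existing rules and that ACE has to go.

```cisco
! The ASA resolves fqdn objects itself, so its own DNS must work.
! The posted config already has the first three lines; the timers are added.
dns domain-lookup REN_Internet
dns server-group DefaultDNS
 name-server 129.6.16.1
 expire-entry-timer minutes 5
 poll-timer minutes 2
!
! Placeholder update sites; "v4" restricts resolution to A records.
object network obj-microsoft.com
 fqdn v4 microsoft.com
object network obj-symantec.com
 fqdn v4 symantec.com
object-group network ALLOWED_UPDATE_SITES
 network-object object obj-microsoft.com
 network-object object obj-symantec.com
!
! Remove the permit-all ACE; ACEs are evaluated top-down, first match wins.
no access-list lab_lan_access_in extended permit ip 10.100.0.0 255.255.255.0 any
!
! The servers must query the same resolver the ASA uses, otherwise the
! addresses they connect to can differ from the ones the ASA resolved.
access-list lab_lan_access_in line 1 extended permit udp object internal-lab-lan host 129.6.16.1 eq domain
access-list lab_lan_access_in line 2 extended permit tcp object internal-lab-lan object-group ALLOWED_UPDATE_SITES eq www
access-list lab_lan_access_in line 3 extended permit tcp object internal-lab-lan object-group ALLOWED_UPDATE_SITES eq https
!
! Explicit deny with "log" so blocked destinations show up in syslog as 106023.
access-list lab_lan_access_in extended deny ip any any log
!
! Verify: "show access-list" expands each fqdn object to the addresses it
! currently resolves to; "show dns" shows the resolver cache and TTLs.
show dns
show access-list lab_lan_access_in
```

Two things to check after applying this: the existing "permit icmp any any" ACE is still in place below the new entries, so ping to the internet remains open unless you remove it; and because the ASA compares the packet's destination against the addresses it resolved, not against what the server resolved, a name that returns different addresses per query (CDNs, round-robin) will intermittently hit the deny. Pointing the servers at 129.6.16.1, the resolver the ASA uses, keeps the two views as close as possible.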

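The regex-based option from the second link works differently: it is not an ACL but HTTP inspection that reads the Host header of each plaintext HTTP request and drops the connection when the header does not match an allow list. The following is an added example, not configuration from the original thread or the linked document; the regex, class-map and policy-map names are mine, and microsoft.com and symantec.com are again placeholders. The posted global_policy does not include "inspect http", so nothing there conflicts with the interface policy below.

```cisco
! Host-header patterns for the allowed sites. They are anchored so that
! "microsoft.com.attacker.example" does not match. ASA regex matching is
! case-sensitive, so a client that sends "Host: WWW.MICROSOFT.COM" is dropped too.
regex HOST_MICROSOFT "^([a-z0-9-]+\.)*microsoft\.com(:[0-9]+)?$"
regex HOST_SYMANTEC "^([a-z0-9-]+\.)*symantec\.com(:[0-9]+)?$"
!
class-map type regex match-any ALLOWED_HOSTS
 match regex HOST_MICROSOFT
 match regex HOST_SYMANTEC
!
! Any request whose Host header is NOT in the allow list.
class-map type inspect http match-all HTTP_HOST_NOT_ALLOWED
 match not request header host regex class ALLOWED_HOSTS
!
policy-map type inspect http HTTP_ALLOWLIST
 parameters
  protocol-violation action drop-connection log
 class HTTP_HOST_NOT_ALLOWED
  drop-connection log
!
! Apply only to TCP/80 traffic on lab_lan. An interface service policy
! overrides the global policy for the same inspection type.
class-map LAB_LAN_HTTP
 match port tcp eq www
policy-map LAB_LAN_POLICY
 class LAB_LAN_HTTP
  inspect http HTTP_ALLOWLIST
service-policy LAB_LAN_POLICY interface lab_lan
!
! Verify: counters for the class and drop-connection action
show service-policy interface lab_lan inspect http
```

The limitation that matters most for the patching use case: the Host header is only visible in cleartext HTTP. For HTTPS the ASA cannot see it, so TCP/443 is either left open or has to be handled by the FQDN ACL approach or denied outright. HTTP on non-standard ports is also only inspected if the class-map matches those ports.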
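Whichever option is used, the first question after turning on a deny rule is what it is actually blocking. A packet denied by an ACE that carries the "log" keyword is reported as syslog ID 106023 at severity 4 (warning), and the posted configuration already forwards that level to the syslog host ("logging trap warnings", "logging host lab_lan 10.100.0.14"). The script below is an added example, not from the original thread: it summarises 106023 lines per source, protocol and destination so the missing update hosts can be identified and added to the allow list. The log lines are constructed, with destination addresses taken from documentation ranges; the interface and ACL names follow the posted configuration.

```python
import re
from collections import Counter

# Syslog ID 106023 is emitted for a packet denied by an ACE with "log"
# (and for the implicit deny at the end of an ACL). The optional
# parenthesised group covers "(type 8, code 0)" on ICMP denies.
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
    r"(?: \([^)]*\))?"
    r' by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample lines in the 106023 format (addresses and ports are
# made up; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src lab_lan:10.100.0.20/51234 dst REN_Internet:203.0.113.10/443 by access-group "lab_lan_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src lab_lan:10.100.0.20/51235 dst REN_Internet:203.0.113.10/443 by access-group "lab_lan_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src lab_lan:10.100.0.31/40001 dst REN_Internet:198.51.100.7/80 by access-group "lab_lan_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src lab_lan:10.100.0.31/53011 dst REN_Internet:198.51.100.53/53 by access-group "lab_lan_access_in" [0x0, 0x0]
%ASA-4-106023: Deny icmp src lab_lan:10.100.0.31 dst REN_Internet:198.51.100.7 (type 8, code 0) by access-group "lab_lan_access_in" [0x0, 0x0]
%ASA-6-302013: Built outbound TCP connection 1234 for REN_Internet:203.0.113.20/443 (203.0.113.20/443) to lab_lan:10.100.0.20/51236 (129.6.66.91/51236)
"""


def parse_denies(text):
    """Yield one dict of named fields per 106023 line; other syslog IDs are skipped."""
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            yield m.groupdict()


def summarize_denies(text, acl=None):
    """Count denied flows as (src, proto, dst, dport) tuples, optionally for one ACL.

    Returns a list of (count, src, proto, dst, dport), most frequent first.
    ICMP has no port, which is shown as "-".
    """
    counts = Counter()
    for d in parse_denies(text):
        if acl is not None and d["acl"] != acl:
            continue
        counts[(d["src"], d["proto"], d["dst"], d["dport"] or "-")] += 1
    return sorted(((n,) + key for key, n in counts.items()),
                  key=lambda row: (-row[0], row[1:]))


def denied_destinations(text, acl=None):
    """Distinct (dst, dport) pairs the ACL blocked: the candidates for the allow list."""
    return sorted({(row[3], row[4]) for row in summarize_denies(text, acl)})


if __name__ == "__main__":
    for count, src, proto, dst, dport in summarize_denies(SAMPLE_LOG, acl="lab_lan_access_in"):
        print(f"{count:5d}  {src:<15} {proto:<5} {dst}:{dport}")
```

Feed it the syslog file collected on 10.100.0.14 (for example by reading the file into a string and passing it to summarize_denies). The destinations are still IP addresses, because that is what the ASA logs; resolving them back to the hostnames the servers asked for is the manual step that tells you which fqdn objects are missing.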

2 Replies

Thank you Ajay.
