ASA - Security Configuration

BHconsultants88
Level 1

Hi all, I hope someone can help. I have a small network at a remote site that has suffered a security breach. I need to block all incoming and outgoing internet traffic. The only thing I want to allow is incoming and outgoing traffic for certain IP's on the internal LAN and DM_INLINE_NETWORK_5. 

Could someone check the attached the configuration and verify what I've done is correct please?

Thanks so much for any suggestions, it's very much appreciated.

4 Replies

Philip D'Ath
VIP Alumni

If you want to block everything ; then just shut down the outside interface, or unplug the Internet cable.

Hi Philip, thanks for the reply. Unfortunately, I'm unable to do that as the site requires the following access:

access-list Inside_access_in extended permit tcp object-group BLADEInternal object-group DM_INLINE_NETWORK_5

access-list Inside_access_in extended permit ip object-group BLADEInternal object-group DM_INLINE_NETWORK_5

Is there anything else I need to configure on the ASA, as they are still not able to connect?

Thanks in advance

Hi,

Can you please share the packet tracer output for the concerned traffic?

Regards,

Aditya

Thank you very much for your reply Aditya, I am really in need of some assistance here. I've done two packet traces as below:

The first one is showing ALLOW and this is good as this is the one access that I want to allow. The second also looks fine as I want it to drop all other traffic.

  • packet-tracer input Inside tcp 10.154.246.115 80 165.2.111.17 80
  • packet-tracer input Inside tcp 10.154.246.115 80 10.80.70.241 ftp

In summary, I want to allow all traffic to 165.2 subnets specified and drop the rest. Does this look ok to you?

----------------------------------------------------------------------------------------------------------

F47366-BLADE# packet-tracer input Inside tcp 10.154.246.115 80 165.2.111.17 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit tcp object-group BLADEInternal object-group DM_INLINE_NETWORK_5
object-group network BLADEInternal
network-object 10.55.246.0 255.255.255.0
network-object host 10.154.246.77
network-object host 10.154.246.12
network-object host 10.154.246.115
network-object host 10.154.246.72
network-object host 10.154.246.93
object-group network DM_INLINE_NETWORK_5
network-object 165.2.109.0 255.255.255.0
network-object 165.2.111.0 255.255.255.0
network-object 165.2.122.0 255.255.255.0
network-object 165.2.177.0 255.255.255.0
network-object 165.2.187.0 255.255.255.0
network-object 165.2.58.0 255.255.255.0
network-object 165.2.60.0 255.255.255.0
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Outside) source dynamic any interface
Additional Information:
Dynamic translate 10.154.246.115/80 to 59.201.39.98/114

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 636183438, packet dispatched to next module

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

----------------------------------------------------------------------------------------------------------

F47366-BLADE# packet-tracer input Inside tcp 10.154.246.115 80 10.56.40.127 23

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended deny ip any any
Additional Information:

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

-----------------------------------------------------------------------------------------

F47366-BLADE# packet-tracer input Inside tcp 10.154.246.115 80 10.80.70.241 ftp

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended deny ip any any
Additional Information:

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
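The packet-tracer output above shows how the ASA walks Inside_access_in: the object-groups expand to a list of networks and hosts, the ACEs are tried in order, and the first match decides the verdict. The following Python model is an added example, not the thread's configuration and not Cisco's implementation. It takes the two object-groups and the ACE text exactly as they appear in the trace output; the ACE order (permit tcp, permit ip, then the deny ip any any that the second and third traces hit) is an assumption, since the full access-list was only attached to the original post and is not shown here. The flows beyond the three traced ones are constructed for illustration.

```python
import ipaddress

# Object groups as printed in the thread's packet-tracer "Config:" section.
# Entries are "network mask" or bare hosts, as the ASA prints network-object lines.
OBJECT_GROUPS = {
    "BLADEInternal": [
        "10.55.246.0 255.255.255.0",
        "10.154.246.77",
        "10.154.246.12",
        "10.154.246.115",
        "10.154.246.72",
        "10.154.246.93",
    ],
    "DM_INLINE_NETWORK_5": [
        "165.2.109.0 255.255.255.0",
        "165.2.111.0 255.255.255.0",
        "165.2.122.0 255.255.255.0",
        "165.2.177.0 255.255.255.0",
        "165.2.187.0 255.255.255.0",
        "165.2.58.0 255.255.255.0",
        "165.2.60.0 255.255.255.0",
    ],
}

# Inside_access_in in the order the ASA evaluates it (first match wins).
# ACE order is an assumption based on the trace output; none of these ACEs
# carry ports, so ports are not part of the match below.
ACL = [
    ("permit", "tcp", "BLADEInternal", "DM_INLINE_NETWORK_5"),
    ("permit", "ip", "BLADEInternal", "DM_INLINE_NETWORK_5"),
    ("deny", "ip", "any", "any"),
]


def _parse_network_object(entry):
    """Turn 'net mask' or a bare host (ASA network-object syntax) into an ip_network."""
    parts = entry.split()
    if len(parts) == 2:
        return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
    return ipaddress.ip_network(parts[0])  # bare host becomes a /32


# Expand every object-group once, the way the ASA does before matching.
_GROUPS = {name: [_parse_network_object(e) for e in entries]
           for name, entries in OBJECT_GROUPS.items()}


def _matches(addr, group):
    """True if addr is 'any' or falls inside one of the group's networks."""
    if group == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _GROUPS[group])


def evaluate(proto, src, dst, acl=ACL):
    """Return (action, ace_number) for the first ACE matching the flow.

    Returns ('deny', None) if nothing matches, which is the implicit deny
    at the end of every ASA access-list.
    """
    for number, (action, ace_proto, ace_src, ace_dst) in enumerate(acl, start=1):
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if _matches(src, ace_src) and _matches(dst, ace_dst):
            return action, number
    return "deny", None


def replay_traces():
    """Replay the three packet-tracer flows from the thread, keyed by destination."""
    traces = [
        ("tcp", "10.154.246.115", "165.2.111.17"),
        ("tcp", "10.154.246.115", "10.56.40.127"),
        ("tcp", "10.154.246.115", "10.80.70.241"),
    ]
    return {dst: evaluate(proto, src, dst) for proto, src, dst in traces}


if __name__ == "__main__":
    for dst, (action, number) in replay_traces().items():
        print(f"10.154.246.115 -> {dst}: {action} (ACE {number})")
```

Two things the model makes visible that the raw trace does not. First, because the permit ip ACE covers every flow the permit tcp ACE above it covers, any TCP flow between the two groups always stops at ACE 1 and the second ACE is only ever reached by non-TCP traffic such as ICMP. Second, a host on 10.154.246.0/24 that is not one of the listed hosts in BLADEInternal is denied even when its destination is a 165.2 subnet, because only 10.55.246.0/24 is a whole-network member of that group.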
