07-16-2017 12:11 PM - edited 03-12-2019 02:42 AM
Hi all, I hope someone can help. I have a small network at a remote site that has suffered a security breach. I need to block all incoming and outgoing internet traffic. The only thing I want to allow is incoming and outgoing traffic for certain IPs on the internal LAN and DM_INLINE_NETWORK_5.
Could someone check the attached configuration and verify what I've done is correct please?
Thanks so much for any suggestions, it's very much appreciated.
07-16-2017 03:14 PM
If you want to block everything, then just shut down the outside interface, or unplug the Internet cable.
07-16-2017 03:47 PM
Hi Philip, thanks for the reply. Unfortunately, I'm unable to do that as the site requires the following access:
access-list Inside_access_in extended permit tcp object-group BLADEInternal object-group DM_INLINE_NETWORK_5
access-list Inside_access_in extended permit ip object-group BLADEInternal object-group DM_INLINE_NETWORK_5
Is there anything else I need to configure on the ASA, as they are still not able to connect?
Thanks in advance
07-16-2017 08:55 PM
Hi,
Can you please share the packet tracer output for the concerned traffic?
Regards,
Aditya
07-16-2017 10:16 PM
Thank you very much for your reply Aditya, I am really in need of some assistance here. I've done two packet traces as below:
The first one is showing ALLOW and this is good as this is the one access that I want to allow. The second also looks fine as I want it to drop all other traffic.
In summary, I want to allow all traffic to the 165.2 subnets specified and drop the rest. Does this look OK to you?
----------------------------------------------------------------------------------------------------------
F47366-BLADE# packet-tracer input Inside tcp 10.154.246.115 80 165.2.111.17 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit tcp object-group BLADEInternal object-group DM_INLINE_NETWORK_5
object-group network BLADEInternal
network-object 10.55.246.0 255.255.255.0
network-object host 10.154.246.77
network-object host 10.154.246.12
network-object host 10.154.246.115
network-object host 10.154.246.72
network-object host 10.154.246.93
object-group network DM_INLINE_NETWORK_5
network-object 165.2.109.0 255.255.255.0
network-object 165.2.111.0 255.255.255.0
network-object 165.2.122.0 255.255.255.0
network-object 165.2.177.0 255.255.255.0
network-object 165.2.187.0 255.255.255.0
network-object 165.2.58.0 255.255.255.0
network-object 165.2.60.0 255.255.255.0
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Outside) source dynamic any interface
Additional Information:
Dynamic translate 10.154.246.115/80 to 59.201.39.98/114
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 636183438, packet dispatched to next module
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
----------------------------------------------------------------------------------------------------------
F47366-BLADE# packet-tracer input Inside tcp 10.154.246.115 80 10.56.40.127 23
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended deny ip any any
Additional Information:
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
-----------------------------------------------------------------------------------------
F47366-BLADE# packet-tracer input Inside tcp 10.154.246.115 80 10.80.70.241 ftp
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended deny ip any any
Additional Information:
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
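The three packet-tracer runs above only exercise the ACCESS-LIST phase of Inside_access_in, so the ACL and object-group lines they print can be checked offline for any source/destination pair before more runs are done on the box. The script below is an added example, not part of the thread or of any Cisco tool: it parses exactly the object-group and access-list lines shown in the trace output (copied in as a constructed config string) and evaluates a flow against them the way the ASA does, first match wins, with the implicit deny at the end of every ASA ACL as the fallback. It models only address and protocol matching (the quoted ACEs carry no port operators), not NAT, routing, or the stateful return path, so it is a check on ACL logic, not a replacement for packet-tracer.

```python
"""Offline evaluator for the ASA object-groups and the Inside_access_in ACL
quoted in the packet-tracer output above.

Added example for this thread; not code from the original post or from Cisco.
It covers only the address/protocol matching of extended ACEs without port
operators, which is all the quoted configuration uses.
"""
import ipaddress
from dataclasses import dataclass

# Constructed from the Config: lines printed by the packet-tracer runs above.
ASA_CONFIG = """
object-group network BLADEInternal
 network-object 10.55.246.0 255.255.255.0
 network-object host 10.154.246.77
 network-object host 10.154.246.12
 network-object host 10.154.246.115
 network-object host 10.154.246.72
 network-object host 10.154.246.93
object-group network DM_INLINE_NETWORK_5
 network-object 165.2.109.0 255.255.255.0
 network-object 165.2.111.0 255.255.255.0
 network-object 165.2.122.0 255.255.255.0
 network-object 165.2.177.0 255.255.255.0
 network-object 165.2.187.0 255.255.255.0
 network-object 165.2.58.0 255.255.255.0
 network-object 165.2.60.0 255.255.255.0
access-list Inside_access_in extended permit tcp object-group BLADEInternal object-group DM_INLINE_NETWORK_5
access-list Inside_access_in extended permit ip object-group BLADEInternal object-group DM_INLINE_NETWORK_5
access-list Inside_access_in extended deny ip any any
"""


@dataclass
class Ace:
    """One access-list entry: action, protocol, and the networks it matches."""
    action: str
    proto: str
    src: list
    dst: list


def _parse_addr(tok, groups):
    """Consume one address specifier (any / object-group / host / net mask)."""
    if tok[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tok[1:]
    if tok[0] == "object-group":
        return groups[tok[1]], tok[2:]
    if tok[0] == "host":
        return [ipaddress.ip_network(tok[1])], tok[2:]
    return [ipaddress.ip_network(f"{tok[0]}/{tok[1]}")], tok[2:]


def parse_config(text):
    """Return ({group_name: [networks]}, {acl_name: [Ace, ...]})."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "object-group" and tok[1] == "network":
            current = groups.setdefault(tok[2], [])
        elif tok[0] == "network-object":
            # "host A.B.C.D" or "A.B.C.D MASK"; ipaddress accepts dotted masks.
            net = tok[2] if tok[1] == "host" else f"{tok[1]}/{tok[2]}"
            current.append(ipaddress.ip_network(net))
        elif tok[0] == "access-list" and tok[2] == "extended":
            name, action, proto = tok[1], tok[3], tok[4]
            src, rest = _parse_addr(tok[5:], groups)
            dst, rest = _parse_addr(rest, groups)
            acls.setdefault(name, []).append(Ace(action, proto, src, dst))
        else:
            current = None
    return groups, acls


def evaluate(acls, name, proto, src_ip, dst_ip):
    """First-match evaluation; returns (action, matched Ace or None).

    An unmatched flow returns "deny": every ASA ACL ends with an implicit deny.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acls[name]:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if any(src in n for n in ace.src) and any(dst in n for n in ace.dst):
            return ace.action, ace
    return "deny", None


if __name__ == "__main__":
    _, acls = parse_config(ASA_CONFIG)
    for flow in [("tcp", "10.154.246.115", "165.2.111.17"),   # trace 1: allow
                 ("tcp", "10.154.246.115", "10.56.40.127"),   # trace 2: drop
                 ("tcp", "10.154.246.115", "10.80.70.241"),   # trace 3: drop
                 ("tcp", "10.154.246.1", "165.2.111.17")]:    # host not in group
        action, _ = evaluate(acls, "Inside_access_in", *flow)
        print(f"{flow[0]} {flow[1]} -> {flow[2]}: {action}")
```

The fourth flow in the usage block is a constructed case not in the thread: a source that is not a member of BLADEInternal is denied even when the destination is in DM_INLINE_NETWORK_5, which is the quickest way to see whether a host that "still cannot connect" is simply missing from the source object-group.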