10-08-2015 04:27 AM - edited 03-11-2019 11:43 PM
Hey Cisco Folks!
First, forgive me, I'm an absolute ASA beginner ;) - I worked with Stonesoft and pfSense before.
The scenario is as follows:
The Inside interface on an ASA 5585-X with the latest OS has some ACLs defined to the DMZ, other MPLS networks and so on.
Default Internet access is solved by passing all 80/443 traffic to a Squid proxy (not transparent).
Now I have the requirement to let traffic pass from the Inside LAN in the direction of Outside, but only Skype.
I saw a lot of options, but no option was like "Source Inside, Destination Internet, Service Any".
Is it really true that I have to set this up in such a complicated way?
-Inside-Interface-
Allow DMZ stuff and so on
Deny management stuff (hopefully I don't forget some other stuff...)
Allow dest any service any
And let the FirePOWER processor do the rest, e.g. let the Sourcefire detect Skype and allow it, and deny the rest?!
Why is there no possibility to let only traffic in the direction of the Internet pass? With Stonesoft there was an auto-generated "Not Local Protected" object, and on pfSense I can let traffic flow to an interface directly. Or do I misunderstand all this, and there is an easy way to get this on a device (2 ASA failover pairs) which costs >120k $?
Really, thanks for your input!
Wolfgang
10-08-2015 05:16 AM
Hi,
On the ASA there are different ways by which you can achieve access control. You can use combinations of IPs and ports to permit/deny traffic. With the addition of FirePOWER services you have more granular control over your traffic.
Now, applications such as Skype can hop ports, and it is difficult to block them with just layer 3-4 information.
Here the application identification of FirePOWER can help in identifying the application and then applying the action that you want to take.
On the ASA you create policy-maps to redirect traffic for inspection by the services module (FirePOWER).
Based on your requirement you can create class-maps to filter which traffic should be sent for inspection by FirePOWER and which should not.
Hope it helps!!!
Thanks,
R.Seth
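As an added example (not part of R.Seth's reply or of any Cisco documentation), this is what the class-map/policy-map redirection described above looks like on an ASA with a FirePOWER (SFR) module. Only traffic from the Inside networks to non-local destinations is handed to the module; interface names, object-group names and the 10.10.0.0/16 Inside range are assumptions for illustration.

```cisco
! Added example, not from the original thread. Names and subnets are assumptions.
object-group network INSIDE_NETS
 network-object 10.10.0.0 255.255.0.0
object-group network LOCAL_NETS
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! Match list for the class-map. A "deny" entry here means "do not send to the
! module", so Inside-to-local traffic stays on the ASA and only the remainder
! (the Internet-bound flows) is redirected.
access-list SFR_REDIRECT extended deny ip object-group INSIDE_NETS object-group LOCAL_NETS
access-list SFR_REDIRECT extended permit ip object-group INSIDE_NETS any
!
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
! global_policy normally already exists with class inspection_default;
! the SFR class is added to it.
policy-map global_policy
 class SFR_CLASS
  sfr fail-close
!
service-policy global_policy global
```

`sfr fail-close` drops the redirected traffic if the module is down or not ready; `sfr fail-open` would let it through unfiltered. For a "only Skype may leave" requirement, fail-close is the setting that keeps the policy intact during a module outage, at the cost of Internet access until the module recovers.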
10-08-2015 05:26 AM
Hi,
Thanks for your reply. That's already done; the FirePOWER is configured to let Skype traffic through. But my question was, how can I accomplish letting traffic flow only to the Internet interface and to no other interface? The "dest any service any" is the only way I can see from the ASA side... which is ugly.
Thanks!
Wolfgang
10-08-2015 05:33 AM
The traffic flow on the ASA is:
ACL on ingress interface >>> policies on FirePOWER >>> policies on egress interface.
Once the traffic is permitted by the FirePOWER device, the egress interface will be decided by the ASA based on the route/static NAT.
So when you say "dest any service any", are you talking about the ACL on the egress interface?
Thanks,
R.Seth
10-08-2015 05:40 AM
That's correct, but it did not answer my question ;)
How would you let traffic from Inside flow _only_ to Outside when you have a lot of other interfaces (DMZ, Partner and so on) which have the same or a higher security level and ACLs on them?
Or let me ask you the other way around: why is an interface security level obsolete as soon as there is an ACL on it? If I define dest any service any on an interface with, let's say, security level 50, this ACL allows it to get higher up to level 100 interfaces.
10-08-2015 05:51 AM
So you can use a combination of ACLs on ingress and egress interfaces to achieve your requirement.
Say you want to control traffic from A (at security level 50) to B (at security level 100). By default, lower to higher security level will be blocked, but when you use an ACL it takes precedence.
Now, to control traffic from A to B you can apply an ACL in the out direction on interface B.
Hope it helps!!!.
Thanks,
R.Seth
10-08-2015 05:56 AM
Understood. So there is also no easier way to let traffic flow from Inside to Outside only... well, that's a real pity :( Thanks for your time!
10-08-2015 05:58 AM
You can create an ACL based on your security requirement and apply it on different interfaces; this would allow you to reuse the same ACL.
Hope it helps!!
Thanks,
R.Seth
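As an added example (not part of the thread and not a Cisco-provided configuration), here is one way to build the "Inside may only reach the Internet" policy from the ingress/egress ACL combination and the reusable ACL that R.Seth's last two replies describe. The trick on the ingress side is to enumerate the locally protected ranges in an object-group, deny them after the specific internal permits, and only then permit the remainder, which is the equivalent of Stonesoft's "Not Local Protected" object. The egress ACLs are a second line that catches any local subnet forgotten in that group. Interface names (inside, dmz, partner, mpls), object-group names, the Squid proxy address and all subnets are assumptions for illustration.

```cisco
! Added example, not from the original thread. Names and subnets are assumptions.
object-group network INSIDE_NETS
 network-object 10.10.0.0 255.255.0.0
object-group network LOCAL_NETS
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
object-group network SQUID_PROXY
 network-object host 10.20.0.5
!
! Inbound on Inside: specific internal permits first, then a deny for every
! locally protected range, then permit whatever is left (the Internet).
! Order matters: the deny must come before the final permit.
access-list INSIDE_IN remark --- explicit internal permits ---
access-list INSIDE_IN extended permit tcp object-group INSIDE_NETS object-group SQUID_PROXY eq 3128
access-list INSIDE_IN extended permit tcp object-group INSIDE_NETS 10.30.0.0 255.255.255.0 eq 443
access-list INSIDE_IN remark --- nothing else to local/protected ranges ---
access-list INSIDE_IN extended deny ip any object-group LOCAL_NETS
access-list INSIDE_IN remark --- remainder is Internet-bound; FirePOWER decides Skype vs. not ---
access-list INSIDE_IN extended permit ip object-group INSIDE_NETS any
access-group INSIDE_IN in interface inside
!
! Safety net: one egress ACL reused on every interface that must never receive
! Inside traffic, so a subnet missing from LOCAL_NETS is still stopped on exit.
access-list NO_INSIDE_EGRESS extended deny ip object-group INSIDE_NETS any
access-list NO_INSIDE_EGRESS extended permit ip any any
access-group NO_INSIDE_EGRESS out interface partner
access-group NO_INSIDE_EGRESS out interface mpls
```

Two things to check after applying this: `show access-list INSIDE_IN` should show hit counts on the deny line when an Inside host tries a local address that is not explicitly permitted, and `packet-tracer input inside tcp 10.10.1.10 40000 <dmz-host> 22` should report the drop at the ingress ACL (or at the egress ACL on partner/mpls if the destination lies there). Since ASA 8.3 ACLs match on real (pre-NAT) addresses, the dynamic PAT on outside does not change the source seen by either ACL.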