10-11-2017 01:46 AM - edited 02-21-2020 06:28 AM
Hello, I have recently deployed a Cisco ASA 5506-X with FirePOWER Services. I am using the unified image Firepower Threat Defense (FTD), and I am managing the firewall with the web-based on-box management solution "Firepower Device Manager" from a machine on the local network. The setup is very basic, and it looks like this:
Everything seems to be working fine. I am using NAT and some port forwarding rules for services on the inside, but I noticed that it is possible to access the outside address (the public address obtained from my ISP) from everywhere. For example, it is possible to ping it, or to access it through port 80 from anywhere on the internet.
My question is: How do I block access from the outside towards my outside interface? I have tried Policies -> Access Control with the default action of Block, but it still does not block the traffic.
I have not yet found the more traditional access-lists. There must be a way to accomplish this, and Google gave me no luck.
Thanks for any thoughts.
10-11-2017 03:28 AM
According to this document, there is a separate FTD policy to configure on which interface and from which subnets FTD can be accessed.
There are 6 steps to configure HTTPS access.
Step 1. Navigate to Devices > Platform Settings
Step 2. Either edit the platform settings policy which exists as you click the pencil icon beside the policy or create a new FTD policy as you click New Policy. Select the type as Firepower Threat Defense.
Step 3. As you navigate to the HTTP section, a page appears as shown in the image.
Enable HTTP server: Enable this option to enable the HTTP server on the FTD.
Port: Select the port on which the FTD accepts management connections.
Hope this helps.
10-11-2017 03:35 AM
10-11-2017 06:20 AM
I checked my FTD virtual device and it does not reply to ping (icmp echo request) or port 80.
Do you possibly have any NAT rules or access-lists that would make any servers reachable from the outside using the interface address? If so you might be seeing a result of that.
10-12-2017 01:30 AM
Thanks for the reply.
It seems like if I change the default action to "Deny" under Policies -> Access Control, then it kind of blocks port 80, but not totally. Port checker tools say the port is closed, but to me it seems more like it accepts the connection, but since no service is running, it becomes a timeout.
But the log says the following for the port 80 traffic:
AccessControlRuleName: Default Action
AccessControlRuleAction: Block
Also, my port forwarding rules do not seem to be working.
However, it still replies to ping from the internet. What version are you on?
Here is my information:
Model Cisco ASA5506-X
Threat Defense Software 6.2.0-363
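One way to check exported connection events for connections to the outside interface address that were not blocked, as an added example that is not part of this thread or of Cisco's tooling (the "Key: Value" layout mirrors the two lines quoted above; the other field names, the TEST-NET addresses and the trusted inside prefix are assumptions):

```python
import re

# Placeholder for the ISP-assigned public address (constructed, TEST-NET-3).
OUTSIDE_IP = "203.0.113.10"

# Constructed sample events in the "Key: Value" style quoted in the thread.
SAMPLE_EVENTS = """
InitiatorIP: 198.51.100.7
ResponderIP: 203.0.113.10
ResponderPort: 80
Protocol: tcp
AccessControlRuleName: Default Action
AccessControlRuleAction: Block

InitiatorIP: 198.51.100.9
ResponderIP: 203.0.113.10
ResponderPort: 443
Protocol: tcp
AccessControlRuleName: Default Action
AccessControlRuleAction: Allow

InitiatorIP: 192.168.1.20
ResponderIP: 203.0.113.10
ResponderPort: 443
Protocol: tcp
AccessControlRuleName: mgmt-from-inside
AccessControlRuleAction: Allow
"""


def parse_events(text):
    """Split blank-line-separated 'Key: Value' blocks into one dict per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            if key and value:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def unblocked_to_interface(events, outside_ip, trusted_prefixes=("192.168.1.",)):
    """Events that reached the outside interface address from an untrusted
    source without being blocked; an empty list means the policy held."""
    return [e for e in events
            if e.get("ResponderIP") == outside_ip
            and e.get("AccessControlRuleAction") != "Block"
            and not e.get("InitiatorIP", "").startswith(trusted_prefixes)]
```

Running `unblocked_to_interface(parse_events(SAMPLE_EVENTS), OUTSIDE_IP)` on the sample reports only the allowed external connection to port 443, while the inside management session is ignored.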
10-12-2017 01:44 AM
I am running FTD 6.2.2. That's the most recent and recommended release level.
04-15-2020 02:57 AM
Would you mind sharing your configs (SSL Decryption, Security Intelligence, NAT, Access Policies), just to have an insight into whether I have configured it correctly?