01-12-2013 08:51 AM - edited 03-11-2019 05:46 PM
I have to lock down the firewall by IP address and port.
i.e. I have to lock down the firewall from OUTSIDE to INSIDE based on IP address and port. We don't know what ports we need to lock down, so we would have to do logging and then find out which destination IP and port those source IP addresses communicate to.
What logging do we have to enable to get that level of detail?
01-12-2013 08:58 AM
Hi,
If you have an ACL permitting some traffic from the OUTSIDE to INSIDE, all the rest of the traffic should already be blocked by the Implicit Deny at the end of every ACL (it doesn't show in the CLI format of the configuration but shows on the ASDM side).
Is your OUTSIDE interface ACL very open at the moment?
Your logging level should be at least "informational".
This would mean configurations like
logging on
logging device-id hostname
logging timestamp
logging trap informational
logging host
Which would
- Jouni
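As an added example (not part of Jouni's reply or the original thread), the script below shows what the "informational" level actually gives you for this task: it parses the %ASA-6-302013 (TCP) and %ASA-6-302015 (UDP) "Built inbound ... connection" messages that the ASA emits once `logging trap informational` is in place, aggregates them into source, destination, protocol and port tuples, and prints candidate `access-list` lines for the OUTSIDE ACL. The log lines, interface names (`outside`/`inside`) and ACL name `OUTSIDE_IN` are constructed for the example; the regex relies on the ASA wording "Built inbound", which the ASA uses for connections initiated from the lower-security side, and on the `real/port (mapped/port)` address layout of those messages.

```python
"""Summarise OUTSIDE->INSIDE connections from ASA syslog at level 6.

Example code added to the thread, not a Cisco tool. It reads 302013/302015
"Built inbound" messages and counts (source, destination, proto, port) so
you can see which destination IP/port pairs each Internet source actually
reaches before tightening the OUTSIDE interface ACL.
"""
import re
from collections import Counter

# Constructed sample log (not a real capture). Line 4 is an outbound
# connection and line 5 a teardown; both must be ignored by the parser.
SAMPLE_LOG = """\
Jan 12 2013 08:58:01 asa-fw : %ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:10.0.0.10/443 (198.51.100.10/443)
Jan 12 2013 08:58:02 asa-fw : %ASA-6-302013: Built inbound TCP connection 1002 for outside:203.0.113.5/51235 (203.0.113.5/51235) to inside:10.0.0.10/443 (198.51.100.10/443)
Jan 12 2013 08:58:03 asa-fw : %ASA-6-302015: Built inbound UDP connection 1003 for outside:203.0.113.77/40000 (203.0.113.77/40000) to inside:10.0.0.53/53 (198.51.100.53/53)
Jan 12 2013 08:58:04 asa-fw : %ASA-6-302013: Built outbound TCP connection 1004 for outside:93.184.216.34/80 (93.184.216.34/80) to inside:10.0.0.25/50123 (198.51.100.99/50123)
Jan 12 2013 08:58:05 asa-fw : %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/51234 to inside:10.0.0.10/443 duration 0:00:04 bytes 5120 TCP FINs
"""

# In these messages each address is "real/port (mapped/port)". Pre-8.3 ASA
# ACLs match the mapped (NAT) address; 8.3 and later match the real one,
# so the parser keeps both and lets the caller pick.
BUILT_RE = re.compile(
    r"%ASA-6-30201[35]: Built inbound (?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/\d+ \([\d.]+/\d+\) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"\((?P<dst_mapped>[\d.]+)/(?P<dport_mapped>\d+)\)"
)


def parse_inbound(lines, src_if="outside", dst_if="inside", use_mapped=False):
    """Return Counter of (src_ip, dst_ip, proto, dst_port) for inbound flows.

    use_mapped=True selects the NAT-mapped destination (pre-8.3 ACL
    semantics); the default uses the real address (8.3+ semantics).
    """
    counts = Counter()
    for line in lines:
        m = BUILT_RE.search(line)
        if not m:
            continue  # teardowns, outbound builds, other message IDs
        if m["src_if"].lower() != src_if or m["dst_if"].lower() != dst_if:
            continue
        if use_mapped:
            dst, port = m["dst_mapped"], int(m["dport_mapped"])
        else:
            dst, port = m["dst"], int(m["dport"])
        counts[(m["src"], dst, m["proto"].lower(), port)] += 1
    return counts


def suggest_acl(counts, acl_name="OUTSIDE_IN"):
    """Emit one host-to-host permit line per observed flow tuple.

    Review these before applying: collapse repeated sources to a subnet or
    'any' only where the service is genuinely public, and remember the
    implicit deny still closes everything not listed.
    """
    return [
        f"access-list {acl_name} extended permit {proto} host {src} host {dst} eq {port}"
        for (src, dst, proto, port) in sorted(counts)
    ]


if __name__ == "__main__":
    flows = parse_inbound(SAMPLE_LOG.splitlines())
    for (src, dst, proto, port), n in sorted(flows.items()):
        print(f"{src:>16} -> {dst}:{port}/{proto}  ({n} connections)")
    print()
    print("\n".join(suggest_acl(flows)))
```

Run it against a syslog file (`parse_inbound(open("asa.log"))`) after a representative observation window; a single day of logs will miss weekly or monthly jobs, so let the open ACL log for long enough before trusting the resulting list.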
01-12-2013 07:37 PM
Is this ASA or FWSM? If this is ASA, then high-to-low security traffic (inside to outside) is automatically allowed without an ACL applied on the inside interface. From outside to inside, you would have to allow what is needed via ACL.
If you have web servers behind the ASA, then you would have to allow people on the Internet to be able to access them, and you can't restrict it based on source IP addresses on the Internet unless you know who you need to allow permission from the Internet to access your web server.
As far as logging is concerned, please follow what Jouni has suggested.
Please join me on Tuesday.
https://supportforums.cisco.com/community/netpro/expert-corner#view=webcasts
Upcoming Live Webcast in English: January 15, 2013
Troubleshooting ASA and Firewall Service Modules
Register today for this Cisco Support Community live webcast.
-Kureli