Help config ASA5510

jerrybu01
Level 1

I have an IP range, 192.168.172.1/24, and by default staff can access the full internet.

Range 1. Access full internet

ASA5510(config)# object network Full-internet-Access

ASA5510(config-network-object)# range 192.168.172.1 192.168.172.25

ASA5510(config-network-object)# nat (inside,outside) dynamic interface

ASA5510(config-network-object)# access-list inside_access_out permit ip object Full-internet-Access any


Range 2. Deny internet but allow mail, some webpages, https

ASA5510(config)# object network Deny-internet-Access

ASA5510(config-network-object)# range 192.168.172.26 192.168.172.254

ASA5510(config-network-object)# nat (inside,outside) dynamic interface

ASA5510(config-network-object)# access-list Inside_in deny ip object Deny-internet-Access any


ASA5510(config)#access-list inside_in permit tcp any any eq 25

ASA5510(config)#access-list inside_in permit tcp any any eq 110


ASA5510(config)#access-group access_out in interface inside


regex url1 "vnexpress\.net"

regex url2 "tuoitre\.net"

regex url3 "vdict\.com"

regex url4 "translate\.google\.com\.vn"


class-map type regex match-any URL

match regex url1

match regex url2

match regex url3

match regex url4


class-map type inspect http match-all class3

match request header host regex class URL


access-list inside_in extended deny tcp object Deny-internet-Access any eq 80

access-list inside_in extended permit tcp any any eq 80


class-map classhttp

match access-list inside_in


policy-map type inspect http po-http

parameters

class class3

drop-connection log


policy-map global_policy

class classhttp

inspect http po-http


service-policy global_policy global

- Range IP 1: I can access the full internet --> OK

- Range IP 2: I can't access the internet (everything is blocked) --> I have a problem; can you show me how to configure it like my request?

14 Replies

julomban
Level 3

Nguyen,

The problem with range 2 is the order of the ACLs:

ASA5510(config)# access-list Inside_in deny ip object Deny-internet-Access any

ASA5510(config)#access-list inside_in permit tcp any any eq 25

ASA5510(config)#access-list inside_in permit tcp any any eq 110

The ASA processes/checks the ACLs in order: if there is a deny first, then all traffic is going to be denied.

The ACL's should look like this:

ASA5510(config)#access-list inside_in permit tcp any any eq 25

ASA5510(config)#access-list inside_in permit tcp any any eq 110

ASA5510(config)# access-list Inside_in deny ip object Deny-internet-Access any

With the above order all traffic on ports 25/110 will be allowed and everything else dropped.

Please let me know if that helps

Regards,

Juan Lombana

Please rate helpful posts.
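To make the ordering point concrete, here is an added first-match ACL simulator written for this page; it is not Cisco code and not anything posted in the thread. It encodes the two orderings from this reply, plus jocamare's later list with and without the DNS entries from the follow-up reply, and evaluates a few constructed flows from each range. The object names, ranges and port numbers are the ones the thread uses; the flows and the "implicit deny at the end of every access-list" rule are the ASA behaviour this example assumes.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Network objects as the thread defines them (the OP's "object network" ranges).
OBJECTS = {
    "Full-internet-Access": ("192.168.172.1", "192.168.172.25"),
    "Deny-internet-Access": ("192.168.172.26", "192.168.172.254"),
}


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, protocol, source object (or "any"), destination port."""
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp" or "udp"
    src: str                 # key into OBJECTS, or "any"
    dport: Optional[int]     # destination port, None when the entry has no "eq" clause


@dataclass(frozen=True)
class Flow:
    """A single outbound connection attempt from an inside host (constructed sample)."""
    src: str
    proto: str
    dport: int


def ace_matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ace.src != "any":
        lo, hi = (ipaddress.IPv4Address(a) for a in OBJECTS[ace.src])
        if not lo <= ipaddress.IPv4Address(flow.src) <= hi:
            return False
    if ace.dport is not None and ace.dport != flow.dport:
        return False
    return True


def evaluate(acl: List[Ace], flow: Flow) -> str:
    """First-match evaluation: the first matching entry decides; when nothing matches,
    the implicit deny at the end of every ASA access-list applies."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace.action
    return "deny"


# The two orderings from Juan's reply.
DENY_FIRST = [
    Ace("deny", "ip", "Deny-internet-Access", None),
    Ace("permit", "tcp", "any", 25),
    Ace("permit", "tcp", "any", 110),
]
PERMIT_FIRST = [
    Ace("permit", "tcp", "any", 25),
    Ace("permit", "tcp", "any", 110),
    Ace("deny", "ip", "Deny-internet-Access", None),
]

# jocamare's later list, without and with the DNS entries added in the follow-up reply.
JOCAMARE = [
    Ace("permit", "tcp", "any", 25),
    Ace("permit", "tcp", "any", 110),
    Ace("permit", "tcp", "any", 80),
    Ace("permit", "ip", "Full-internet-Access", None),
    Ace("deny", "ip", "Deny-internet-Access", None),
]
JOCAMARE_WITH_DNS = JOCAMARE[:3] + [
    Ace("permit", "tcp", "any", 53),
    Ace("permit", "udp", "any", 53),
] + JOCAMARE[3:]

# Constructed sample flows: hosts from range 2 (.30) and range 1 (.10).
FLOWS = [
    Flow("192.168.172.30", "tcp", 25),    # range 2, SMTP
    Flow("192.168.172.30", "tcp", 443),   # range 2, HTTPS
    Flow("192.168.172.30", "udp", 53),    # range 2, DNS
    Flow("192.168.172.10", "tcp", 443),   # range 1, HTTPS
]


def report(acl: List[Ace]) -> dict:
    """Decision per flow, keyed as 'src/proto/dport'."""
    return {f"{f.src}/{f.proto}/{f.dport}": evaluate(acl, f) for f in FLOWS}


if __name__ == "__main__":
    for name, acl in [("DENY_FIRST", DENY_FIRST), ("PERMIT_FIRST", PERMIT_FIRST),
                      ("JOCAMARE", JOCAMARE), ("JOCAMARE_WITH_DNS", JOCAMARE_WITH_DNS)]:
        print(name, report(acl))
```

Running it shows three things at once: with the deny entry first, SMTP from range 2 is dropped before the port-25 permit is ever consulted; with the permits first, SMTP passes and other range-2 traffic is dropped; and a list that has no permit covering range 1 and no DNS entry drops those flows too, because the implicit deny catches whatever no entry matched.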

I configured it but it's not running. The ASA CLI is shown here:

ASA5510# show run                

: Saved      

:

ASA Version 8.3(1)                 

!

hostname ASA5510               

domain-name lohoi.local                      

enable password *******                   

passwd *************** encrypted                                

names    

!

interface Ethernet0/0                    

description C_M                         

nameif outside              

security-level 0                

ip address 10.0.0.2 255.255.255.248                                

!

interface Ethernet0/1                    

description C_R                               

nameif inside             

security-level 100                  

ip address 172.16.17.2 255.255.255.240                                      

!

interface Ethernet0/2                    

shutdown        

no nameif         

no security-level                 

no ip address             

!

interface Ethernet0/3                    

shutdown        

no nameif         

no security-level                 

no ip address             

!

interface Management0/0                      

description Management                      

nameif management                 

security-level 100                  

ip address 192.168.1.1 255.255.255.0                                    

!

regex url1 "vnexpress\.net"                          

regex url2 "flpvietnam\.com"                           

ftp mode passive               

clock timezone ICT 7                   

dns server-group DefaultDNS                          

domain-name lohoi.local                       

object network obj-any                     

subnet 0.0.0.0 0.0.0.0                      

object network ftpserver                       

host 192.168.100.90                  

description FTP server                      

object network remote_desktop                            

host 192.168.100.111                 

object network remote_vnc                        

host 192.168.100.100                  

object network FullAccess                        

range 192.168.100.1 192.168.100.25                                  

object network DenyAccess                        

range 192.168.100.26 192.168.100.254                                    

access-list 101 extended permit icmp any any                                           

access-list 101 extended permit icmp any any echo-reply                                                      

access-list 101 extended permit tcp any any                                          

access-list outside_access_in extended permit tcp any object ftpserver eq ftp                                                                            

access-list outside_access_in extended permit tcp any host 192.168.100.111 eq 3389                                                                               

access-list outside_access_in extended permit tcp any host 192.168.100.100 eq 5900                                                                               

access-list inside_access_out extended permit ip object FullAccess any                                                                     

access-list inside_in extended permit tcp any any eq smtp                                                        

access-list inside_in extended permit tcp any any eq pop3                                                        

access-list inside_in extended deny ip object DenyAccess any                                                           

access-list inside_in extended deny tcp object DenyAccess any eq www                                                                   

access-list inside_in extended permit tcp any any eq www                                                       

pager lines 24             

logging enable             

logging asdm informational                         

mtu outside 1500               

mtu inside 1500              

mtu management 1500                  

icmp unreachable rate-limit 1 burst-size 1                                         

asdm image disk0:/asdm-631.bin                             

asdm history enable                  

arp timeout           

!

object network obj-any                     

nat (inside,outside) dynamic interface                                      

object network ftpserver                       

nat (inside,outside) static interface service tcp ftp ftp                                                         

object network remote_desktop                            

nat (inside,outside) static interface service tcp 3389 3389                                                           

object network remote_vnc                        

nat (inside,outside) static interface service tcp 5900 5900                                                           

object network FullAccess                        

nat (inside,outside) dynamic interface                                      

object network DenyAccess                        

nat (inside,outside) dynamic interface                                      

access-group outside_access_in in interface outside                                                  

route outside 0.0.0.0 0.0.0.0 10.0.0.1 1                                       

route inside 192.168.88.160 255.255.255.224 172.16.17.1 1                                                       

route inside 192.168.100.0 255.255.255.0 172.16.17.1 1                                                     

timeout xlate 3:00:00                    

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02                                                                

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00                                                                             

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00                                                                              

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute                                                           

timeout tcp-proxy-reassembly 0:01:00                                   

dynamic-access-policy-record DfltAccessPolicy                                            

aaa authentication ssh console LOCAL                                   

http server enable                 

http 192.168.1.0 255.255.255.0 management                                        

http authentication-certificate inside                                     

http authentication-certificate management                                         

no snmp-server location                      

no snmp-server contact                     

snmp-server enable traps snmp authentication linkup linkdown coldstart                                                                     

crypto ipsec security-association lifetime seconds 28800                                                       

crypto ipsec security-association lifetime kilobytes 4608000                                                           

telnet timeout 5               

ssh 192.168.100.0 255.255.255.0 inside                                     

ssh timeout 5            

console timeout 0                

threat-detection basic-threat                            

threat-detection statistics host                               

threat-detection statistics port                               

threat-detection statistics protocol                                   

threat-detection statistics access-list                                      

no threat-detection statistics tcp-intercept                                           

webvpn     

username admin password ******************* encrypted privilege 15                                                              

!

class-map type regex match-any URL                                 

match regex url1                

match regex url2                

class-map type inspect http match-all class3                                           

match request header host regex class URL                                         

class-map inspection_default                           

match default-inspection-traffic                                

class-map classhttp                  

match access-list inside_in                           

!

!

policy-map type inspect dns preset_dns_map                                         

parameters          

  message-length maximum client auto                                   

  message-length maximum 512                           

policy-map global_policy                       

class inspection_default                        

  inspect dns preset_dns_map                           

  inspect ftp            

  inspect h323 h225                  

  inspect h323 ras                 

  inspect rsh            

  inspect rtsp             

  inspect esmtp              

  inspect sqlnet               

  inspect skinny               

  inspect sunrpc               

  inspect xdmcp              

  inspect sip            

  inspect netbios                

  inspect tftp             

  inspect ip-options                   

class classhttp               

policy-map type inspect http po-http                                   

parameters

class class3

  drop-connection log

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:9840729fa36cada0607c53d61352fa25

: end

ASA5510#

I configured it as julomban said, but it doesn't work when I completed the configuration and checked. It means it still accesses the internet from any IP address.

jerrybu01
Level 1

I want to configure it like my request but I can't. Who can help me?

I configured it but it doesn't work:

ASA5510(config)# object network FullAccess

ASA5510(config-network-object)# range 192.168.172.1 192.168.172.25

ASA5510(config-network-object)# nat (inside,outside) dynamic interface

ASA5510(config-network-object)# access-list inside_access_out permit ip object FullAccess any

ASA5510(config)# object network DenyAccess

ASA5510(config-network-object)# range 192.168.172.26 192.168.172.254

ASA5510(config-network-object)# nat (inside,outside) dynamic interface

ASA5510(config-network-object)# access-list inside_in permit tcp any any eq 25

ASA5510(config)# access-list inside_in permit tcp any any eq 110

ASA5510(config)# access-list inside_in deny ip object DenyAccess any

ASA5510(config)# regex url1 "vn\.net"

ASA5510(config)# regex url2 "cisco\.com"

ASA5510(config)# class-map type regex match-any URL

ASA5510(config-cmap)# match regex url1

ASA5510(config-cmap)# match regex url2

ASA5510(config)# class-map type inspect http match-all class3

ASA5510(config-cmap)# match request header host regex class URL

ASA5510(config-cmap)# access-list inside_in extended deny tcp object DenyAcces any

ASA5510(config)# access-list inside_in extended permit tcp any any eq 80

ASA5510(config)# class-map classhttp

ASA5510(config-cmap)# match access-list inside_in

ASA5510(config-cmap)# policy-map type inspect http po-http

ASA5510(config-pmap)# parameters

ASA5510(config-pmap-p)# class class3

ASA5510(config-pmap-c)# drop-connection log

ASA5510(config-pmap-c)# policy-map global_policy

ASA5510(config-pmap)# class classhttp

ASA5510(config-pmap-c)# service-policy global_policy global

WARNING: Policy map global_policy is already configured as a service policy

ASA5510(config)#

jocamare
Level 4

Make it look like this:

object network Full-internet-Access

range 192.168.172.1 192.168.172.25

nat (inside,outside) dynamic interface

object network Deny-internet-Access

range 192.168.172.26 192.168.172.254

nat (inside,outside) dynamic interface

access-list inside_in permit tcp any any eq 25

access-list inside_in permit tcp any any eq 110

access-list inside_in permit tcp any any eq 80

access-list Inside_in permit ip object Full-internet-Access any

access-list Inside_in deny ip object Deny-internet-Access any [optional]

access-group inside_in in interface inside

regex url1 "vnexpress\.net"

regex url2 "tuoitre\.net"

regex url3 "vdict\.com"

regex url4 "translate\.google\.com\.vn"

class-map type inspect http match-any block-url-class 

match request header host regex url1

match request header host regex url2

match request header host regex url3

match request header host regex url4

policy-map type inspect http block-url-policy 

parameters 

  class block-url-class  

   drop-connection log

policy-map global_policy 

class inspection_default  

inspect http block-url-policy

Note: this doesn't work for HTTPS traffic.
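The following is an added example, not jocamare's configuration and not Cisco's inspection engine. It models what the block-url-class above does to a connection: pull the Host header out of a cleartext HTTP request, test it against the four regex strings in match-any fashion, and drop on a hit. It assumes the ASA regex is an unanchored search (so url1 also hits www.vnexpress.net) and uses constructed requests and a placeholder TLS record; the TLS case is there to show why the note holds, since the Host header is inside the encrypted payload and there is nothing for the HTTP inspector to match.

```python
import re
from typing import Dict, Optional

# Regex strings from the reply, as they would be given to the ASA `regex` command
# (straight quotes assumed; the forum rendered some of them with curly quotes).
URL_PATTERNS: Dict[str, str] = {
    "url1": r"vnexpress\.net",
    "url2": r"tuoitre\.net",
    "url3": r"vdict\.com",
    "url4": r"translate\.google\.com\.vn",
}


def parse_host(request: bytes) -> Optional[str]:
    """Return the Host header of a cleartext HTTP/1.x request, or None if absent."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def class_matches(host: str, patterns: Dict[str, str] = URL_PATTERNS) -> Optional[str]:
    """match-any class-map: return the name of the first regex that hits, else None.
    Assumption (mine, not stated on the page): the ASA match is an unanchored search."""
    for name, pat in patterns.items():
        if re.search(pat, host, re.IGNORECASE):
            return name
    return None


def inspect_http(payload: bytes, tls: bool = False) -> str:
    """Decision of block-url-policy for one connection: 'drop' (drop-connection log) or 'pass'.
    With tls=True the payload is an encrypted TLS record: the Host header is not visible,
    so the inspector has nothing to match and the connection passes."""
    if tls:
        return "pass"
    host = parse_host(payload)
    if host is None:
        return "pass"
    return "drop" if class_matches(host) else "pass"


# Constructed sample traffic.
BLOCKED_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.vnexpress.net\r\nUser-Agent: test\r\n\r\n"
ALLOWED_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TLS_RECORD = b"\x16\x03\x01\x00\x2a" + b"\x00" * 42   # placeholder ClientHello bytes, not parsed


if __name__ == "__main__":
    print("cleartext blocked site:", inspect_http(BLOCKED_REQUEST))        # drop
    print("cleartext other site:  ", inspect_http(ALLOWED_REQUEST))        # pass
    print("same site over HTTPS:  ", inspect_http(TLS_RECORD, tls=True))   # pass
    # Why the dot is escaped in the regex commands: an unescaped "." also matches unrelated hosts.
    print(bool(re.search(r"vnexpress\.net", "vnexpress-net")), bool(re.search("vnexpress.net", "vnexpress-net")))
```

The last print line is the reason the patterns carry `\.`: with a bare `.` the class would also fire on hosts such as vnexpress-net, which is a false positive a filter should not produce.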

First, thank you jocamare!

So if I want to configure it for HTTPS traffic, what can I do?

Hi jocamare,

I configured it like above, but the ASA blocked all traffic from IP range 192.168.172.0/24.

My request:

Range 1: 192.168.172.1 to 192.168.172.25, allow full internet

Range 2: 192.168.172.26 to 192.168.172.254, deny internet but allow some web pages, email, HTTPS

Provide the config.

The requests should be fulfilled now.

The only "tricky" part will be to configure regex.

I configured the ASA like this:

ASA5510# show run                

: Saved      

:

ASA Version 8.3(1)                 

!

hostname ASA5510               

domain-name lhoi.local                      

enable password ************************* encrypted                                         

passwd ***************** encrypted                                

names    

!

interface Ethernet0/0                    

description Connect_to_Modem                            

nameif outside              

security-level 0                

ip address 10.0.0.2 255.255.255.0                                 

!

interface Ethernet0/1                    

description Connect_to_Router                                

nameif inside             

security-level 100                  

ip address 172.16.17.2 255.255.255.240                                      

!

interface Ethernet0/2                    

shutdown        

no nameif         

no security-level                 

no ip address             

!

interface Ether             

shutdown        

no nameif         

no security-level                 

no ip address             

!

interface Management0/0                      

description Management                      

nameif management                 

security-level 100                  

ip address 192.168.1.1 255.255.255.0                                    

!

ftp mode passive               

clock timezone ICT 7                   

dns server-group DefaultDNS                          

domain-name lohoi.local                       

object network obj-any                     

subnet 0.0.0.0 0.0.0.0                      

object network ftpserver                       

host 192.168.172.90                  

description FTP server                      

object network remote_desktop                            

host 192.168.172.4                  

object network remote_vnc                        

host 192.168.172.2                  

access-list 101 extended permit icmp                                    

access-list 101 extended permit icmp any any echo-reply                                                      

access-list 101 extended permit tcp any any                                          

access-list outside_access_in extended permit tcp any object ftpserver eq ftp                                                                            

access-list outside_access_in extended permit tcp any host 192.168.172.4 eq 3389                                                            

access-list outside_access_in extended permit tcp any host 192.168.172.2 eq 5900                                                                         

pager lines 24             

logging enable             

logging asdm informational                         

mtu outside 1500               

mtu inside 1500              

mtu management 1500                  

icmp unreachable rate-limit 1 burst-size 1                                         

asdm image disk0:/asdm-6                      

asdm history enable                  

arp timeout 14400                

!

object network obj-any                     

nat (inside,outside) dynamic interface                                      

object network ftpserver                       

nat (inside,outside) static interface service tcp ftp ftp                                                         

object network remote_desktop                            

nat (inside,outside) static interface service tcp 3389 3389                                                           

object network remote_vnc                        

nat (inside,outside) static interface service tcp 5900 5900                                                           

access-group outside_access_in in interface outside                                                  

route outside 0.0.0.0 0.0.0.0 10.0.0.1 1                                                                                               

route inside 192.168.172.0 255.255.255.0 172.16.17.1 1                                                     

timeout xlate 3:00:00                    

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02                                                                

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00                                                                             

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00                                                                              

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute                                                           

timeout tcp-proxy-reassembly 0:01:00                                   

dynamic-access-policy-record DfltAccessPolicy                                            

aaa authentication ssh console LOCAL                                   

http server enable                 

http 192.168.1.0 255.255.255.0 management                                        

http authentication-certificate inside                                     

http authentication-certificate management                                         

no snmp-server location                      

no snmp-server contact                     

snmp-server enable traps snmp authentication linkup linkdown coldstart                                                                     

crypto ipsec security-association lifetime seconds 28800                                                       

crypto ipsec security-association lifetime kilobytes 4608000                                                           

telnet timeout 5               

ssh 192.168.100.0 255.255.255.0 inside                                     

ssh timeout 5            

console timeout 0                

threat-detection basic-threat                            

threat-detection statistics host                               

threat-detection statistics port                               

threat-detection statistics protocol                                   

threat-detection statistics access-list                                      

no threat-detection statistics tcp-intercept                                           

webvpn     

username admin password ******************** encrypted privilege 15                                                              

!

class-map inspection_default                           

match default-inspection-traffic                                

!

!

policy-map type inspect dns preset_dns_map                                         

parameters          

  message-length maximum client auto                                   

  message-length maximum 512                           

policy-map global_policy                       

class inspection_default                        

  inspect dns preset_dns_map                           

  inspect ftp            

  inspect h3         

  inspect h323 ras                 

  inspect rsh            

  inspect rtsp             

  inspect esmtp              

  inspect sqlnet               

  inspect skinny               

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:d7c6f9217fa2d00bd82c3d3db72bd691

: end

ASA5510#

After that I configured more to allow the request:

object network FullAccess

range 192.168.172.1 192.168.172.25

nat (inside,outside) dynamic interface

object network DenyAccess

range 192.168.172.26 192.168.172.254

nat (inside,outside) dynamic interface

access-list inside_in permit tcp any any eq 25

access-list inside_in permit tcp any any eq 110

access-list inside_in permit tcp any any eq 80

access-list Inside_in permit ip object FullAccess any

access-list Inside_in deny ip object DenyAccess any

access-group inside_in in interface inside

regex url1 "vdict\.com"

regex url2 "translate\.google\.com\.vn"

regex url3 "lienhoagroup\.com"

regex url4 "forevergreenresort\.com"

class-map type inspect http match-any block-url-class

match request header host regex url1

match request header host regex url2

match request header host regex url3

match request header host regex url4

policy-map type inspect http block-url-policy

parameters

  class block-url-class 

   drop-connection log

policy-map global_policy

class inspection_default 

inspect http block-url-policy

--> After I configured it completely, all my traffic was blocked from accessing the internet. I think a few points are wrong? I don't know how to complete it. Help me!

Make sure to allow DNS traffic out in the Access-list.

access-list inside_in permit tcp any any eq 25

access-list inside_in permit tcp any any eq 110

access-list inside_in permit tcp any any eq 80

access-list inside_in permit tcp any any eq 53

access-list inside_in permit udp any any eq 53

access-list Inside_in permit ip object FullAccess any

access-list Inside_in deny ip object DenyAccess any

The internet allows all traffic when I configured it as above.

I think:

Using the access-list for traffic classification in this context is not the idea of that policy setting. Should I permit the traffic classification I want affected (i.e. ban some sites)? Or can the ASA 5510 not be configured like that?

Final tweak, make it look like this:

regex url1 "\vdict\.com"

regex url2 "\translate\.google\.com\.vn"

regex url3 "\lienhoagroup\.com"

regex url4 "\forevergreenresort\.com"

Just modify this, leave the rest as it is.

I can't solve my problem; I think we can configure it to use web filtering.

But to block the page, you have to know its IP (WAN IP), which is very difficult when the page has a lot of public IPs.

I want to block by domain name; can I configure it? I am using ASDM 6.3 for the ASA.
