Inside interface outbound ACL applied but not blocking traffic

pattyj (Level 1)

I have the following ACL applied to the inside interface in the outbound direction, but it is currently not blocking the ports I want it to.

Not sure what I'm fundamentally missing in order to make this work. Can someone provide suggestions?

ASA5505 Ver 8.3(2)


object network obj_any
subnet 0.0.0.0 0.0.0.0

object network obj-192.168.60.0
subnet 192.168.60.0 255.255.255.0

object network obj-192.168.61.0
subnet 192.168.61.0 255.255.255.0

object service Microsoft-DS
service tcp destination eq 445
description Microsoft-DS

object network obj_192.168.61.4
host 192.168.61.4
description Inside_Interface_IP

object-group service sslvpn-denied-protocols
description Deny SSLVPN user access to these services
service-object object Microsoft-DS
service-object tcp-udp destination eq cifs
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
service-object tcp destination eq imap4
service-object tcp destination eq netbios-ssn
service-object tcp destination eq pop2
service-object tcp destination eq pop3
service-object tcp destination eq smtp
service-object udp destination eq nameserver
service-object udp destination eq netbios-dgm
service-object udp destination eq netbios-ns


nat (inside,any) source static obj-192.168.61.0 obj-192.168.61.0 destination static obj-192.168.60.0 obj-192.168.60.0
!
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_out out interface inside

access-list inside_access_out extended deny object-group sslvpn-denied-protocols object obj_any 192.168.61.0 255.255.255.0
access-list inside_access_out extended permit ip any 192.168.61.0 255.255.255.0

!
interface Vlan1
description Internal UD LAN
nameif inside
security-level 100
ip address 192.168.61.4 255.255.255.0

Thanks in advance.

Jon

4 Replies

Hi Jon,

I'm not very familiar with the ACL syntax in 8.3 yet but just a note:

access-list inside_access_out extended deny object-group sslvpn-denied-protocols object obj_any 192.168.61.0 255.255.255.0

Isn't the object-group that you want to deny for services specified as the source here?

I mean... normally it would be like this:

access-list inside_access_out extended deny  object obj_any 192.168.61.0 255.255.255.0 object-group sslvpn-denied-protocols

So that the denied services are the destination ports (not the source ports).

I'm not sure on this one, but you can give it a try.

Federico.

It appears that you need to change the source and destination on this ACL

access-list inside_access_out extended deny object-group sslvpn-denied-protocols  192.168.61.0 255.255.255.0 object obj_any

as this line below

nat (inside,any) source static obj-192.168.61.0 obj-192.168.61.0 destination static obj-192.168.60.0 obj-192.168.60.0

indicates that the n/w 192.168.61.0 lives on the inside.

-KS

Hi,

I'm sorry I didn't specify the context. The ASA is set up as an SSL VPN gateway. I want to block traffic to certain ports like FTP, NetBIOS and SMTP on the 192.168.61.0/24 inside network for the SSL VPN clients.

SSL VPN User ---------Internet------ASA5505---Internal LAN--192.168.61.0/24

I want to block SSL VPN users from getting certain services on the LAN behind the ASA5505 so I thought I would deny these services as outbound on the Inside ASA interface.

Does that make more sense? Thanks for the replies. Jon

Jon,

I guess that makes sense yes, but the recommended way to block traffic inside a tunnel is by creating ACLs and applying them to the group-policy used by the clients.

You can configure them via ASDM or CLI under the group-policy with the command "vpn-filter" and associate the ACL.

Federico.
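As an added example (not config from the thread), this is what Federico's suggestion looks like on the CLI, reusing Jon's existing sslvpn-denied-protocols object-group. The group-policy name SSLVPN_GP and the ACL name sslvpn_filter are assumed; substitute the group-policy your SSL VPN clients actually land in.

```cisco
! Added example: filter SSL VPN clients with a vpn-filter on their group-policy
! rather than with an interface ACL. By default (sysopt connection permit-vpn)
! decrypted VPN traffic bypasses interface ACLs, so inside_access_out never
! sees it; a vpn-filter is evaluated for tunnel traffic regardless.
!
! A vpn-filter ACL is written with the VPN client as the source and the LAN as
! the destination; the ASA also checks the return traffic against it.
! In 8.3 syntax an object-group that holds service-objects (protocol + port)
! goes in the protocol position of the ACE.
access-list sslvpn_filter extended deny object-group sslvpn-denied-protocols any 192.168.61.0 255.255.255.0
access-list sslvpn_filter extended permit ip any 192.168.61.0 255.255.255.0
!
! Assumed group-policy name; attach the ACL to the policy the SSL VPN users get.
group-policy SSLVPN_GP attributes
 vpn-filter value sslvpn_filter
!
! Do not also bind sslvpn_filter with access-group; Cisco documents that a
! vpn-filter ACL must not double as an interface ACL.
! Check it is taking effect from a connected client:
!   show access-list sslvpn_filter      (hit counts on the deny ACEs should rise)
!   show vpn-sessiondb anyconnect       (confirms which group-policy the session uses)
```

Because the filter is tied to the group-policy, traffic from LAN hosts to each other is untouched, which the interface ACL on inside would also have affected.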