cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
448
Views
0
Helpful
4
Replies

Inside interface outbound ACL applied but not blocking traffic

pattyj
Beginner
Beginner

I have the following ACL below applied to inside interface in the outbound direction but it is not blocking ports I want it to currently.

Not sure what I'm fundamentally missing in order to make this work.  Can someone provide suggestions?

ASA5505 Ver 8.3(2)


object network obj_any
subnet 0.0.0.0 0.0.0.0

object network obj-192.168.60.0
subnet 192.168.60.0 255.255.255.0

object network obj-192.168.61.0
subnet 192.168.61.0 255.255.255.0

object service Microsoft-DS
service tcp destination eq 445
description Microsoft-DS

object network obj_192.168.61.4
host 192.168.61.4
description Inside_Interface_IP

object-group service sslvpn-denied-protocols
description Deny SSLVPN user access to these services
service-object object Microsoft-DS
service-object tcp-udp destination eq cifs
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
service-object tcp destination eq imap4
service-object tcp destination eq netbios-ssn
service-object tcp destination eq pop2
service-object tcp destination eq pop3
service-object tcp destination eq smtp
service-object udp destination eq nameserver
service-object udp destination eq netbios-dgm
service-object udp destination eq netbios-ns


nat (inside,any) source static obj-192.168.61.0 obj-192.168.61.0 destination static obj-192.168.60.0 obj-192.168.60.0
!
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_out out interface inside

access-list inside_access_out extended deny object-group sslvpn-denied-protocols object obj_any 192.168.61.0 255.255.255.0
access-list inside_access_out extended permit ip any 192.168.61.0 255.255.255.0

!
interface Vlan1
description Internal UD LAN
nameif inside
security-level 100
ip address 192.168.61.4 255.255.255.0

Thanks in advance.

Jon

4 REPLIES 4

Hi Jon,

I'm not very familiar with the ACL syntax in 8.3 yet but just a note:

access-list inside_access_out extended deny object-group sslvpn-denied-protocols object obj_any 192.168.61.0 255.255.255.0

Isn't the object-group that you want to deny for services specified as the source here?

I mean... normally it would be like this:

access-list inside_access_out extended deny  object obj_any 192.168.61.0 255.255.255.0 object-group sslvpn-denied-protocols

So that the denied server are the destination ports (not the source ports).

I'm not sure on this one, but you can give it a try..

Federico.

It appears that you need to change the source and destination on this ACL

access-list inside_access_out extended deny object-group sslvpn-denied-protocols  192.168.61.0 255.255.255.0 object obj_any

as this line below

nat (inside,any) source static obj-192.168.61.0 obj-192.168.61.0 destination static obj-192.168.60.0 obj-192.168.60.0

indicates that the n/w 192.168.61.0 lives on the inside.

-KS

Hi,

I'm sorry I didn't specify context.  The ASA is setup as an SSLVPN.  I want to block traffic to certain ports like FTP, NetBIOS, SMTP on the 192.168.61.0/24 inside network for the SSL VPN clients.

SSL VPN User ---------Internet------ASA5505---Internal LAN--192.168.61.0/24

I want to block SSL VPN users from getting certain services on the LAN behind the ASA5505 so I thought I would deny these services as outbound on the Inside ASA interface.

Does that make more sense?  Thanks for the replies.  Jon

Jon,

I guess that makes sense yes, but the recommended way to block traffic inside a tunnel is by creating ACLs and applying them to the group-policy used by the clients.

You can configure them via ASDM or CLI under the group-policy with the command ''vpn-filter'' and associate the ACL.

Federico.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: