I have the following ACL below applied to inside interface in the outbound direction but it is not blocking ports I want it to currently.
Not sure what I'm fundamentally missing in order to make this work. Can someone provide suggestions?
ASA5505 Ver 8.3(2)
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-192.168.60.0
 subnet 192.168.60.0 255.255.255.0
object network obj-192.168.61.0
 subnet 192.168.61.0 255.255.255.0
object service Microsoft-DS
 service tcp destination eq 445
 description Microsoft-DS
object network obj_192.168.61.4
 host 192.168.61.4
 description Inside_Interface_IP
object-group service sslvpn-denied-protocols
 description Deny SSLVPN user access to these services
 service-object object Microsoft-DS
 service-object tcp-udp destination eq cifs
 service-object tcp destination eq ftp
 service-object tcp destination eq ftp-data
 service-object tcp destination eq imap4
 service-object tcp destination eq netbios-ssn
 service-object tcp destination eq pop2
 service-object tcp destination eq pop3
 service-object tcp destination eq smtp
 service-object udp destination eq nameserver
 service-object udp destination eq netbios-dgm
 service-object udp destination eq netbios-ns
nat (inside,any) source static obj-192.168.61.0 obj-192.168.61.0 destination static obj-192.168.60.0 obj-192.168.60.0
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_out out interface inside
access-list inside_access_out extended deny object-group sslvpn-denied-protocols object obj_any 192.168.61.0 255.255.255.0
access-list inside_access_out extended permit ip any 192.168.61.0 255.255.255.0
!
interface Vlan1
 description Internal UD LAN
 nameif inside
 security-level 100
 ip address 192.168.61.4 255.255.255.0
Thanks in advance.
I'm not very familiar with the ACL syntax in 8.3 yet but just a note:
access-list inside_access_out extended deny object-group sslvpn-denied-protocols object obj_any 192.168.61.0 255.255.255.0
Isn't the object-group that you want to deny for services specified as the source here?
I mean... normally it would be like this:
access-list inside_access_out extended deny object obj_any 192.168.61.0 255.255.255.0 object-group sslvpn-denied-protocols
So that the denied services are the destination ports (not the source ports).
I'm not sure on this one, but you can give it a try.
It appears that you need to change the source and destination on this ACL
access-list inside_access_out extended deny object-group sslvpn-denied-protocols 192.168.61.0 255.255.255.0 object obj_any
as this line below
nat (inside,any) source static obj-192.168.61.0 obj-192.168.61.0 destination static obj-192.168.60.0 obj-192.168.60.0
indicates that the n/w 192.168.61.0 lives on the inside.
I'm sorry I didn't specify context. The ASA is setup as an SSLVPN. I want to block traffic to certain ports like FTP, NetBIOS, SMTP on the 192.168.61.0/24 inside network for the SSL VPN clients.
SSL VPN User ---------Internet------ASA5505---Internal LAN--192.168.61.0/24
I want to block SSL VPN users from getting certain services on the LAN behind the ASA5505 so I thought I would deny these services as outbound on the Inside ASA interface.
Does that make more sense? Thanks for the replies. Jon
I guess that makes sense yes, but the recommended way to block traffic inside a tunnel is by creating ACLs and applying them to the group-policy used by the clients.
You can configure them via ASDM or CLI under the group-policy with the vpn-filter command and associate the ACL.
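As an added example of the vpn-filter approach (this is not config posted by anyone in this thread): it reuses the sslvpn-denied-protocols service group from the original post, and assumes a VPN address pool of 192.168.70.0/24 and the names SSLVPN-POOL, SSLVPN-FILTER and SSLVPN-GP, none of which appear in the thread. A vpn-filter ACL is written from the remote user's point of view, so the source is the VPN client address and the destination is the LAN behind the ASA; the ASA applies it to traffic in both directions and, like any ACL, it ends in an implicit deny, so the final permit is required or the clients lose all access.

```cisco
! Assumed: addresses handed to SSL VPN clients (must not overlap 192.168.61.0/24)
object-group network SSLVPN-POOL
 network-object 192.168.70.0 255.255.255.0
!
! Filter is written as client -> LAN; service group carries the destination ports
access-list SSLVPN-FILTER extended deny object-group sslvpn-denied-protocols object-group SSLVPN-POOL 192.168.61.0 255.255.255.0
access-list SSLVPN-FILTER extended permit ip object-group SSLVPN-POOL 192.168.61.0 255.255.255.0
!
! Assumed group-policy name; attach the filter to the policy the SSL VPN users land in
group-policy SSLVPN-GP attributes
 vpn-filter value SSLVPN-FILTER
```

Two checks after applying it: `show vpn-sessiondb` (detail for the user) confirms which group-policy the client actually received, and `show access-list SSLVPN-FILTER` shows the hit counters climbing on the deny lines while a client tries, say, TCP/445 against a host in 192.168.61.0/24. Also note that with `sysopt connection permit-vpn` in effect (the ASA default) decrypted VPN traffic bypasses the interface access lists, which is why the interface ACL in the original post is not the right place for this control and the vpn-filter is.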