10-21-2010 02:13 AM - edited 03-11-2019 11:58 AM
Dear Members,
One of my clients just acquired a Cisco ASA firewall, and they would like to restrict internet access; that is, they want to block internet for junior employees while management remains connected. Looking at the situation, the ASA serves as the gateway.
I tried an access list like the one below for one PC to test if it works, but instead everyone just went off; maybe I misfired somewhere.
Access-list 110 deny tcp any host 192.168.20.100 eq www
Access-list 110 deny tcp any host 192.168.20.100 eq 443
Access-list 110 permit tcp any any eq www
Access-list 110 permit tcp any any eq 443
access-group 110 in interface inside
I will appreciate all your help. Thanks.
10-21-2010 02:37 AM
The first 2 lines of the access-list should be as follows:
Access-list 110 deny tcp host 192.168.20.100 any eq www
Access-list 110 deny tcp host 192.168.20.100 any eq 443
However, based on the current access-list that you have configured, access to the internet should not be broken at all.
One possibility is that you are using an external DNS server, and if this is correct, you would need to allow DNS requests outbound as well.
access-list 110 permit udp any any eq 53
Furthermore, once you create an access-list, there will be an implicit deny at the end of it; therefore, any other traffic needs to be explicitly permitted.
Example: if you have a mail server internally, you would need to allow the SMTP/mail traffic outbound; otherwise, no one can send email out.
At the moment, based on the 4 lines of access-list (after modifying the first 2 lines as specified above), only web access (HTTP and HTTPS) will be denied for 192.168.20.100, and everyone else will only have HTTP and HTTPS access.
Hope that makes sense.
10-21-2010 03:03 AM
OK, I think I am being silly.
You talked about SMTP, but I had taken care of it; I surely was not figuring out a way of restricting internet. Here is my running config as of now, but without the lines shown earlier.
Also, the way the network was set up there are no proxies. Now that you put it that way, it looks like the number of people not allowed internet access is more than those who are allowed, and maybe I will have to enter those IPs one after the other since they are kind of scattered.
So is there a way I can just block the rest and then just punch in the few allowed to access?
Here is the config:
kla-fw-01# sh run
: Saved
:
ASA Version 7.0(8)
!
hostname kla-fw-01
enable password 2vR3Gt8cWNRFPvqV encrypted
passwd 0LddFM.OYPWuzZaF encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.40.31 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 199.199.199.14 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
access-list smtp extended permit ip any any
access-list all extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 199.199.199.0 255.255.255.0
static (inside,outside) tcp interface smtp 199.199.199.99 smtp netmask 255.255.255.255
static (inside,outside) tcp interface imap4 199.199.199.99 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 199.199.199.99 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface https 199.199.199.99 https netmask 255.255.255.255
static (inside,outside) tcp interface 995 199.199.199.99 995 netmask 255.255.255.255
static (inside,outside) tcp interface 993 199.199.199.99 993 netmask 255.255.255.255
static (inside,outside) tcp interface 465 199.199.199.99 465 netmask 255.255.255.255
access-group smtp in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.40.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 199.199.199.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:f3a3190192333c84ac6d946d2d16780f
: end
kla-fw-01#
Thanks once again.
10-21-2010 04:42 AM
Well, now you don't have any access-list configured at all on your inside interface, and your outside ACL is permitting everything inbound.
You can definitely allow a few and block everything else, but as advised earlier, there is an implicit "deny ip any any" once you configure an ACL; therefore, you would need to explicitly allow any traffic that you would like going outbound.
Assuming that you would like to allow web traffic for only a few people and block it for the rest, while still allowing outbound mail and DNS requests, here is the example:
access-list inside-acl permit udp any any eq 53
access-list inside-acl permit tcp host
access-list inside-acl permit tcp host
access-list inside-acl permit tcp host
The above ACL will allow the following:
1st line: outbound DNS requests
2nd line: outbound mail from the mail server
3rd line: outbound HTTP traffic from an IP address that is allowed HTTP access
4th line: outbound HTTPS traffic from an IP address that is allowed HTTPS access
Everything else will be denied going outbound.
11-02-2010 01:11 AM
Thank you very much, Halim.
It worked very well and I did not have any issues, but then after that I realised that I cannot ping outside any more. I normally use ping to test the internet connection, which I report to my ISP in case it drops. How do I enable that traffic?
Secondly, if I want to restrict again within the group of people allowed to access the internet, is there a way I can limit some of them to just a few websites related to the work they do?
Otherwise I am as happy as can be with your help. I don't know what I would have done without you.
George
11-03-2010 09:50 PM
To allow outbound ping, you can configure the following:
access-list inside-acl permit icmp any any
policy-map global_policy
class inspection_default
inspect icmp
There are a couple of methods that you can use to restrict a group of people to accessing only certain websites:
1) If you know the ip address of the websites, you can just configure access-list to only allow those users to access those ip addresses.
Example:
www.cisco.com's IP address is 198.133.219.25
You can configure the following ACL to allow access to only cisco.com:
access-list inside-acl permit tcp host
You can configure the same for other websites whose IP address you know, and/or if there is only 1 IP address associated with the website.
2) If there are multiple IP addresses associated with a website, for example google.com, then you can use regex (regular expressions) to allow/disallow access. However, this method is slightly more complicated and is only supported from version 7.2 onwards.
Here is a sample configuration for your reference:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
Hope that helps.
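As an added illustration (not code from the original thread, from Cisco, or from the original poster's configuration), the following Python script models how an ASA evaluates an access-list applied inbound on the inside interface: the access control entries are tried in order, the first match wins, and anything left over hits the implicit "deny ip any any". It replays the original poster's 4-line ACL (showing why the deny lines, written with the host as the destination, never matched the host's own outbound traffic and why DNS fell through to the implicit deny), the direction-corrected version with the DNS permit from the first reply, and a whitelist in the style of the accepted answer, including a host restricted to a single destination IP and the ICMP permit from the answer above. 199.199.199.99 is the mail server from the posted config and 198.133.219.25 is the cisco.com address quoted above; 199.199.199.50, .60 and .70, 192.168.20.101, 203.0.113.x and 8.8.8.8 are constructed sample values. The script models only the ACL, not NAT, stateful return traffic, or `inspect icmp`.

```python
"""
Toy first-match evaluator for Cisco ASA style access-lists.  Added example,
not Cisco code and not the original poster's configuration.  It models an ACL
applied "in" on the inside interface: ACEs are tried in order, the first match
wins, and unmatched traffic hits the implicit "deny ip any any".  NAT, stateful
return traffic and protocol inspection are not modelled.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "domain": 53}


@dataclass(frozen=True)
class Ace:
    text: str
    action: str             # "permit" or "deny"
    proto: str              # "ip", "tcp", "udp" or "icmp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]    # None means any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int = 0          # unused for icmp


def _addr(t: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Consume 'any', 'host A.B.C.D' or 'NETWORK MASK' starting at t[i]."""
    if t[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ip_network(t[i + 1] + "/32"), i + 2
    return ip_network(t[i] + "/" + t[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    i = 3 if t[2] == "extended" else 2
    action, proto = t[i], t[i + 1]
    src, i = _addr(t, i + 2)
    dst, i = _addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
    return Ace(line, action, proto, src, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l.strip()) for l in text.splitlines() if l.strip()]


def evaluate(acl: List[Ace], flow: Flow) -> Tuple[str, str]:
    """Return (action, matching ACE text) for a flow entering the inside interface."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if ip_address(flow.src) not in ace.src or ip_address(flow.dst) not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny ip any any"


# The poster's ACL as typed: "any host 192.168.20.100" only matches traffic going
# TO that host, so its own web traffic is still permitted by line 3, while DNS
# (udp/53) from everybody falls through to the implicit deny.
OP_ACL = parse_acl("""
access-list 110 deny tcp any host 192.168.20.100 eq www
access-list 110 deny tcp any host 192.168.20.100 eq 443
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 443
""")

# Source and destination swapped as in the first reply, plus the DNS permit.
FIXED_110 = parse_acl("""
access-list 110 deny tcp host 192.168.20.100 any eq www
access-list 110 deny tcp host 192.168.20.100 any eq 443
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 443
access-list 110 permit udp any any eq 53
""")

# Whitelist in the style of the accepted answer.  .99 is the mail server from the
# posted config and 198.133.219.25 the cisco.com address quoted in the thread;
# .50 (web allowed), .60 (one site only), .70 (junior) are constructed hosts.
WHITELIST = parse_acl("""
access-list inside-acl permit udp 199.199.199.0 255.255.255.0 any eq 53
access-list inside-acl permit tcp host 199.199.199.99 any eq smtp
access-list inside-acl permit tcp host 199.199.199.50 any eq www
access-list inside-acl permit tcp host 199.199.199.50 any eq 443
access-list inside-acl permit tcp host 199.199.199.60 host 198.133.219.25 eq www
access-list inside-acl permit icmp any any
""")

if __name__ == "__main__":
    flows = [Flow("udp", "199.199.199.70", "8.8.8.8", 53),       # constructed
             Flow("tcp", "199.199.199.70", "203.0.113.10", 80),
             Flow("tcp", "199.199.199.50", "203.0.113.10", 443),
             Flow("tcp", "199.199.199.60", "198.133.219.25", 80),
             Flow("tcp", "199.199.199.60", "203.0.113.10", 80),
             Flow("icmp", "199.199.199.70", "192.168.40.1")]
    for f in flows:
        action, why = evaluate(WHITELIST, f)
        print(f"{f.proto:4} {f.src:>15} -> {f.dst:>15}:{f.dport:<3} {action:6} ({why})")
```

Run it with `python3 acl_sim.py` to print the verdict and matching line for each sample flow; evaluating the same flows against `WHITELIST[:-1]` shows the outbound ping being dropped by the implicit deny before the `permit icmp any any` line is added, which is the symptom described in the follow-up post.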
11-05-2010 02:33 AM
Thank you again, Jenifer.
That fixed most of my issues. I think the last one is the VPN: I have a Cisco VPN Client, and now when the user tries to connect he gets an error, "Reason 412: The remote peer is no longer responding". I have tried to add an access list to allow ports 500, 510, and 62515, still no luck. Any help on this one?
George
11-05-2010 04:10 AM
Is the VPN Client terminating on the same ASA, or on a different device?
If it's terminating on the ASA, you don't need to configure any access-list. From the configuration posted earlier, I don't see any VPN being configured. Can you share the configuration?
11-05-2010 06:07 AM
I sent you the config in a private email.
George
11-09-2010 01:29 AM
Jenefer,
It has been resolved. I permitted port 10000 for that particular PC, then I went on the VPN client and did the same, letting it connect through TCP/UDP port 10000; that was it.
Thank you so much for your support.
11-09-2010 01:36 AM
Great to hear, George. Thanks for the update.
11-09-2011 04:58 AM
I hope you are doing well. You are familiar with my infrastructure. Lately we acquired a Cisco Profile 42 video conferencing unit, and now I need to get into the firewall and create a NAT or static route of sorts so that I can forward SIP and H.323 to the VC. I need your help on this.