Solved: Hi Madona,

madonamadona · ‎12-05-2016

Dear all,

I need to stop clients from accessing Cpanel ports outside our network.

The issue we have is that our home page is hosted by an external company and they use Cpanel to do that.

At the moment, our homepage is down because our outside IP-Address, which is our ASA firewall-outside IP) has been blocked by their system and according to them, some or a lot of our clients (we are an exhibition centre) tried to attack their system from inside our network (I don't believe this but I need to do what they asked me to do).

Now, we have over 200 internal Vlans, which are all in use and we need to stop clients from attacking their system, so we have to block cpanel ports in our firewall (they asked for port 2082 and 2095 to be blocked, so clients within our network ca't access their system.

I would need help to do this, just to make sure I am not doing anything wrong in our ASAs (we have 2, primary and fail-over).

I tried to do it by using ASDM but couldn't get the option to specify the direction (it should be from inside to outside).

Our ASAs have 8.2 FW and I would really prefer to use ASDM to configure this task (not CLI)

Many thanks in advance.

Madona

mattjones03 · ‎12-05-2016

Hi Madona,

I would suggest the following;

You will need to define this on your inside interface.

In ASDM;

Configuration > Firewall > Access Rules

The ACL you require to append to is named "inside".

You will need to add a new Access Control Entry (ACE) with your criteria mentioned;

Select whether the ACE is to permit or deny. In your instance, you require a "deny"

Source: The individual hosts or subnets within the 200 VLANs mentioned that require to be denied

Destination: The IP address, subnet or fully qualified domain name (FQDN) the CPanel servers you require to block.

Protocol: The TCP/UDP port or protocol suite you require to match.

In your instance, this will be; tcp/2082, tcp/2095

Finally, append some notes to the ACE to remind yourself and other firewall administrators the purpose of the ACE.

*Ensure the ACE is placed at the top of the "inside" ACL. Firstly this is good practice to aid packet performance by ensuring the firewall doesn't have to trailing through loads of ACE's before it finds a match, and lastly to ensure a higher permit ACL prevents your deny ACE being matched.

View solution in original post

mattjones03 · ‎12-05-2016