12-05-2016 06:43 AM - edited 03-12-2019 01:37 AM
Dear all,
I need to stop clients from accessing Cpanel ports outside our network.
The issue we have is that our home page is hosted by an external company and they use Cpanel to do that.
At the moment, our homepage is down because our outside IP address (which is our ASA firewall's outside IP) has been blocked by their system, and according to them, some or a lot of our clients (we are an exhibition centre) tried to attack their system from inside our network (I don't believe this but I need to do what they asked me to do).
Now, we have over 200 internal VLANs, which are all in use, and we need to stop clients from attacking their system, so we have to block cPanel ports in our firewall (they asked for ports 2082 and 2095 to be blocked, so clients within our network can't access their system).
I would need help to do this, just to make sure I am not doing anything wrong in our ASAs (we have 2, primary and fail-over).
I tried to do it by using ASDM but couldn't get the option to specify the direction (it should be from inside to outside).
Our ASAs have 8.2 FW and I would really prefer to use ASDM to configure this task (not CLI).
Many thanks in advance.
Madona
12-05-2016 04:03 PM
Hi Madona,
I would suggest the following;
You will need to define this on your inside interface.
In ASDM;
Configuration > Firewall > Access Rules
The ACL you require to append to is named "inside".
You will need to add a new Access Control Entry (ACE) with your criteria mentioned;
Select whether the ACE is to permit or deny. In your instance, you require a "deny"
Source: The individual hosts or subnets within the 200 VLANs mentioned that require to be denied
Destination: The IP address, subnet or fully qualified domain name (FQDN) the CPanel servers you require to block.
Protocol: The TCP/UDP port or protocol suite you require to match.
In your instance, this will be; tcp/2082, tcp/2095
Finally, append some notes to the ACE to remind yourself and other firewall administrators the purpose of the ACE.
*Ensure the ACE is placed at the top of the "inside" ACL. Firstly, this is good practice to aid packet performance by ensuring the firewall doesn't have to trawl through loads of ACEs before it finds a match, and lastly to ensure a higher permit ACL prevents your deny ACE being matched.
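For readers who want to check what ASDM will push to the box, the following is the ASA 8.2 CLI equivalent of the steps above. This is an added example, not configuration from the thread or from Cisco; it assumes the inbound ACL on the inside interface is named "inside" (as the answer states), uses 203.0.113.10 as a placeholder for the hoster's cPanel address, and uses "any" as the source so all 200 internal VLANs are covered without listing each one.

```cisco
! Added example (not from the thread). ASA 8.2 CLI equivalent of the ASDM steps.
! Assumptions: inside ACL is named "inside"; 203.0.113.10 is a PLACEHOLDER for
! the hoster's cPanel host; source "any" covers every internal VLAN.

! Group the two cPanel ports the hoster asked to have blocked
object-group service CPANEL-PORTS tcp
 port-object eq 2082
 port-object eq 2095

! Insert at the top of the ACL so no earlier permit entry matches first.
! A remark is a line too, so the deny itself goes in as line 2.
! "log" records every hit, which shows you which internal hosts are actually
! trying to reach cPanel (useful evidence when replying to the hoster).
access-list inside line 1 remark Block cPanel 2082/2095 to external hoster - change ticket here
access-list inside line 2 extended deny tcp any host 203.0.113.10 object-group CPANEL-PORTS log

! The ACL must be applied inbound on the inside interface (no-op if already applied)
access-group inside in interface inside

! Verification: confirm the ordering and watch the hit count climb,
! then simulate a client (constructed sample address) going to cPanel
show access-list inside
packet-tracer input inside tcp 10.10.10.25 40000 203.0.113.10 2082
```

After applying, packet-tracer should report the drop in the ACCESS-LIST phase; if it reports allow, an earlier permit entry in the ACL is shadowing the deny and the line number needs lowering. Run the same check on the fail-over unit (or confirm the config synced) before telling the hoster the block is in place.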
12-06-2016 01:00 AM
Many thanks Mattjohns03 for that, excellent, you are a star.
Madona
12-06-2016 02:28 AM
You are most welcome,
please mark the question as answered/resolved if this does resolve your request.