Rule for Allowing Computer Access Microsoft

par13
Level 1

I have a computer behind the ASA 5505 firewall. The computer needs to access the Microsoft Activation Server. Reading some website information, I need to allow a huge list of servers that basically points to www and https traffic. Therefore, looking at these heavy requirements, I prefer to allow this computer to navigate to any https or http (www) server outside of the firewall. Below, I have included my current ASA 5505 configuration. Can you please tell me what needs to be added or so?

hostname ciscoasa
domain-name default.domain.invalid
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.2.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 170.18.18.132 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner motd
banner motd +......................-+
banner motd | |
banner motd | *** Unauthorized Use or Access Prohibited *** |
banner motd | |
banner motd | For Authorized Official Use Only |
banner motd | You must have explicit permission to access or |
banner motd | configure this device. All activities performed |
banner motd | on this device may be logged, and violations of |
banner motd | this policy may result in disciplinary action, and |
banner motd | may be reported to law enforcement authorities. |
banner motd | |
boot system disk0:/asa724-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network obj_any
object-group network microsoft-servers
network-object host 207.46.21.123
network-object host 4.26.252.126
network-object host 8.26.205.253
network-object host 8.27.149.126
network-object host 65.55.58.195
network-object host 94.245.126.107
network-object host 192.70.222.41
network-object host 192.70.222.59
network-object host 157.55.44.71
network-object host 118.108.3.84
network-object host 207.46.131.43
network-object host 207.46.19.190
network-object host 143.127.102.40
network-object host 72.14.204.101
network-object host 64.208.186.114
object-group network other_servers
network-object 118.108.62.236 255.255.255.255
access-list outside_access_in extended permit ip object-group psu-servers any
access-list outside_access_in extended permit tcp 10.2.1.0 255.255.255.0 any eq www
access-list outside_access_in extended permit tcp 10.2.1.0 255.255.255.0 any eq https
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit tcp any object-group epay_servers eq https
access-list inside_access_out extended permit ip any object-group psu-servers
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip audit name insidepolicy info action
ip audit name outsidepolicy info action
ip audit interface inside insidepolicy
ip audit interface outside outsidepolicy
ip audit info action
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 170.18.18.133 10.2.1.2 netmask 255.255.255.255
access-group inside_access_out in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 170.18.18.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.2.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.2.1.2 255.255.255.255 inside
ssh 170.18.18.132 255.255.255.255 outside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.2.1.2-10.2.1.254 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context

3 Replies

Julio Carvajal
VIP Alumni

Hello Par13,

You do not need to allow anything, as you are already allowing everything from inside to outside:

access-group inside_access_out in interface inside

access-list inside_access_out extended permit ip any any

That line allows everything that is initiated from the inside interface of the ASA; the returning traffic that matches a connection already established from that inside host will be allowed by default (stateful inspection applied by the ASA).

Hope this helps.

Regards,

Do rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for the fast reply. But, as it is now, the computer behind the firewall is not able to connect to www.microsoft.com, to get Windows updates, and/or to activate Windows.

So I think there has got to be something stopping this computer from connecting to the internet.

Hello,

Then you would need to take captures in order to see if the packets are reaching the ASA, if they are going out to Microsoft, and then if Microsoft replies back to the ASA.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
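To make the two replies above concrete, here is an added example (not code from the post, from Cisco, or from the ASA itself) that models the posted ACLs and the ASA's first-match, stateful evaluation in Python. It is a deliberately simplified model: NAT is ignored, so the inside host keeps its 10.2.1.2 address on both sides of the firewall; only two hosts of microsoft-servers are kept; and psu-servers and epay_servers, which the posted ACLs reference but the dump never defines, are treated as empty groups (an assumption, not the poster's data). It shows three things a practitioner would check in this config: the first line of inside_access_out (permit ip any any) matches every outbound packet, so the two lines after it are never reached; the reply from Microsoft is admitted by the connection table, not by outside_access_in, which on its own would drop it; and the two outside_access_in lines with source 10.2.1.0/24 can never match a packet arriving on the outside interface.

```python
import ipaddress

# Constructed from the config in the post above (trimmed: only two of the
# microsoft-servers hosts are kept). psu-servers and epay_servers are
# referenced by the posted ACLs but never defined in the posted config.
DEFINED_GROUPS = {
    "obj_any": [],
    "microsoft-servers": ["207.46.21.123/32", "65.55.58.195/32"],
    "other_servers": ["118.108.62.236/32"],
}

# Each entry: (protocol, source, destination, destination port or None),
# in the order the post lists them. The ASA takes the first match and
# applies an implicit deny at the end of every ACL.
ACLS = {
    "outside_access_in": [
        ("ip", "object-group psu-servers", "any", None),
        ("tcp", "10.2.1.0/24", "any", 80),
        ("tcp", "10.2.1.0/24", "any", 443),
    ],
    "inside_access_out": [
        ("ip", "any", "any", None),
        ("tcp", "any", "object-group epay_servers", 443),
        ("ip", "any", "object-group psu-servers", None),
    ],
}
# access-group <acl> in interface <iface>
ACCESS_GROUPS = {"inside": "inside_access_out", "outside": "outside_access_in"}
INSIDE_SUBNET = ipaddress.ip_network("10.2.1.0/24")


def undefined_groups():
    """Object-groups referenced by an ACL line but absent from the dump."""
    referenced = set()
    for lines in ACLS.values():
        for _, src, dst, _ in lines:
            for spec in (src, dst):
                if spec.startswith("object-group "):
                    referenced.add(spec.split(" ", 1)[1])
    return sorted(referenced - set(DEFINED_GROUPS))


def _spec_matches(spec, addr):
    addr = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec.startswith("object-group "):
        # Assumption: a group missing from the dump matches nothing.
        members = DEFINED_GROUPS.get(spec.split(" ", 1)[1], [])
        return any(addr in ipaddress.ip_network(m) for m in members)
    return addr in ipaddress.ip_network(spec)


def first_match(acl_name, proto, src, dst, dport):
    """Index of the first ACL line matching the packet, or None (implicit deny)."""
    for i, (p, s, d, port) in enumerate(ACLS[acl_name]):
        if p != "ip" and p != proto:
            continue
        if port is not None and port != dport:
            continue
        if _spec_matches(s, src) and _spec_matches(d, dst):
            return i
    return None


def dead_lines_on_outside(acl_name):
    """Lines of an ACL applied inbound on outside whose source lies in the
    inside subnet: no packet arriving on outside carries such a source, so
    these lines never match (and NAT would show the host as 170.18.18.133)."""
    dead = []
    for i, (_, src, _, _) in enumerate(ACLS[acl_name]):
        if src != "any" and not src.startswith("object-group "):
            if ipaddress.ip_network(src).subnet_of(INSIDE_SUBNET):
                dead.append(i)
    return dead


class Asa:
    """Minimal stateful model: a permitted first packet creates a connection;
    later packets of that connection, in either direction, bypass the ACLs."""

    def __init__(self):
        self.conns = set()

    def forward(self, iface, proto, src, sport, dst, dport):
        flow = (proto, src, sport, dst, dport)
        reverse = (proto, dst, dport, src, sport)
        if flow in self.conns or reverse in self.conns:
            return ("permit", "existing connection (stateful)")
        acl = ACCESS_GROUPS[iface]
        idx = first_match(acl, proto, src, dst, dport)
        if idx is None:
            return ("deny", f"{acl}: implicit deny")
        self.conns.add(flow)
        return ("permit", f"{acl} line {idx + 1}")


if __name__ == "__main__":
    fw = Asa()
    print("undefined groups:", undefined_groups())
    print("dead outside lines:", dead_lines_on_outside("outside_access_in"))
    print("out:", fw.forward("inside", "tcp", "10.2.1.2", 40000, "207.46.21.123", 443))
    print("reply:", fw.forward("outside", "tcp", "207.46.21.123", 443, "10.2.1.2", 40000))
    print("reply, no state:", Asa().forward("outside", "tcp", "207.46.21.123", 443, "10.2.1.2", 40000))
```

On the real box the same questions are answered by `packet-tracer input inside tcp 10.2.1.2 1025 207.46.21.123 443`, by `capture capin interface inside match tcp host 10.2.1.2 any eq 443` together with a matching capture on outside, and by `show conn`, which is exactly the check the second reply asks for. One caveat visible in the posted config: `permit ip object-group psu-servers any` on outside_access_in, combined with the static NAT for 10.2.1.2, exposes that host on every port to whatever psu-servers contains, so the contents of that group deserve a look.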