Block all internet access to an IP except for one specified website/ webapp using ASDM

FK10
Level 1

Hello,

 

I am currently using a Cisco 5506-X as a firewall for my system. One port is configured as the "outside" and has an Ethernet cable plugged into the firewall from a WiFi router (security level 0). The "inside" is the rest of the system (security level 100), and I have restricted access to it from the "outside."

 

However, I would like to restrict internet access to the "inside" IP and only allow it to use the teamviewer website or web app.

How would I do this using ASDM or the command prompt?

9 Replies

Richard Burts
Hall of Fame

We do not have enough information about your environment and your issue to be able to give good advice. With the ASA an important aspect is where the traffic originates from. The default policy of the ASA is that any traffic originated from a higher level source (inside is level 100) to a lower level destination (outside is level 0) is permitted, and any response to that is permitted. The default policy is that any traffic originated from a lower level source (outside is level 0) to a higher level destination (inside is level 100) is denied.

 

You tell us that "I have restricted access to it from the 'outside.'" It is not clear whether you have added to the default policy. Can you clarify what you have done?

 

And it is not clear what you want the policy to be about team viewer. Is it that a device inside needs to access team viewer (should be permitted by default) or is it that you want team viewer to access some device inside (would require a static nat and an access policy change). Can you provide clarification?

 

HTH

Rick

Hello Richard,

 

Thank you for the response. Let me see if I can explain better, sorry I am very new to this.

 

On port 1 of the firewall I have an outside network plugged in to provide internet over an Ethernet connection. This is the one I designated as the outside, and it has a security level of 0.

 

On port 2 of the firewall I have an Ethernet cable running to our Cisco 4010 Ethernet switch. This is our inside network, with a security level of 100.

 

What I want to do for anything connected to the Cisco 4010 Ethernet switch is block it from accessing the internet, with the only website/web app allowed being TeamViewer, so that we can remote into the hardware connected to the Cisco 4010 Ethernet switch. So basically I want to whitelist TeamViewer and blacklist all other websites. I know how to block individual sites, but it would take forever to block every website that exists. Is there any way to create a whitelist that only allows access to TeamViewer?

Hello,

 

On the older (pre 8.3) ASAs, you could do URL filtering with regular expressions; not sure if that still works in the newer versions. It would look something like this:

 

regex allow_team_viewer "teamviewer\.com"
!
! match-all class: a request whose Host header does NOT match the regex is
! classified here (the regex is unanchored, so it is a substring match and a
! Host header such as "notteamviewer.com" would also pass)
class-map type inspect http match-all allow-url-teamviewer-class
 match not request header host regex allow_team_viewer
!
! drop and log every connection the class above catches
policy-map type inspect http allow-url-teamviewer-policy
 parameters
 class allow-url-teamviewer-class
  drop-connection log
!
! hook the HTTP inspection into the default global policy (plaintext HTTP only)
policy-map global_policy
 class inspection_default
  inspect http allow-url-teamviewer-policy
!
service-policy global_policy global
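Two things worth checking before relying on the policy above: `inspect http` only sees plaintext HTTP, so a Host header carried inside a TLS connection is invisible to it, and `teamviewer\.com` is an unanchored regex, which on the ASA (as in most engines) is a substring match. The following model of the class-map's decision is an added example for this editorial pass, not code from the thread; it parses a constructed HTTP request the way the inspection engine would, extracts the Host header and applies the posted pattern next to an anchored one (the anchored pattern is a suggestion, not from the thread). Python's `re` is used as an approximation of the ASA's POSIX-style regex engine.

```python
"""Model of the ASA rule 'match not request header host regex X -> drop-connection'.

Added example (not from the forum thread). Requests below are constructed,
not captured traffic. Python's re module stands in for the ASA regex engine.
"""
import re
from typing import Dict, Optional, Tuple

# Georg's pattern exactly as posted: unanchored, so it is a substring match.
LOOSE_PATTERN = r"teamviewer\.com"
# Suggested tightening (assumption, not from the thread): the registered
# domain or one of its subdomains, and nothing after it.
STRICT_PATTERN = r"^([a-z0-9-]+\.)*teamviewer\.com$"


def host_header(raw_request: bytes) -> Optional[str]:
    """Return the Host header value, lower-cased and without a :port, or None."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    for line in lines[1:]:  # lines[0] is the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            if not host.startswith("["):  # keep IPv6 literals intact
                host = host.split(":", 1)[0]
            return host
    return None


def inspect_http(raw_request: bytes, pattern: str) -> str:
    """'allow' or 'drop'. With a match-all class and a 'match not' rule a
    request whose Host header is missing or fails the regex is dropped."""
    host = host_header(raw_request)
    if host is None or re.search(pattern, host) is None:
        return "drop"
    return "allow"


def request_for(host: str) -> bytes:
    """Constructed sample request for the given Host header."""
    return f"GET / HTTP/1.1\r\nHost: {host}\r\nUser-Agent: x\r\n\r\n".encode()


CASES = [
    "www.teamviewer.com",               # the intended whitelist entry
    "login.teamviewer.com",             # subdomain, fine under both patterns
    "notteamviewer.com",                # substring match: loose pattern allows it
    "teamviewer.com.attacker.example",  # suffix trick: loose pattern allows it
    "example.com",                      # unrelated site, dropped by both
]


def compare() -> Dict[str, Tuple[str, str]]:
    """Decision per host as (posted regex, anchored regex)."""
    return {
        h: (inspect_http(request_for(h), LOOSE_PATTERN),
            inspect_http(request_for(h), STRICT_PATTERN))
        for h in CASES
    }


if __name__ == "__main__":
    for host, (loose, strict) in compare().items():
        print(f"{host:34} posted regex: {loose:5}  anchored regex: {strict}")
```

Running it shows `notteamviewer.com` and `teamviewer.com.attacker.example` passing the posted pattern and being dropped by the anchored one; if the goal is a true whitelist, anchor the regex on the ASA the same way.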

I appreciate your attempt to clarify the issue. I think I am clear that in general you do not want any device on the inside network to initiate traffic to any Internet destination. I am still not clear about traffic for Team Viewer. Is it that you want a device on the inside network to initiate traffic to Team Viewer, or is it that you want Team Viewer to initiate traffic to a device on the inside network?

 

If you want a device on the inside network to initiate traffic to Team Viewer, then the suggestions from Georg about an access list would seem to be what you want (assuming correct identification of protocol port number and web site address). If you want Team Viewer to initiate traffic to an inside device, I believe this will be problematic. One of the things required for an outside device to initiate traffic to an inside device is some static address translation. That could be pretty simple if we could specify an inside address as the target. But if we cannot specify the inside address (it could be any host on the inside), then I do not know how it could work.

HTH

Rick

Hello Richard,

 

Let's say I want to have Team Viewer initiate traffic to a device on the inside network and we need to do some static address translation. The devices on the inside are two computers. Would I just need to list the two computer IP addresses for the static address translation? Is there anything else to it?

 

Thanks

Hello Georg,

 

Would this work with an ASA 5506-X?

Georg said "on the older (pre 8.3) ASAs, you could do URL filtering with regular expressions, not sure if that still works in the newer versions." Certainly the 5506-X does not run that older code. So it is not clear whether a 5506-X could do this.

 

If you want Team Viewer to initiate traffic to a single host inside, it would be easier. In that case you could configure something referred to as port forwarding. Using this, any traffic sent to the ASA outside interface using the protocol ports associated with Team Viewer could be forwarded to that host. Initiating traffic to 2 hosts is less simple. I have limited knowledge about Team Viewer and do not know if Team Viewer is able to specify a different protocol port for its traffic. If it does, then a possible solution would be to use port forwarding for the normal port to host A inside and have Team Viewer specify different ports for host B and use port forwarding to get that traffic to host B. Or, if your ASA has a second public IP address from your provider, then Team Viewer could send traffic for host A to the normal public IP on the ASA and send traffic for host B to the secondary public IP.

HTH

Rick

Hello,

 

I just tested this on a 9.6 version, and it does work...

Hello,

 

I agree with Richard that it is not really clear what you have currently configured on the ASA, so if you can post the current running config, that would be very useful.

 

An access list on the ASA that would allow access to the TeamViewer website (which typically uses UDP/TCP port 5938) would look like this:

 

access-list ALLOW_TEAMVIEWER extended permit tcp host inside_ip_address host teamviewer_website_ip_address eq 5938
access-list ALLOW_TEAMVIEWER extended permit udp host inside_ip_address host teamviewer_website_ip_address eq 5938
! apply it inbound on "inside"; the implicit deny at the end of the ACL blocks everything else
access-group ALLOW_TEAMVIEWER in interface inside
