ASA ACL Exclusion
17 years 7 months ago #21312
by learnyee
ASA ACL Exclusion was created by learnyee
Dear all, I had an ASA with the default ACL enabling all LAN traffic to flow through to the WAN.
Now I only want a list of IPs (servers), e.g. 192.168.1.1-30, to be able to access the WAN without any policy applied, and at the same time the rest of the IPs can only access specific services on the WAN.
How do I achieve that?
17 years 7 months ago #21320
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: ASA ACL Exclusion
Create a normal access list to achieve it. You can use object-groups to create the group of servers and then, at the first line, create a rule that allows full access to that group. Then if you need to change the server range, you can just modify the access-group.
e.g.
[code:1]object-group network MyServers
network-object host 192.168.1.1
network-object host 192.168.1.2
network-object host 192.168.1.3
network-object host 192.168.1.4
network-object host 192.168.1.5
etc..[/code:1]
This will create the object group. You could specify a network address to cover 192.168.1.1/27, however this will spill over to 192.168.1.31 & 192.168.1.32, but it would simplify the object group to just one line - network-object 192.168.1.0 255.255.255.224
The access list would look something like:
[code:1]
access-list Permit-Out remark Servers in MyServers get unrestricted outbound access (first match wins)
access-list Permit-Out extended permit ip object-group MyServers any
access-list Permit-Out remark Everyone else: web and DNS only, implicit deny for the rest
access-list Permit-Out extended permit tcp any any eq 80
access-list Permit-Out extended permit tcp any any eq 443
access-list Permit-Out extended permit udp any any eq 53
[/code:1]
Only allowing web traffic above, so you may need to tweak that to your needs.
Finally, you need to assign the access-list to the inside interface (since we are allowing the traffic outbound):
[code:1]
access-group Permit-Out in interface inside[/code:1]
Hope it helps ya
Cheers
Wayne
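As an added example (not from the post above and not Cisco's code), here is a small Python model of how the ASA evaluates the Permit-Out ACL: first match wins, the object-group rule expands to one entry per host, and anything unmatched hits the implicit deny. It also lists which addresses the one-line /27 network-object shortcut would admit beyond the intended .1-.30. The Rule type, evaluate and summary_spillover are names chosen for this example.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches any protocol, otherwise "tcp"/"udp"/...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # None = any destination port (no "eq" on the entry)

ANY = ipaddress.ip_network("0.0.0.0/0")
# Constructed stand-in for object-group MyServers: one host entry per server, .1 to .30
MY_SERVERS = [ipaddress.ip_network(f"192.168.1.{i}/32") for i in range(1, 31)]

# The Permit-Out ACL in order: the ASA expands the object-group entry into one rule
# per host, then come the restricted "everyone else" rules, then the implicit deny.
PERMIT_OUT = (
    [Rule("permit", "ip", srv, ANY, None) for srv in MY_SERVERS]
    + [Rule("permit", "tcp", ANY, ANY, 80),
       Rule("permit", "tcp", ANY, ANY, 443),
       Rule("permit", "udp", ANY, ANY, 53)]
)

def evaluate(acl, proto, src_ip, dst_ip, dport):
    """First-match evaluation: return (action, index of the matching entry).

    Index -1 stands for the implicit deny at the end of every ASA ACL."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, r in enumerate(acl):
        if r.proto != "ip" and r.proto != proto:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, i
    return "deny", -1

def summary_spillover(summary="192.168.1.0/27", intended=MY_SERVERS):
    """Addresses a single summary network-object would match beyond the intended hosts.

    A network-object matches every address in the subnet, so iterate the whole block."""
    wanted = {n.network_address for n in intended}
    return [str(a) for a in ipaddress.ip_network(summary) if a not in wanted]

if __name__ == "__main__":
    print(evaluate(PERMIT_OUT, "tcp", "192.168.1.5", "203.0.113.10", 22))    # ('permit', 4)
    print(evaluate(PERMIT_OUT, "tcp", "192.168.1.100", "203.0.113.10", 22))  # ('deny', -1)
    print(summary_spillover())  # ['192.168.1.0', '192.168.1.31']
```

Run it before pushing the config to confirm the server group is really first in the list; if the restricted rules came first, a server's SSH session would still be denied even though it is in MyServers.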