ASA 5510: Access-List Task
9 years 6 months ago #38627
by Harry_Hard
ASA 5510: Access-List Task was created by Harry_Hard
Hi everyone.
I've got a question regarding ASA 5510 configuration.
I need to deny a group of hosts access to fileshares (SMB).
I tried to block ports 445 and 139 (TCP), but it didn't work.
The other task is a bit harder, I guess.
The same host group needs to be allowed access to one specific site via 80/443, and all other access to internet sites must be denied.
I have no idea how to solve that, so I hope you can help me.
9 years 6 months ago #38633
by Chris
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Replied by Chris on topic ASA 5510: Access-List Task
Harry,
you'll need to block the following ports/protocols in order to block SMB filesharing:
137/UDP
137/TCP
138/UDP
139/TCP
445/TCP
Let us know how it went.
Cheers,
9 years 5 months ago - 9 years 5 months ago #38649
by kev972
Replied by kev972 on topic ASA 5510: Access-List Task
It is on IOS 8.4(2).
! Hosts to restrict
object-group network MyHostGrp
 network-object host 192.168.1.100
 network-object host 192.168.1.101
 network-object host 192.168.1.102
 network-object host 192.168.1.103
! SMB/NetBIOS services to deny
object-group service DenySvcGrp
 service-object tcp destination eq 137
 service-object tcp destination eq 139
 service-object tcp destination eq 445
 service-object udp destination eq 137
 service-object udp destination eq 138
! Web services to permit
object-group service PermitSvcGrp
 service-object tcp destination eq 80
 service-object tcp destination eq 443
! Template: access-list outside extended deny object-group <Services in question> <Host to deny services> <to any dest>
access-list outside extended permit object-group PermitSvcGrp object-group MyHostGrp any
access-list outside extended deny object-group DenySvcGrp object-group MyHostGrp any
access-list outside extended deny ip object-group MyHostGrp any
access-group outside in interface outside
Did not have time to test it.
Need to sleep. I hope it works, let me know :pinch:
Last edit: 9 years 5 months ago by kev972.
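An added example, not part of any post in this thread: one way to cover both tasks from the original question in ASA 8.4 syntax, with web access limited to a single destination and the ACL bound inbound on the interface the hosts sit behind. The names RESTRICTED-HOSTS, ALLOWED-SITE, SMB-SVC and INSIDE-IN, the address 203.0.113.10, the interface name inside, and the final permit for all other hosts are assumptions.

```cisco
! Constructed example; all names and addresses below are assumptions.
object-group network RESTRICTED-HOSTS
 network-object host 192.168.1.100
 network-object host 192.168.1.101
 network-object host 192.168.1.102
 network-object host 192.168.1.103
!
! Placeholder address for the single permitted web site
object network ALLOWED-SITE
 host 203.0.113.10
!
object-group service SMB-SVC
 service-object udp destination eq 137
 service-object tcp destination eq 137
 service-object udp destination eq 138
 service-object tcp destination eq 139
 service-object tcp destination eq 445
!
! The ACL is evaluated top-down and the first matching entry wins.
access-list INSIDE-IN remark 1. No SMB/NetBIOS from the restricted hosts
access-list INSIDE-IN extended deny object-group SMB-SVC object-group RESTRICTED-HOSTS any
access-list INSIDE-IN remark 2. Web access to the one permitted site only
access-list INSIDE-IN extended permit tcp object-group RESTRICTED-HOSTS object ALLOWED-SITE eq www
access-list INSIDE-IN extended permit tcp object-group RESTRICTED-HOSTS object ALLOWED-SITE eq https
access-list INSIDE-IN remark 3. Everything else from the restricted hosts is dropped
access-list INSIDE-IN extended deny ip object-group RESTRICTED-HOSTS any
access-list INSIDE-IN remark 4. Assumption: all other inside hosts stay unrestricted
access-list INSIDE-IN extended permit ip any any
!
! Bind inbound on the interface the hosts sit behind (assumed nameif: inside)
access-group INSIDE-IN in interface inside
```

Entry 3 also drops DNS queries from these hosts to resolvers beyond the ASA, so name resolution for the permitted site has to come from a resolver they can still reach. Traffic between hosts on the same subnet never crosses the ASA, so no ACL on it can filter that traffic.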