Skip to main content

ASA 5510: Access-List Task

More
9 years 7 months ago #38627 by Harry_Hard
Hi everyone.

I got a question regarding ASA 5510 Configuration.

I need to deny a group of hosts access to Fileshares (SMB).
I tried to block Ports 445 and 139 (TCP), but It didnt work.

The other task is a bit more hard I guess.
The same hostgroup needs to be allowed access to one specific site via 80/443 and all other access to internet sites must be denied.

I have no Idea how to solve that, so I hope you can help me :-)
More
9 years 7 months ago #38633 by Chris
Replied by Chris on topic ASA 5510: Access-List Task
Harry,

you'll need to block the following ports/protocols in order to block SMB filesharing:

137/UDP
137/TCP
138/UDP
139/TCP
445/TCP

Let us know how it went.

Cheers,

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
More
9 years 6 months ago - 9 years 6 months ago #38649 by kev972
Replied by kev972 on topic ASA 5510: Access-List Task
It is on IOS 8.4(2).

object-group network MyHostGrp
network-object host 192.168.1.100
network-object host 192.168.1.101
network-object host 192.168.1.102
network-object host 192.168.1.103

object-group service DenySvcGrp
service-object tcp destination eq 137
service-object tcp destination eq 139
service-object tcp destination eq 445
service-object udp destination eq 137
service-object udp destination eq 138

object-group service PermitSvcGrp
service-object tcp destination eq 80
service-object tcp destination eq 443


access-list outside extended deny object-group <Services in question> <Host to deny services> <to any dest>


access-list outside extended permit object-group PermitSvcGrp object MyHostGrp any
access-list outside extended deny object-group MySvcGrp object MyHostGrp any
access-list outside extended deny ip object-group MyHostGrp any

access-group outside in interface outside


Did not have time to test it.
Need to sleep. I hope it works, let me know :pinch:
Last edit: 9 years 6 months ago by kev972.
Time to create page: 0.117 seconds