ASA 5505 - lets ALL outbound traffic out?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • ASA 5505 - lets ALL outbound traffic out?

    Hey gang,

    I got an ASA 5505 and defined outgoing rules so that only http/https and smtp/pop3 access were allowed out. The install went smoothly (I just followed the wizard), but RIGHT as I was leaving I noticed that ALL outbound traffic was allowed!

    I literally had to leave RIGHT THEN, but the last thing I noticed was an implicit rule in my rules list saying that all traffic to a less secure network was allowed. I could not edit or delete this rule, so I left quite frustrated. I do not see this "allow all outbound traffic" rule anywhere in my exported config.

    The firewall appears to be blocking inbound traffic fine, but can someone help me narrow down why outbound traffic is wide open?

    Thanks,
    Brian

  • #2
    Re: ASA 5505 - lets ALL outbound traffic out?

    Can you post a config?
    MCITP:SA, MCSA 2003, MCP, CCNA, A+, Net+, Security+



  • #3
    Re: ASA 5505 - lets ALL outbound traffic out?

    If there is a way out, then traffic from more secure to less secure is allowed by default. If you assign an acl inbound on the inside interface, then it will take precedence over this though. If you still have all traffic allowed, then it would be that the acl is not bound to the interface, or that it is going the wrong way (out instead of in, for example). If you only allowed http/https and smtp/pop, then you would probably also need DNS too.
    It would be good to post the config so we can have a look.
    cheers
    Andy

    Quis custodiet ipsos custodes?


  • #4
    Re: ASA 5505 - lets ALL outbound traffic out?

    Thanks guys, I'll post a config when I get in the office in a few hours. Unfortunately I know my last export was done when I basically yanked all my rules out to look at the config and find out WHY all outbound traffic was allowed out.

    However, in poking around the Web and this forum some more, it looks like "allow all traffic out" is as-designed. But I always thought the implicit "deny all" would allow nothing in/out an interface until you had some "allow" rules in place.

    Brian


  • #5
    Re: ASA 5505 - lets ALL outbound traffic out?

    My understanding is that if you create an acl for outbound access, in this scenario, then a "deny any any" is created after it. The "allow all outbound" rule is beneath this (for all intents and purposes) and therefore never gets hit.
    cheers
    Andy

    Quis custodiet ipsos custodes?


  • #6
    Re: ASA 5505 - lets ALL outbound traffic out?

    Hi guys,

    I'm still not in a place where I can post my config yet; however, I did take a screenshot of my rules when I suddenly noticed that ALL traffic was still allowed out, such as SSH, FTP, ICMP pings, etc. Maybe I'm not understanding inside/outside entirely right and have my rules in the wrong place?

    Brian


  • #7
    Re: ASA 5505 - lets ALL outbound traffic out?

    Hi Brian,

    Looking at your ruleset, the first rule you have under "inside (2 implicit incoming rules)", you are doing an ip permit any any. What that means is that any traffic originating from behind your inside interface will be allowed. For example (please forgive the ascii art):

    outside interface|----------|inside interface <--------- [internal network]

    When using extended ACLs it is best to place them closest to the source of your traffic. In your case, change the direction of the http/smtp/pop3/https ACLs to in.

    Ryan
    Last edited by ryansmitty; 2nd June 2008, 23:07.


  • #8
    Re: ASA 5505 - lets ALL outbound traffic out?

    Ryan,

    Yes, that rule you pointed out makes sense. However, as I mentioned, I cannot change or delete that implicit rule.

    And if I were to follow your recommendations for best practices, are you saying that I've set up all my http/https/pop3/etc. rules under the wrong area? I think you're definitely on to something, I just don't completely understand where I've gone wrong.

    Brian


  • #9
    Re: ASA 5505 - lets ALL outbound traffic out?

    Brian,

    I don't think the rules are set up in the "wrong area" per se, it's just that some of your rules are being applied outbound (or originating from the inside interface) from the ASA's perspective. As another example:

    [Internet] outside interface|-------------|inside interface
    <------ rules applied outbound

    Any rules using the outbound directive get applied when the traffic is leaving an interface. In your example, the ACLs you created to restrict traffic won't fire because, from the perspective of the ASA, the traffic originated from the inside interface itself. The ASA looks and sees that all traffic "originating" from the inside interface is allowed because it is more trusted (has a higher security level) than the outside interface, hence the "ip any any statement" on the.

    Ryan
    Last edited by ryansmitty; 2nd June 2008, 23:53.
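    To make Andy's point in #3 (an acl bound inbound on the inside interface overrides the default higher-to-lower permit, and DNS must be allowed explicitly) and Ryan's point in #9 (an ACL bound "out" on inside never sees LAN-originated traffic) concrete, here is an added example ASA ruleset. It is not Brian's config and not from the screenshot in this thread; the interface names, the 192.168.1.0/24 inside network, the 198.51.100.53 DNS server, the 203.0.113.5 test host and the ACL names are all placeholders chosen for the example.

```cisco
! Added example, not the poster's configuration.
! Assumed: inside = 192.168.1.0/24 (security-level 100), outside (security-level 0).

! --- Weak form: ACL bound in the "out" direction on inside ---
! LAN traffic enters the ASA on inside and leaves on outside, so an ACL applied
! "out" on inside is never consulted for it. The implicit higher-to-lower permit
! applies and ssh, ftp, icmp and everything else pass.
access-list OUTBOUND_WEAK extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list OUTBOUND_WEAK extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-group OUTBOUND_WEAK out interface inside

! --- Corrected form: ACL bound "in" on inside, closest to the source ---
! Binding an ACL inbound on inside replaces the implicit permit; the implicit
! deny at the end of the list drops anything not listed, so DNS is added
! explicitly (DNS server address is a placeholder).
no access-group OUTBOUND_WEAK out interface inside
access-list OUTBOUND_IN extended permit udp 192.168.1.0 255.255.255.0 host 198.51.100.53 eq domain
access-list OUTBOUND_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list OUTBOUND_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list OUTBOUND_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list OUTBOUND_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq pop3
! Explicit logged deny so that protocols you forgot (e.g. NTP) show up in syslog
! instead of silently failing.
access-list OUTBOUND_IN extended deny ip any any log
access-group OUTBOUND_IN in interface inside

! --- Checks before leaving the box ---
! Confirm the binding direction is "in" on inside:
show running-config access-group
! Per-line hit counts, to see which ACE is actually matching:
show access-list OUTBOUND_IN
! Simulate a LAN host opening ssh to the test host; expected result: drop (acl-drop):
packet-tracer input inside tcp 192.168.1.10 1025 203.0.113.5 22
! Simulate the same host opening https; expected result: allow:
packet-tracer input inside tcp 192.168.1.10 1025 203.0.113.5 443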


  • #10
    Re: ASA 5505 - lets ALL outbound traffic out?

    Ryan,

    OHHHH! Ok, the synapses are firing a little bit now when I re-read your messages. I'm beginning to understand what you mean by the interfaces considering things inbound or outbound.

    If I'm understanding your recommendations, it looks like I can keep my existing rules where they are, but change them to be processed "inbound" so that the inside interface will apply them correctly, is that right?

    I really appreciate your patience. I think if the box was right in front of me I could take what you said and have this done lickety-split. However, I have a small window of time to be on the box tomorrow, so I'm trying to get all my bases covered ahead of time.

    Brian


  • #11
    Re: ASA 5505 - lets ALL outbound traffic out?

    Brian,

    I am glad that I can be of assistance. The thing I learned about ASAs/PIXes is that when creating rules, think in terms of how the ASA is going to process the packet.

    Ryan