TOPIC: ASA 5510: Access-List Task

ASA 5510: Access-List Task 1 year 7 months ago #38627

Hi everyone.

I got a question regarding ASA 5510 Configuration.

I need to deny a group of hosts access to Fileshares (SMB).
I tried to block ports 445 and 139 (TCP), but it didn't work.

The other task is a bit harder, I guess.
The same hostgroup needs to be allowed access to one specific site via 80/443 and all other access to internet sites must be denied.

I have no Idea how to solve that, so I hope you can help me :-)

ASA 5510: Access-List Task 1 year 7 months ago #38633

  • Chris
  • Administrator
Harry,

you'll need to block the following ports/protocols in order to block SMB filesharing:

137/UDP
137/TCP
138/UDP
139/TCP
445/TCP

Let us know how it went.

Cheers,
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx

ASA 5510: Access-List Task 1 year 6 months ago #38649

  • kev972
  • New Member
It is on IOS 8.4(2).

object-group network MyHostGrp
network-object host 192.168.1.100
network-object host 192.168.1.101
network-object host 192.168.1.102
network-object host 192.168.1.103

object-group service DenySvcGrp
service-object tcp destination eq 137
service-object tcp destination eq 139
service-object tcp destination eq 445
service-object udp destination eq 137
service-object udp destination eq 138

object-group service PermitSvcGrp
service-object tcp destination eq 80
service-object tcp destination eq 443

! General form: access-list outside extended deny object-group <Services in question> object-group <Host to deny services> <to any dest>

! A host group is referenced with object-group (object is only for a single network object).
! Order matters: the ASA stops at the first ACE that matches.
! To limit the hosts to one site, replace the trailing any on the permit line with that site's network object.
access-list outside extended permit object-group PermitSvcGrp object-group MyHostGrp any
access-list outside extended deny object-group DenySvcGrp object-group MyHostGrp any
access-list outside extended deny ip object-group MyHostGrp any
! Without this line the implicit deny at the end of the ACL cuts off every other inside host as soon as it is applied.
access-list outside extended permit ip any any

! The hosts live on the inside, so the ACL must be applied inbound on the inside interface to see their traffic.
access-group outside in interface inside


Did not have time to test it.
Need to sleep. I hope it works, let me know :pinch:
Last Edit: 1 year 6 months ago by kev972.
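To check the ordering before pushing this to a box, here is an added Python model of the ASA's first-match ACL evaluation (example code written for this page, not from the post or from Firewall.cx): it encodes the ACEs above as applied inbound on the inside interface, with the 80/443 permit narrowed to a single site as the question asked and a final permit for everyone else. The allowed site 203.0.113.10 and the other destinations (192.0.2.x, 198.51.100.x) are constructed addresses, not from the thread.

```python
import ipaddress

# Constructed addresses: the host group from the post, and a placeholder
# for the one site the group may still reach on 80/443 (assumption).
MY_HOST_GRP = {ipaddress.ip_address(f"192.168.1.{n}") for n in (100, 101, 102, 103)}
ALLOWED_SITE = ipaddress.ip_address("203.0.113.10")


def ace(action, proto, src=None, dst=None, ports=None):
    """One access-list entry. src/dst: set of addresses or None for 'any';
    ports: set of destination ports or None for any port. proto 'ip' matches all."""
    return (action, proto, src, dst, ports)


# Ordered exactly like the ASA evaluates an access-list: top down, first match wins.
INSIDE_IN = [
    ace("permit", "tcp", MY_HOST_GRP, {ALLOWED_SITE}, {80, 443}),   # PermitSvcGrp, one site only
    ace("deny", "tcp", MY_HOST_GRP, None, {137, 139, 445}),         # DenySvcGrp (TCP side)
    ace("deny", "udp", MY_HOST_GRP, None, {137, 138}),              # DenySvcGrp (UDP side)
    ace("deny", "ip", MY_HOST_GRP, None, None),                     # deny ip MyHostGrp any
    ace("permit", "ip", None, None, None),                          # everyone else keeps access
]


def evaluate(acl, proto, src, dst, dport):
    """Return (action, index) of the first ACE matching the flow, or the
    implicit deny (index == len(acl)) that ends every ASA access-list."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, (action, p, srcs, dsts, ports) in enumerate(acl):
        if p != "ip" and p != proto:
            continue
        if srcs is not None and src not in srcs:
            continue
        if dsts is not None and dst not in dsts:
            continue
        if ports is not None and dport not in ports:
            continue
        return action, idx
    return "deny", len(acl)


if __name__ == "__main__":
    print(evaluate(INSIDE_IN, "tcp", "192.168.1.100", "192.0.2.50", 445))     # ('deny', 1)
    print(evaluate(INSIDE_IN, "tcp", "192.168.1.102", "203.0.113.10", 443))   # ('permit', 0)
    print(evaluate(INSIDE_IN, "tcp", "192.168.1.103", "198.51.100.7", 80))    # ('deny', 3)
    print(evaluate(INSIDE_IN, "tcp", "192.168.1.50", "198.51.100.7", 445))    # ('permit', 4)
```

Dropping the last ACE, or moving the blanket deny above the permit, is the quickest way to see why ACE order and the implicit deny matter more than the port list itself.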