[c-nsp] ASA

David White, Jr. (dwhitejr) dwhitejr at cisco.com
Wed Feb 11 08:54:43 EST 2015


First, a couple things to be aware of on the ASA:

1) All inbound traffic (from unprotected --> protected network) is
Denied by default.  You must explicitly permit the traffic you want via
an interface ACL.

2) All outbound traffic (from protected network --> unprotected network)
is Permitted by default.

3) Security levels determine what is the protected vs. unprotected network.

So, assuming you are permitting those ports in access-list outside-in
(via a more broad ACE), then you can explicitly deny them by entering
the following:
  access-list outside-in deny tcp any any eq 135
  access-list outside-in deny udp any any eq 135

[repeat for the other port numbers].  Note: these new ACEs would need to
be placed 'above' any existing rules which 'permit' traffic to those
ports, as the access-list is evaluated based on first match in the rule
table.

Finally, I highly suggest upgrading the software to a more recent
release.  7.2.3 is extremely old.

Sincerely,

David.
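As an added illustration (not part of David's reply or the thread), the Python model below evaluates ASA-style ACEs first-match and shows why the new denies must sit above a broad permit. The ACL name and the port list come from the thread; the flow endpoints 10.1.2.3 and 10.6.80.20 are constructed hosts on the subnets in the quoted config, and the parser covers only a subset of ASA ACE syntax (any / host / network-mask, optional `eq PORT`).

```python
import ipaddress
from collections import namedtuple

# Ports the original poster wants blocked; dport None means "any destination port".
BLOCKED_PORTS = {135, 137, 138, 139, 445, 593, 4444}
Ace = namedtuple("Ace", "action proto src dst dport")

def parse_ace(line):
    """Parse 'access-list NAME [extended] permit|deny tcp|udp|ip SRC DST [eq PORT]',
    where SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (subset of ASA syntax)."""
    tok = line.split()
    i = 3 if tok[2] == "extended" else 2
    action, proto = tok[i], tok[i + 1]
    if tok[0] != "access-list" or action not in ("permit", "deny") \
            or proto not in ("tcp", "udp", "ip"):
        raise ValueError(f"unsupported ACE: {line!r}")
    i += 2
    nets = []
    for _ in range(2):                       # source, then destination
        if tok[i] == "any":
            net, i = ipaddress.IPv4Network("0.0.0.0/0"), i + 1
        elif tok[i] == "host":
            net, i = ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
        else:                                # A.B.C.D M.M.M.M
            net, i = ipaddress.IPv4Network((tok[i], tok[i + 1])), i + 2
        nets.append(net)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Ace(action, proto, nets[0], nets[1], dport)

def first_match(acl, proto, src, dst, dport):
    """Return (line_number, action) of the first ACE matching the flow, or
    (None, 'deny') for the implicit deny that ends every ASA access-list."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for n, ace in enumerate(acl, start=1):
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst \
                and ace.dport in (None, dport):
            return n, ace.action
    return None, "deny"

# Constructed ACLs: the broad permit David assumes already exists, plus the new denies.
BROAD = "access-list outside-in extended permit ip any any"
DENIES = [f"access-list outside-in extended deny {p} any any eq {port}"
          for port in sorted(BLOCKED_PORTS) for p in ("tcp", "udp")]
WRONG_ORDER = [parse_ace(l) for l in [BROAD] + DENIES]  # denies shadowed by line 1
RIGHT_ORDER = [parse_ace(l) for l in DENIES + [BROAD]]  # denies evaluated first

def leaked_ports(acl, src="10.1.2.3", dst="10.6.80.20"):
    """Ports from BLOCKED_PORTS that the ACL still permits for the constructed flow."""
    return {port for port in BLOCKED_PORTS for p in ("tcp", "udp")
            if first_match(acl, p, src, dst, port)[1] == "permit"}
```

With the denies below the permit, `leaked_ports(WRONG_ORDER)` returns all seven ports; with them on top it returns an empty set, which is the ordering check to make before trusting the new ACEs.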


On 2/11/2015 3:26 AM, madunix at gmail.com wrote:
> I would like to block the following ports: 135,137,138,139,445,593,4444
>  tcp/udp on my Firewall
>
> interface GigabitEthernet0/0
>  nameif outside
>  security-level 0
>  ip address 10.16.0.4 255.255.255.0 standby 10.16.0.5
> !
> interface GigabitEthernet0/1
>  nameif inside
>  security-level 100
>  ip address 10.6.80.5 255.255.255.0 standby 10.6.80.6
> !
>
> access-group outside-in in interface outside
> route outside 10.1.0.0 255.255.0.0 10.16.0.250 1
> route outside 10.1.0.0 255.255.0.0 10.16.1.250 10
>
> WAN-ASA# sh ver
>
> Cisco Adaptive Security Appliance Software Version 7.2(3) Device Manager
> Version 5.2(3)
>
> Regards,
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/