[c-nsp] ASA
David White, Jr. (dwhitejr)
dwhitejr at cisco.com
Wed Feb 11 08:54:43 EST 2015
First, a couple things to be aware of on the ASA:
1) All inbound traffic (from unprotected --> protected network) is
Denied by default. You must explicitly permit the traffic you want via
an interface ACL.
2) All outbound traffic (from protected network --> unprotected network)
is Permitted by default
3) Security levels determine what is the protected vs. unprotected network.
So, assuming you are permitting those ports in access-list outside-in
(via a more broad ACE), then you can explicitly deny them by entering
the following:
access-list outside-in deny tcp any any eq 135
access-list outside-in deny ucp any any eq 135
[repeat for the other port numbers]. Note: these new ACEs would need to
be placed 'above' any existing rules which 'permit' traffic to those
ports, as the access-list is evaluated based on first match in the rule
table.
Finally, I highly suggest upgrading the software to a more recent
release. 7.2.3 is extremely old.
Sincerely,
David.
On 2/11/2015 3:26 AM, madunix at gmail.com wrote:
> I would like to block the following ports: 135,137,138,139,445,593,4444
> tcp/udp on my Firewall
>
> interface GigabitEthernet0/0
> nameif outside
> security-level 0
> ip address 10.16.0.4 255.255.255.0 standby 10.16.0.5
> !
> interface GigabitEthernet0/1
> nameif inside
> security-level 100
> ip address 10.6.80.5 255.255.255.0 standby 10.6.80.6
> !
>
> access-group outside-in in interface outside
> route outside 10.1.0.0 255.255.0.0 10.16.0.250 1
> route outside 10.1.0.0 255.255.0.0 10.16.1.250 10
>
> WAN-ASA# sh ver
>
> Cisco Adaptive Security Appliance Software Version 7.2(3) Device Manager
> Version 5.2(3)
>
> Regards,
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list