Firewall – ASA access lists and Egress Filtering

Tags: access-control-list, cisco, cisco-asa, firewall

I'm trying to learn how to use a Cisco ASA firewall, and I don't really know what I'm doing. I'm trying to set up some egress filtering, with the goal of allowing only the minimal amount of traffic out of the network, even if it originated from within the inside interface. In other words, I'm trying to set up dmz_in and inside_in ACLs as if the inside interface is not too trustworthy.

I haven't fully grasped all the concepts yet, so I have a few issues.

Assume that we're working with three interfaces: inside, outside, and DMZ.

Let's say I have a server (X.Y.Z.1) that has to respond to PING, HTTP, SSH, FTP, MySQL, and SMTP. My ACL looks something like this:

access-list outside_in extended permit icmp any host X.Y.Z.1 echo-reply
access-list outside_in extended permit tcp any host X.Y.Z.1 eq www
access-list outside_in extended permit tcp any host X.Y.Z.1 eq ssh
access-list outside_in extended permit tcp any host X.Y.Z.1 eq ftp
access-list outside_in extended permit tcp any host X.Y.Z.1 eq ftp-data established
access-list outside_in extended permit tcp any host X.Y.Z.1 eq 3306
access-list outside_in extended permit tcp any host X.Y.Z.1 eq smtp

and I apply it like this:

access-group outside_in in interface outside

My question is, what can I do for egress filtering? I want to only allow the minimal amount of traffic out. Do I just "reverse" the rules (i.e. the smtp rule becomes

access-list inside_out extended permit tcp host X.Y.Z.1 any eq smtp

) and call it a day, or can I further cull my options? What can I safely block?

Furthermore, when doing egress filtering, is it enough to apply "inverted" rules to the outside interface, or should I also look into making dmz_in and inside_in ACLs?

I've heard the term "egress filtering" thrown around a lot, but I don't really know what I'm doing. Any pointers towards good resources and reading would also be helpful, most of the ones I've found presume that I know a lot more than I do.

Best Answer

A little overview, before getting to the specifics. Each interface has two ACLs: an ingress ACL (named interface_in) and an egress ACL (named interface_out). The trick with the naming is to avoid thinking about it in terms of "inside" and "outside"; instead, think of it in terms of "traffic coming (into/out of) this interface".

This gives a lot of flexibility in terms of where you apply a given rule, but can also potentially be a huge source of unneeded complexity.

So, to your example. If you're looking to block connections on port 25 (smtp) that originate from an internal host and are destined for an internet host, you have two options:

access-list inside_in extended deny tcp host X.Y.Z.1 any eq smtp

and

access-list outside_out extended deny tcp host X.Y.Z.1 any eq smtp

If you only have the two interfaces, these commands will have an identical effect. When this gets complex is when you have more interfaces; say, for instance, a DMZ interface.

The first command (on the inside_in ACL) will only prevent that traffic when it's going inside->outside, but not dmz->outside. The second command (on the outside_out ACL) would prevent both.

So, those are the options for where to apply egress rules. My suggestion for your own sanity is to only utilize one of the two options (and duplicate some rules if you have to); you'll be shooting yourself in the foot if you force yourself to check 5 different ACLs to troubleshoot one traffic flow.
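The inside_in versus outside_out difference above, as an added example that is not part of the answer: a small Python model of how an ASA checks a flow against the ingress ACL of the interface it arrives on and the egress ACL of the interface it leaves through. It assumes only what the answer relies on (first match wins, a bound ACL ends in an implicit deny, an unbound ACL does not filter), and the flows and the 203.0.113.10 internet host are constructed.

```python
# Added example, not the answer's own code: simplified model of ASA ACL
# evaluation (ingress ACL of the arriving interface, then egress ACL of the
# leaving interface). Security-level defaults, NAT and stateful inspection are
# deliberately left out.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp", "icmp" or "ip" (matches all)
    src: str                  # host address or "any"
    dst: str                  # host address or "any"
    dport: Optional[int] = None  # destination port; None matches any port

@dataclass(frozen=True)
class Flow:
    ingress: str              # interface the packet arrives on
    egress: str               # interface it would leave through
    proto: str
    src: str
    dst: str
    dport: Optional[int]

def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.proto in ("ip", flow.proto)
            and rule.src in ("any", flow.src)
            and rule.dst in ("any", flow.dst)
            and (rule.dport is None or rule.dport == flow.dport))

def acl_verdict(acl, flow: Flow) -> str:
    """First matching rule wins; a bound ACL ends with an implicit deny."""
    for rule in acl:
        if matches(rule, flow):
            return rule.action
    return "deny"

def asa_permits(acls: dict, flow: Flow) -> bool:
    """acls maps an ACL name such as 'inside_in' or 'outside_out' to its rules.
    The flow passes only if every bound checkpoint on its path permits it."""
    for name in (f"{flow.ingress}_in", f"{flow.egress}_out"):
        if name in acls and acl_verdict(acls[name], flow) == "deny":
            return False
    return True

SERVER = "X.Y.Z.1"  # placeholder address from the question
# Constructed flows: the server sending SMTP to an internet host, once from
# the inside interface and once from the DMZ interface.
SMTP_FROM_INSIDE = Flow("inside", "outside", "tcp", SERVER, "203.0.113.10", 25)
SMTP_FROM_DMZ = Flow("dmz", "outside", "tcp", SERVER, "203.0.113.10", 25)
DENY_SMTP = [Rule("deny", "tcp", SERVER, "any", 25), Rule("permit", "ip", "any", "any")]
OPTION_INSIDE_IN = {"inside_in": DENY_SMTP}    # answer's first option
OPTION_OUTSIDE_OUT = {"outside_out": DENY_SMTP}  # answer's second option
```

Running the two options against both flows shows the deny on inside_in misses the DMZ-sourced flow while the deny on outside_out stops both.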