ASA access lists and Egress Filtering
- by Nate
Hello. I'm trying to learn how to use a cisco ASA firewall, and I don't really know what I'm doing. I'm trying to set up some egress filtering, with the goal of allowing only the minimal amount of traffic out of the network, even if it originated from within the inside interface. In other words, I'm trying to set up dmz_in and inside_in ACLs as if the inside interface is not too trustworthy.
I haven't fully grasped all the concepts yet, so I have a few issues.
Assume that we're working with three interfaces: inside, outside, and DMZ.
Let's say I have a server (X.Y.Z.1) that has to respond to PING, HTTP, SSH, FTP, MySQL, and SMTP. My ACL looks something like this:
access-list outside_in extended permit icmp any host X.Y.Z.1 echo-reply
access-list outside_in extended permit tcp any host X.Y.Z.1 eq www
access-list outside_in extended permit tcp any host X.Y.Z.1 eq ssh
access-list outside_in extended permit tcp any host X.Y.Z.1 eq ftp
access-list outside_in extended permit tcp any host X.Y.Z.1 eq ftp-data established
access-list outside_in extended permit tcp any host X.Y.Z.1 eq 3306
access-list outside_in extended permit tcp any host X.Y.Z.1 eq smtp
and I apply it like this:
access-group outside_in in interface outside
My question is, what can I do for egress filtering? I want to only allow the minimal amount of traffic out. Do I just "reverse" the rules (i.e. the smtp rule becomes
access-list inside_out extended permit tcp host X.Y.Z.1 any eq smtp
) and call it a day, or can I further cull my options? What can I safely block?
Furthermore, when doing egress filtering, is it enough to apply "inverted" rules to the outside interface, or should I also look into making dmz_in and inside_in acls?
I've heard the term "egress filtering" thrown around a lot, but I don't really know what I'm doing. Any pointers towards good resources and reading would also be helpful, most of the ones I've found presume that I know a lot more than I do.