Using Cisco Access Control List to block a subnet

Question:

I have the following Class B network 172.31.0.0/16 that I’m trying to create an access list for. I’d like to allow 172.31.240.0/24 but deny all else, so I’m looking for the best way to accomplish this with two ACL lines.

Answer:

The best way to accomplish this is to explicitly permit the subnet you want and then deny the whole Class B network, as follows:

access-list 110 permit ip 172.31.240.0 0.0.0.255 any
access-list 110 deny ip 172.31.0.0 0.0.255.255 any

Another option, with just one ACL entry, is to permit only the subnet 172.31.240.0/24 and stop there. No other entries are needed, because every access list ends with an implicit deny that drops anything not explicitly permitted.
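To see how IOS evaluates these two entries (first match wins, a wildcard mask is the inverse of a subnet mask, and an implicit deny ends the list), here is an added Python model of the ACL; it is not from the original post, and the sample source addresses are constructed.

```python
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, str, str]  # (action, network, wildcard mask)

# The two entries from the answer above, in the order IOS evaluates them.
ACL_110: List[Entry] = [
    ("permit", "172.31.240.0", "0.0.0.255"),
    ("deny", "172.31.0.0", "0.0.255.255"),
]


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match the
    network, a 1 bit is ignored. 0.0.0.255 therefore covers a /24 and
    0.0.255.255 a /16. Non-contiguous wildcards (e.g. 0.0.2.255) also work."""
    care = _to_int(wildcard) ^ 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(network) & care)


def evaluate_acl(acl: List[Entry], src: str) -> Tuple[str, int]:
    """First-match evaluation. Returns (action, line); line 0 stands for the
    implicit deny that terminates every Cisco ACL."""
    for line, (action, network, wildcard) in enumerate(acl, start=1):
        if wildcard_match(src, network, wildcard):
            return action, line
    return "deny", 0


def wildcard_to_cidr(network: str, wildcard: str) -> str:
    """Render a contiguous wildcard as CIDR (0.0.0.255 -> /24). Raises
    ValueError for a non-contiguous wildcard, which has no CIDR equivalent."""
    netmask = str(ipaddress.IPv4Address(_to_int(wildcard) ^ 0xFFFFFFFF))
    return str(ipaddress.IPv4Network((network, netmask), strict=False))


if __name__ == "__main__":
    # Constructed sample sources: inside the allowed /24, elsewhere in the /16,
    # and outside the Class B entirely.
    for src in ("172.31.240.17", "172.31.241.1", "10.1.1.1"):
        action, line = evaluate_acl(ACL_110, src)
        where = f"line {line}" if line else "implicit deny"
        print(f"{src:>15} -> {action} ({where})")
    # The answer's one-entry alternative: keep only the permit; everything
    # else falls through to the implicit deny.
    print(evaluate_acl(ACL_110[:1], "172.31.1.1"))  # ('deny', 0)
```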

Cisco ASA Firewall – Web Administration and Web VPN

Cisco ASA Firewalls (ASA 5500 series) offer several ways to remotely administer and manage the device, such as SSH access, Telnet access, and web (HTTP) access. The last one makes use of the ASDM (Adaptive Security Device Manager), a powerful graphical application for administering and managing the firewall. The ASDM application file is stored on the firewall’s flash and is accessed from a browser over HTTPS.

To gain access to the graphical ASDM web management tool you need to enable the HTTPS server on the firewall and allow HTTPS connections from specific management hosts.

Enabling HTTPS Access

  1. Generate cryptographic keys for HTTPS
  2. Enable the web server on the firewall
  3. Specify which management PCs are allowed to access the device

Example:
ASA(config)# crypto key generate rsa modulus 1024
ASA(config)# write mem
ASA(config)# http server enable
ASA(config)# http 192.168.1.2 255.255.255.255 inside
ASA(config)# http 192.168.1.5 255.255.255.255 inside

The example above enables HTTPS access and allows it only from two IP addresses (192.168.1.2 and 192.168.1.5) on the inside interface of the firewall. Note that a 1024-bit RSA key is weak by today’s standards; use `modulus 2048` or larger, which newer ASA releases require anyway.

Now, to reach the graphical ASDM web interface from an allowed PC (e.g. the one at 192.168.1.2), just open a web browser and enter the URL https://<inside firewall IP address>

Web VPN

Web VPN (also called SSL VPN or clientless VPN) is a new type of remote VPN access that uses a browser over HTTPS. A remote teleworker, for example, can reach internal corporate services and resources through a secure browser session. The teleworker just points the browser to the external public IP address of the corporate ASA firewall, which authenticates the user and grants secure access to the internal network.

However, if you use both ASDM and Web VPN on the same firewall interface there is a conflict, since both services use the default HTTPS port (443). To avoid it, change the default listening port of the Web VPN service to something other than 443. Let’s see an example:

Example:

ASA(config)# http server enable
ASA(config)# http 100.100.1.1 255.255.255.255 outside
ASA(config)# webvpn
ASA(config-webvpn)# port 444
ASA(config-webvpn)# enable outside

In the example above, we enabled HTTPS management access (ASDM) on the outside interface and also enabled Web VPN on the outside interface, but on a different port (444). This avoids the conflict between the two services: ASDM listens on the default port 443 and Web VPN listens on port 444.

In this case, a remote teleworker connecting to the firewall from the outside needs to point the browser to https://<external IP of Firewall>:444