
Cisco ASA - Is there a way to dynamically build an access list on a Ci

Status
Not open for further replies.

sotdl (Technical User), Jan 16, 2010, US
We have a Cisco ASA firewall that was configured a long time ago without any access list. Since there is no access list, the firewall permits any traffic in and out of the network, which is obviously a security concern. What is the best way to create an access list/firewall policy without breaking the applications that traverse this firewall? Is there a way to dynamically build an access list on Cisco ASA? We have a ton of traffic going through these firewalls, so it would take a very long time to put a sniffer on the network and identify the traffic flows. Any ideas on how to create a "loose" access-list/firewall policy that can protect the network at a minimum? We want to create a simple access list that can at least protect the network from most basic forms of attacks without breaking our applications.
 
ACLs cannot be built dynamically. I would first take your inside network and allow basic functions like port 80 and 443 and maybe SQL (1433). I would also download the Cisco RAT tool (Router Audit Tool); this will make sure you have a good foundation. It's a free tool.
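An added example (not from the thread) of the kind of starting outbound policy the reply above describes, in ASA 8.x syntax; the interface name, inside subnet, database host address and the added DNS line are assumptions, not something the poster gave.

```cisco
! Inside subnet and the outbound web ports the reply suggests (addresses assumed)
object-group network INSIDE-NET
 network-object 192.168.10.0 255.255.255.0
object-group service WEB-OUT tcp
 port-object eq 80
 port-object eq 443
!
! Web from the inside network to anywhere
access-list INSIDE-IN extended permit tcp object-group INSIDE-NET any object-group WEB-OUT
! SQL (1433) only to the one database host that needs it, not to any destination
access-list INSIDE-IN extended permit tcp object-group INSIDE-NET host 203.0.113.20 eq 1433
! Not in the reply, but web browsing fails without name resolution (resolver address assumed)
access-list INSIDE-IN extended permit udp object-group INSIDE-NET host 203.0.113.53 eq 53
! An explicit deny with "log" records every dropped flow (syslog 106100), so any
! application the list missed shows up in the logs instead of failing silently
access-list INSIDE-IN extended deny ip any any log
!
! Once this is applied, the default "everything from inside may leave" behaviour ends;
! only the entries above are permitted, everything else is dropped and logged
access-group INSIDE-IN in interface inside
```

Review the 106100 messages for a few days before tightening further; each one names the source, destination and port of a flow the policy has not yet accounted for.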
 
If there are no ACLs then all traffic is allowed out and all inbound is blocked. I don't agree with this but 90% of the population runs like this (with maybe a web or email server shared.)

Now, as an admin, it is your job to know exactly what is happening on your network. You need to know all the servers and services as well as the router, firewall, wireless and switch topology. In short, you need full network documentation. It sucks to do, but when disaster strikes you have something to start with.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 