CASA-FW-000250 - The Cisco ASA perimeter firewall must be configured to block all outbound management traffic - ACL

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The management network must still have its own subnet in order to enforce control and access boundaries provided by Layer 3 network nodes such as routers and firewalls. Management traffic between the managed network elements and the management network is routed via the same links and nodes as that used for production or operational traffic.

Safeguards must be implemented to ensure that the management traffic does not leak past the managed network's premise equipment. If a firewall is located behind the premise router, all management traffic must be blocked at that point, with the exception of management traffic destined to premise equipment.

Solution

Step 1: Configure the ingress ACL similar to the example below.

ASA(config)# access-list INSIDE_IN extended deny udp any any eq snmp
ASA(config)# access-list INSIDE_IN extended deny udp any any eq snmptrap
ASA(config)# access-list INSIDE_IN extended deny udp any any eq ntp
ASA(config)# access-list INSIDE_IN extended deny udp any any eq syslog
ASA(config)# access-list INSIDE_IN extended deny tcp any any eq 22
ASA(config)# access-list INSIDE_IN extended deny tcp any any eq tacacs
ASA(config)# access-list INSIDE_IN extended permit ip any any

Step 2: Apply the ACL inbound on the einternal interfaces as shown in the example below.

ASA(config)# access-group INSIDE_IN out interface INSIDE
ASA(config)# end

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_ASA_Y22M04_STIG.zip

Item Details

References: CAT|II, CCI|CCI-002403, Rule-ID|SV-239867r665887_rule, STIG-ID|CASA-FW-000250, Vuln-ID|V-239867

Plugin: Cisco

Control ID: 396a3d972a9d3a1a696be1c26644ce9cdaf23d20c9856438cc366dcf72dd100d