
I am trying to block GotoMyPC traffic using a Cisco ASA 5505.

On gotomypc.com they say you can block all traffic to poll.gotomypc.com to stop all access.

What I have done is create a network group that contains the objects that reference the IPs for gotomypc.com and poll.gotomypc.com (poll.gotomypc.com is a host name/A record, so the IP could change; is there a way to reference the host name with the ASA instead of an IP?).

I set outside access rules with the source gotomypcgroup and blocked all traffic, trying the following services: IP, TCP, UDP. However, I am still able to connect using GotoMyPC.

If I create an inside rule, it automatically creates a rule to block all traffic from any to any that I cannot edit, stopping all network traffic.

I used our DNS proxy to block all traffic to poll.gotomypc.com and gotomypc.com, but I cannot get the traffic blocked from the ASA itself. I also know the ASA has regexes for gotomypc, but I am unsure how to use them.

I am trying to figure out what I am doing wrong.

Thanks.

Jeff

1 Answer


When you create your first explicit rule on an interface, the implicit rule for the interface changes from "allow all traffic bound for a lower-security interface" to "deny any".

Assuming that your inside interface is your highest security interface, all you need to do to get back to your firewall's current behavior is add an "allow ip any any" under your "deny gotomypc" rule.

Shane Madden
  • Right now on the inside interface there are 2 rules: any - any less secure networks - ip - permit, and any - any - ip - deny. We do have 3 remote locations that are connected using site-to-site VPN. Will this break the site-to-site VPN with the remote locations? – Jeff Dec 09 '11 at 16:45
  • @Jeff Yeah, that's correct for the ACL; that's the default configuration when there's no actual access list applied to the interface. Nope, IPSec tunnels should not be affected. – Shane Madden Dec 09 '11 at 16:48
  • The inside interface now has 3 incoming rules. Source - destination - service - action is as follows: gotomypc.com - any - ip - deny, any - any - ip - permit, any - any - ip - deny (non-editable). Before I hit apply (middle of workday..) does this look correct? Thanks. – Jeff Dec 09 '11 at 16:52
  • 1
    @Jeff Maybe wait until people are at lunch ;) But yeah, that looks good. – Shane Madden Dec 09 '11 at 16:55
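As an added example (not from the question or the answer), here is the ASA CLI equivalent of the rule order Shane describes, with the GoToMyPC group as the destination, since an inbound ACL on the inside interface matches traffic leaving the LAN, plus a FQDN object for the host-name question in the post. The object names and the resolver address are assumptions; FQDN network objects require ASA 8.4(2) or later.

```text
! Added example, not configuration from the original thread.
! DNS lookups are required for FQDN objects; 192.0.2.53 is a placeholder resolver.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53
!
! FQDN objects (ASA 8.4(2)+): the ASA re-resolves the name periodically,
! so the ACL follows the A record when poll.gotomypc.com changes IP.
object network GOTOMYPC_POLL
 fqdn poll.gotomypc.com
object network GOTOMYPC_WWW
 fqdn gotomypc.com
object-group network GOTOMYPC
 network-object object GOTOMYPC_POLL
 network-object object GOTOMYPC_WWW
!
! Order matters: the deny sits above an explicit permit. As soon as an ACL is
! applied, the interface's implicit rule becomes "deny any", so without the
! permit line every other inside host loses access too.
access-list inside_access_in extended deny ip any object-group GOTOMYPC log
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
!
! Verify: the hit count on the deny entry should rise when a client polls.
show access-list inside_access_in
```

The `log` keyword sends a syslog message for each matching connection, which gives you a detection record of hosts still trying to reach the service after the block is in place.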