The Cisco ASA must be configured to filter outbound traffic, allowing only authorized ports and services.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-239852	CASA-FW-000010	SV-239852r665842_rule		High

Description
Information flow control regulates where information is allowed to travel within a network and between interconnected networks. Blocking or restricting detected harmful or suspicious communications between interconnected networks enforces approved authorizations for controlling the flow of traffic. The firewall that filters traffic outbound to interconnected networks with different security policies must be configured to permit or block traffic based on organization-defined traffic authorizations.

Description

Information flow control regulates where information is allowed to travel within a network and between interconnected networks. Blocking or restricting detected harmful or suspicious communications between interconnected networks enforces approved authorizations for controlling the flow of traffic. The firewall that filters traffic outbound to interconnected networks with different security policies must be configured to permit or block traffic based on organization-defined traffic authorizations.

STIG	Date
Cisco ASA Firewall Security Technical Implementation Guide	2024-06-06

Details

Check Text ( C-43085r665840_chk )
Review the ASA configuration to determine if it only permits outbound traffic using authorized ports and services. Step 1: Verify that an ingress ACL has been applied to all internal interfaces as shown in the example below. interface GigabitEthernet0/0 nameif INSIDE security-level 100 ip address 10.1.11.1 255.255.255.0 … … … access-group INSIDE _IN in interface INSIDE Step 2: Verify that the ingress ACL only allows outbound traffic using authorized ports and services as shown in the example below. access-list INSIDE _IN extended permit tcp any any eq www access-list INSIDE _IN extended permit tcp any any eq https access-list INSIDE _IN extended permit tcp any any eq … access-list INSIDE _IN extended deny ip any any log If the ASA is not configured to only allow outbound traffic using authorized ports and services, this is a finding.

Check Text ( C-43085r665840_chk )

Review the ASA configuration to determine if it only permits outbound traffic using authorized ports and services.

Step 1: Verify that an ingress ACL has been applied to all internal interfaces as shown in the example below.

interface GigabitEthernet0/0
nameif INSIDE
security-level 100
ip address 10.1.11.1 255.255.255.0
…
…
…
access-group INSIDE _IN in interface INSIDE

Step 2: Verify that the ingress ACL only allows outbound traffic using authorized ports and services as shown in the example below.

access-list INSIDE _IN extended permit tcp any any eq www
access-list INSIDE _IN extended permit tcp any any eq https
access-list INSIDE _IN extended permit tcp any any eq …
access-list INSIDE _IN extended deny ip any any log

If the ASA is not configured to only allow outbound traffic using authorized ports and services, this is a finding.

Fix Text (F-43044r665841_fix)
Step 1: Configure the ingress ACL similar to the example below. ASA(config)# access-list INSIDE_INextended permit tcp any any eq https ASA(config)# access-list INSIDE_INextended permit tcp any any eq http ASA(config)# access-list INSIDE_INextended permit tcp any any eq … ASA(config)# access-list INSIDE_INextended deny ip any any log Step 2: Apply the ACL inbound on all internal interfaces as shown in the example below. ASA(config)# access-group INSIDE_IN in interface INSIDE ASA(config)# end

Fix Text (F-43044r665841_fix)

Step 1: Configure the ingress ACL similar to the example below.

ASA(config)# access-list INSIDE_INextended permit tcp any any eq https
ASA(config)# access-list INSIDE_INextended permit tcp any any eq http
ASA(config)# access-list INSIDE_INextended permit tcp any any eq …
ASA(config)# access-list INSIDE_INextended deny ip any any log

Step 2: Apply the ACL inbound on all internal interfaces as shown in the example below.

ASA(config)# access-group INSIDE_IN in interface INSIDE
ASA(config)# end