There are lots of posts about locking down ASA configurations and generally getting FreePBX to be happy behind Cisco firewalls. We run our FreePBX hosts inside a dedicated DMZ, and I tried to lock it down as tightly as we reasonably could. FreePBX doesn't seem to play nicely with HTTP/HTTPS proxies that aren't transparent, so we included rules that let it reach a minimal set of outbound hosts directly. The ACL below covers only the outbound rules, i.e. traffic leaving your DMZ (which the ASA sees as "in" on the DMZ interface, hence the ACL name); the inbound rules from public and private networks are reasonably straightforward and aren't included. I'm not addressing QoS or traffic inspection either. Two things worth knowing before you paste it in: the destinations are FQDN network objects, so the ASA itself must be able to resolve DNS (dns domain-lookup on an interface plus a dns server-group), otherwise the objects stay empty and the permits never match; and the hit counts in show access-list are the fastest way to see which line a failing update or trunk registration is actually falling through to. This is a sanitized version of a working configuration; aside from any typos introduced while sanitizing it, it should just work. We used it to take a FreePBX host through the distro installation process and into production.
Suggestions for improvement are always welcome; however, I can't troubleshoot your ASA configs for free (sorry). And obviously this configuration is provided as a courtesy; anyone using it accepts all of the risk and potential problems that may arise.
!
! External FQDNs that FreePBX wants to talk to
!
! These are FQDN network objects, so the ASA itself has to resolve them; with DNS
! lookup disabled the objects stay empty and none of the rules using them match.
! Prerequisites (placeholders in the same style as the groups further down):
!   dns domain-lookup <interface that can reach your DNS servers>
!   dns server-group DefaultDNS
!    name-server <Your internal DNS servers>
!
object network on-fqdn-mirrorlist.schmoozecom.net
fqdn mirrorlist.schmoozecom.net
object network on-fqdn-yum.schmoozecom.net
fqdn yum.schmoozecom.net
object network on-fqdn-mirrorlist.freepbxdistro.org
fqdn mirrorlist.freepbxdistro.org
object network on-fqdn-trunk1.freepbx.com
fqdn trunk1.freepbx.com
object network on-fqdn-trunk2.freepbx.com
fqdn trunk2.freepbx.com
object network on-fqdn-trunktrial1.freepbx.com
fqdn trunktrial1.freepbx.com
object network on-fqdn-trunktrial2.freepbx.com
fqdn trunktrial2.freepbx.com
object network on-fqdn-katanafpbx.schmoozecom.com
fqdn katanafpbx.schmoozecom.com
object network on-fqdn-mirror1.freepbx.org
fqdn mirror1.freepbx.org
object network on-fqdn-mirror2.freepbx.org
fqdn mirror2.freepbx.org
object network on-fqdn-registry.npmjs.org
fqdn registry.npmjs.org
object network on-fqdn-nodejs.org
fqdn nodejs.org
object network on-fqdn-github.com
fqdn github.com
object network on-fqdn-codeload.github.com
fqdn codeload.github.com
object network on-fqdn-register.digium.com
fqdn register.digium.com
object network on-fqdn-downloads.digium.com
fqdn downloads.digium.com
object network on-fqdn-push2.schmoozecom.com
fqdn push2.schmoozecom.com
object network on-fqdn-cryptonomicon.mit.edu
fqdn cryptonomicon.mit.edu
object network on-fqdn-pool.sks-keyservers.net
fqdn pool.sks-keyservers.net
object network on-fqdn-keyserver.ubuntu.com
fqdn keyserver.ubuntu.com
object network on-fqdn-keyserver.pgp.com
fqdn keyserver.pgp.com
object network on-fqdn-kickstart.freepbxdistro.org
fqdn kickstart.freepbxdistro.org
object network on-fqdn-ct.schmoozecom.net
fqdn ct.schmoozecom.net
!
! ICMP and TCP / UDP Object Groups
!
object-group icmp-type og-echo-request
icmp-object echo
icmp-object traceroute
object-group icmp-type og-icmp-replies
icmp-object echo-reply
icmp-object source-quench
icmp-object traceroute
icmp-object unreachable
object-group service og-web-tcp tcp
port-object eq www
port-object eq https
object-group service og-ldap-tcp tcp
port-object eq ldap
port-object eq ldaps
object-group service og-ldap-ad-gc-tcp tcp
port-object eq 3268
port-object eq 3269
group-object og-ldap-tcp
!
! NB: the 1024-65535 range below (RTP) already includes 5060, so the sip entry is
! redundant; narrow the range to your Asterisk rtp.conf rtpstart/rtpend values if you can
!
object-group service og-voip-ports-udp udp
port-object eq sip
port-object range 1024 65535
port-object eq tftp
object-group service og-sipstation-inbound-udp udp
port-object eq 5060
port-object eq 5160
port-object range 10000 20000
object-group service og-voip-ports-tcp tcp
port-object eq sip
port-object eq 83
port-object eq www
port-object eq 84
port-object eq 1443
port-object eq 3443
!
! Referenced by the "Outbound To Webcache Servers" rules in the ACL. The ASA refuses an
! ACE that names an undefined object-group, so either fill this in or drop those rules
! if you have no proxy (FreePBX itself won't use a non-transparent one anyway)
!
object-group service og-outbound-web-proxy-tcp tcp
<Your web proxy listening port(s), as port-object entries>
!
! Network Object Groups
!
object-group network og-rfc-1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
object-group network og-dns-servers
<Your internal DNS servers>
object-group network og-time-servers
<Your internal NTP servers>
object-group network og-active-directory-servers
<Your Active Directory Servers>
object-group network og-email-servers
<Your Email Servers>
object-group network og-extranets
<Your Extranet Partner Networks>
!
! Referenced by the "Outbound To Webcache Servers" rules in the ACL; it was left
! undefined in the sanitized original, which the ASA rejects when the ACE is entered
!
object-group network og-web-proxy-servers
<Your web proxy / webcache servers>
object-group network og-voip-servers-remote
<Your VoIP servers in other subnets>
object-group network og-voip-users-remote
<Your VoIP endpoints in other subnets>
object-group network og-freepbx-setup-servers
network-object object on-fqdn-cryptonomicon.mit.edu
network-object object on-fqdn-pool.sks-keyservers.net
network-object object on-fqdn-keyserver.ubuntu.com
network-object object on-fqdn-keyserver.pgp.com
network-object object on-fqdn-register.digium.com
object-group network og-freepbx-update-servers
network-object object on-fqdn-mirrorlist.schmoozecom.net
network-object object on-fqdn-mirrorlist.freepbxdistro.org
network-object object on-fqdn-yum.schmoozecom.net
network-object object on-fqdn-push2.schmoozecom.com
network-object object on-fqdn-mirror1.freepbx.org
network-object object on-fqdn-mirror2.freepbx.org
network-object object on-fqdn-registry.npmjs.org
network-object object on-fqdn-nodejs.org
network-object object on-fqdn-github.com
network-object object on-fqdn-codeload.github.com
network-object object on-fqdn-ct.schmoozecom.net
network-object object on-fqdn-downloads.digium.com
object-group network og-sipstation-external-registrars
network-object object on-fqdn-trunk1.freepbx.com
network-object object on-fqdn-trunk2.freepbx.com
network-object object on-fqdn-trunktrial1.freepbx.com
network-object object on-fqdn-trunktrial2.freepbx.com
object-group network og-sipstation-external-sms-servers
network-object object on-fqdn-katanafpbx.schmoozecom.com
clear config access-list acl-servers-freepbx-in-v1.00
access-list acl-servers-freepbx-in-v1.00 remark ################################################################################
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark # FreePBX Servers - Inbound (to firewall)
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark # Outbound To VoIP Servers
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 extended permit icmp any4 object-group og-voip-servers-remote object-group og-echo-request
access-list acl-servers-freepbx-in-v1.00 extended permit icmp any4 object-group og-voip-servers-remote object-group og-icmp-replies
access-list acl-servers-freepbx-in-v1.00 extended permit udp any4 object-group og-voip-servers-remote object-group og-voip-ports-udp
access-list acl-servers-freepbx-in-v1.00 extended permit tcp any4 object-group og-voip-servers-remote object-group og-voip-ports-tcp
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark # Outbound To VoIP Users
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 extended permit icmp any4 object-group og-voip-users-remote object-group og-echo-request
access-list acl-servers-freepbx-in-v1.00 extended permit icmp any4 object-group og-voip-users-remote object-group og-icmp-replies
access-list acl-servers-freepbx-in-v1.00 extended permit udp any4 object-group og-voip-users-remote object-group og-voip-ports-udp
access-list acl-servers-freepbx-in-v1.00 extended permit tcp any4 object-group og-voip-users-remote object-group og-voip-ports-tcp
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark # Outbound To SMTP Servers
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 extended permit icmp any4 object-group og-email-servers object-group og-echo-request
access-list acl-servers-freepbx-in-v1.00 extended permit tcp any4 object-group og-email-servers eq smtp
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark # Outbound To LDAP Servers
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 extended permit icmp any4 object-group og-active-directory-servers object-group og-echo-request
access-list acl-servers-freepbx-in-v1.00 extended permit tcp any4 object-group og-active-directory-servers object-group og-ldap-ad-gc-tcp
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark # Outbound To Webcache Servers
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 extended permit icmp any4 object-group og-web-proxy-servers object-group og-echo-request
access-list acl-servers-freepbx-in-v1.00 extended permit tcp any4 object-group og-web-proxy-servers object-group og-outbound-web-proxy-tcp
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark # Outbound To DNS Servers
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 extended permit icmp any4 object-group og-dns-servers object-group og-echo-request
access-list acl-servers-freepbx-in-v1.00 extended permit udp any4 object-group og-dns-servers eq domain
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark # Outbound To Internal NTP Servers
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 extended permit icmp any4 object-group og-time-servers object-group og-echo-request
access-list acl-servers-freepbx-in-v1.00 extended permit udp any4 object-group og-time-servers eq ntp
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark #####################################################
access-list acl-servers-freepbx-in-v1.00 remark #####################################################
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark # Devices with Internet Access - this section must be last!
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark #####################################################
access-list acl-servers-freepbx-in-v1.00 remark #####################################################
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark # First deny any more internal access
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 extended deny ip any4 object-group og-rfc-1918
access-list acl-servers-freepbx-in-v1.00 extended deny ip any4 object-group og-extranets
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark # Outbound connections to FreePBX Update Servers
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 extended permit icmp any4 object-group og-freepbx-update-servers object-group og-echo-request
access-list acl-servers-freepbx-in-v1.00 extended permit tcp any4 object-group og-freepbx-update-servers object-group og-web-tcp
access-list acl-servers-freepbx-in-v1.00 extended permit icmp any4 object-group og-freepbx-setup-servers object-group og-echo-request
access-list acl-servers-freepbx-in-v1.00 extended permit tcp any4 object-group og-freepbx-setup-servers object-group og-web-tcp
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark # Outbound connections to SipStation Servers
access-list acl-servers-freepbx-in-v1.00 remark # NB: SIP/RTP below is permitted to any4, not to og-sipstation-external-registrars
access-list acl-servers-freepbx-in-v1.00 remark # (defined above but unused); narrow the destination if your trunk provider
access-list acl-servers-freepbx-in-v1.00 remark # publishes fixed signalling and media addresses
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 extended permit icmp any4 any4 object-group og-echo-request
access-list acl-servers-freepbx-in-v1.00 extended permit icmp any4 any4 object-group og-icmp-replies
access-list acl-servers-freepbx-in-v1.00 extended permit udp any4 any4 object-group og-sipstation-inbound-udp
access-list acl-servers-freepbx-in-v1.00 extended permit tcp any4 object-group og-sipstation-external-sms-servers object-group og-web-tcp
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark # Outbound connections to NTP
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 extended permit udp any4 any4 eq ntp
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark # Block all other traffic
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 extended deny ip any4 any4 log
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark #
access-list acl-servers-freepbx-in-v1.00 remark ################################################################################
access-group acl-servers-freepbx-in-v1.00 in interface servers-freepbx
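Before pasting an ACL like this into a production ASA it is worth linting it offline for the mistakes the firewall only tells you about one line at a time (or, worse, silently). The script below is an added example, written for this page; it is not part of the original post and not a Cisco tool. It understands only the object / object-group / access-list extended syntax used in the config above and checks four things: object-groups that are referenced but never defined (the sanitisation slip the "Webcache" rules suffer from), groups that are defined but never used (as og-sipstation-external-registrars is), a permit to any4 sitting above the deny to RFC 1918 / extranet space so that DMZ hosts could reach internal networks, and a missing final logged deny. The embedded config is a constructed cut-down copy of the one above; og-rfc-1918 and og-extranets are the post's own names, while acl-dmz-in, 10.1.1.53 and 203.0.113.10 are made up for the example.

```python
"""Offline lint for an ASA access-list before it is pasted into a firewall.

Added example, not part of the original post or of any Cisco tool. It parses only the
ASA syntax subset the config above uses and reports: undefined (a referenced object
or object-group is never defined), unused (defined but nothing references it),
shadowed (a permit to any/any4 comes before the deny to internal address space) and
no-final-deny (the ACL does not end with a logged deny ip any4 any4)."""
from collections import defaultdict

# Constructed cut-down config in the style of the post: the webcache ACE references
# groups nobody defined, and the registrar group is dead config. Hosts are made up.
SAMPLE = """\
object network on-fqdn-mirror1.freepbx.org
fqdn mirror1.freepbx.org
object-group icmp-type og-echo-request
icmp-object echo
object-group service og-web-tcp tcp
port-object eq www
port-object eq https
object-group service og-sipstation-inbound-udp udp
port-object eq 5060
port-object range 10000 20000
object-group network og-rfc-1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
object-group network og-dns-servers
network-object host 10.1.1.53
object-group network og-freepbx-update-servers
network-object object on-fqdn-mirror1.freepbx.org
object-group network og-sipstation-external-registrars
network-object host 203.0.113.10
access-list acl-dmz-in extended permit icmp any4 object-group og-dns-servers object-group og-echo-request
access-list acl-dmz-in extended permit udp any4 object-group og-dns-servers eq domain
access-list acl-dmz-in extended permit tcp any4 object-group og-web-proxy-servers object-group og-outbound-web-proxy-tcp
access-list acl-dmz-in extended deny ip any4 object-group og-rfc-1918
access-list acl-dmz-in extended permit tcp any4 object-group og-freepbx-update-servers object-group og-web-tcp
access-list acl-dmz-in extended permit udp any4 any4 object-group og-sipstation-inbound-udp
access-list acl-dmz-in extended deny ip any4 any4 log
access-group acl-dmz-in in interface servers-freepbx
"""

ANY = ("any", "any4", "any6")
PORT_WIDTH = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}  # tokens a port spec occupies

def _endpoint(tok, i):
    """Consume one ACE endpoint: any/any4, 'host A', 'object X', 'object-group X' or 'A MASK'."""
    return (tok[i], i + 1) if tok[i] in ANY else (f"{tok[i]} {tok[i + 1]}", i + 2)

def _skip_ports(tok, i, kinds):
    """Skip an optional port or ICMP-type spec that may follow an endpoint."""
    nxt = tok[i] if i < len(tok) else ""
    if nxt in PORT_WIDTH:
        return i + PORT_WIDTH[nxt]
    if nxt == "object-group" and kinds.get(tok[i + 1]) in ("service", "icmp-type"):
        return i + 2
    return i

def parse(text):
    """Return (kinds, refs, aces); aces are (line, acl, action, src, dst, trailing tokens)."""
    kinds, refs, aces = {}, defaultdict(list), []   # name -> kind, name -> lines, ACEs in order
    for n, raw in enumerate(text.splitlines(), 1):
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "object-group" or t[:2] == ["object", "network"]:
            kinds[t[2]] = t[1] if t[0] == "object-group" else "network"
        elif t[:2] == ["network-object", "object"] or t[0] == "group-object":
            refs[t[-1]].append(n)                     # referenced name is the last token
        elif t[0] == "access-list" and len(t) > 6 and t[2] == "extended":
            for i, w in enumerate(t[:-1]):
                if w in ("object", "object-group"):
                    refs[t[i + 1]].append(n)
            body = t[3:]                              # action proto src [ports] dst [ports] [log]
            src, i = _endpoint(body, 2)
            dst, i = _endpoint(body, _skip_ports(body, i, kinds))
            aces.append((n, t[1], body[0], src, dst, body[_skip_ports(body, i, kinds):]))
    return kinds, refs, aces

def check(text, internal_groups=("og-rfc-1918", "og-extranets")):
    """Run every check; returns a list of (code, message) findings, empty when clean."""
    kinds, refs, aces = parse(text)
    out = []
    for name, lines in sorted(refs.items()):
        if name not in kinds:
            out.append(("undefined", f"line {lines[0]}: {name} is referenced but never defined"))
    out += [("unused", f"{name} is defined but never referenced") for name in sorted(kinds) if name not in refs]
    internal = {f"object-group {g}" for g in internal_groups}
    last_deny = max((k for k, a in enumerate(aces) if a[2] == "deny" and a[4] in internal), default=-1)
    for k, (n, _, action, _, dst, _) in enumerate(aces):
        if action == "permit" and dst in ANY and (last_deny < 0 or k < last_deny):
            out.append(("shadowed", f"line {n}: permit to {dst} is not preceded by the deny to internal space"))
    last = aces[-1] if aces else None
    if not last or not (last[2] == "deny" and last[3] in ANY and last[4] in ANY and "log" in last[5]):
        out.append(("no-final-deny", "ACL does not end with an explicit, logged deny ip any4 any4"))
    return out

if __name__ == "__main__":
    for code, msg in check(SAMPLE):
        print(f"{code:14} {msg}")
```

Run it as-is to see the three findings on the sample (two undefined proxy groups and the unused registrar group), or feed the object and access-list sections of your own show running-config to check() instead of SAMPLE. It is a syntax-level check only: it does not resolve FQDN objects, expand address ranges, or model the implicit deny the ASA appends to every ACL, so treat it as a complement to packet-tracer and show access-list hit counts rather than a replacement for them.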