ASA CHAPTER 4 (OBJECT-GROUP & ICMP Traffic )
5. Reduce above problem by creating Object Groups ?
• Create the following object groups:
o SERVERS containing the host 10.0.0.100.
o ROUTERS containing network 136.X.121.0/24 to it.
o COMMON_ICMP containing the ICMP types corresponding to the
ping and UNIX-style traceroute commands.
o TRC_PORTS containing the range of UDP ports 33434-33464.
o SERVER_PORTS containing TCP ports for HTTP and FTP.
o ROUTER_PORTS and add TCP ports corresponding to
Telnet/SSH in addition to port 7001 to the group.
• Reduce the size of the previously created access-lists using the object
groups just created.
6. ICMP Traffic Tunning for firewall .
• Configure the firewall such that no one could ping it. However, make sure
firewall itself is able to ping anyone.
• Additionally, make sure that pMTU discovery and traceroute work
successfully from the firewall.
• All other ICMP messages terminating on firewall interfaces should be
discarded.
-->
Objects groups allow simplifying large access-list configuration. You can group
objects of similar nature (e.g. a group networks and host, a collection of TCP
ports, a bunch of ICMP message types) and then reference them in access-lists.
Thus, instead of working with addresses and port number you can work with
higher level objects that reflect the logical structure of your network. For example
you may have object groups PUBLIC_HOSTING listing the publically accessible
servers and MANAGEMENT_SEGMENT listing the management stations along
with PUBLIC_PORTS group, listing the FTP, WWW, HTTPS ports. By building
your access-list out of objects groups, you make them more readable and
manageable, as you don’t need to add new ACL entries for every new public
server.
Object groups are very intuitive to use, and most time you will not face any
problems creating and configuring access-list using the object groups. However,
remember that object-groups are good for use with interface access-list, not the
access-lists used to building VPN proxy identities, such as split ACLs.
-->diagram:
ASA1:
!
! Define object groups
!
object-group network ROUTERS
network-object 136.1.121.0 255.255.255.0
!
object-group network SERVERS
network-object host 10.0.0.100
!
object-group icmp-type COMMON_ICMP
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
!
object-group service TRC_PORTS udp
port-object range 33434 33464
!
object-group service SERVER_PORTS tcp
port-object eq www
port-object eq ftp
!
object-group service ROUTER_PORTS tcp
port-object eq telnet
port-object eq ssh
port-object eq 7001
!
clear configure access-list OUTSIDE_IN
!
! Define access-lists
!
access-list OUTSIDE_IN permit icmp any any obj COMMON_ICMP
access-list OUTSIDE_IN permit udp any any obj TRC_PORTS
access-list OUTSIDE_IN permit tcp any obj SERVERS obj SERVER_PORTS
access-list OUTSIDE_IN permit tcp any obj ROUTERS obj ROUTER_PORTS
access-list OUTSIDE_OUT permit icmp any any obj COMMON_ICMP
access-list OUTSIDE_OUT permit udp any any obj TRC_PORTS
!
! Apply the access-lists
!
access-group OUTSIDE_IN in interface outside
access-group OUTSIDE_OUT out interface outside
output:
!
ciscoasa# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list OUTSIDE_IN; 10 elements
access-list OUTSIDE_IN line 1 extended permit icmp any any object-group COMMON_ICMP 0x8ced5a
access-list OUTSIDE_IN line 1 extended permit icmp any any echo (hitcnt=1) 0x869bdf05
access-list OUTSIDE_IN line 1 extended permit icmp any any echo-reply (hitcnt=1) 0xc857b49e
access-list OUTSIDE_IN line 1 extended permit icmp any any time-exceeded (hitcnt=0) 0xc3b80d
access-list OUTSIDE_IN line 1 extended permit icmp any any unreachable (hitcnt=0) 0xec6c9a23
access-list OUTSIDE_IN line 2 extended permit udp any any object-group TRC_PORTS 0x2a19bcff
access-list OUTSIDE_IN line 2 extended permit udp any any range 33434 33464 (hitcnt=0) 0x61e01ad
access-list OUTSIDE_IN line 3 extended permit tcp any object-group SERVERS object-group SERVER_PORTS 0x4f4b05bf
access-list OUTSIDE_IN line 3 extended permit tcp any host 10.0.0.100 eq www (hitcnt=0) 0x59f08b76
access-list OUTSIDE_IN line 3 extended permit tcp any host 10.0.0.100 eq ftp (hitcnt=0) 0x8997bedf
access-list OUTSIDE_IN line 4 extended permit tcp any object-group ROUTERS object-group ROUTER_PORTS 0x93396844
access-list OUTSIDE_IN line 4 extended permit tcp any 136.1.121.0 255.255.255.0 eq telnet (hitcnt=0) 0xa78fa109
access-list OUTSIDE_IN line 4 extended permit tcp any 136.1.121.0 255.255.255.0 eq ssh (hitcnt=0) 0xb9aa2beb
access-list OUTSIDE_IN line 4 extended permit tcp any 136.1.121.0 255.255.255.0 eq 7001 (hitcnt=0) 0x919d2be3
access-list OUTSIDE_OUT; 5 elements
access-list OUTSIDE_OUT line 1 extended permit icmp any any object-group COMMON_ICMP 0x19df4a15
access-list OUTSIDE_OUT line 1 extended permit icmp any any echo (hitcnt=1) 0x4006da3f
access-list OUTSIDE_OUT line 1 extended permit icmp any any echo-reply (hitcnt=1) 0xd6d9967
access-list OUTSIDE_OUT line 1 extended permit icmp any any time-exceeded (hitcnt=0) 0x1c223353
access-list OUTSIDE_OUT line 1 extended permit icmp any any unreachable (hitcnt=0) 0x38ddecbc
access-list OUTSIDE_OUT line 2 extended permit udp any any object-group TRC_PORTS 0x16015244
access-list OUTSIDE_OUT line 2 extended permit udp any any range 33434 33464 (hitcnt=0) 0xde5f72ee
!
all ping & trace-rout output will be same as previous chapter.
6. ICMP Traffic Tunning for firewall .
• Configure the firewall such that no one could ping it. However, make sure
firewall itself is able to ping anyone.
• Additionally, make sure that pMTU discovery and traceroute work
successfully from the firewall.
• All other ICMP messages terminating on firewall interfaces should be
discarded.
The firewall accepts ICMP messages by default. However, the firewall does not respond to
ICMP messages sent to the subnet broadcast address.
If you need to filter any specific ICMP message type, you should to create at
least one explicitICMP rule. This will automatically block all other ICMP message
types, until they are permitted explicitly. You can also deny an ICMP message
type explicitly for one subnet, while allowing it for some others. The ICMP rule
statement has the following syntax icmp {permit|deny} <subnet> <mask>
<interface>. You can use the keyword anyinstead of 0.0.0.0 0.0.0.0.
For example, if you want to allow the ASA to ping any outside destination, but do
not respond to echo requests, configure the following rule alone:
icmp permit any echo-reply outside
If you want the ASA to be able to perform traceroute operation, configure the
firewall to accept ICMP time-exceededand unreachablemessages. It is always
recommended to allow the firewall to accept unreachable messages, as the
message type: fragmentation required but DF bit set is used by the Path MTU
(mPTU) discovery process.
--> diagram:
ASA1:
icmp permit any echo-reply outside
icmp permit any echo-reply inside
icmp permit any echo-reply dmz
!
icmp permit any time-exceeded outside
icmp permit any unreachable outside
!
icmp permit any time-exceeded inside
!
icmp permit any unreachable inside
!
icmp permit any time-exceeded dmz
icmp permit any unreachable dmz
!
Note
Ping and traceroute off the firewall unit and see that the commands are working
now. At the same time, pinging the firewall unit itself would fail.
!
output: from asa everything is permitted , but to asa it is blocking :
ciscoasa# ping 136.1.121.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.121.12, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa# ping 136.1.122.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.122.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/14/30 ms
ciscoasa# ping 10.0.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/12/30 ms
ciscoasa# tr
ciscoasa# traceroute 136.1.121.1
Type escape sequence to abort.
Tracing the route to 136.1.121.1
1 136.1.121.1 30 msec * 10 msec
ciscoasa# tr
ciscoasa# traceroute 136.1.122.3
Type escape sequence to abort.
Tracing the route to 136.1.122.3
1 136.1.122.3 30 msec * 30 msec
at R1:
R1#traceroute 136.1.122.3
Type escape sequence to abort.
Tracing the route to 136.1.122.3
1 136.1.122.3 52 msec * 56 msec
R1#traceroute 136.1.121.12 ttl 0 3
Type escape sequence to abort.
Tracing the route to 136.1.121.12
0 * * *
1 * * *
2 * * *
3 * * *
5. Reduce above problem by creating Object Groups ?
• Create the following object groups:
o SERVERS containing the host 10.0.0.100.
o ROUTERS containing network 136.X.121.0/24 to it.
o COMMON_ICMP containing the ICMP types corresponding to the
ping and UNIX-style traceroute commands.
o TRC_PORTS containing the range of UDP ports 33434-33464.
o SERVER_PORTS containing TCP ports for HTTP and FTP.
o ROUTER_PORTS and add TCP ports corresponding to
Telnet/SSH in addition to port 7001 to the group.
• Reduce the size of the previously created access-lists using the object
groups just created.
6. ICMP Traffic Tunning for firewall .
• Configure the firewall such that no one could ping it. However, make sure
firewall itself is able to ping anyone.
• Additionally, make sure that pMTU discovery and traceroute work
successfully from the firewall.
• All other ICMP messages terminating on firewall interfaces should be
discarded.
-->
Objects groups allow simplifying large access-list configuration. You can group
objects of similar nature (e.g. a group networks and host, a collection of TCP
ports, a bunch of ICMP message types) and then reference them in access-lists.
Thus, instead of working with addresses and port number you can work with
higher level objects that reflect the logical structure of your network. For example
you may have object groups PUBLIC_HOSTING listing the publically accessible
servers and MANAGEMENT_SEGMENT listing the management stations along
with PUBLIC_PORTS group, listing the FTP, WWW, HTTPS ports. By building
your access-list out of objects groups, you make them more readable and
manageable, as you don’t need to add new ACL entries for every new public
server.
Object groups are very intuitive to use, and most time you will not face any
problems creating and configuring access-list using the object groups. However,
remember that object-groups are good for use with interface access-list, not the
access-lists used to building VPN proxy identities, such as split ACLs.
-->diagram:
ASA1:
!
! Define object groups
!
object-group network ROUTERS
network-object 136.1.121.0 255.255.255.0
!
object-group network SERVERS
network-object host 10.0.0.100
!
object-group icmp-type COMMON_ICMP
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
!
object-group service TRC_PORTS udp
port-object range 33434 33464
!
object-group service SERVER_PORTS tcp
port-object eq www
port-object eq ftp
!
object-group service ROUTER_PORTS tcp
port-object eq telnet
port-object eq ssh
port-object eq 7001
!
clear configure access-list OUTSIDE_IN
!
! Define access-lists
!
access-list OUTSIDE_IN permit icmp any any obj COMMON_ICMP
access-list OUTSIDE_IN permit udp any any obj TRC_PORTS
access-list OUTSIDE_IN permit tcp any obj SERVERS obj SERVER_PORTS
access-list OUTSIDE_IN permit tcp any obj ROUTERS obj ROUTER_PORTS
access-list OUTSIDE_OUT permit icmp any any obj COMMON_ICMP
access-list OUTSIDE_OUT permit udp any any obj TRC_PORTS
!
! Apply the access-lists
!
access-group OUTSIDE_IN in interface outside
access-group OUTSIDE_OUT out interface outside
output:
!
ciscoasa# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list OUTSIDE_IN; 10 elements
access-list OUTSIDE_IN line 1 extended permit icmp any any object-group COMMON_ICMP 0x8ced5a
access-list OUTSIDE_IN line 1 extended permit icmp any any echo (hitcnt=1) 0x869bdf05
access-list OUTSIDE_IN line 1 extended permit icmp any any echo-reply (hitcnt=1) 0xc857b49e
access-list OUTSIDE_IN line 1 extended permit icmp any any time-exceeded (hitcnt=0) 0xc3b80d
access-list OUTSIDE_IN line 1 extended permit icmp any any unreachable (hitcnt=0) 0xec6c9a23
access-list OUTSIDE_IN line 2 extended permit udp any any object-group TRC_PORTS 0x2a19bcff
access-list OUTSIDE_IN line 2 extended permit udp any any range 33434 33464 (hitcnt=0) 0x61e01ad
access-list OUTSIDE_IN line 3 extended permit tcp any object-group SERVERS object-group SERVER_PORTS 0x4f4b05bf
access-list OUTSIDE_IN line 3 extended permit tcp any host 10.0.0.100 eq www (hitcnt=0) 0x59f08b76
access-list OUTSIDE_IN line 3 extended permit tcp any host 10.0.0.100 eq ftp (hitcnt=0) 0x8997bedf
access-list OUTSIDE_IN line 4 extended permit tcp any object-group ROUTERS object-group ROUTER_PORTS 0x93396844
access-list OUTSIDE_IN line 4 extended permit tcp any 136.1.121.0 255.255.255.0 eq telnet (hitcnt=0) 0xa78fa109
access-list OUTSIDE_IN line 4 extended permit tcp any 136.1.121.0 255.255.255.0 eq ssh (hitcnt=0) 0xb9aa2beb
access-list OUTSIDE_IN line 4 extended permit tcp any 136.1.121.0 255.255.255.0 eq 7001 (hitcnt=0) 0x919d2be3
access-list OUTSIDE_OUT; 5 elements
access-list OUTSIDE_OUT line 1 extended permit icmp any any object-group COMMON_ICMP 0x19df4a15
access-list OUTSIDE_OUT line 1 extended permit icmp any any echo (hitcnt=1) 0x4006da3f
access-list OUTSIDE_OUT line 1 extended permit icmp any any echo-reply (hitcnt=1) 0xd6d9967
access-list OUTSIDE_OUT line 1 extended permit icmp any any time-exceeded (hitcnt=0) 0x1c223353
access-list OUTSIDE_OUT line 1 extended permit icmp any any unreachable (hitcnt=0) 0x38ddecbc
access-list OUTSIDE_OUT line 2 extended permit udp any any object-group TRC_PORTS 0x16015244
access-list OUTSIDE_OUT line 2 extended permit udp any any range 33434 33464 (hitcnt=0) 0xde5f72ee
!
all ping & trace-rout output will be same as previous chapter.
6. ICMP Traffic Tunning for firewall .
• Configure the firewall such that no one could ping it. However, make sure
firewall itself is able to ping anyone.
• Additionally, make sure that pMTU discovery and traceroute work
successfully from the firewall.
• All other ICMP messages terminating on firewall interfaces should be
discarded.
The firewall accepts ICMP messages by default. However, the firewall does not respond to
ICMP messages sent to the subnet broadcast address.
If you need to filter any specific ICMP message type, you should to create at
least one explicitICMP rule. This will automatically block all other ICMP message
types, until they are permitted explicitly. You can also deny an ICMP message
type explicitly for one subnet, while allowing it for some others. The ICMP rule
statement has the following syntax icmp {permit|deny} <subnet> <mask>
<interface>. You can use the keyword anyinstead of 0.0.0.0 0.0.0.0.
For example, if you want to allow the ASA to ping any outside destination, but do
not respond to echo requests, configure the following rule alone:
icmp permit any echo-reply outside
If you want the ASA to be able to perform traceroute operation, configure the
firewall to accept ICMP time-exceededand unreachablemessages. It is always
recommended to allow the firewall to accept unreachable messages, as the
message type: fragmentation required but DF bit set is used by the Path MTU
(mPTU) discovery process.
--> diagram:
ASA1:
icmp permit any echo-reply outside
icmp permit any echo-reply inside
icmp permit any echo-reply dmz
!
icmp permit any time-exceeded outside
icmp permit any unreachable outside
!
icmp permit any time-exceeded inside
!
icmp permit any unreachable inside
!
icmp permit any time-exceeded dmz
icmp permit any unreachable dmz
!
Note
Ping and traceroute off the firewall unit and see that the commands are working
now. At the same time, pinging the firewall unit itself would fail.
!
output: from asa everything is permitted , but to asa it is blocking :
ciscoasa# ping 136.1.121.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.121.12, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa# ping 136.1.122.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.122.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/14/30 ms
ciscoasa# ping 10.0.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/12/30 ms
ciscoasa# tr
ciscoasa# traceroute 136.1.121.1
Type escape sequence to abort.
Tracing the route to 136.1.121.1
1 136.1.121.1 30 msec * 10 msec
ciscoasa# tr
ciscoasa# traceroute 136.1.122.3
Type escape sequence to abort.
Tracing the route to 136.1.122.3
1 136.1.122.3 30 msec * 30 msec
at R1:
R1#traceroute 136.1.122.3
Type escape sequence to abort.
Tracing the route to 136.1.122.3
1 136.1.122.3 52 msec * 56 msec
R1#traceroute 136.1.121.12 ttl 0 3
Type escape sequence to abort.
Tracing the route to 136.1.121.12
0 * * *
1 * * *
2 * * *
3 * * *
No comments:
Post a Comment