ASA CHAPTER 3 (ACCESS-LIST)
4. Implement the access policy outlined below.
• Permit the following incoming traffic:
o Incoming ping requests and replies to pings sent from the inside.
o FTP/HTTP/NTP traffic to R2.
o Returning traffic for the UNIX-style traceroute command.
• Permit the following outgoing traffic:
o Pings and replies to pings sent from the outside.
o Outgoing packets for the UNIX-style traceroute command.
o Outgoing telnet, FTP and HTTP traffic.
• Use just two access-lists, named OUTSIDE_IN and OUTSIDE_OUT, applied ingress and egress on the “Outside” interface.
Access-lists are the core instrument for implementing traffic filtering on ASA firewalls. By default, the firewall permits sessions to be initiated from a higher security level interface to lower security level interfaces. This rule only applies to traffic inspected by the firewall: the inspection engine dynamically opens holes in the filtering logic for the returning packets.
Using access-lists allows you to do the following:
1) Permit access from lower security level interfaces to higher security level interfaces.
2) Permit return traffic for sessions that are not inspected by the ASA firewall (e.g. ICMP, which is not inspected by default, or the traceroute command).
3) Filter routing updates for OSPF and RIP routing processes (on rare occasions).
For (1) and (2) you need the extended access-list (the default type), which matches on source and destination IP addresses and on TCP/UDP/ICMP protocol information. For (3) you should use standard access-lists, which only match on the source subnet.
An extended access-list can be applied either inbound or outbound on an interface. Note that if you apply an access-list in the direction that matches the traffic flow from a higher to a lower security interface (e.g. ingress on the inside or egress on the outside), you may block the automatically inspected traffic from crossing the firewall, because every access-list ends with an implicit deny-all statement. Most of the time you only need to apply an access-list ingress on the lower security level interface to permit inbound traffic, and let the stateful inspection engine do the rest of the work for you. In our example we use both an outgoing and an incoming access-list for the sake of completeness.
To craft an access-list properly you need to know your protocol mechanics in depth. For example, you should know the default service ports (e.g. for FTP, SMTP, WWW) and understand how more complicated commands like traceroute work. Many protocols, like NTP or WWW, use a single port number, which you can look up by pressing the “?” key in the command-line help while configuring the access-list. Note that IOS routers usually give you more port-number information this way than the ASA firewall does.
In our task we permit inbound NTP, FTP and WWW sessions. Note that for FTP we only open port 21: the inspection engine automatically opens holes for the passive FTP data connections when needed. Note also that we permit inbound ICMP echo-replies to allow the inside hosts to ping hosts on the outside. By default they cannot do this, as ICMP is not inspected. Alternatively, you may enable ICMP inspection, as we will see later in the MPF tasks.
Note the amount of work needed to permit the UNIX-style traceroute command, which uses UDP probes. You need to allow the returning ICMP unreachable and time-exceeded messages along with the outgoing UDP packets for the default traceroute port range. Note that if you don’t apply an outgoing ACL, there is no need to permit the outgoing UDP packets, as those are inspected by default.
[Diagram omitted]
Solution:
ASA1:
!
! Ingress ACL: Allow accessing the server
!
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.100 eq www
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.100 eq ftp
access-list OUTSIDE_IN extended permit udp any host 10.0.0.100 eq ntp
!
! Allow pings across the firewall
!
access-list OUTSIDE_IN extended permit icmp any any echo
access-list OUTSIDE_IN extended permit icmp any any echo-reply
!
! Allow traceroute return packets
!
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
!
!
! Egress ACL: permit ping packets
!
access-list OUTSIDE_OUT extended permit icmp any any echo
access-list OUTSIDE_OUT extended permit icmp any any echo-reply
!
! Permit outgoing traceroute packets
!
access-list OUTSIDE_OUT extended permit udp any any range 33434 33464
access-list OUTSIDE_OUT extended permit tcp any any eq ftp
!
! Permit telnet and HTTP access
!
access-list OUTSIDE_OUT extended permit tcp any any eq telnet
access-list OUTSIDE_OUT extended permit tcp any any eq www
!
! Apply the access-lists
!
access-group OUTSIDE_IN in interface outside
access-group OUTSIDE_OUT out interface outside
!
!! output !!
ciscoasa# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list OUTSIDE_IN; 7 elements
access-list OUTSIDE_IN line 1 extended permit tcp any host 10.0.0.100 eq ftp (hitcnt=1) 0x8997bedf
access-list OUTSIDE_IN line 2 extended permit tcp any host 10.0.0.100 eq www (hitcnt=2) 0x59f08b76
access-list OUTSIDE_IN line 3 extended permit udp any host 10.0.0.100 eq ntp (hitcnt=0) 0x8189f120
access-list OUTSIDE_IN line 4 extended permit icmp any any echo (hitcnt=4) 0x869bdf05
access-list OUTSIDE_IN line 5 extended permit icmp any any echo-reply (hitcnt=0) 0xc857b49e
access-list OUTSIDE_IN line 6 extended permit icmp any any unreachable (hitcnt=0) 0xec6c9a23
access-list OUTSIDE_IN line 7 extended permit icmp any any time-exceeded (hitcnt=0) 0xc3b80d
access-list OUTSIDE_OUT; 6 elements
access-list OUTSIDE_OUT line 1 extended permit icmp any any echo (hitcnt=6) 0x4006da3f
access-list OUTSIDE_OUT line 2 extended permit icmp any any echo-reply (hitcnt=4) 0xd6d9967
access-list OUTSIDE_OUT line 3 extended permit udp any any range 33434 33464 (hitcnt=0) 0xde5f72ee
access-list OUTSIDE_OUT line 4 extended permit tcp any any eq ftp (hitcnt=0) 0xf47b788
access-list OUTSIDE_OUT line 5 extended permit tcp any any eq telnet (hitcnt=0) 0x2be5bbfe
access-list OUTSIDE_OUT line 6 extended permit tcp any any eq www (hitcnt=0) 0x8a4b160e
R1#telnet 10.0.0.100 25
Trying 10.0.0.100, 25 ...
% Connection timed out; remote host not responding
R1#telnet 136.1.122.2
Trying 136.1.122.2 ... Open
R1#telnet 10.0.0.100 80
Trying 10.0.0.100, 80 ... Open
get / http/1.1
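To make the first-match and implicit-deny behaviour concrete, here is a small ACL evaluator that parses the exact `access-list` lines from the solution above and runs a few constructed packets through them. It is an added example written for this post, not code from the original or from Cisco; the ASA does the real matching in its own engine, and this model only covers the syntax used on this page (`any`, `host`, `eq`, `range`, ICMP type keywords; the outside address 136.1.122.1 and the inside host 10.0.0.1 are constructed sample values). It reproduces the results of the telnet tests above (port 25 to the server falls through to the implicit deny, port 80 is permitted) and shows the traceroute pieces: an outgoing UDP probe inside 33434-33464 is permitted by OUTSIDE_OUT, one outside the range is not, and the returning ICMP time-exceeded is permitted by OUTSIDE_IN.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# ASA extended ACL lines, copied verbatim from the solution in this post.
ASA_CONFIG = """
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.100 eq www
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.100 eq ftp
access-list OUTSIDE_IN extended permit udp any host 10.0.0.100 eq ntp
access-list OUTSIDE_IN extended permit icmp any any echo
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_OUT extended permit icmp any any echo
access-list OUTSIDE_OUT extended permit icmp any any echo-reply
access-list OUTSIDE_OUT extended permit udp any any range 33434 33464
access-list OUTSIDE_OUT extended permit tcp any any eq ftp
access-list OUTSIDE_OUT extended permit tcp any any eq telnet
access-list OUTSIDE_OUT extended permit tcp any any eq www
"""

# Service names the ASA CLI resolves to port numbers (only those used here).
PORT_NAMES = {"www": 80, "ftp": 21, "ntp": 123, "telnet": 23, "smtp": 25}


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[Tuple[int, int]]  # inclusive (low, high) or None for any port
    icmp_type: Optional[str]           # ICMP type keyword or None


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


def _addr(tokens, i):
    """Parse one address spec at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "address netmask" form
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_acls(config):
    """Return {acl_name: [Ace, ...]} preserving configuration order."""
    acls = {}
    for line in config.strip().splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        name, action, proto = tok[1], tok[3], tok[4]
        src, i = _addr(tok, 5)
        dst, i = _addr(tok, i)
        rest, dports, icmp_type = tok[i:], None, None
        if proto in ("tcp", "udp") and rest:
            if rest[0] == "eq":
                dports = (_port(rest[1]), _port(rest[1]))
            elif rest[0] == "range":
                dports = (_port(rest[1]), _port(rest[2]))
        elif proto == "icmp" and rest:
            icmp_type = rest[0]
        acls.setdefault(name, []).append(Ace(action, proto, src, dst, dports, icmp_type))
    return acls


def _matches(ace, pkt):
    if ace.proto not in ("ip", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.dports and not (ace.dports[0] <= (pkt.dport if pkt.dport is not None else -1) <= ace.dports[1]):
        return False
    if ace.icmp_type and ace.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(acl, pkt):
    """First matching entry wins; no match falls through to the implicit deny."""
    for n, ace in enumerate(acl, 1):
        if _matches(ace, pkt):
            return ace.action, n
    return "deny", None


def check_policy():
    """Run constructed sample packets against OUTSIDE_IN (ingress) and OUTSIDE_OUT (egress)."""
    acls = parse_acls(ASA_CONFIG)
    inbound, outbound = acls["OUTSIDE_IN"], acls["OUTSIDE_OUT"]
    # Constructed sample traffic; 136.1.122.1 plays an outside host, 10.0.0.1 an inside host.
    samples = {
        "smtp_to_server": (inbound, Packet("tcp", "136.1.122.1", "10.0.0.100", dport=25)),
        "http_to_server": (inbound, Packet("tcp", "136.1.122.1", "10.0.0.100", dport=80)),
        "http_to_other_inside_host": (inbound, Packet("tcp", "136.1.122.1", "10.0.0.1", dport=80)),
        "traceroute_probe_out": (outbound, Packet("udp", "10.0.0.1", "136.1.122.1", dport=33440)),
        "udp_out_of_traceroute_range": (outbound, Packet("udp", "10.0.0.1", "136.1.122.1", dport=33500)),
        "ttl_exceeded_returning": (inbound, Packet("icmp", "136.1.122.1", "10.0.0.1", icmp_type="time-exceeded")),
    }
    return {name: evaluate(acl, pkt)[0] for name, (acl, pkt) in samples.items()}


if __name__ == "__main__":
    for name, verdict in check_policy().items():
        print(f"{name:32s} {verdict}")
```

The evaluator deliberately ignores the stateful inspection engine: it shows only what the ACLs themselves say, which is exactly the question to ask when an inbound ACL is applied on the outside interface and a connection unexpectedly times out, as the telnet to port 25 did above.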