ASA5505: Start from the easiest

Requirement

Existing connections are already in place, and you have recently been tasked with adding rules to the firewall. A new server is added to provide FTP and HTTP service, and a new workstation is added whose only task is to retrieve data from the new server.

The new server is placed at security level 70, whereas the workstation is at 100. The purpose of this placement is clear: there should be no unsolicited traffic from the new server into the workstation.

You should also allow ICMP echo and traceroute to the new server to aid troubleshooting, permitting only the ICMP types that are actually needed.

The server is a passive station; the workstation should not receive any ICMP echo request from the server, and the firewall should drop any such echo request coming from the server.

This is a lab setup for a proof of concept and a note for myself.

Configuring inside interface

asa-2(config)# int vlan 100

asa-2(config-if)# ip address 192.168.100.1 255.255.255.0

asa-2(config-if)# nameif inside

INFO: Security level for "inside" set to 100 by default.

asa-2(config-if)# int e0/0

asa-2(config-if)# no shut

asa-2(config-if)# switchport mode access

asa-2(config-if)# switchport access vlan 100

Configuring server interface

asa-2(config-if)# int vlan 70

asa-2(config-if)# nameif server

INFO: Security level for "server" set to 0 by default.

asa-2(config-if)# security-level 70

asa-2(config-if)# ip address 192.168.70.1 255.255.255.0

asa-2(config-if)# int e0/1

asa-2(config-if)# no shut

asa-2(config-if)# switchport mode access

asa-2(config-if)# switchport access vlan 70

Group tcp and udp services

asa-2(config)# object-group service new_server tcp

asa-2(config-service)# port-object eq 21

asa-2(config-service)# port-object eq www

asa-2(config)# object-group service new_server_udp udp

asa-2(config-service)# port-object eq 69

asa-2(config-service)# exit

Create ACL

asa-2(config)# access-list inside->server extended permit tcp 192.168.100.0 255.255.255.0 192.168.70.0 255.255.255.0 object-group new_server log

asa-2(config)# access-list inside->server extended permit udp 192.168.100.0 255.255.255.0 192.168.70.0 255.255.255.0 object-group new_server_udp log

Group ICMP

asa-2(config)# object-group icmp-type server-conn-test

asa-2(config-icmp)# icmp-object echo

asa-2(config-icmp)# icmp-object source-quench

asa-2(config-icmp)# icmp-object unreachable

asa-2(config-icmp)# icmp-object time-exceeded

Add ICMP into ACL

asa-2(config)# access-list inside->server extended permit icmp 192.168.100.0 255.255.255.0 192.168.70.0 255.255.255.0 object-group server-conn-test log

Apply ACL

asa-2(config)# access-group inside->server in interface inside

(Optional) DHCPd

asa-2(config)# dhcpd address 192.168.70.10-192.168.70.20 server

asa-2(config)# dhcpd enable server

asa-2(config)# dhcpd address 192.168.100.10-192.168.100.20 inside

asa-2(config)# dhcpd enable inside

Include ICMP inspection

asa-2(config)# policy-map global_policy

asa-2(config-pmap)# class inspection_default

asa-2(config-pmap-c)# inspect icmp

ICMP is a stateless protocol. If you do not include ICMP in inspection, the echo-reply coming back from the server will be dropped. The ACL applied inbound on the inside interface merely allows your host to send an echo request; because ICMP is stateless, the connection table holds no entry for the request that went out, and when the ASA cannot find a matching entry in its connection table, the echo-reply is dropped.
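As an added illustration (not part of the original post), a small Python model of the decision path just described: an inbound ACL on inside, no ACL on server, the default higher-to-lower security-level policy, and a connection table that only "inspect icmp" populates. The addresses are constructed from the page's two subnets, and the model simplifies the real ASA pipeline to these four checks.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the page's two-interface ASA; security levels as configured.
SEC_LEVEL = {"inside": 100, "server": 70}
ROUTES = {ipaddress.ip_network("192.168.100.0/24"): "inside",
          ipaddress.ip_network("192.168.70.0/24"): "server"}
# ACL inside->server is bound inbound on "inside"; only the icmp-types in the
# server-conn-test group are permitted. The "server" interface has no ACL.
ACL = {"inside": {"echo", "source-quench", "unreachable", "time-exceeded"}}

def iface_of(ip):  # interface owning the subnet the address belongs to
    addr = ipaddress.ip_address(ip)
    return next(name for net, name in ROUTES.items() if addr in net)

@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    icmp_type: str
    icmp_id: int = 0

class Asa:
    def __init__(self, inspect_icmp):
        self.inspect_icmp = inspect_icmp
        self.conns = set()  # connection entries, created only by inspection

    def forward(self, pkt):
        ingress, egress = iface_of(pkt.src), iface_of(pkt.dst)
        # 1. A reply matching an existing connection bypasses ACL and level checks.
        if pkt.icmp_type == "echo-reply" and (pkt.dst, pkt.src, pkt.icmp_id) in self.conns:
            self.conns.discard((pkt.dst, pkt.src, pkt.icmp_id))  # one reply per request
            return "permit (conn table)"
        # 2. Interface ACL, when one is applied inbound on the ingress interface.
        if ingress in ACL:
            if pkt.icmp_type not in ACL[ingress]:
                return "deny (acl)"
        # 3. No ACL: default policy only allows higher-to-lower security level.
        elif SEC_LEVEL[ingress] < SEC_LEVEL[egress]:
            return "deny (security level)"
        # 4. Only with "inspect icmp" does a permitted echo create a connection.
        if pkt.icmp_type == "echo" and self.inspect_icmp:
            self.conns.add((pkt.src, pkt.dst, pkt.icmp_id))
        return "permit"

def ping(asa, src, dst, icmp_id=1):
    # Echo request src->dst, then the reply back; returns the fate of the reply.
    verdict = asa.forward(Icmp(src, dst, "echo", icmp_id))
    if not verdict.startswith("permit"):
        return verdict
    return asa.forward(Icmp(dst, src, "echo-reply", icmp_id))
```

Without inspection the request is permitted by the ACL but the reply, arriving on the server interface with no ACL and no connection entry, falls to the security-level check and is dropped; with inspection the reply matches the connection table.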
