Requirement
Existing connections are present; you have recently been tasked to add rules to the firewall. A new server is added to provide FTP and HTTP services, and a new workstation is added that is tasked to retrieve data from the new server only.
The new server is placed at security level 70 whereas the workstation is at 100. The objective of this placement is clear: there should not be any unsolicited traffic from the new server into the workstation.
You should also allow icmp echo and traceroute to the new server to aid your troubleshooting, and you should filter so that only the icmp types that are needed are permitted.
The server is a passive station; the workstation should not receive any icmp echo request from the server, and the firewall should drop such echo requests coming from the server.
This is a lab setup for proof of concept and as a note for myself.
Configuring inside interface
asa-2(config)# int vlan 100
asa-2(config-if)# ip address 192.168.100.1 255.255.255.0
asa-2(config-if)# nameif inside
INFO: Security level for “inside” set to 100 by default.
asa-2(config-if)# int e0/0
asa-2(config-if)# no shut
asa-2(config-if)# switchport mode access
asa-2(config-if)# switchport access vlan 100
Configuring server interface
asa-2(config-if)# int vlan 70
asa-2(config-if)# nameif server
INFO: Security level for “server” set to 0 by default.
asa-2(config-if)# security-level 70
asa-2(config-if)# ip address 192.168.70.1 255.255.255.0
asa-2(config-if)# int e0/1
asa-2(config-if)# no shut
asa-2(config-if)# switchport mode access
asa-2(config-if)# switchport access vlan 70
Group tcp and udp services
asa-2(config)# object-group service new_server tcp
asa-2(config-service)# port-object eq 21
asa-2(config-service)# port-object eq www
asa-2(config)# object-group service new_server_udp udp
asa-2(config-service)# port-object eq 69
asa-2(config-service)# exit
Create ACL
access-list inside->server extended permit tcp 192.168.100.0 255.255.255.0 192.168.70.0 255.255.255.0 object-group new_server log
access-list inside->server extended permit udp 192.168.100.0 255.255.255.0 192.168.70.0 255.255.255.0 object-group new_server_udp log
Group ICMP
asa-2(config)# object-group icmp-type server-conn-test
asa-2(config-icmp)# icmp-object echo
asa-2(config-icmp)# icmp-object source-quench
asa-2(config-icmp)# icmp-object unreachable
asa-2(config-icmp)# icmp-object time-exceeded
Add ICMP into ACL
access-list inside->server extended permit icmp 192.168.100.0 255.255.255.0 192.168.70.0 255.255.255.0 object-group server-conn-test log
Apply ACL
asa-2(config)# access-group inside->server in interface inside
(Optional) DHCPd
asa-2(config)# dhcpd address 192.168.70.10-192.168.70.20 server
asa-2(config)# dhcpd enable server
asa-2(config)# dhcpd address 192.168.100.10-192.168.100.20 inside
asa-2(config)# dhcpd enable inside
Include ICMP inspection
asa-2(config)# policy-map global_policy
asa-2(config-pmap)# class inspection_default
asa-2(config-pmap-c)# inspect icmp
ICMP is a stateless protocol: if you do not include icmp in inspection, your echo-reply will be dropped at the inside interface for sure. The ACL applied in the inbound direction of the inside interface merely allows your host to send an echo request. Because the protocol is stateless, the connection table will not include the request that went out, and when the ASA cannot find a matching entry in its connection table the returning echo-reply is dropped.
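To make the connection-table reasoning above concrete, here is a small Python model of how this lab's ASA decides each packet: the interface ACL on first contact, the connection table for return traffic, and a connection entry for ICMP only when inspection is on. It is an added example, not code from the original notes or from Cisco; the interface names, security levels, networks, object groups and ACL are taken from the configuration on this page, while the Flow class, the simplified connection-table keys, and the sample hosts 192.168.100.10 / 192.168.70.10 (picked from the dhcpd pools) are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Interfaces, security levels and networks as configured on the page.
INTERFACES = {
    "inside": {"level": 100, "net": ip_network("192.168.100.0/24")},
    "server": {"level": 70, "net": ip_network("192.168.70.0/24")},
}

# Object groups from the page (www = tcp/80).
NEW_SERVER_TCP = {21, 80}
NEW_SERVER_UDP = {69}
SERVER_CONN_TEST = {"echo", "source-quench", "unreachable", "time-exceeded"}

# access-list inside->server, applied 'in' on interface inside.
# Entry: (protocol, source net, destination net, permitted ports or icmp types)
INSIDE_NET, SERVER_NET = INTERFACES["inside"]["net"], INTERFACES["server"]["net"]
ACL_INSIDE_TO_SERVER = [
    ("tcp", INSIDE_NET, SERVER_NET, NEW_SERVER_TCP),
    ("udp", INSIDE_NET, SERVER_NET, NEW_SERVER_UDP),
    ("icmp", INSIDE_NET, SERVER_NET, SERVER_CONN_TEST),
]
ACCESS_GROUPS = {"inside": ACL_INSIDE_TO_SERVER}  # the 'server' interface has no ACL


@dataclass(frozen=True)
class Flow:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0          # tcp/udp source port
    dport: int = 0          # tcp/udp destination port
    icmp_type: str = ""     # icmp message type, e.g. "echo" or "echo-reply"


def iface_of(ip):
    """Interface whose connected network contains ip (assumes directly connected hosts only)."""
    for name, cfg in INTERFACES.items():
        if ip_address(ip) in cfg["net"]:
            return name
    raise ValueError(f"no interface for {ip}")


@dataclass
class Asa:
    inspect_icmp: bool
    conns: set = field(default_factory=set)   # simplified connection table

    def _lookup_key(self, flow):
        """Key this packet would match if it is the return half of an existing connection."""
        if flow.proto == "icmp":
            # Only a reply can match an ICMP session; a fresh echo request never does.
            return ("icmp", flow.dst, flow.src) if flow.icmp_type == "echo-reply" else None
        return (flow.proto, frozenset({(flow.src, flow.sport), (flow.dst, flow.dport)}))

    def _create_key(self, flow):
        """Key stored when this packet opens a new connection."""
        if flow.proto == "icmp":
            return ("icmp", flow.src, flow.dst)   # (initiator, responder)
        return self._lookup_key(flow)

    def _policy_permits(self, flow, ingress):
        acl = ACCESS_GROUPS.get(ingress)
        if acl is None:
            # No access-group: higher -> lower security is allowed, lower -> higher is not.
            return INTERFACES[ingress]["level"] > INTERFACES[iface_of(flow.dst)]["level"]
        for proto, src, dst, allowed in acl:
            if proto != flow.proto:
                continue
            if ip_address(flow.src) not in src or ip_address(flow.dst) not in dst:
                continue
            if (flow.icmp_type if proto == "icmp" else flow.dport) in allowed:
                return True
        return False   # implicit deny at the end of every ACL

    def forward(self, flow):
        """Decide one packet entering the ASA; returns 'permit' or 'drop'."""
        ingress = iface_of(flow.src)
        key = self._lookup_key(flow)
        if key is not None and key in self.conns:
            if flow.proto == "icmp":
                self.conns.discard(key)    # inspection pairs one reply with one request
            return "permit"                # return traffic bypasses the interface ACL
        if not self._policy_permits(flow, ingress):
            return "drop"
        # TCP and UDP always get a connection entry; ICMP only when inspected.
        if flow.proto != "icmp" or self.inspect_icmp:
            self.conns.add(self._create_key(flow))
        return "permit"


def run_lab_traffic(inspect_icmp):
    """Push the lab's traffic patterns through the model; returns {label: decision}."""
    asa = Asa(inspect_icmp=inspect_icmp)
    ws, srv = "192.168.100.10", "192.168.70.10"   # constructed sample hosts from the dhcpd pools
    r = {}
    r["ws->srv tcp/21"] = asa.forward(Flow("tcp", ws, srv, sport=40000, dport=21))
    r["srv->ws tcp/21 reply"] = asa.forward(Flow("tcp", srv, ws, sport=21, dport=40000))
    r["ws->srv tcp/22"] = asa.forward(Flow("tcp", ws, srv, sport=40001, dport=22))
    r["ws->srv echo"] = asa.forward(Flow("icmp", ws, srv, icmp_type="echo"))
    r["srv->ws echo-reply"] = asa.forward(Flow("icmp", srv, ws, icmp_type="echo-reply"))
    r["srv->ws echo (unsolicited)"] = asa.forward(Flow("icmp", srv, ws, icmp_type="echo"))
    return r


if __name__ == "__main__":
    for mode in (False, True):
        print(f"inspect icmp = {mode}")
        for label, decision in run_lab_traffic(mode).items():
            print(f"  {label:28} {decision}")
```

Running it with `inspect_icmp=False` shows the echo request leaving and the echo-reply being dropped, because the reply has no connection entry to match and the server interface, with no ACL and a lower security level, cannot initiate anything toward inside. With `inspect_icmp=True` the reply is permitted, while an unsolicited echo request from the server is still dropped in both modes, which is exactly the behaviour the requirement asks for.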