Security: Simple ASA setup

Server on the inside interface. Computer on the outside interface.

A friend of mine has recently done some ASA lab and found that he could not access the ESXi server located on the inside interface. His computer was on the outside interface. So I told him to use access-group myacl in interface outside and it should 100% worked. He told me this did not work… I was puzzled basically this was my expression >> o_O”

So he requested me to do a test using the above setup as shown in the diagram. He suspected traffic flowing from security level 0 to 100 might be denied even the ACL was applied. I thought how could this be possible, the default behaviour was indeed implicit deny for traffic from lower to higher security level but if an ACL was in place this behaviour should be override.

Nevertheless I promised to do a setup as shown.

Let’s see the result:

My laptop was on the outside interface got an ip address 192.168.10.11 from the dhcpd. The NAS on the inside interface got an ip address 192.168.100.10 from the dhcpd.

It worked as expected, because I allowed the pc to access the server from the outside interface to the inside interface.

TCP state table of the ASA. As you can see there's traffic from outside. The Flag UIOB means connection is Up, Inbound and Outbound Data and Sync initiated from outside. IO signifies two way traffic.

I guess his real problem is he did not no shutdown the physical switch interface of ASA5505, I have told him before that the physical interfaces were shutdown by default, you might have seen lights when you attached a cable and the interface vlan status is up up but the physical interfaces were all shutdown actually. Use show run int e0/0 (or other interface id) to verify.

Configuration

access-list outside->inside extended permit tcp object-group outside-network object-group pub-servers object-group pub-services log
access-group outside->inside in interface outside
interface Vlan10
 nameif outside
 security-level 0
 ip address 192.168.10.1 255.255.255.0
interface Vlan100
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
interface Ethernet0/0
 switchport access vlan 10
interface Ethernet0/1
 switchport access vlan 100

Default interface is shutdown even if you see lights on your switch

asa-1(config)# sh run int e0/3
!
interface Ethernet0/3
 shutdown
Advertisements
This entry was posted in ASA/PIX, Security and tagged , , . Bookmark the permalink.

One Response to Security: Simple ASA setup

  1. Joey says:

    Is it possible to set EIGRP bandwidth percent on an interface in the ASA?
    E.g. a command similar “ip bandwidth-percent eigrp 20 80”

    Thanks.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s