Cisco ASA: Firewall rule testing before deployment

Introduction

You want to segregate the network between users and servers network. Both the users and servers network is using the same subnet 192.168.20.0/24, to reduce the changes while implementing firewall and to test the firewall before it is deployed in between users and servers you have decided to do the following:

1. Use transparent firewall – This will allow the servers and users IP address remain unchange. The security zones are segregated based on layer 2 vlan tags, an additional vlan is defined as trusted/inside, while the existing vlan is defined as untrusted/outside. These two vlans are then bridged together.

2. Use SwitchPort ANalyzer (SPAN) and send the mirrored traffic to two interfaces of the transparent firewall. The transparent firewall interfaces have already had their security level defined.

SPAN session

SPAN or port mirroring is commonly used for troubleshooting, whereby the SPAN destination port is sent to protocol analyzer (wireshark) or sent to Intrusion Detection System (IDS), in this scenario the mirrored traffic is sent to the transparent firewall for inbound and outbound sessions.

Original deployment plan

Originally between user and server there is no restriction, you need to deploy the firewall to control the traffic between these hosts.

This is the original plan, vlan 20 and vlan 21 are bridged together. Server will change its vlan membership from vlan 20 to vlan 21, IP address of server is remained unchanged. When traffic from user is sent to server, the traffic goes through the transparent firewall, the transparent firewall will tag vlan 20 and vlan 21, the traffic destined to server after it goes through firewall will change tag from vlan 20 to vlan 21.

The purpose of transparent firewall is to protect the servers network, fa0/23 is the choke point that connects to the servers. Two SPAN sessions are created, both SPAN source is fa0/23, and the destination ports are fa0/21 and fa0/22. One SPAN session is transmit and send to fa0/21, this is the inbound traffic that is destined to the server. Another SPAN session is receive and send to fa0/22, this is the outbound traffic that is the traffic sent from the server.

Switch configuration


monitor session 1 source interface Fa0/23 tx
monitor session 1 destination interface Fa0/21
monitor session 2 source interface Fa0/23 rx
monitor session 2 destination interface Fa0/22

The SPAN destination port will be up down status.


mgmt_sw#sh int fa0/21 | in line protocol
FastEthernet0/21 is up, line protocol is down (monitoring)
mgmt_sw#sh int fa0/22 | in line protocol
FastEthernet0/22 is up, line protocol is down (monitoring)

You should see the destination interface to keep sending out mirrored traffic.


mgmt_sw#sh int fa0/21 | in line protocol|packets output.*bytes
FastEthernet0/21 is up, line protocol is down (monitoring)
9566 packets output, 754885 bytes, 0 underruns
mgmt_sw#sh int fa0/21 | in line protocol|packets output.*bytes
FastEthernet0/21 is up, line protocol is down (monitoring)
9624 packets output, 759435 bytes, 0 underruns
mgmt_sw#sh int fa0/21 | in line protocol|packets output.*bytes
FastEthernet0/21 is up, line protocol is down (monitoring)
9632 packets output, 760059 bytes, 0 underruns

Transparent firewall configuration

For this scenario, ASA5505 is used. ASA5505 configuration is a bit different from typical models of ASA. By default firewall is in router mode, to change from router to transparent use the command firewall transparent. Executing this command will reset your previous configuration to default, you should be awared to backup previous configuration before changing firewall mode.


ciscoasa(config)# sh firewall
Firewall mode: Transparent

Create additional vlan 21 and bridge vlan 20 and vlan 21.


interface vlan 21

nameif inside

bridge-group 2

interface vlan 20

nameif outside

bridge-group 2

Assign IP address to the bridge virtual interface.


interface bvi2

ip address 192.168.20.254 255.255.255.0

Check the IP address.


ciscoasa(config)# sh int ip brief | in 192.168.20.254
Vlan20 192.168.20.254 YES unset up up
Vlan21 192.168.20.254 YES unset up up
BVI2 192.168.20.254 YES manual up up

If you cannot see the IP address for your bridged interfaces, check if the interfaces have assigned nameif or not.

The entire configuration needed for ASA5505


!
interface BVI2
ip address 192.168.20.254 255.255.255.0

!
interface Vlan20
nameif outside
bridge-group 2
security-level 0

!
interface Vlan21
nameif inside
bridge-group 2
security-level 100
ciscoasa# sh run int e0/0
!

interface Ethernet0/0
switchport access vlan 20

!
interface Ethernet0/1
switchport access vlan 21

See the result

The denied IP events are generated because by default outside interface drops unsolicited traffic. Although there are denied IP events, the traffic between user and server is not disrupted.

To test the firewall, I inserted a rule to allow 192.168.20.2 to 192.168.20.1 and applied the rule at the outside interface inbound.

TCP state bypass
The TCP state bypass option originally is to solve problem during asymmetric routing the firewall drops the traffic because the TCP state was not available.

The test firewall is not in the flow of traffic, if you do not enable TCP-state-bypass option your firewall event will fire an event known as “Denied by Security Policy”, and the description is “deny tcp (no connection) from XXXXX to XXXXX flag XXX”.

This traffic is dropped because in firewall state table there is no TCP state that expects a TCP ACK to return.

To make the firewall rule testing easier to observe, you can turn on tcp-state-bypass option in the policy map and apply the policy to both inside and outside interfaces.

Step 1: Create an ACL

!This is for inbound traffic source from 192.168.20.2 to 192.168.20.1
access-list tcp-bypass-in extended permit ip host 192.168.20.2 host 192.168.20.1
!This is for outbound traffic source from 192.168.20.1 to 192.168.20.2
access-list tcp-bypass-out extended permit ip host 192.168.20.1 host 192.168.20.2

Step 2: Create a class-map that matches the ACL.

!
class-map tcp-bypass-out-class
 match access-list tcp-bypass-out
class-map tcp-bypass-in-class
 match access-list tcp-bypass-in
class-map inspection_default
 match default-inspection-traffic
!

Step 3: Create policy map and use the class map created, set the connection option tcp-state-bypass in the policy map.

!
policy-map tcp-bypass-in-policy
 class tcp-bypass-in-class
  set connection advanced-options tcp-state-bypass
!
policy-map tcp-bypass-out-policy
 class tcp-bypass-out-class
  set connection advanced-options tcp-state-bypass

Step 4: Apply the policy to inside and outside interfaces.

service-policy tcp-bypass-in-policy interface outside
service-policy tcp-bypass-out-policy interface inside

When FTP is connected.

When FTP request for file started.

outbound traffic, for the inside host, the default is used i.e. host from higher security level to lower security level will be allowed by default.

2 Responses to Cisco ASA: Firewall rule testing before deployment

H says:

March 24, 2014 at 3:01 pm

What if ASA has a lot of interfaces and passes through a lot of traffic.

cyruslab says:

March 25, 2014 at 12:01 am

Hi, your scenario is not very specific. You should plan out what security zone you want to assign your ASA interfaces. If your traffic is a lot, you can use SPAN filter to filter the to the specific IP address or subnet you need to test. If your source is a trunk interface, you can filter the specific vlan you want to test.