topic Simple ACL help on Cisco ASA (packet tracer) in Network Security

Simple ACL help on Cisco ASA (packet tracer)

cisconotdisco — Fri, 21 Feb 2020 14:29:45 GMT

I'm learning how to configure a Cisco ASA using packet tracer and I have a very simple set of rules I need to add. I have other rules to add, as well, but I would like to use these to ask for help so I can know how to begin.

Not allow any incoming connections
Not allow any access to the external internet from internal
Systems be able to ping a particular server outside the firewall

I think I have my firewall configured correctly thus far. I've included my config below. I'm pretty lost as to how to begin and what order I need to place the rules. I've been doing my research but I'm still confused. Thank you very much!

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

nameif inside

security-level 100

ip address 35.32.17.254 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 32.35.17.1 255.255.255.0

access-list inside extended permit icmp any any

access-list outside extended permit icmp any any

access-group outside in interface outside

access-group outside in interface inside

telnet timeout 5

ssh timeout 5

dhcpd address 35.32.17.50-35.32.17.99 inside

dhcpd dns 17.35.32.153 interface inside

dhcpd enable inside

Re: Simple ACL help on Cisco ASA (packet tracer)

Marvin Rhoads — Sat, 14 Oct 2017 03:57:18 GMT

Here are some suggestions.

You have:

access-list inside extended permit icmp any any

access-list outside extended permit icmp any any

access-group outside in interface outside

access-group outside in interface inside

You don't need the outside ACL and associated access-group command. Since outside is untrusted nothing is allowed in by default unless it is part of an established connection or flow.

You incorrectly refer to the outside ACL in applying an ACL to inside interface. Furthermore that ACL should be more specific since you said you only want to be able to ping a specific server.

Finally you haven't shown us all of the config. There is a service-policy section in which you will need to specify icmp inspect. That will allow the icmp echo replies from your pings (icmp echo requests) to come back in through the firewall.

Re: Simple ACL help on Cisco ASA (packet tracer)

cisconotdisco — Sat, 14 Oct 2017 14:26:09 GMT

Thank you for your feedback! I have a few quick questions:

When I create/add to a list (ex: "access-list inside...."), that adds to the list in the order it was added, correct?
When I create an access group, ex: "access-group outside in interface inside", that applies whatever is in that list (ex. access-list outside), to the inside interface (so everything inside the firewall). Is that correct?
So, for me to not allow incoming connections from outside, I can just remove the outside ACL because of the implicit deny?
And, to not allow access to the external internet, I can create a policy in my "access-group inside" to block traffic on port 80 and 443?

Thanks again!

Re: Simple ACL help on Cisco ASA (packet tracer)

Flavio Miranda — Sat, 14 Oct 2017 15:20:25 GMT

Hi,

If you dont want to access anything on the internet you need just not config anything. Firewall will deny by default.

If you want to ping a host on the Internet you need to add a route on the firewall.

I understood that you are using Cisco Packet Tracer right? If does, this is a very simple firewall. You dont have packet inspect, for example.

-If I helped you somehow, please, rate it as useful.-

Re: Simple ACL help on Cisco ASA (packet tracer)

cisconotdisco — Sat, 14 Oct 2017 15:47:27 GMT

OK, this is making more sense.

Yes, I'm using packet tracer. So to ping to a specific server I just need to create a rule for inside traffic?

access-list inside permit icmp <insert IP>

Then, I need to apply it to the "access-group outside in interface outside".

Also, I need to remove the following, correct?

"access-list inside extended permit icmp any any

access-list outside extended permit icmp any any"

Thanks!!

Re: Simple ACL help on Cisco ASA (packet tracer)

Flavio Miranda — Sat, 14 Oct 2017 15:54:56 GMT

Yeah. That's correct.

Also, make sure it can route.

When playing with packet tracer you have the simulation mode where you can see the packet going back and forth and what it is wrong.

Try that.

-If I helped you somehow, please, rate it as useful.-