topic Re: block port on external ASA interface in Network Security

block port on external ASA interface

kapydan88 — Thu, 28 May 2020 09:33:57 GMT

Hello for everybody.

I need to allow tcp and udp 123 port on external asa interface from two external ntp servers and block from any other.

The following acl is currently applied on the external interface

access-list OUTSIDE_NAT extended permit icmp any4 any4
access-list OUTSIDE_NAT extended permit ip any4 any4
access-list OUTSIDE_NAT extended permit udp any4 any4
access-list OUTSIDE_NAT extended permit gre any4 any4

access-group OUTSIDE_NAT in interface <name_outside_int>
access-group OUTSIDE_NAT out interface <name_outside_int>

To block port tcp/udp 123 from external side, i need to create new acl

access-list OUTSIDE_NAT_EXT permit udp host <ip_first_ntp_srv> host <asa_ip_outside> eq 123
access-list OUTSIDE_NAT_EXT permit tcp host <ip_first_ntp_srv> host <asa_ip_outside> eq 123
access-list OUTSIDE_NAT_EXT permit udp host <ip_second_ntp_srv> host <asa_ip_outside> eq 123
access-list OUTSIDE_NAT_EXT permit tcp host <ip_second_ntp_srv> host <asa_ip_outside> eq 123
access-list OUTSIDE_NAT_EXT deny udp any4 host <asa_ip_outside> eq 123
access-list OUTSIDE_NAT_EXT deny tcp any4 host <asa_ip_outside> eq 123
access-list OUTSIDE_NAT_EXT extended permit icmp any4 any4
access-list OUTSIDE_NAT_EXT extended permit ip any4 any4
access-list OUTSIDE_NAT_EXT extended permit udp any4 any4
access-list OUTSIDE_NAT_EXT extended permit gre any4 any4

And implement it in "in" direction of external asa interface

access-group OUTSIDE_NAT_EXT in interface <name_outside_int>

Is this correct?

Re: block port on external ASA interface

Rob Ingram — Thu, 28 May 2020 10:02:46 GMT

Hi,
I assume this ACL for traffic "through" the ASA and not "to" the ASA?
If traffic is going through the ASA and being NATTED, then you need to reference the real (private) ip address of the host, not the ASA's outside interface.

As you've defined a new ACL, you can only have 1 ACL applied to an interface in 1 direction, the existing ACL will no longer be applied "in" on the outside interface.
Yes, the direction will be "in"

HTH

Re: block port on external ASA interface

kapydan88 — Thu, 28 May 2020 10:13:57 GMT

Thanks for answer.

The current task sounds like "block tcp 123 and udp 123 for the external ip address of the asa and allow it only from two external ntp servers"... May be im wrong, but this is implemented through the acl on external interface.

"As you've defined a new ACL, you can only have 1 ACL applied to an interface in 1 direction, the existing ACL will no longer be applied "in" on the outside interface" - yes off course, asa works like router "only one acl in one direction".

Re: block port on external ASA interface

Rob Ingram — Thu, 28 May 2020 10:45:44 GMT

Are you natting to a device on the inside? The name of your ACL implies this.

If not and your want to block traffic destined to the ASA itself, then you’ll need a control-plane ACL applied.

Provide more information on this “task” in context, it would help understand the requirement easier.

Re: block port on external ASA interface

kapydan88 — Thu, 28 May 2020 10:50:45 GMT

In this particular case outside_nat - name of external asa interface. Thats why this acl that exists on it is called OUTSIDE_NAT. Yes, it has NAT implemented on it for pc/users/servers in inside part.

In case if you use the control-plane acl, you must add "control-plane" in the and of access-group?

access-group OUTSIDE_NAT_EXT in interface <name_outside_int> control-plane