topic Re: ASA 1150 FPWR - Does not block bgp to device in Network Security

ASA 1150 FPWR - Does not block bgp to device

oscardenizjensen — Wed, 27 Dec 2023 13:59:03 GMT

Hej
I am testing what traffic to allow and block directly with the block. I have the below configuration that should in theory block all traffic to device from a neighbor including BGP. But regardless the BGP session stays up .

I am wondering what I am missing

access-list DENY-ALL extended deny ip any any access-list DENY-ALL extended deny tcp any any access-group DENY-ALL in interface SD-WAN-1 control-plane access-group DENY-ALL in interface SD-WAN-1 interface Ethernet1/10.6 vlan 6 nameif SD-WAN-1 security-level 0 zone-member SD-WAN-1 ip address 172.16.6.1 255.255.255.0 standby 172.16.6.2 router bgp 8989 bgp log-neighbor-changes address-family ipv4 unicast neighbor 172.16.6.3 remote-as 666 neighbor 172.16.6.3 activate no auto-summary no synchronization

# show bgp summary BGP router identifier 172.16.66.1, local AS number 8989 Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 172.16.6.3 4 666 236 195 3 0 0 03:33:36 0 172.16.7.3 4 666 237 195 3 0 0 03:33:36 0 ################################################################ ################################################################ # show bgp neighbors 172.16.6.3 BGP neighbor is 172.16.6.3, context single_vf, remote AS 666, external link BGP version 4, remote router ID 172.16.6.3 BGP state = Established, up for 03:34:08 Last read 00:00:10, last write 00:00:51, hold time is 180, keepalive interval is 60 seconds Neighbor sessions: 1 active, is not multisession capable (disabled) Neighbor capabilities: Route refresh: advertised and received(new) Four-octets ASN Capability: advertised and received Address family IPv4 Unicast: advertised and received Multisession Capability: Message statistics: InQ depth is 0 OutQ depth is 0 Sent Rcvd Opens: 1 1 Notifications: 0 0 Updates: 1 1 Keepalives: 193 235 Route Refresh: 0 0 Total: 195 237 Default minimum time between advertisement runs is 30 seconds For address family: IPv4 Unicast Session: 172.16.6.3 BGP table version 3, neighbor version 3/0 Output queue size : 0 Index 3 3 update-group member Sent Rcvd Prefix activity: ---- ---- Prefixes Current: 2 0 Prefixes Total: 4 0 Implicit Withdraw: 2 0 Explicit Withdraw: 0 0 Used as bestpath: n/a 0 Used as multipath: n/a 0 Outbound Inbound Local Policy Denied Prefixes: -------- ------- Total: 0 0 Number of NLRIs in the update sent: max 2, min 0 Address tracking is enabled, the RIB does have a route to 172.16.6.3 Connections established 5; dropped 4 Last reset 03:34:09, due to User reset of session 1 Transport(tcp) path-mtu-discovery is enabled Graceful-Restart is disabled

Re: ASA 1150 FPWR - Does not block bgp to device

MHM Cisco World — Wed, 27 Dec 2023 14:04:14 GMT

firepower# show conn long

can you share this,
the ACL will not work if there is already Conn in FPR
so if there is Conn then force the Peer to re-establish the BGP and check again
MHM

Re: ASA 1150 FPWR - Does not block bgp to device

Marvin Rhoads — Wed, 27 Dec 2023 14:16:33 GMT

Like @MHM Cisco World said. You could also clear the conn for just the peer addresses listed.

Also, the second Access-group command is for traffic THROUGH the firewall and thus not needed. You only need the control-plane ACL for traffic TO it.

Re: ASA 1150 FPWR - Does not block bgp to device

oscardenizjensen — Wed, 27 Dec 2023 15:47:16 GMT

fw01-tgl-cph(config)# show conn all long
13 in use, 26 most used

TCP SD-WAN-1: 172.16.6.3/179 (172.16.6.3/179) NP Identity Ifc: 172.16.6.1/10719 (172.16.6.1/10719), flags UO , idle 21s, uptime 1h44m, timeout 1h0m, bytes 1974
Initiator: 172.16.6.1, Responder: 172.16.6.3

Re: ASA 1150 FPWR - Does not block bgp to device

oscardenizjensen — Wed, 27 Dec 2023 15:34:48 GMT

Yeah I know, I just added it just in case it would work. ACL do work for transit traffic through the device but not to the device itself.

I did try to clear bgp connection but it says 0 connections eventhough there are 2 established essions

# clear conn protocol tcp port 179
0 connection(s) deleted.

# show bgp summary

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
172.16.6.3 4 666 105 86 3 0 0 01:32:27 0
172.16.7.3 4 666 345 283 3 0 0 05:11:15 0

Re: ASA 1150 FPWR - Does not block bgp to device

oscardenizjensen — Wed, 27 Dec 2023 16:10:40 GMT

I have cleared bgp sessions

clear conn protocol tcp port 30-65535 all

I saw state went to Idle, but then it established again.

I have added the interface to access-group on "out" direction as well since the ASA itself seems to be the initiator for the BGP

access-group DENY-ALL out interface SD-WAN-1

fw01-tgl-cph(config)# show conn all long protocol tcp address 172.16.6.3
13 in use, 26 most used

TCP SD-WAN-1: 172.16.6.3/179 (172.16.6.3/179) NP Identity Ifc: 172.16.6.1/30526 (172.16.6.1/30526), flags UO , idle 8s, uptime 5m29s, timeout 1h0m, bytes 283
Initiator: 172.16.6.1, Responder: 172.16.6.3

Re: ASA 1150 FPWR - Does not block bgp to device

MHM Cisco World — Wed, 27 Dec 2023 16:43:44 GMT

Yes if there is Conn' and in your case the ASA initiate the traffic so it builds conn so the Inbound ACL override by Conn and not work.

Then you can use Outbound or disable bgp.

MHM

Re: ASA 1150 FPWR - Does not block bgp to device

oscardenizjensen — Wed, 27 Dec 2023 17:27:47 GMT

I have configured ASA to be passive for bgp so other side is the initiator for BGP. And I can see it from the connection now.

TCP SD-WAN-1: 172.16.6.3/14740 (172.16.6.3/14740) NP Identity Ifc: 172.16.6.1/179 (172.16.6.1/179), flags UOB , idle 8s, uptime 1h1m, timeout 1h0m, bytes 1233
Initiator: 172.16.6.3, Responder: 172.16.6.1

But I still get BGP established even after clearing the conn. I can see BGP goes Idle and establishes later

My purpose is not to stop bgp, but to understand the behaviour of ASA in general.

Re: ASA 1150 FPWR - Does not block bgp to device

MHM Cisco World — Wed, 27 Dec 2023 17:47:57 GMT

How you config it as bgp passive' I see asa is initiator not responder.

MHM

Re: ASA 1150 FPWR - Does not block bgp to device

oscardenizjensen — Wed, 27 Dec 2023 18:15:33 GMT

172.16.6.3 = Remote device
172.16.6.1 = ASA

router bgp 8989
bgp log-neighbor-changes
address-family ipv4 unicast
neighbor 172.16.6.3 remote-as 666
neighbor 172.16.6.3 transport connection-mode passive

Re: ASA 1150 FPWR - Does not block bgp to device

MHM Cisco World — Wed, 27 Dec 2023 19:27:58 GMT

neighbor 172.16.6.3 transport connection-mode passive

All config is correct regarding bgp but still one thing' I check fastly and I dont get clear idea.

The zone with control plane' you config vlan6 with zone and security level 0.

The zone here in asa is different than zone in ftd.

Router have security zone

Asa (or firepower with asa image) have secuirty and zone (zone meanly for traffic not for security)

Ftd (firepower with ftd image) use security zone

So I remember you last post' I think you merge both zone and security in same interface and that explain this behavior.

Can you remove zone from vlan and re connect the bgp and check the control plane secuirty acl.

MHM

Re: ASA 1150 FPWR - Does not block bgp to device

oscardenizjensen — Wed, 27 Dec 2023 19:56:54 GMT

I have removed zone and still same result. So I am really confused right now.

access-list DENY-ALL extended deny ip any any access-list DENY-ALL extended deny tcp any any access-group DENY-ALL in interface SD-WAN-1 control-plane access-group DENY-ALL in interface SD-WAN-1 access-group DENY-ALL out interface SD-WAN-1 interface Ethernet1/10.6 vlan 6 nameif SD-WAN-1 security-level 0 ip address 172.16.6.1 255.255.255.0 standby 172.16.6.2

clear conn protocol tcp all address 172.16.6.3 1 connection(s) deleted. fw01-tgl-cph(config)# show bgp summary Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 172.16.6.3 4 666 0 0 1 0 0 00:00:09 Idle 172.16.7.3 4 666 163 136 3 0 0 02:26:00 0 After roughly 3 min connection establishes again # show bgp summary Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 172.16.6.3 4 666 0 0 1 0 0 00:02:54 Idle 172.16.7.3 4 666 166 138 3 0 0 02:28:45 0 fw01-tgl-cph(config)# show bgp summary Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 172.16.6.3 4 666 4 3 3 0 0 00:00:22 0 172.16.7.3 4 666 166 138 3 0 0 02:29:08 0 fw01-tgl-cph(config)# show conn protocol tcp all address 172.16.6.3 long TCP SD-WAN-1: 172.16.6.3/55225 (172.16.6.3/55225) NP Identity Ifc: 172.16.6.1/179 (172.16.6.1/179), flags UOB , idle 18s, uptime 2m2s, timeout 1h0m, bytes 207 Initiator: 172.16.6.3, Responder: 172.16.6.1

Re: ASA 1150 FPWR - Does not block bgp to device

MHM Cisco World — Wed, 27 Dec 2023 20:27:50 GMT

ciscoasa# show access-list DENY-ALL

Can you share this

Re: ASA 1150 FPWR - Does not block bgp to device

oscardenizjensen — Wed, 27 Dec 2023 20:33:43 GMT

# show access-list DENY-ALL
access-list DENY-ALL; 2 elements; name hash: 0xfa20fecd
access-list DENY-ALL line 1 extended deny ip any any (hitcnt=55) 0x42b7c013
access-list DENY-ALL line 2 extended deny tcp any any (hitcnt=0) 0xba274680

Re: ASA 1150 FPWR - Does not block bgp to device

MHM Cisco World — Wed, 27 Dec 2023 21:25:08 GMT

There is (hitcnt=55) so the acl is work' clear bgp and check hitcnt.

And also do you receive any prefix via bgp ?

MHM

Re: ASA 1150 FPWR - Does not block bgp to device

oscardenizjensen — Wed, 27 Dec 2023 21:56:48 GMT

I have reset conn and cleared bgp. Session still establishes

# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
access-list DENY-ALL; 2 elements; name hash: 0xfa20fecd
access-list DENY-ALL line 1 extended deny ip any any (hitcnt=55) 0x42b7c013
access-list DENY-ALL line 2 extended deny tcp any any (hitcnt=0) 0xba274680

yes I do receive route from Peer with Deny ACL

# show route bgp

B 192.168.0.0 255.255.255.0 [20/0] via 172.16.6.3, 00:00:31

Re: ASA 1150 FPWR - Does not block bgp to device

MHM Cisco World — Thu, 28 Dec 2023 13:38:55 GMT

From yesterday I think about this issue

Now let check if it bug or not'

You deny all and there is no conn for icmp try ping from bgp peer and see if ping is success

Try telent and see if it success or not

Do that and each time monitor the acl hitcnt

Also do you use asa 9.18 or later ver.?

MHM

Re: ASA 1150 FPWR - Does not block bgp to device

oscardenizjensen — Thu, 28 Dec 2023 14:51:02 GMT

fw01-tgl-cph(config)# show version

Cisco Adaptive Security Appliance Software Version 9.16(2)3
SSP Operating System Version 2.10(1.172)
Device Manager Version 7.16(1)

Before trying ping
fw01-tgl-cph(config)# show access-list DENY-ALL
access-list DENY-ALL; 2 elements; name hash: 0xfa20fecd
access-list DENY-ALL line 1 extended deny ip any any (hitcnt=59) 0x42b7c013
access-list DENY-ALL line 2 extended deny tcp any any (hitcnt=0) 0xba274680

I can ping from Remote device to ASA and it does not increase the hitcnt. I do not have icmp permit on that interface for the record as well.

If I try to telnet then telnet fails and I see incease in hitcnt

fw01-tgl-cph(config)# show access-list DENY-ALL
access-list DENY-ALL; 2 elements; name hash: 0xfa20fecd
access-list DENY-ALL line 1 extended deny ip any any (hitcnt=61) 0x42b7c013
access-list DENY-ALL line 2 extended deny tcp any any (hitcnt=0) 0xba274680

Re: ASA 1150 FPWR - Does not block bgp to device

MHM Cisco World — Sat, 30 Dec 2023 09:25:43 GMT

can you add Log to your acl and check if traffic hit the ACL or not
MHM

Re: ASA 1150 FPWR - Does not block bgp to device

oscardenizjensen — Sat, 30 Dec 2023 16:31:06 GMT

It looks like It denies the TCP connection, but after 3 min the remote host uses a different port 35858 and connection establishes.

fw01-tgl-cph(config)# show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 52 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
ng buffered 6'
%ASA-5-111008: User 'admin' executed the 'logging buffered 7' command.
%ASA-5-111010: User 'admin', running 'CLI' from IP 10.255.0.141, executed 'logging buffered 7'
%ASA-7-111009: User 'admin' executed cmd: show running-config logging
%ASA-6-106015: Deny TCP (no connection) from 172.16.6.3/33419 to 172.16.6.1/179 flags PSH ACK on interface SD-WAN-1
%ASA-7-710005: TCP request discarded from 172.16.6.3/33419 to SD-WAN-1:172.16.6.1/179
%ASA-7-111009: User 'admin' executed cmd: show logging
%ASA-6-302014: Teardown TCP connection 23574 for SD-WAN-1:172.16.6.3/58074 to identity:172.16.6.1/179 duration 0:01:39 bytes 323 Host is removed
%ASA-7-609002: Teardown local-host SD-WAN-1:172.16.6.3 duration 0:01:39
%ASA-5-111008: User 'admin' executed the 'clear conn all address 172.16.6.3' command.
%ASA-3-418018: neighbor 172.16.6.3 Down Peer closed the session
%ASA-3-418018: neighbor 172.16.6.3 IPv4 Unicast topology base removed from session Peer closed the session
%ASA-6-106015: Deny TCP (no connection) from 172.16.6.3/58074 to 172.16.6.1/179 flags PSH ACK on interface SD-WAN-1
%ASA-7-710005: TCP request discarded from 172.16.6.3/58074 to SD-WAN-1:172.16.6.1/179
%ASA-6-106015: Deny TCP (no connection) from 172.16.6.3/58074 to 172.16.6.1/179 flags PSH ACK on interface SD-WAN-1
%ASA-7-710005: TCP request discarded from 172.16.6.3/58074 to SD-WAN-1:172.16.6.1/179
%ASA-6-106015: Deny TCP (no connection) from 172.16.6.3/58074 to 172.16.6.1/179 flags PSH ACK on interface SD-WAN-1
%ASA-7-710005: TCP request discarded from 172.16.6.3/58074 to SD-WAN-1:172.16.6.1/179
%ASA-6-106015: Deny TCP (no connection) from 172.16.6.3/58074 to 172.16.6.1/179 flags PSH ACK on interface SD-WAN-1
%ASA-7-710005: TCP request discarded from 172.16.6.3/58074 to SD-WAN-1:172.16.6.1/179
%ASA-6-106015: Deny TCP (no connection) from 172.16.6.3/58074 to 172.16.6.1/179 flags PSH ACK on interface SD-WAN-1
%ASA-7-710005: TCP request discarded from 172.16.6.3/58074 to SD-WAN-1:172.16.6.1/179
%ASA-6-106015: Deny TCP (no connection) from 172.16.6.3/58074 to 172.16.6.1/179 flags PSH ACK on interface SD-WAN-1
%ASA-7-710005: TCP request discarded from 172.16.6.3/58074 to SD-WAN-1:172.16.6.1/179
%ASA-6-106015: Deny TCP (no connection) from 172.16.6.3/58074 to 172.16.6.1/179 flags PSH ACK on interface SD-WAN-1
%ASA-7-710005: TCP request discarded from 172.16.6.3/58074 to SD-WAN-1:172.16.6.1/179
%ASA-6-106015: Deny TCP (no connection) from 172.16.6.3/58074 to 172.16.6.1/179 flags PSH ACK on interface SD-WAN-1
%ASA-7-710005: TCP request discarded from 172.16.6.3/58074 to SD-WAN-1:172.16.6.1/179
%ASA-7-609002: Teardown local-host identity:172.16.66.1 duration 0:02:01
%ASA-7-609002: Teardown local-host SERVICE-666:172.16.66.2 duration 0:02:01
%ASA-6-106015: Deny TCP (no connection) from 172.16.6.3/58074 to 172.16.6.1/179 flags PSH ACK on interface SD-WAN-1
%ASA-7-710005: TCP request discarded from 172.16.6.3/58074 to SD-WAN-1:172.16.6.1/179
%ASA-6-106015: Deny TCP (no connection) from 172.16.6.3/58074 to 172.16.6.1/179 flags FIN PSH ACK on interface SD-WAN-1
%ASA-7-710005: TCP request discarded from 172.16.6.3/58074 to SD-WAN-1:172.16.6.1/179
%ASA-7-609001: Built local-host SD-WAN-1:172.16.6.3
%ASA-6-302013: Built inbound TCP connection 23576 for SD-WAN-1:172.16.6.3/35858 (172.16.6.3/35858) to identity:172.16.6.1/179 (172.16.6.1/179)
%ASA-3-418018: neighbor 172.16.6.3 Up

Eventhough it is logged, the ACL hitcnt doesn't increase
fw01-tgl-cph(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list DENY-ALL; 3 elements; name hash: 0xfa20fecd
access-list DENY-ALL line 1 extended deny ip any any log informational interval 300 (hitcnt=0) 0x42b7c013
access-list DENY-ALL line 2 extended deny tcp any any log informational interval 300 (hitcnt=0) 0xba274680
access-list DENY-ALL line 3 extended deny icmp any any log informational interval 300 (hitcnt=0) 0xe4e3a9ec