topic Re: ASA5540 how to proper function. in Network Security

ASA5540 how to proper function.

htimskinorbit — Fri, 21 Feb 2020 16:01:31 GMT

I set up a basic configuration on a 5540. After testing, it seems that the device is letting everything in, Web traffic, imap(993), and several other things. I had intended to set up some access lists to allow certain things in from specific IP addresses(company corporate mail server), but I haven't done it yet. It seems everything is coming in anyway. The firewall is essentially doing nothing but address translation. I have PAT overload configured, nat(inside,outside) dynamic interface, since we only have one live IP address facing out to the world. Is this a side effect of using PAT that I am not aware of, that requires extra access list/groups to block everything coming in?

Re: ASA5540 how to proper function.

aaron.hackney — Thu, 26 Jul 2018 23:11:36 GMT

Hello,

Could you post a copy of your configuration with passwords or other sensitive data redacted?

Re: ASA5540 how to proper function.

Dennis Mink — Thu, 26 Jul 2018 23:44:24 GMT

you will need to apply the access list to the interfaces. what have you configured?

Re: ASA5540 how to proper function.

htimskinorbit — Fri, 27 Jul 2018 13:53:47 GMT

Im not near the device right now. It has default config from a clean
wipe.
2 interfaces configured as inside and outside with ip address inside and
setroute for outside.
I added the following.

conf t
inter gi 0/0
ip address 10.20.0.1 255.255.0.0
no shut
nameif inside
int gi 0/1
ip address dhcp setroute
nameif outside
no shut

route 0.0.0.0 0.0.0.0 192.168.1.1

access group LAN_IP's
subnet 10.20.0.0. 255.255.0.0
nat (inside,outside) dynamic interface

show Xlate - reveals the ip addresses being converted to the outside
interface ip address with different port numbers as it should. The problem
is that traffic is not blocked coming in. ASA is supposed to be a
statefull machine. Only allow traffic in that is return traffic for an
inside originating communication. Instead everything comes in....
I was going to add an access list to the outside interface to allow mail
traffic in from the corporate mail server, but I don't even need to. It
comes in anyway!

Re: ASA5540 how to proper function.

aaron.hackney — Fri, 27 Jul 2018 20:26:11 GMT

show access-list

show run access-group

And packet tracer should tell you exactly what is going on.

-A

Re: ASA5540 how to proper function.

htimskinorbit — Fri, 27 Jul 2018 20:54:47 GMT

I did that all ready. Shows exactly what it should. I don't have packet
tracer.

Re: ASA5540 how to proper function.

aaron.hackney — Fri, 27 Jul 2018 21:28:27 GMT

Hello,

Often I find a second set of eyes will expose something I have missed, which is we were are offering to take a look at the requested information above to answer your question.

If you are running ASA-code, then you do have a packer-tracer commands available.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/p1.html

Cheers,

-A