topic Hi Alex, in Network Security

ASA inbound firewall

Alex MD — Tue, 12 Mar 2019 07:26:33 GMT

Hello Everyone.

I have a question regarding ASA 5505 firewall.

Outbound interface has sec level 0:

interface Vlan10
nameif outside
security-level 0

Created acl to filter site-to-site traffic and triggered tunnel filtering:

no sysopt connection permit-vpn

object network ipsec_subnet
subnet 192.168.11.0 255.255.255.248

access-list l2l-filter extended permit icmp any any
access-list l2l-filter extended permit tcp any object ipsec_subnet eq www
access-list l2l-filter extended permit tcp any object ipsec_subnet eq https
access-list l2l-filter extended permit tcp any object ipsec_subnet eq ftp

access-group l2l-filter in interface outside

Since I was working only with routers, as far as I understand, in theory ipsec peers should not be able to establish ipsec tunnels with ASA since I did not allow inbound UDP 500,4500 and ESP in l2l-filter ACL, but in reality tunnels are working.

Can you please explain why inbound ACL on outside interface allows incoming ipsec connections.

Thank you

Regards,

Alex

Hi Alex,

Aditya Ganjoo — Sat, 05 Mar 2016 17:23:27 GMT

Hi Alex,

Access-Lists applied to interfaces control traffic flowing through the ASA. To control traffic to the ASA you use Access-Lists with the control-plane option.

You may use control-plane access-list to filter the VPN connections to the ASA by blocking UDP 500,4500 or ESP.

For example:

ciscoasa(config)# access-list FILTER-VPN deny udp host host eq 500

ciscoasa(config)# access-list FILTER-VPN permit ip any any

ciscoasa(config)# access-group FILTER-VPN in interface outside control-plane

The access list applied on the ASA by default using the access-group command only filters traffic passing THROUGH the ASA; it does not filter traffic TO the ASA. In short, we can say that the default access list applies to the data-plane not the control plane. There is an option that allows us to specify that an applied access list should be used for traffic destined to the ASA itself using the “control-plane” keyword in the access-group command.

Regards,

Aditya

Please rate helpful posts.

Hi Aditya,

Alex MD — Sat, 05 Mar 2016 19:54:26 GMT

Hi Aditya,

Thank you for the explanation! I have modified my configuration.

Added ACL

access-list Inbound_Filter extended permit icmp any any echo
access-list Inbound_Filter extended permit icmp any any echo-reply
access-list Inbound_Filter extended deny ip any any

Applied ACL with "control-plane" option

access-group Inbound_Filter in interface outside control-plane

But ipsec peers still can connect.

Here is my routing table.

5505(config)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 10.3.1.1 to network 0.0.0.0

C 192.168.11.0 255.255.255.248 is directly connected, ipsec
C 10.3.1.0 255.255.255.0 is directly connected, outside
C 192.168.2.0 255.255.255.0 is directly connected, mgmt
S* 0.0.0.0 0.0.0.0 [1/0] via 10.3.1.1, outside

Pinging my default gateway

5505(config)# ping 10.3.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

But I do not see any matches/hits on applied ACL:

5505(config)# sho access-list Inbound_Filter
access-list Inbound_Filter; 3 elements; name hash: 0x61bc98a6
access-list Inbound_Filter line 1 extended permit icmp any any echo (hitcnt=0) 0x007dc0fa
access-list Inbound_Filter line 2 extended permit icmp any any echo-reply (hitcnt=0) 0x6762f5f4
access-list Inbound_Filter line 3 extended deny ip any any (hitcnt=0) 0xf59102e3

Software version:

5505# sho version

Cisco Adaptive Security Appliance Software Version 9.1(4)

Can you please advice what am I doing wrong ?

Thank you

Best regards,

Alex

Answering my own question

Alex MD — Sat, 05 Mar 2016 22:01:04 GMT

Answering my own question above.

Don`t try to compare ASA rules with routers ones. By some reason even if you set deny ip any any it will still allow incoming connections, ASA does not care. Icmp, http, ssh is filtered the other way around.

I have modified my ACL, specified udp ports:

access-list Inbound_Filter line 2 extended deny object-group IPSEC any any (hitcnt=7) 0x5697f160
access-list Inbound_Filter line 2 extended deny esp any any (hitcnt=7) 0xbd4f4649
access-list Inbound_Filter line 2 extended deny ah any any (hitcnt=0) 0x0104ee40
access-list Inbound_Filter line 2 extended deny udp any any eq isakmp (hitcnt=0) 0x11afb0c0
access-list Inbound_Filter line 2 extended deny udp any any eq 4500 (hitcnt=0) 0xe07ed8e3

As the result, by unknown reason, tunnels are active, but no traffic in tunnel since ESP is blocked.

Can you please advice how to block incoming UDP traffic ?

Thank you

Regards,

Alex

Hi Alex,

Aditya Ganjoo — Sun, 06 Mar 2016 03:00:52 GMT

Hi Alex,

The only way to block the UDP 500 traffic is to use a control-plane ACL.

We even see hits on the ACL :

access-list Inbound_Filter line 2 extended deny object-group IPSEC any any (hitcnt=7)

Did you try clearing the connection ?

Use 'clear conn all address <addr>' to clear up the connection.

Regards,

Aditya

Please rate helpful posts.

Hi Aditya,

Alex MD — Wed, 09 Mar 2016 18:55:41 GMT

Hi Aditya,

Indeed, after clearing connections everything worked like a charm.

Thank you for advice.

Best regards,

Alex