topic ACL for Transparent ASA Port in Network Security

ACL for Transparent ASA Port

LANSK — Sat, 15 Feb 2020 12:43:57 GMT

Hello Experts,

I am am setting up an asa 5508 in transparent firewall. Created a BVI interface and join two inside interfaces to bridge. I am after to create an ACL that can permit only one host per interface

Interface BVI 44

ip add 10.1.1.3 255.255.255.0

interface giga 1/1

nameif in

sec level 100

bridge group 44

int giga 1/2

nameif in2

sec level 100

bridge group 44

network object in host 10.1.1.1

network object in2 host 10.1.1.2

wrote this

01. access-list acl_in extended permit ip object in any

apply access-group acl_in in interface in.

then i change the my machine's ip 10.1.1.40 and try to send a ping command to BVI interface. since the ACL is apply to Inbound traffic, I am expecting if i change the ip address of the machine it should not let me pass. can someone please help me to understand this correctly ?

Thanks a lot for your time.

Re: ACL for Transparent ASA Port

balaji.bandi — Sat, 15 Feb 2020 20:51:17 GMT

where is your device belong to - when you initiated traffic - connected to in-network or in2 network side?

post full config

Re: ACL for Transparent ASA Port

LANSK — Sun, 16 Feb 2020 16:19:08 GMT

Hello Balaji,

thank you for the reply. sure ,let me share the full config .

!
firewall transparent
interface GigabitEthernet1/1
bridge-group 44
nameif in
security-level 100
!
interface GigabitEthernet1/2
bridge-group 44
nameif in2
security-level 100
!
interface GigabitEthernet1/3
shutdown
no nameif
security-level 100
!
interface GigabitEthernet1/4
shutdown
no nameif
security-level 0
!
interface GigabitEthernet1/5
shutdown
no nameif
security-level 0
!
interface GigabitEthernet1/6
shutdown
no nameif
security-level 0
!
interface GigabitEthernet1/7
shutdown
no nameif
security-level 0
!
interface GigabitEthernet1/8
shutdown
no nameif
security-level 0
!
interface Management1/1
management-only
shutdown
no nameif
security-level 0
!
interface BVI44
description Virtual Interface
ip address 10.1.1.3 255.255.255.0
!
banner motd $ Un-authorized access to this device is prohibited $
boot system disk0:/asa982-lfbff-k8.SPA
ftp mode passive
clock timezone GST 4
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network PERMIT_1
host 10.1.1.1
object network PERMIT_2
host 10.1.1.2
access-list ACL_permitGiga01 extended permit ip object PERMIT_1 object PERMIT_2
access-list ACL_permitGiga02 extended permit ip object PERMIT_2 object PERMIT_1
!
snmp-map asa_snmp_map
deny version 1
deny version 2
!
pager lines 24
logging enable
logging asdm informational
mtu in 1500
mtu in2 1500

no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384

access-group ACL_permitGiga01 in interface in
access-group ACL_permitGiga02 in interface in2
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
no http server enable
no snmp-server location
no snmp-server contact
no service password-recovery
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 5
threat-detection basic-threat
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

dynamic-access-policy-record DfltAccessPolicy

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

: end

Traffic will start from 10.1.1.1 --> 10.1.1.2

Re: ACL for Transparent ASA Port

Sheraz.Salim — Sun, 16 Feb 2020 17:31:48 GMT

The interested bit are below

interface BVI44
description Virtual Interface
ip address 10.1.1.3 255.255.255.0
!
same-security-traffic permit inter-interface
!
object network obj_any
subnet 0.0.0.0 0.0.0.0
!
object network PERMIT_1
host 10.1.1.1
!
object network PERMIT_2
host 10.1.1.2
!
access-list ACL_permitGiga01 extended permit ip object PERMIT_1 object PERMIT_2
access-list ACL_permitGiga02 extended permit ip object PERMIT_2 object PERMIT_1
!
access-group ACL_permitGiga01 in interface in
access-group ACL_permitGiga02 in interface in2

now if you configured your machine ip address 10.1.1.40 and ping BVI this will be successful. if you ping to from 10.1.140 to PERMIT_1/2 it will deny as your rule are very specific. This is how i see it.

Re: ACL for Transparent ASA Port

balaji.bandi — Sun, 16 Feb 2020 18:03:35 GMT

These subnets belong to the same network right and you have a rule here which allows.

same-security-traffic permit inter-interface

make sense?