topic Re: ASA access-list on egress interface in Network Security

ASA access-list on egress interface

Vitaliy Opora JSC — Mon, 08 Apr 2019 08:24:40 GMT

Hi,

If I configure the ASA5506 with a bridge-group on the ingress interface, I need to apply an permit access-list on the egress interface to forward traffic.
If I use the same configuration, but without a bridge-group on the ingress interface, the traffic will be redirected without permitting an access-list on the egress interface.

Security-level on ingress interface 100, on BVI interface 100, on egress interface 0.

Please explain me why.

Sorry if my English is bad.

Re: ASA access-list on egress interface

Josiane de Barros Silva — Tue, 09 Apr 2019 12:25:19 GMT

Hi @Vitaliy Opora JSC

BVI (Bridge Virtual Interface) is required to configure bridge groups in a firewall transparently.
Each bridge group requires a management IP address. ASA uses this IP address as the source address for packets originating from the bridge group. The management IP address must be on the same subnet as the connected network. For IPv4 traffic, the management IP address is required to transmit any traffic.

Example :
ciscoasa (config) # interface bvI 1
Specify the management IP address for the bridge group.

ciscoasa (config-if) # endereço ip xxxx 255.255.255.0 espera xxxy

Source : https://www.techtutsonline.com/interface-configuration-in-cisco-asa-transparent-mode/

The ASA uses a level of security associated with each interface. It is a number between 0 and 100 that defines the reliability of the network to which the interface is connected; the higher the number, the more confidence you have in the network. For example, the most secure network, such as the internal LAN, must have a security level of 100. The external network connected to an untrusted network (such as the Internet) must be level 0. The interface connected to the DMZ must have the security level set to something between 1 and 99 (usually 50).

Security levels are used to define how traffic started from one interface can return from another interface. By default, top-level security interfaces can initiate traffic to a lower level

level 100 for the internal network
level 50 for the DMZ network
level 0 for the external network

By default, ASA will stop any initial traffic that is trying to move from lower security levels to higher levels of security. This means that, for example, a server on the external network can not start a conversion with the server in our DMZ network or with the host on the internal network. The server in the DMZ can initialize traffic out (from top to bottom, 50 to 0), but can not initialize a conversation indoors (from low to high, 50 trying to go to 100). The inside host can initiate traffic to the DMZ server and the Internet. When the server on the outside responds back to the internal host, the ASA will dynamically allow the return traffic.

Best Regards

Josiane

Twitter: SecureGirllNinja

Re: ASA access-list on egress interface

Vitaliy Opora JSC — Tue, 09 Apr 2019 14:57:36 GMT

Hi @Josiane de Barros Silva.

Thanks you for your reply. Without using bridge-group on ingress interface, it works correctly (traffic sent to ingress interface with high security level may exit the output interface with lower security level, and response from the remote host will be returned to the sender). But if bridge-group is used on the ingress interface, then to obtain a response from remote host, you need to apply permit access-list on the output interface.

Re: ASA access-list on egress interface

Josiane de Barros Silva — Tue, 09 Apr 2019 16:29:05 GMT

Hi @Vitaliy Opora JSC

Watching the Show run.
Is the output similar to the configuration below?

!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
same-security-traffic permit inter-interface
!
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
!
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
!
object network obj_any1
nat (inside_1,outside) dynamic interface
object network obj_any2
nat (inside_2,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
!
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
!

Questions:
1- Do you need to make several changes to the firewall?
If the answer is yes, the setting will become complex.
2- Will this firewall be applied to a small business client?
If so, it would be feasible to use this type of configuration.

Josiane de Barros

Twitter:SecureGirlNinja

Re: ASA access-list on egress interface

Vitaliy Opora JSC — Wed, 10 Apr 2019 10:13:02 GMT

Hi @Josiane de Barros Silva

Thanks for your help

I checked the configuration again and I was find an error. I test the connection with ping, ASA block icmp reply, but connections work correctly. To fix this i will add:

policy-map global_policy
 class inspection_default
  inspect icmp

full config with bridge interface is:

ASA Version 9.8(2) 
!
interface GigabitEthernet1/1
 no shutdown
 nameif outside
 security-level 0
 ip address xx.xxx.xxx.xx 255.255.255.240 
!
interface GigabitEthernet1/2
 no shutdown
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
same-security-traffic permit inter-interface
object network obj_any1
 subnet 192.168.1.0 255.255.255.0
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
!
route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.xx 1
!
dhcpd dns 8.8.8.8
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
policy-map global_policy
 class inspection_default
  inspect icmp

full config without bridge interface:

ASA Version 9.8(2) 
!
interface GigabitEthernet1/1
 no shutdown
 nameif outside
 security-level 0
 ip address xx.xxx.xxx.xx 255.255.255.240 
!
interface GigabitEthernet1/2
 no shutdown
 nameif inside_1
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
same-security-traffic permit inter-interface
object network obj_any1
 subnet 192.168.1.0 255.255.255.0
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
!
route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.xx 1
!
dhcpd dns 8.8.8.8
!
dhcpd address 192.168.1.5-192.168.1.254 inside_1
dhcpd enable inside_1
!
policy-map global_policy
 class inspection_default
  inspect icmp

both configurations work correct, problem solved.

Re: ASA access-list on egress interface

Josiane de Barros Silva — Wed, 10 Apr 2019 17:29:44 GMT

Hi @Vitaliy Opora JSC

If you feel like contributing, it is like a vote of helpful help, so that we can continue to help whenever possible.

Good job

Thanks,

Josiane

Twitter:SecureGirlNinja