topic Re: ASA Firewall 5520 in Network Security

ASA Firewall 5520

Alfredo Bosca Bataller — Tue, 12 Mar 2019 03:51:37 GMT

Good moning from Spain,

I am in my first steps about ASA Firewalling. My issue is that have created a ACL to permit the traffic between inside zone to outside zone but don't work the ping between 192.168.0.2 to 172.16.0.1.

Attach the simple topology.

access-list inside extended permit ip any interface outside

access-group inside in interface inside

ASA Version 8.0(2)

interface Ethernet0/0

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

interface Ethernet0/1

nameif outside

security-level 0

ip address 172.16.0.1 255.255.255.252

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Ethernet0/4

shutdown

no nameif

no security-level

no ip address

interface Ethernet0/5

shutdown

no nameif

no security-level

no ip address

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list inside extended permit ip any interface outside

pager lines 24

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

access-group inside in interface inside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

username alfredo password lu1LhTMEN9oBa4C3 encrypted privilege 15

prompt hostname context

Cryptochecksum:00000000000000000000000000000000

: end

http://networkingcontrol.wordpress.com/
#CCNP CSCO11962956

Re: ASA Firewall 5520

kcnajaf — Fri, 28 Feb 2014 11:06:01 GMT

Hi Alfredo,

I'm not a firewall guy but still 🙂

Traffic will be allowed from High- Security level interface (in your case from inside interface as it has security level of 100) to Low Security level (in your case outside interface as it has security level of 0) by default.ASA monitor all the traffic going from inside interface and allows the return traffic on outside interface for that flow by default with out any ACL.So you dont need an ACL from sending traffic from inside to outside. .

I would assume in your case this is not working because you are using ping. Ping is classified as ICMP traffic on not IP traffic. This is not working because by default ASA does not inspect ICMP traffic. Unless and until ASA inspect the any particular traffic on inside interface, it will not be allow the return traffic from higher to lower security levels by default

So two ways to make this work.

In your configuration there should be a default inspection class map. Please add no line "inspect icmp" to this class map and try the ping.

Try adding a new ACL will allow ICMP ECHO-REPLY traffic sourced from outside to inside and apply it on outside interface inbound direction.

Some thing like this

access-list ICMP permit icmp 172.16.0.0 netmask 255.255.255.0 any echo-reply

access-group ICMP in interface outside

Hope that help.

Regards

Najaf

Please rate when applicable or helpful !!!

Re: ASA Firewall 5520

vishaw jasrotia — Fri, 28 Feb 2014 11:29:48 GMT

Hello,

As per fire default policy , U can't the firewall interface IP from the other interface subnet.

As in your case u are accessing the outside interface IP form inside zone subnet (192.168.0.2 to 172.16.0.1).

So its not pinging.

We can ping the interface IP form respective interface subnet only.

Thanks

ASA Firewall 5520

Alfredo Bosca Bataller — Fri, 28 Feb 2014 19:50:43 GMT

I have configured your advices but don't work ping (echo-reply).

I have write:

access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply

access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded

access-group OUTSIDE_IN_ACL in interface outside

Permit PING and TRACERT services.

Don't work pinging:

All configuration:

ASA# show run
: Saved
:
ASA Version 8.0(2)
!
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 172.16.0.1 255.255.255.252
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply
access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group OUTSIDE_IN_ACL in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end

Najaf KC escribió:
Hi Alfredo,
I'm not a firewall guy but still 🙂
Traffic will be allowed from High- Security level interface (in your case from inside interface as it has security level of 100) to Low Security level (in your case outside interface as it has security level of 0) by default.ASA monitor all the traffic going from inside interface and allows the return traffic on outside interface for that flow by default with out any ACL.So you dont need an ACL from sending traffic from inside to outside. . 
I would assume in your case this is not working because you are using ping. Ping is classified as ICMP traffic on not IP traffic. This is not working because by default ASA does not inspect ICMP traffic. Unless and until ASA inspect the any particular traffic on inside interface, it will not be allow the return traffic from higher to lower security levels by default
So two ways to make this work.
In your configuration there should be a default inspection class map. Please add no line "inspect icmp" to this class map and try the ping.
or
Try adding  a new ACL will allow ICMP ECHO-REPLY traffic sourced from outside to inside and apply it on outside interface inbound direction.
Some thing like this
access-list ICMP permit icmp 172.16.0.0 netmask 255.255.255.0 any echo-reply
access-group ICMP in interface outside
Hope that help.
Regards
Najaf
Please rate when applicable or helpful !!!

http://networkingcontrol.wordpress.com/
#CCNP CSCO11962956

Re: ASA Firewall 5520

kcnajaf — Sat, 01 Mar 2014 05:30:13 GMT

Hi Alfredo,

Opps my mistake..I didnt realise that you are pinging the ASA interface itself 😞 My siggestion was based on the assumtion that you where trying to ping the outside ISP router interface on the diagram. I hope that you are able to ping the ISP router interface from the inside host with my suggested configurations.

Vishaw is correct here with regards to the ASA interface ping.

Hope that helps.

Regards

Najaf

Please rate when applicable or helpful !!!

Re: ASA Firewall 5520

Marius Gunnerud — Sat, 01 Mar 2014 09:48:19 GMT

By default the ASA will drop to the box ICMP packets to interfaces that are not the ingress interface, even if there is an ACL permitting such traffic. You would need to add the following command instead.

permit icmp

So since you are trying to ping the outside interface from subnet 192.168.0.0/24 you would need to add the following command.

permit icmp 192.168.0.0 255.255.255.0 outside

--
Please remember to rate and select a correct answer