topic Cisco ASA 5505 Rule in Network Security

Cisco ASA 5505 Rule

davealessi — Tue, 12 Mar 2019 03:09:29 GMT

I have an ASA 5505 router. I have configured most of the rules, but have had assistance from online forums and outside consultants

configuring some rules. There is one in my configuration that I do not understand, and I do not remember entering it myself. The rule is blocking traffic

when a server on the private side tries to send http traffic to itself. Not sure what the purpose of the rule is or why it is there.

When I click on rule 35, it highlights both 35 and 36.

# Type Source destination service interface address service DNS Rewrite Max TCP Ebbronic Limit Max UDP... Randomize Seq #

--- ------- ------- ------------ -------- --------- ------- ---------- ------------- ------------- ------------------- ---------------- ----------------

35 Dynamic any <blank> <blank> inside inside <blank> <blank> Unlimited Unlimited Unlimited <checked>

36 <blank> <blank> <blank> <blank> outside outside <blank> <blank> Unlimited Unlimited Unlimited

I am hesitant to delete the rule until I know the purpose.

I am not sure but the rule below may be what is generatig it (I am not familiar withg command line commands):

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 209.34.249.193 1

Can someone tell me whay this is for, or what it is doing?

Re: Cisco ASA 5505 Rule

johnlloyd_13 — Tue, 26 Nov 2013 05:54:42 GMT

hi,

just to make sure, you may want to schedule a maintenance window if you want to make changes on your FW ACL.

refer to comments on the said 2 lines.

access-group outside_access_in in interface outside <<< ACL with name "outside_access_in" is applied "inbound" on the "outside" interface

route outside 0.0.0.0 0.0.0.0 209.34.249.193 1 <<< static default route towards the "outside" interface hops to IP 209.34.249.193 with metric/AD of 1.

Re: Cisco ASA 5505 Rule

davealessi — Tue, 26 Nov 2013 11:27:34 GMT

I do not understand your response. Can you explain the effect of these rules?

Cisco ASA 5505 Rule

Jouni Forss — Tue, 26 Nov 2013 11:47:49 GMT

Hi,

Basically what John said above, the below configurations do the following

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 209.34.249.193 1

The following command

access-group outside_access_in in interface outside

Tells the ASA to use an "access-list" named "outside_access_in" in your interface named "outside". As you can see the the direction is mentioned as "in" so it controls traffic INCOMING to the "outside" interface. So it controls traffic coming from the Internet towards your ASA (and past it to your internal network if you have configured Static NAT for some host)

There should be no need to touch this command!

The following command

route outside 0.0.0.0 0.0.0.0 209.34.249.193 1

Tells the ASA the default route for any network that is not in your local network. It tells the ASA to send traffic to any destination address that it doesnt have better information to the ISP gateway which is the last IP address mentioned in the command.

There should be no need to touch this command!

Now, I am not sure what the original output refers to. It looks to me something that you have perhaps gotten from the ASDM GUI? The graphical interface used to manage the ASA? I don't personally use it myself so I would prefer to see the same on the CLI format

They seem to be some configurations that utilize the interface IP addresses of "inside" and "outside" in the translations. The 35 seems to be some sort of Dynamic PAT probably. Not sure of the other one.

You could probably find the CLI format output with the commands

show run global

show run nat

show run static

- Jouni

Cisco ASA 5505 Rule

davealessi — Tue, 26 Nov 2013 12:24:06 GMT

I used Packet Tracer (a GUI tool) to determine which NAT rule was blocking the traffic I am trying to allow. It was rule 35 & 36 as shown in my original post. I attempted to correlate the gui rule to the cli. I don't know if i picked the correct cli rule or not. That is why I showed both of them.

Since rule 35 is dynamic, I tried:

Result of the command: "show run dynamic"

crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

This rule is part of the VPN setup I think, which would make sense because I had a consultant set it up for me.

Result of the command: "show run global"

global (inside) 1 interface
global (outside) 1 interface
global (outside) 199 xxx.xxx.249.200

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 199 access-list Mail

nat (inside) 1 0.0.0.0 0.0.0.0

Result of the command: "show run static"

static (inside,outside) tcp xxx.xxx.235.13 ftp 192.168.1.20 ftp netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.200 smtp 192.168.1.119 smtp netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.196 www 192.168.1.100 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.197 www 192.168.1.101 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.198 www 192.168.1.102 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.199 www 192.168.1.103 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.1 https 192.168.1.109 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.2 https 192.168.1.110 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.3 https 192.168.1.111 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.4 https 192.168.1.112 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.5 https 192.168.1.113 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.6 https 192.168.1.114 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.7 https 192.168.1.115 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.8 https 192.168.1.116 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.9 https 192.168.1.117 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.10 https 192.168.1.118 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.11 https 192.168.1.119 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.12 https 192.168.1.120 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.13 https 192.168.1.121 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.13 www 192.168.1.121 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.14 ftp 192.168.1.122 ftp netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.14 ftp-data 192.168.1.122 ftp-data netmask 255.255.255.255
static (inside,inside) tcp xxx.xxx.235.6 1443 192.168.1.40 1443 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.235.5 1443 192.168.1.40 1443 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.249.197 1080 access-list Nat1
static (inside,outside) tcp xxx.xxx.249.198 1080 access-list Nat2
static (inside,outside) tcp xxx.xxx.249.198 2080 access-list Nat4
static (inside,outside) tcp xxx.xxx.249.197 2080 access-list Nat3
static (inside,outside) tcp xxx.xxx.249.199 1080 access-list Nat5
static (inside,outside) tcp xxx.xxx.249.199 2080 access-list Nat6
static (outside,inside) 192.168.1.50 xxx.xxx.249.200 netmask 255.255.255.255
static (inside,inside) xxx.xxx.249.197 192.168.1.50 netmask 255.255.255.255

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 199 access-list Mail
nat (inside) 1 0.0.0.0 0.0.0.0

I included other cli but changes the ip addresses.

I am trying to allow my server behind the firewall to send http traffic to itself. Currently blocked by rule 35&36 in the gui.

Cisco ASA 5505 Rule

Jouni Forss — Tue, 26 Nov 2013 13:10:46 GMT

Hi,

Why does the server need to connect to itself and why would that traffic go through the firewall when it connects to itself?

Do you mean that the server is actually connecting to the public IP address of the server while the server locally has a private IP address?

If that is the situation then we would need the output of the following "packet-tracer" command

packet-tracer input inside tcp 12345

If the server needs to send traffic to the public IP address then you would need a NAT between "inside" and "inside" interface. You actually seem to have one such configuration at the end of the listing.

static (inside,inside) netmask 255.255.255.255

- Jouni

Cisco ASA 5505 Rule

jumora — Tue, 26 Nov 2013 14:11:17 GMT

Yeah, Jouni is right, it is up to you if you want to XXXX part of the IP addressing but without detailed outputs we can´t give you an answer, please post the packet-tracer,

Value our effort and rate the assistance!

Cisco ASA 5505 Rule

jumora — Tue, 26 Nov 2013 14:13:18 GMT

Also post the version that you are running on the ASA, if this is hair pining then we would suggest the commands that you need.

Value our effort and rate the assistance!

Cisco ASA 5505 Rule

jumora — Tue, 26 Nov 2013 14:18:14 GMT

From the post you have the next that helps with hair pining configuration:

global (inside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

As Jouni said there are a couple of NAT commands that have the (inside,inside) defined that could be related to the destination IP that your local server needs to reach.

I don´t see the next command on your post that needs to be added for traffic to be allowed to U turn.

same-security-traffic permit inter-interface

Value our effort and rate the assistance!

Re: Cisco ASA 5505 Rule

Jouni Forss — Tue, 26 Nov 2013 14:27:24 GMT

Hi,

Both the ASDM Copy/paste the the current NAT configuration already tell us that its software level 8.2 or something below it.

The command needed for U-turn traffic would be

same-security-traffic permit intra-interface

Current settings can be viewed with

show run same-security-traffic

But as stated, there is not enough information for us to determine what the problem is.

Would need to know the source and destination IP address and services. The "packet-tracer" would tell us all that information (or it could be mentioned separately) and the "packet-tracer" would also tell us where the traffic fails.

There are a few configurations that point to a setup U-turn setup already but we can be sure when we dont know the IP addresses related to the connection.

- Jouni

Re: Cisco ASA 5505 Rule

jumora — Tue, 26 Nov 2013 14:48:50 GMT

I´m not sure how you determined that, static nat and pat configuration are the same from 7.0 to 8.2 and packet-tracer is allowed since 7.2, the reason that I ask is if he posts the version and the correct configuration and it does not work we can lookup bugs

Value our effort and rate the assistance!

Cisco ASA 5505 Rule

jumora — Wed, 27 Nov 2013 05:05:31 GMT

Sorry Jouni, it seems that I don´t know how to read, you indicated 8.2 or under so I said the same thing thinking that you where indicating that it was running 8.2, but yeah, I asked the code just in case we need to lookup bugs.

Sorryyyyyyyyyyyyyyy

Cisco ASA 5505 Rule

davealessi — Wed, 27 Nov 2013 11:36:18 GMT

Additional Information:

The server is sending an http request to the public facing url, which gets dns resolved to an outside address that gets nat'ed to this server. If I put 192.168.1.40 => 192.168.1.40 in the packet tracer, it fails on rule 35/36. If I put 192.168.1.40 => it works in the packet tracer. It doesn't however work. If I go to my browser (on the target server) and try and hit the web site it doesn't pass.

Sounds like a "u-turn" rule is needed in the router. Is this possible?

Another consideration here is that I must hit the pulic url, not the ip. For example, this server hosts many web sites, and uses host header to resolve which site is being accessed. For example, site1.myserver.com, and site2.myserver.com. Both on same IP.

Is it possible to configure a rule to do the u-turn?