topic Re: Routing out through default Gateway in Network Security

Routing out through default Gateway

Mark Cavendish — Tue, 12 Mar 2019 02:14:35 GMT

We have our ASA 5540 in our hosting site and it has just been made the default gateway from our network out to the internet.

Inside hosts translate to the Outside cards Public IP address as you would expect when you route out.

Yet my problem is all inside hosts can route out to the Internet and have full rights to all services such as HTTP, HTTPS and FTP etc etc.

I can't see any rules allowing this and there is only rules for the Proxy Server and certain servers etc.

Our NAT rule covering this is:

object network obj-10.0.0.0

nat (Private,DMZ) static 10.0.0.0

object network obj_any

nat (Private,Public) dynamic interface

object network obj_any-01

nat (DMZ,Public) dynamic interface

I have tried to create deny rules, but hosts can still route out fully. Can someone point me in the right direction on what I can do to block these hosts fully unless they are specifally granted access?

Thanks in advance,

Mark

Routing out through default Gateway

Jouni Forss — Fri, 19 Jul 2013 15:27:19 GMT

Hi,

Judging by your "object network" names, they are meant to do Dynamic PAT for "any" source address behind the "DMZ" or "Private" interfaces. So it would seem that any host behind the ASA can be NATed.

Naturally ACLs also play a role on what traffic is allowed.

On a default ASA there is only "security-level" value which defines which traffic is allowed. And usually the interfaces which connect to your LAN and DMZ have higher "security-level" and therefore all traffic is allowed by default.

You say though that you have configured rules but they are not working?

Could you post your ACLs and also the output of the following command

show run access-group

This should tells us what kind of ACLs are configured and how they are attached to the interfaces.

- Jouni

Routing out through default Gateway

Mark Cavendish — Fri, 19 Jul 2013 15:46:58 GMT

Thanks Jouni for your help, we need Servers to be able to route out to the Internet without a Proxy specified, but want to permit what can.

Here is the first command:

ASA# sh run access-group
access-group Private_access_out out interface Private
access-group DMZ_access_in in interface DMZ
access-group DMZ_access_out out interface DMZ
access-group Public_access in interface Public

Then these are the ACL's we have:

ACLS:

access-list Public_access remark Public Inbound Learning Live
access-list Public_access extended permit tcp any object LearningLIVE object-group DM_INLINE_TCP_0
access-list Public_access remark Public Inbound DEMSexernal Live
access-list Public_access extended permit tcp any object DEMSexternalLIVE eq https
access-list Public_access remark BT VPN Access (Self Managed)
access-list Public_access extended permit ip any object BT-VPN
access-list Public_access remark Public Inbound Web External Development
access-list Public_access extended permit tcp any object WebExDev object-group DM_INLINE_TCP_4
access-list Public_access remark Public Inbound Learning
access-list Public_access extended permit tcp any object LearningTest object-group DM_INLINE_TCP_1
access-list Public_access remark Public Inbound DEMS External
access-list Public_access extended permit tcp any object DEMSexternalTest eq https
access-list Public_access remark Public Inbound HTTP Webaccess
access-list Public_access extended permit tcp any object Gwava eq www
access-list Public_access remark Public Inbound E-Mail SMTP Trusted IP's
access-list Public_access extended permit tcp object-group DM_INLINE_NETWORK_1 object Gwava eq smtp
access-list Public_access remark Kineo Source Control Inbound
access-list Public_access extended permit tcp object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_NETWORK_9 object-group TEST2222
access-list DMZ_access_out extended permit tcp object FSGGS3 object Gwava object-group DM_INLINE_TCP_9
access-list DMZ_access_out remark Internal Network to Gwava Mail Scanner
access-list DMZ_access_out extended permit tcp object Internal-Network object Gwava object-group DM_INLINE_TCP_7
access-list DMZ_access_out extended permit ip any object-group PCC-Ext-Servers
access-list DMZ_access_out remark Internal Network to PCC Servers
access-list DMZ_access_out extended permit ip object Internal-Network object-group PCC-Ext-Servers
access-list DMZ_access_out extended permit ip any object BT-VPN
access-list DMZ_access_out remark FSGGS3 E-Mail and Webaccess return traffic
access-list DMZ_access_out extended permit tcp any object Gwava eq www
access-list DMZ_access_out extended permit tcp any object Gwava eq smtp
access-list DMZ_access_in remark Ping/ICMP Testing with new GGS Setup
access-list DMZ_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list DMZ_access_in remark Outgoing Ports/Services to Internet
access-list DMZ_access_in extended permit tcp object Gwava any object-group DM_INLINE_TCP_2
access-list DMZ_access_in remark Incoming Ports/Services to Internal Network
access-list DMZ_access_in extended permit ip object-group PCC-Ext-Servers object Internal-Network
access-list DMZ_access_in remark Outgoing Ports/Services to Internet
access-list DMZ_access_in extended permit tcp object-group PCC-Ext-Servers any object-group DM_INLINE_TCP_3
access-list DMZ_access_in remark BT VPN Concentrator Outbound Full Access
access-list DMZ_access_in extended permit ip object BT-VPN any
access-list DMZ_access_in remark Gwava SMTP to iCritical SMTP Servers
access-list DMZ_access_in extended permit tcp object Gwava object-group DM_INLINE_NETWORK_2 eq smtp
access-list DMZ_access_in remark Gwava DNS and NTP to FSGGS1
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_2 object Gwava object-group DM_INLINE_NETWORK_4
access-list DMZ_access_in remark Gwava E-Mail & Webacess to FSGGS3
access-list DMZ_access_in extended permit tcp object Gwava object FSGGS3 object-group DM_INLINE_TCP_6
access-list DMZ_access_in remark Kineo Source Control Outbound
access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_6 object-group Kineo2222
access-list throttle_squid extended permit ip host 10.25.1.8 any
access-list throttle_squid extended permit ip any host 10.25.1.8
access-list Private_access_out remark Squid Proxy Server Outbound to Internet
access-list Private_access_out extended permit object-group DM_INLINE_SERVICE_1 object SquidProxyGGS interface Public
access-list Private_access_out remark Ping/ICMP Testing with new GGS Setup
access-list Private_access_out extended permit icmp any any object-group DM_INLINE_ICMP_2
access-list Private_access_out remark Gwava Mail Scanner contact Internal Network for comms
access-list Private_access_out extended permit object-group TCPUDP object Gwava object-group DM_INLINE_NETWORK_3 eq domain
access-list Private_access_out remark PCC Servers contact Internal Network for GGS testing (temp)
access-list Private_access_out extended permit ip object-group PCC-Ext-Servers object Internal-Network
access-list Private_access_out remark FSGGS1 Timesync Public NTP Server
access-list Private_access_out extended permit udp object FSGGS1 83.170.75.0 255.255.255.0 eq ntp
access-list Private_access_out remark Team Visio Connection to PCC Servers
access-list Private_access_out extended permit tcp object WEBDEV host 195.13.14.26 object-group TeamVisio
access-list Private_access_out remark FSGGS3 E-Mail & Webaccess Return
access-list Private_access_out extended permit tcp object FSGGS3 object Gwava object-group DM_INLINE_TCP_10
access-list Private_access_out remark Gwava E-Mail & Webaccess
access-list Private_access_out extended permit tcp object Gwava object FSGGS3 object-group DM_INLINE_TCP_11
access-list Private_access_out remark Web Access Outbound from GGS Subnet
access-list Private_access_out extended permit tcp 10.25.0.0 255.255.0.0 interface Public object-group DM_INLINE_TCP_5
access-list Private_access_out remark OBS & Learning GGS Moves
access-list Private_access_out extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_5 interface Public
access-list Private_access_out remark Learning Data Live SFTP Uploads
access-list Private_access_out extended permit tcp object LearningDataLive host 215.138.172.187 object-group Kineo2222
access-list Private_access_out remark Servers that need access to the Internet without a Proxy.
access-list Private_access_out extended permit tcp object-group Servers-Internet-Access interface Public object-group DM_INLINE_TCP_8
access-list Private_access_out remark PCC manage Web server
access-list Private_access_out extended permit tcp any host 92.211.133.59 object-group VNC
access-list Private_access_out remark Citidirect Access for Finance. Legacy rule as exceptions still in Browser Policy.
access-list Private_access_out extended permit ip any object-group DM_INLINE_NETWORK_10
access-list Private_access_out remark PCC Access to their Server.
access-list Private_access_out extended permit ip any host 181.171.193.155
access-list Private_access_out extended permit tcp any host 196.13.14.26 object-group DM_INLINE_TCP_12
access-list Private_access_out remark Legacy rule
access-list Private_access_out extended permit tcp any interface Public object-group CCPulse
access-list Private_access_out remark Servers RDP Access
access-list Private_access_out extended permit tcp any object-group DM_INLINE_NETWORK_11 object-group DM_INLINE_TCP_13
access-list Private_access_out remark Fire Alarm Setup in Regions.
access-list Private_access_out extended permit tcp any any object-group DM_INLINE_TCP_14
access-list Private_access_out remark Legacy rule address lookup function.
access-list Private_access_out extended permit tcp any host 195.10.106.20 eq www
access-list Private_access_out remark Legacy rule Finance order train tickets.
access-list Private_access_out extended permit tcp any object-group DM_INLINE_NETWORK_12 eq https
access-list Private_access_out remark MFD Access to Internet for charging purposes.
access-list Private_access_out extended permit tcp any 208.248.100.0 255.255.255.0 eq https

Thanks again for your help.

Mark

Re: Routing out through default Gateway

Jouni Forss — Fri, 19 Jul 2013 16:41:50 GMT

Hi,

There are so many "object network" and "object-group" configurations that I would suggest you use the "packet-tracer" command with some source IP address that IS NOT supposed to be able to access some external resource.

This should tell us exactly what rule on the ACL is hit that permits this traffic.

packet-tracer input Private tcp 12345

The only wide rule I noticed so far was this one

access-list Private_access_out extended permit tcp any any object-group DM_INLINE_TCP_14

Though I dont know which ports the DM_INLINE_TCP_14 contains.

- Jouni

Re: Routing out through default Gateway

Mark Cavendish — Sat, 20 Jul 2013 11:30:54 GMT

Thanks Jouni, that DM_INLINE_14 is just high end 17000-17049 & 18000-18049 to access the Internet. I disabled it and no difference.

I did a packet trace and I have attached the image. It doesn't seem to reference any rule in my ACL table.

Re: Routing out through default Gateway

Andrew Phirsov — Sat, 20 Jul 2013 12:45:32 GMT

Hi Mark. You have no access-list on the Private interface in the inbound direction. All the traffic from Private towards Public is allowed, as expected.

You should change this:

access-group Private_access_out out interface Private

to this:

access-group Private_access_out in interface Private

that's it.

Routing out through default Gateway

Mark Cavendish — Sat, 20 Jul 2013 15:01:21 GMT

Thanks Andrew, that was the problem and it blocked it straight away and I am now much happier! Much appreciated for your help and thanks again to Jouni also.

Mark