topic ASA 5510 ACL issue in Network Security

ASA 5510 ACL issue

fuenteslg — Tue, 12 Mar 2019 01:39:48 GMT

Hi guys,

I'm newbie in a FW matters, I need to apply some filters between our corporate network and our industrial networks (FTP traffic and some special ports for telnet matters). For that I'm using an ASA 5510 building a etherchannel with 3 of its Fa interfaces, over the main portchannel I set the corporate network access with a higher security level and the I created a few sub interfaces with a different VLAN each one and lower security level.

Then I used some NAT configuration in order to go from the industrial network to some specific FTP server in the corporate network.

When I try to use an ACL just to permit the FTP traffic inbound over the corporate interface all traffic is dropped by the global implicit rule to deny any to any traffic.

Why can I do to enable the ftp traffic?

Regards,

G.Fuentes

Sent from Cisco Technical Support iPhone App

ASA 5510 ACL issue

Jouni Forss — Tue, 07 May 2013 13:12:30 GMT

Hi,

It would be easier to go through this seeing the configurations.

You say that you have configured a Etherchannel between the ASA and some other device. This means that you are atleast using software level 8.4(1)

This in turn means that you dont need any NAT configurations between your local interfaces UNLESS you specifically want to NAT some IP addresses or networks to something else.

With the ACLs its important to remember that when your software level is equal or above 8.3(1) that you always use the hosts real IP address in the ACL rules even if you have configured NAT for it.

- Jouni

Re: ASA 5510 ACL issue

fuenteslg — Wed, 08 May 2013 03:16:29 GMT

Hello Jouni,

I'm sorry my scenario is:

- EtherChannel is connect to a HP procurve switch
- ASA version: 9.0(2)
- ASDM version 7.1(2)

In fact about my FTP server destination I setting a network object and I used it to created the ACL rule, in that case I must to forget it and create the ACL using the real IP address? Regarding security levels, is better to set a higher security level over my corporate network interface and leave a lower security level over the industrial network interfaces or maybe set the same security level for everyone? On the other hand I need to enable the traffic between interfaces with the same security level or it isn't necessary?

Many thanks in advance for your comments.

G.FUENTES.-

Sent from Cisco Technical Support iPad App

Re: ASA 5510 ACL issue

Jouni Forss — Wed, 08 May 2013 03:25:32 GMT

Hi,

I personally would forget about the "security-level" values and just configure ACL for each interface and allow the connections which need to be allowed.

If you rely simply on the "security-level" value then you can consider it as a "Allow all or Deny all traffic" setup.

You either allow all connections from one interface to other or block all traffic from one interface to another. Meaning that higher "security-level" interfaces (or rather the networks behind them) can connect to any network located on a less secure interface of the ASA. Also all traffic from a lower "security-level" interface to a higher "security-level" interface would be blocked.

Eventually to create a good access policy you will need to configure an ACL and at the point the "security-level" value looses its meaning. As soon as the ACL is attached to the interface, it starts to control what is allowed and what is blocked. The "security-level" wont determine that anymore.

With regards to the actual ACL, you can use "object network" or "object-group" to hold the IP addresses or networks for which you want to deny or allow traffic. I just mean that in the case if you are using some NAT configurations on the ASA then you should always use the real/original IP address of the host in the ACL rules instead of the NAT IP address.

It would be easier to check the reason of the problem if we

Saw the configurations
Knew the host IP address that is connecting to the FTP server
Knew the IP address of the FTP server

- Jouni

Re: ASA 5510 ACL issue

fuenteslg — Wed, 08 May 2013 03:45:13 GMT

Hi,

Just for clarify about security level, I can leave i.e. 0 for all interfaces and set the security trough ACL, I'm corrected? Well in that scenario I did the test I mean, all interfaces with the same security level, ACL using the real IP address trough network objects and always the package is dropped by the implicit ACL because the ACL that I did doesn't match.

I created de ACL rule over the my corporate network interface on in access permitting the traffic from one of my industrial network to my FTP server and the result is the same that I described over.

what I'm missing?

Sent from Cisco Technical Support iPad App

ASA 5510 ACL issue

Jouni Forss — Wed, 08 May 2013 03:53:07 GMT

Hi,

There are a couple of special settings on the ASA related to the "security-level" that always apply.

If you have traffic between interfaces with equal "security-level" you will need

same-security-traffic permit inter-interface

If you have traffic that is entering an ASA interface and leaves through the same interface then you need

same-security-traffic permit intra-interface

Though the latter one is usually used with VPN connections that need to enter the ASA through "outside" and leave to the Internet (or another L2L VPN remote site) through the "outside"

I personally configure LAN interfaces usually with "security-level 100" and WAN interfaces with "security-level 0".

- Jouni

Re: ASA 5510 ACL issue

fuenteslg — Wed, 08 May 2013 04:07:43 GMT

Hi,

I got it, in my case all interfaces will be like a LAN, the ASA will be used to protect our corporate network because the industrial one doesn't have any protection in terms of antivirus, OS patch, etc. for that reason I need only permit the FTP and some IP ports from industrial to corporate nothing else. On this scenario I need to apply some ACL over the industrial interface about outbound traffic?

I'm sorry if my questions are too basic.

Regards,

G.FUENTES.-

Sent from Cisco Technical Support iPad App

ASA 5510 ACL issue

Jouni Forss — Wed, 08 May 2013 04:53:48 GMT

Well,

We have for example had some simple firewall configurations between Automation and Office networks.

There might be an ASA with no NAT configurations at all and we only allow certain traffic in and certain traffic out.

Basically your ACL can look like this with just the FTP

access-list INDUSTRIAL-IN remark Allow FTP to Corporate Network

access-list INDUSTRIAL-IN permit tcp host host eq ftp

access-list INDUSTRIAL-IN remark Deny All other traffic

access-list INDUSTRIAL-IN deny ip any

If you wanted to add DNS to some internal or external server then it could be

access-list INDUSTRIAL-IN remark Allow FTP and DNS to Corporate Network

access-list INDUSTRIAL-IN permit tcp host host eq ftp

access-list INDUSTRIAL-IN permit udp host host eq domain

access-list INDUSTRIAL-IN remark Deny All other traffic

access-list INDUSTRIAL-IN deny ip any

In the same way you could open services between hosts or even networks if you needed.

You could also need to add the ACL to the interface with the command

access-group INDUSTRIAL-IN in interface industrial

Ofcourse the names of ACL and interface might be something else

But to be honest as I dont know your current NAT and ACL configurations I cant really help you if you still have problems with the FTP connection through the firewall.

- Jouni

ASA 5510 ACL issue

fuenteslg — Fri, 10 May 2013 01:02:45 GMT

Hi Jouni,

I followed your advice but it doesn't works, please see below my configuration:

ASA Version 9.0(2)

hostname ASA-CO0011-VASCH-01

enable password 792XWCseaD5YPLGJ encrypted

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

xlate per-session permit tcp any4 any4

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0/0

channel-group 20 mode active

no nameif

no security-level

no ip address

interface Ethernet0/1

channel-group 20 mode active

no nameif

no security-level

no ip address

interface Ethernet0/2

channel-group 20 mode active

no nameif

no security-level

no ip address

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

management-only

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Port-channel20

nameif SG_Net

security-level 0

ip address 10.200.5.19 255.255.255.0

interface Port-channel20.40

description VLAN for YK DCS

vlan 40

nameif YOK_VLAN

security-level 100

ip address 192.168.30.1 255.255.255.0

interface Port-channel20.50

description VLAN for BT Line

vlan 50

nameif BOT_VLAN

security-level 100

ip address 192.168.40.1 255.255.255.192

interface Port-channel20.60

vlan 60

nameif COG_VLAN

security-level 0

ip address 192.168.50.1 255.255.255.192

boot system disk0:/asa902-k8.bin

ftp mode passive

clock timezone COST -5

object service SMQF_YK_Connect

service tcp destination range 10300 10310

object network obj-192.168.30.30

host 192.168.30.30

object network obj-192.168.30.2

host 192.168.30.2

object network obj-192.168.30.3

host 192.168.30.3

object network SG_Antares_SMQF_Server

host 10.200.5.22

description Antares SMQF Server

object network YK_FTP

host 192.168.30.30

object network obj-192.168.40.2

host 192.168.40.2

object network SG_FIS_Server

host 10.200.5.20

description FIS Server for labeling

object service ANTARES_CG_Connnect

service tcp destination range 20301 20302

object network obj-192.168.50.3

host 192.168.50.3

object-group icmp-type ping-service

description allow ping

icmp-object echo

object-group service grp_SMQF tcp

port-object range 10300 10310

object-group service grp_ANTARES_CG tcp

port-object range 20301 20302

access-list ACL_SMQF extended permit object SMQF_YK_Connect 192.168.30.0 255.255.255.0 object SG_Antares_SMQ

access-list ACL_SMQF extended permit tcp 192.168.30.0 255.255.255.0 object SG_Antares_SMQF_Server eq ftp

access-list ACL_FIS extended permit tcp 192.168.40.0 255.255.255.192 object SG_FIS_Server eq ftp

access-list ACL_COGX extended permit tcp 192.168.50.0 255.255.255.192 object SG_Antares_SMQF_Server object

access-list ACL_COGX-IN remark Allow TCP Ports 20301-20302 to SGNet

access-list ACL_COGX-IN extended permit tcp host 192.168.50.2 host 10.200.5.22 eq 20301

access-list ACL_COGX-IN extended permit tcp host 192.168.50.2 host 10.200.5.22 eq 20302

access-list ACL_COGX-IN extended permit tcp host 192.168.50.3 host 10.200.5.22 eq ftp

access-list ACL_COGX-IN remark Deny All other trafic

access-list ACL_COGX-IN extended deny ip 192.168.50.0 255.255.255.192 any

access-list ACL_ANTARES extended permit ip 192.168.40.0 255.255.255.192 object SG_Antares_SMQF_Server

pager lines 24

logging enable

logging asdm debugging

mtu management 1500

mtu SG_Net 1500

mtu YOK_VLAN 1500

mtu BOT_VLAN 1500

mtu COG_VLAN 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-712.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

object network obj-192.168.30.30

nat (YOK_VLAN,SG_Net) static 10.200.5.225 net-to-net

object network obj-192.168.30.2

nat (YOK_VLAN,SG_Net) static 10.200.5.225 net-to-net

object network obj-192.168.30.3

nat (YOK_VLAN,SG_Net) static 10.200.5.225 net-to-net

object network obj-192.168.40.2

nat (BOT_VLAN,SG_Net) static 10.200.5.226 net-to-net

access-group ACL_COGX-IN in interface COG_VLAN

route SG_Net 0.0.0.0 0.0.0.0 10.200.5.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 management

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 10.201.1.39 source SG_Net prefer

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:e64886d2e1d1e3449721b3aa0944bfd0

: end ASA Version 9.0(2)
!
hostname ASA-CO0011-VASCH-01
enable password 792XWCseaD5YPLGJ encrypted
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session permit tcp any4 any4
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
channel-group 20 mode active
no nameif
no security-level
no ip address
!
interface Ethernet0/1
channel-group 20 mode active
no nameif
no security-level
no ip address
!
interface Ethernet0/2
channel-group 20 mode active
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Port-channel20 (Corporate)
nameif SG_Net
security-level 0
ip address 10.200.5.19 255.255.255.0
!
interface Port-channel20.40
description VLAN for YK DCS
vlan 40
nameif YOK_VLAN
security-level 100
ip address 192.168.30.1 255.255.255.0
!
interface Port-channel20.50
description VLAN for BT Line
vlan 50
nameif BOT_VLAN
security-level 100
ip address 192.168.40.1 255.255.255.192
!
interface Port-channel20.60 (Industrial)
vlan 60
nameif COG_VLAN
security-level 0
ip address 192.168.50.1 255.255.255.192
!
boot system disk0:/asa902-k8.bin
ftp mode passive
clock timezone COST -5
object service SMQF_YK_Connect
service tcp destination range 10300 10310
object network obj-192.168.30.30
host 192.168.30.30
object network obj-192.168.30.2
host 192.168.30.2
object network obj-192.168.30.3
host 192.168.30.3
object network SG_Antares_SMQF_Server
host 10.200.5.22
description Antares SMQF Server
object network YK_FTP
host 192.168.30.30
object network obj-192.168.40.2
host 192.168.40.2
object network SG_FIS_Server
host 10.200.5.20
description FIS Server for labeling
object service ANTARES_CG_Connnect
service tcp destination range 20301 20302
object network obj-192.168.50.3
host 192.168.50.3
object-group icmp-type ping-service
description allow ping
icmp-object echo
object-group service grp_SMQF tcp
port-object range 10300 10310
object-group service grp_ANTARES_CG tcp
port-object range 20301 20302
access-list ACL_SMQF extended permit object SMQF_YK_Connect 192.168.30.0 255.255.255.0 object SG_Antares_SMQ
access-list ACL_SMQF extended permit tcp 192.168.30.0 255.255.255.0 object SG_Antares_SMQF_Server eq ftp
access-list ACL_FIS extended permit tcp 192.168.40.0 255.255.255.192 object SG_FIS_Server eq ftp
access-list ACL_COGX extended permit tcp 192.168.50.0 255.255.255.192 object SG_Antares_SMQF_Server object
access-list ACL_COGX-IN remark Allow TCP Ports 20301-20302 and ftp to SGNet
access-list ACL_COGX-IN extended permit tcp host 192.168.50.3 host 10.200.5.22 eq 20301
access-list ACL_COGX-IN extended permit tcp host 192.168.50.3 host 10.200.5.22 eq 20302
access-list ACL_COGX-IN extended permit tcp host 192.168.50.3 host 10.200.5.22 eq ftp
access-list ACL_COGX-IN remark Deny All other trafic
access-list ACL_COGX-IN extended deny ip 192.168.50.0 255.255.255.192 any
access-list ACL_ANTARES extended permit ip 192.168.40.0 255.255.255.192 object SG_Antares_SMQF_Server
pager lines 24
logging enable
logging asdm debugging
mtu management 1500
mtu SG_Net 1500
mtu YOK_VLAN 1500
mtu BOT_VLAN 1500
mtu COG_VLAN 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj-192.168.30.30
nat (YOK_VLAN,SG_Net) static 10.200.5.225 net-to-net
object network obj-192.168.30.2
nat (YOK_VLAN,SG_Net) static 10.200.5.225 net-to-net
object network obj-192.168.30.3
nat (YOK_VLAN,SG_Net) static 10.200.5.225 net-to-net
object network obj-192.168.40.2
nat (BOT_VLAN,SG_Net) static 10.200.5.226 net-to-net
access-group ACL_COGX-IN in interface COG_VLAN
route SG_Net 0.0.0.0 0.0.0.0 10.200.5.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.201.1.39 source SG_Net prefer
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e64886d2e1d1e3449721b3aa0944bfd0
: end

when I check the log viewer follow the IP source the message is:

Syslog ID: 106001

Description: Inbound TCP Connection denied from 192.168.50.2/1065 to 10.200.5.22/21 flags SYN on interface COG_VLAN

I'll apreciate your comments about it.

Kind Regards,

G.FUENTES.-

ASA 5510 ACL issue

Jouni Forss — Fri, 10 May 2013 01:10:19 GMT

Hi,

Your log message refers to the source IP address of 192.168.50.2.

Though it seems you have allowed traffic only for the source IP address 192.168.50.3

- Jouni

Re: ASA 5510 ACL issue

Jouni Forss — Fri, 10 May 2013 01:15:17 GMT

Actually,

It seems your source and destination interface are of the same "security-level 0"

Can you add the following configuration

same-security-traffic permit inter-interface

Or you can change the "security-level" value of the source interface (for example) to something else then "0" and it should probably work.

- Jouni

Re: ASA 5510 ACL issue

fuenteslg — Fri, 10 May 2013 01:23:36 GMT

Sorry, it was my typing mistake, the address is ending in .3

Sent from Cisco Technical Support iPad App

Re: ASA 5510 ACL issue

fuenteslg — Fri, 10 May 2013 01:25:10 GMT

In fact I tried with that configuration and nothing happen. Same result. I don't know if is necessary put some static route, maybe.

Sent from Cisco Technical Support iPad App

Re: ASA 5510 ACL issue

Jouni Forss — Fri, 10 May 2013 01:29:40 GMT

Hi,

Can you take the output of this command

packet-tracer input GOC_VLAN tcp 192.168.50.3 12345 10.200.5.22 21

This would simulate the packet coming from the specified source interface with the specified protocol with the mentioned source/destination IP addresses and ports. Its a great tool to find out what the firewall WOULD do to a connections and IS doing at the moment.

With regards to your current setup it seems that there is no NAT configured for the source host 192.168.50.3

This would mean that the FTP server should have a route towards the network 192.168.50.0/24 that in the end is found through the interface IP address of the ASA interface named SG_Net

Or alternatively you could use Dynamic PAT or Static NAT to translate it to the destination interfaces connected networks IP address (if that is a network that the FTP server has a route for)

- Jouni

Re: ASA 5510 ACL issue

fuenteslg — Fri, 10 May 2013 01:50:15 GMT

I'll check it, for now the access-group is well applied over the industrial interface or bust be applied over corporate interface?

Sent from Cisco Technical Support iPad App

ASA 5510 ACL issue

Jouni Forss — Fri, 10 May 2013 02:20:31 GMT

Hi,

The ACL is now attached to the interface GOC_VLAN in the direction "in" so it should we controlling traffic incoming from network 192.168.50.0/26 to other networks.

But coming back to the "security-level"

You will have to have a either "same-security-traffic permit inter-interface" command or change the "security-level" so that they are not equal to eachother.

Can you copy/paste the output of the above "packet-tracer" command here? It should tell us if the ASA configurations are ok

Also one configuration that hits my eye is the fact that SG_Net interface is configured directly on the Port-channel20 interface. I would configure it as a own VlanID as Sub Interface of Po20.

- Jouni