topic Re: Stupid Question in Network Security

Stupid Question

majedalanni — Tue, 12 Mar 2019 01:13:44 GMT

Hi, I have the senario below

192.168.1.0/24 (192.168.1.5 log server) firewall(A) --------------tunnel -------switches-------- firewall(B) 192.168.2.0/24

Can I send logs from the switches to the firewall B and then to the firewall(A) via the tunnel with some nating or port forwarding configuration in firewall(B)?

Thanks in advance

Mike

Stupid Question

malshbou — Wed, 13 Mar 2013 18:34:30 GMT

Assuming a layer 3 switch, i would :

- configure the switch to route to firewall B as a next hop to access the log server IP

- configure some policy outside nat on the ASA for the the log traffic coming from the switch to be PATed (possibly to the interface IP)

- adding the natted IP to the interesting traffic of VPN tunnel at firewall B

- ensuring that the natted IP is part of the interesting traffic at firwall A.

Hope this helps

Mashal

Re: Stupid Question

majedalanni — Wed, 13 Mar 2013 18:59:08 GMT

They are layer 2 switches,

I configured the switches to send logs to (firewall b) public ip staticly nated to a private IP on the Firewall A but that doesn't work, I know the Idea but I don't know how to configure it!!

Mike

Re: Stupid Question

jocamare — Thu, 14 Mar 2013 03:37:56 GMT

Try:

same-security-traffic permit intra-interface

Re: Stupid Question

Patrick Moubarak — Thu, 14 Mar 2013 03:49:52 GMT

you can NAT from outside (real IP of the switch) to outside (inside the VPN tunnel)

you have to allow same-security-traffic permit intra-interface

assuming your switch IP is 2.2.2.10 and you want to nat it to 192.168.2.10 (as if it was on the inside network), here's the config on firewall B:

object network INSIDE

subnet 192.168.2.0 255.255.255.0

object network VPN

subnet 192.168.1.0 255.255.255.0

object network SWITCH

host 2.2.2.10

object network SWITCH_NAT

host 192.168.2.10

nat (inside,outside) source static INSIDE INSIDE destination static VPN VPN no-proxy-arp

nat (outside,outside) source static SWITCH SWITCH_NAT destination static VPN VPN no-proxy-arp

The first is nonat for normal VPN traffic and the second is NAT for switch.

All you need on firewall A is the equivalent nonat but the networks will be reversed (its inside as source and VPN as destination)

After a ping fron inside (B) to VPN and from switch to VPN, we have the following xlates and we get a reply:

ciscoasa(config)# show xlate

2 in use, 2 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

NAT from outside:2.2.2.10 to outside:192.168.2.10

flags s idle 0:01:06 timeout 0:00:00

NAT from inside:192.168.2.0/24 to outside:192.168.2.0/24

flags sI idle 0:00:59 timeout 0:00:00

hope that helps,

Patrick

Re: Stupid Question

majedalanni — Thu, 14 Mar 2013 14:02:46 GMT

Hi,

I already enabled same-security-traffic permit intra-interface but no luck below is my configuration (it has alot of unwanted configuration because its just a test firewall)

Also Do I need to do any configuraation in the firewall A, its a UDP syslog msg so its a one direction traffic??

ASA Version 8.2(4)

hostname test-asa5520-fw

domain-name XXXXXXXXXX

names

name 192.168.18.0 ISP1VPN

name 192.168.19.0 ISP2VPN

name 172.25.3.0 firewalla_Private

name 172.25.100.5 File-Server

interface GigabitEthernet0/0

nameif inside

security-level 100

ip address 172.25.100.1 255.255.255.0

interface GigabitEthernet0/1

description ISP1

nameif ISP1

security-level 0

ip address X.x.x.6 255.255.255.0

interface GigabitEthernet0/2

description ISP2

shutdown

nameif ISP2

security-level 0

shutdown

interface GigabitEthernet0/3

description LAN/STATE Failover Interface

shutdown

interface Management0/0

nameif wguest

security-level 90

ip address 192.168.1.1 255.255.255.0

shutdown

boot system disk0:/asa824-k8.bin

ftp mode passive

clock summer-time CDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

name-server File-Server

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service DM_INLINE_SERVICE_1

service-object icmp echo

service-object icmp echo-reply

service-object icmp time-exceeded

service-object icmp unreachable

service-object tcp eq www

service-object tcp eq https

object-group service DM_INLINE_SERVICE_2

service-object icmp echo

service-object icmp echo-reply

service-object icmp time-exceeded

service-object icmp unreachable

service-object tcp eq www

service-object tcp eq https

object-group service DM_INLINE_SERVICE_3

service-object ip

service-object icmp echo

service-object icmp echo-reply

!!access-list XXXXX-vpn-isp1_splitTunnelAcl standard permit 172.25.18.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.25.100.0 255.255.255.0 ISP1VPN 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.25.100.0 255.255.255.0 ISP2VPN 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.25.100.0 255.255.255.0 firewalla_Private 255.255.255.0

! access-list inside_nat0_outbound extended permit ip 172.25.100.0 255.255.255.0 object-group DM_INLINE_NETWORK_1

access-list inside_nat0_outbound extended permit ip 172.25.100.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.25.100.0 255.255.255.0 192.168.5.0 255.255.255.240

access-list xxxxx-vpn-isp2_splitTunnelAcl standard permit 172.25.100.0 255.255.255.0

access-list ISP1_access_in remark permit ping over ISP1 network

access-list ISP1_access_in extended permit object-group DM_INLINE_SERVICE_2 any x.x.x.0 255.255.255.0

access-list ISP1_access_in remark permit ping over ISP1 network

! access-list ISP1_access_in extended permit ip 192.168.3.0 255.255.255.0 any

access-list ISP1_access_in extended permit object-group DM_INLINE_SERVICE_3 any interface ISP1

access-list ISP1_access_in remark permit ping over ISP1 network

access-list ISP1_3_cryptomap extended permit ip 172.25.100.0 255.255.255.0 Firewalla_Private 255.255.255.0

access-list wguest_nat_outbound extended permit ip 192.168.1.0 255.255.255.0 any

access-list ISP1_1_cryptomap extended permit ip 172.25.100.0 255.255.255.0 Firewalla_Private 255.255.255.0

access-list inside_access_in extended permit ip any any

access-list inside_mpc extended permit ip host y.y.y.y host 172.25.100.21 inactive

access-list global_mpc extended permit ip any any

access-list DefaultRAGroup_splitTunnelAcl standard permit 172.25.100.0 255.255.255.0

access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 172.25.100.0 255.255.255.0

access-list cisco_splitTunnelAcl standard permit 172.25.100.0 255.255.255.0

pager lines 24

logging enable

logging trap notifications

logging asdm informational

logging facility 16

logging host inside 172.25.3.213

logging message 305013 level informational

logging message 733100 level informational

flow-export destination inside 172.25.3.53 9996

flow-export template timeout-rate 1

flow-export delay flow-create 60

mtu inside 1500

mtu ISP1 1500

mtu ISP2 1500

mtu wguest 1500

ip local pool cisco 192.168.5.5-192.168.5.10 mask 255.255.255.0

no failover

failover lan unit primary

failover lan interface failover+stateful GigabitEthernet0/3

failover polltime unit 1 holdtime 10

failover key *****

failover link failover+stateful GigabitEthernet0/3

failover interface ip failover+stateful 1.1.1.1 255.255.255.252 standby 1.1.1.2

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-711-52.bin

no asdm history enable

arp timeout 14400

nat-control

global (ISP1) 1 interface

!global (ISP2) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 172.25.100.0 255.255.255.0

nat (wguest) 1 access-list wguest_nat_outbound

static (inside,ISP1) udp interface syslog 172.25.3.213 syslog netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group ISP1_access_in in interface ISP1

route ISP1 0.0.0.0 0.0.0.0 x.x.x.1 250

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server vpn protocol radius

aaa-server vpn (inside) host File-Server

key *****

aaa authentication ssh console LOCAL

aaa authentication serial console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 wguest

http 172.25.100.0 255.255.255.0 inside

snmp-server host inside 172.25.3.52 poll community ***** version 2c

snmp-server host inside 172.25.100.31 poll community ***** version 2c

snmp-server host inside 172.25.3.213 community ***** version 2c

snmp-server host inside 172.25.3.53 poll community *****

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps ipsec start stop

snmp-server enable traps entity config-change fru-remove

snmp-server enable traps remote-access session-threshold-exceeded

service resetoutside

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set tans esp-aes esp-sha-hmac

crypto ipsec transform-set tans mode transport

crypto ipsec transform-set test esp-3des esp-md5-hmac

crypto ipsec transform-set test mode transport

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set test tans ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map ISP1_map 1 match address ISP1_1_cryptomap

crypto map ISP1_map 1 set pfs group1

crypto map ISP1_map 1 set peer z.z.z.130

crypto map ISP1_map 1 set transform-set ESP-3DES-SHA

!crypto map ISP1_map 3 match address ISP1_3_cryptomap

!crypto map ISP1_map 3 set pfs group1

!crypto map ISP1_map 3 set peer z.z.z.132

!crypto map ISP1_map 3 set transform-set ESP-3DES-SHA

crypto map ISP1_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map ISP1_map interface ISP1

!crypto map ISP2_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

!crypto map ISP2_map interface ISP2

crypto ca trustpoint LOCAL-CA-SERVER

keypair LOCAL-CA-SERVER

crl configure

crypto ca server

shutdown

crypto ca certificate chain LOCAL-CA-SERVER

certificate ca 01

3082022b 30820194 a0030201 02020101 300d0609 2a864886 f70d0101 05050030

29312730 25060355 0403131e 74657374 2d617361 35353230 2d66772e 61676e65

742e7461 6d752e65 6475301e 170d3132 31323230 32313330 31355a17 0d313531

32323032 31333031 355a3029 31273025 06035504 03131e74 6573742d 61736135

3532302d 66772e61 676e6574 2e74616d 752e6564 7530819f 300d0609 2a864886

f70d0101 01050003 818d0030 81890281 8100ad7f 9f33a786 98cf927b d2a56eac

31501ab4 8d1f9be1 b3fb0b7b 8e6f09a0 ae267fd4 9e2b7124 72f0eeae b1d02ec0

8ecd3e23 7afdf508 193ee122 024d389b c61b5be3 a300f122 f948608d 362ce9b1

697499ba 90b89e41 162d5958 6e97beac 5d75451b e045acd0 d918daa5 14b90ec8

e46d20ab 122f3a4e d9c4b1c1 b19194d3 268b0203 010001a3 63306130 0f060355

1d130101 ff040530 030101ff 300e0603 551d0f01 01ff0404 03020186 301f0603

551d2304 18301680 14230c55 9cf92cec f4e9aead 11ba6aac e077949b 6a301d06

03551d0e 04160414 230c559c f92cecf4 e9aead11 ba6aace0 77949b6a 300d0609

2a864886 f70d0101 05050003 8181002c f07ae7f8 a7740215 8f819622 f3a8e8a3

c0b9fb50 ef8d7472 606d1186 4cc686b7 9414bb35 7871c188 42c75eff 5fe05673

c2f8db46 7575f6a1 4a4f6419 a454fb3c 5069d284 34c5a7da acc8a784 0f1da7ba

f26df6b5 da08c1a9 67d09ddb c97b10ea 8641e345 01990efc 889051a6 a6d249b4

4b4d842b 5dd281a6 8ec8ef5c fa5fb1

quit

crypto isakmp enable ISP1

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp am-disable

telnet timeout 5

ssh scopy enable

ssh timeout 60

ssh version 2

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable ISP1

svc enable

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

dns-server value 172.25.100.5

vpn-tunnel-protocol l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl

default-domain value XXXXXXXX

group-policy DefaultRAGroup_1 internal

group-policy DefaultRAGroup_1 attributes

dns-server value 172.25.100.5

vpn-tunnel-protocol IPSec l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl_1

default-domain value xxxxxxxxxxxxxx

group-policy DfltGrpPolicy attributes

dns-server value 172.25.100.5

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

default-domain value xxxxxxxxxxxxx

group-policy cisco internal

group-policy cisco attributes

dns-server value 172.25.100.5

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value cisco_splitTunnelAcl

default-domain value Xxxxxxxx

tunnel-group DefaultRAGroup general-attributes

address-pool cisco

authentication-server-group vpn

default-group-policy DefaultRAGroup_1

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *****

tunnel-group DefaultRAGroup ppp-attributes

no authentication chap

authentication ms-chap-v2

tunnel-group z.z.z.130 type ipsec-l2l

tunnel-group z.z.z.130 ipsec-attributes

pre-shared-key *****

tunnel-group cisco type remote-access

tunnel-group cisco general-attributes

address-pool cisco

authentication-server-group vpn LOCAL

default-group-policy cisco

tunnel-group cisco ipsec-attributes

trust-point test

class-map global-class

match access-list global_mpc

class-map inside-class

match access-list inside_mpc

class-map inspection_default

match default-inspection-traffic

class-map type inspect http match-all htp

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 4096

policy-map global_policy

class inspection_default

inspect dns

inspect esmtp

inspect ils

inspect ip-options

inspect ipsec-pass-thru

inspect netbios

inspect pptp

class global-class

flow-export event-type all destination 172.25.3.53

policy-map inside-policy

class inside-class

police output 50000 1500

service-policy global_policy global

service-policy inside-policy interface inside

prompt priority state hostname

Re: Stupid Question

Patrick Moubarak — Thu, 14 Mar 2013 15:22:48 GMT

on firewall A, you have to allow syslog (udp 514) from outside to the inside syslog server.

you also have to NAT the inside syslog server to a public IP (you can instead PAT the syslog UDP port if you don't have free IP addresses...)

Re: Stupid Question

majedalanni — Thu, 14 Mar 2013 15:36:25 GMT

my both private networkx via S2S tunnel are full access no restriction at all.

Re: Stupid Question

James Leinweber — Thu, 14 Mar 2013 17:17:20 GMT

In my case the IPsec tunnel is between the firewalls, so I use identity NAT and just send the switch (and other host) syslog messages over the tunnel directly to the "real" (on-link) address of the final syslog server. Unix syslog servers can do fowarding; Cisco firewalls so far as I know will not.

-- Jim Leinweber, WI State Lab of Hygiene

Re: Stupid Question

jocamare — Thu, 14 Mar 2013 23:35:38 GMT

static (inside,ISP1) udp interface syslog 172.25.3.213 syslog netmask 255.255.255.255

Is that the statement that is suppoused to take the traffic from the SWITCH and send it to the other side of the tunnel?

Well, that's incorrect, we are natting the external IP of the ASA not the SW's IP address.

it should look something like this.

static (inside,ISP1) udp <Sw's IP>syslog <an IP on the inside, not the server's IP> syslog netmask 255.255.255.255

Then, change this too:

logging host inside 172.25.3.213

Point it to the syslog server on the other side of the VPN tunnel. Also use the syslog's server IP on the SWITCH configuration to indicate where to send the traffic.

Re: Stupid Question

majedalanni — Wed, 20 Mar 2013 16:18:10 GMT

Sorry for long responds but I was so busy

That it does not work!, so how is the packet should forward to 172.25.3.213 if I natted it to IP inside (ex. 172.25.100.250) ??

switches send packets to the firewall public IP address and then I need that pack is forward to 172.25.3.213.

Thanks

Mike

Re: Stupid Question

jocamare — Wed, 20 Mar 2013 19:30:20 GMT

The idea was to statically translate the source IP of the packet, from the sw's IP to an internal one, then the traffic will be sent to the server based on the dst IP in the packet.

But you want to do it differently, try this:

static (ISP1,ISP1) udp interface syslog 172.25.3.213 syslog netmask 255.255.255.255

nat (ISP1) 1 <sw's IP> 255.255.255.255

Then this:

no logging host inside 172.25.3.213

logging host ISP1 172.25.3.213

Re: Stupid Question

majedalanni — Wed, 20 Mar 2013 20:32:11 GMT

Either I don't understand you or you don't understand me LoL

Why do I need to change logging host, and why do I need to translate switch IP.

This is UDP and I care about one direction only from the switch to log server.

Log (172.25.3.213) ---- Firewall ---- tunnel --switch A (IP x.x.x.x ) (firewall public IP z.z.z.z)----- (172.25.100.0/24) network.

I need switch A IP x.x.x.x to send a log packet to log server, so the firewall should translate the destination from the firewall public IP (z.z.z.z) to 172.25.3.213 and send it after the firewall look for routing table for log server and route it via the tunnel.

I configured the switch log server is the firewall IP (z.z.z.z) because the switch has the default gateway router not the firewall.

Thanks

Mike

Re: Stupid Question

majedalanni — Fri, 22 Mar 2013 13:53:08 GMT

I just upgraded the firewal to 8.4.5, I did a small progress, that I can send the log to the log server but on private IP after twice nat. can I do it as its public IP, is the VPN tunnel forward the traffic if it is a public IP I tried to add my public subnet to crypto protected access list but that did not work.

Re: Stupid Question

jocamare — Sat, 23 Mar 2013 00:17:46 GMT

Running 8.4, makes this easier.

We can change the source IP address to make the traffic look like it's coming from the inside, and change the destination IP address to forward to traffic that goes to the ASA's public IP to the syslog server on the other side.

network service syslog

service udp destination eq syslog

nat (outside,outside) source static destination static service syslog syslog

Using that command:

This

src:sw dst: ASA's public

becomes this:

src:int IP dst: syslog server

Re: Stupid Question

majedalanni — Mon, 25 Mar 2013 13:30:32 GMT

yes I was able to send the log to the log server but the problem I faced that all the switches using the same internal IP. I tried to send it but not changing the source ip to internal one but that's not work. So I will keep trying or if you can think something help. if that does not work my only solution is to nat each switch to an unique internal ip and send the log to the log server and Identify them by internal IP.

Re: Stupid Question

James Leinweber — Mon, 25 Mar 2013 18:49:31 GMT

If you have configured the "hostname XXX" on the switches that name should be included in the syslog messages.

-- Jim Leinweber

Re: Stupid Question

jocamare — Mon, 25 Mar 2013 19:28:39 GMT

Try it this way:

nat (outside,outside) source static destination static service syslog syslog

This will keep the source IP intact, but you have to make sure to include the addresses of the switches in the Access-lists that define the VPN's interesting traffic, like this:

access-list ISP1_3_cryptomap extended permit ip Firewalla_Private 255.255.255.0

Re: Stupid Question

majedalanni — Tue, 26 Mar 2013 17:56:57 GMT

it doesn't work looks the packet not passing the VPN

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,outside) source static mypc mypc destination static interface server service syslog syslog
Additional Information:
NAT divert to egress interface outside
Untranslate firewallip/514 to logserver/514

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit object syslog object mypc object server
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,outside) source static sw sw destination static interface logserver service syslog syslog

Additional Information:
Static translate sw ip/1065 to firewalla ip/1065

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Re: Stupid Question

jocamare — Tue, 26 Mar 2013 18:00:07 GMT

Can you attach the current configuration of the ASA as a reply for this post?

Also, please specify the IP address of the Sw.