topic Implisit Rule ASA 5505 in Network Security

Implisit Rule ASA 5505

aeronav01 — Fri, 21 Feb 2020 13:04:39 GMT

HI, i just got an ASA 5505 and iam trying to get to the internet and i cant , i traced the problem to an implicit rule that can't be deleted or changes that denys outside ip any>any. how can i solve this ?

Thanks

Re: Implisit Rule ASA 5505

Karsten Iwen — Tue, 31 Dec 2013 07:34:58 GMT

Each ACL that is bound to an interface has an invisible "deny ip any any" statement (there are exceptions to that with global ACLs on the ASA). That is the implicit deny. You can't remove that entry but you can force your ASA to never reach that Access-List-Entry. Just add an "permit ip any any" as the last line to your ACL.

Sent from Cisco Technical Support iPad App

Re: Implisit Rule ASA 5505

aeronav01 — Wed, 01 Jan 2014 20:43:05 GMT

I already made an ACL to permit any>any ip now i still can't get to the router's interface (the ASA exteral Ethernet is connected to the router's internal ethernet port) i already did static nat on the ASA'S internal network which is (192.168.1.0/24) to be translated into the external ASA's entherner (which is 192.168.0.0/24) which is also the router's internal network.

Do you think that imight be missing something else?

Oh and i alreday added static route to any netwotk to the router IP address as a default gateway for the ASA to get to the internet.

Thank you.

Implisit Rule ASA 5505

Jon Marshall — Thu, 02 Jan 2014 13:01:08 GMT

Perhaps you could post your config minus any public IP info ?

Jon

Implisit Rule ASA 5505

aeronav01 — Fri, 03 Jan 2014 09:34:43 GMT

hostname ciscoasa

domain-name nav.info

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 192.168.0.1 router description router

name 192.168.1.10 WebServer-Internal

name 192.168.0.0 Outside-network

name 192.168.0.10 WebServer-External

name 192.168.1.6 Aeroresearcher-IN

name 192.168.0.230 Aeroresearcher-OUT

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

switchport access vlan 5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 192.168.0.6 255.255.255.0

interface Vlan5

no nameif

security-level 50

ip address dhcp

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 4.4.4.2

domain-name nav.info

object-group service DM_INLINE_SERVICE_1

service-object tcp-udp

service-object ip

service-object tcp eq www

service-object tcp eq https

service-object udp eq snmp

service-object udp eq snmptrap

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

protocol-object icmp

protocol-object icmp6

object-group protocol DM_INLINE_PROTOCOL_2

protocol-object ip

protocol-object icmp

protocol-object icmp6

object-group protocol DM_INLINE_PROTOCOL_3

protocol-object ip

protocol-object icmp

protocol-object icmp6

object-group protocol DM_INLINE_PROTOCOL_4

protocol-object ip

protocol-object icmp

protocol-object icmp6

object-group protocol DM_INLINE_PROTOCOL_5

protocol-object ip

protocol-object icmp

protocol-object icmp6

access-list testvpn2_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 a

ny interface outside

access-list outside_access_in extended permit ip any any

access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_3

any any

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 a

ny any

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 a

ny any

access-list inside_authentication extended deny tcp any any

access-list inside_access_out extended permit ip any any

access-list inside_access_out extended permit object-group DM_INLINE_PROTOCOL_5

any any

access-list outside_access_out extended permit ip any any

access-list outside_access_out extended permit object-group DM_INLINE_PROTOCOL_2

any any

access-list inside_nat0_outbound extended permit ip any 192.168.1.192 255.255.25

5.224

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 19

2.168.1.208 255.255.255.240

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool vpn 192.168.1.100-192.168.1.200 mask 255.255.255.0

ip local pool vpn2 192.168.1.205-192.168.1.210 mask 255.255.255.255

ip local pool vpn3 192.168.1.215-192.168.1.220 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 192.168.0.8-192.168.0.15 netmask 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) Outside-network 192.168.1.0 netmask 255.255.255.0

access-group inside_access_in in interface inside

access-group inside_access_out out interface inside

access-group outside_access_in in interface outside

access-group outside_access_out out interface outside

route outside 0.0.0.0 0.0.0.0 router 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication match inside_authentication inside LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128

-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256

-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map inside_map interface inside

crypto isakmp enable inside

crypto isakmp enable outside

crypto isakmp policy 10

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy testvpn2 internal

group-policy testvpn2 attributes

vpn-tunnel-protocol IPSec

default-domain value nav.info

group-policy testvpn2_1 internal

group-policy testvpn2_1 attributes

dns-server value 4.4.4.2

vpn-tunnel-protocol IPSec

Implisit Rule ASA 5505

Karsten Iwen — Fri, 03 Jan 2014 11:10:01 GMT

Your ACL-implemetation (and much of the complete config) is a real mess (sorry to say that).

Please specify what you want to achieve and then let's work out how the config should be modified.

How should the outbound traffic be controlled?
Do you need inbound traffic?
Where are your VPN-clients?
which version are you running?
Do you really have private addresses on the outside interface? If yes, do you have control over the router in front of your ASA?

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Implisit Rule ASA 5505

aeronav01 — Fri, 03 Jan 2014 18:43:03 GMT

Thanks Karsten,

I need inbound traffic to be able to go back to the internet and browse HTTP,HTTPS i have a VPN setup and iam using VPN cleint software, everything works fine in the vpn but when i disable split tunneling(which is what i want to do) the vpn clients can't go to the internet (naturally because my internal network can't) , the vpn pool i set up is in the same internal network ip range.

When i first got the ASA i did a change in the CLI which i learned which is to allow http and https to my web server by creating an access list specifying the IP of my server, the only computer that can go to the internet from the internal network is my webserver computer.I am not sure which version you are refering to here, the ASDM version is (6.4).

The answers to your number 5 is YES,YES.

Thanks

Implisit Rule ASA 5505

Karsten Iwen — Fri, 03 Jan 2014 19:16:01 GMT

I am not sure which version you are refering to here, the ASDM version is (6.4).

I'm refering to the ASA-version. You see the version with "show version" at the top of the output.

The answers to your number 5 is YES,YES.

is it a DSL-router (PPPoE?) that you can reconfigure to bridge-mode? With that, the public IP that is now on that router would be moved to the ASA. With that you have more control over the needed functions like NAT. The rest of the config is dependant on that so we have to figure that out first.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Implisit Rule ASA 5505

aeronav01 — Fri, 03 Jan 2014 21:30:25 GMT

This is the router which is actally a modem and a router and an access point (3 in 1): http://www.motorola.com/us/SBG6580-SURFboard%C2%AE-eXtreme-Wireless-Cable-Modem/70902.html but if there is bridging in the router (which i dobt it) then what is the static route on the ASA going to be ? (Now the static route on the asa is >OUTSIDE INTERFACE>NETWORK ANY>GATEWAY> (the router's internal IP addess).

Re: Implisit Rule ASA 5505

Karsten Iwen — Sat, 04 Jan 2014 11:27:19 GMT

Based on your needs I would try to reduce the complexity of the config:

1) NAT

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html

As you are doing NAT on the cable-router, you can remove NAT completely from the ASA.

For that the cable router needs a route for all internally used networks pointing to your ASA. You can configure a static route on the Motorola-router for 192.168.0.0 255.255.0.0 pointing to your ASA-address 192.168.0.6. That one is really important. Without that route not outbound traffic will work.

The router also needs to send all traffic that arrives on the external interface to the ASA. This function is often named "exposed host" or "DMZ-host". Thats for you incoming traffic like VPN.

On the ASA disable all NAT:

clear configure nat

clear configure global

clear configure static

clear configure access-list inside_nat0_outbound

no nat-control

2) Access-Control

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/acl_overview.html

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_nw.html

If you don't want to control outgoing traffic you can remove all access-control in outboud direction. The Access-control in inbound direction can be skipped if you don't have internal hosts that sould be reachable from outside:

no access-group inside_access_in in interface inside

no access-group inside_access_out out interface inside

no access-group outside_access_in in interface outside

no access-group outside_access_out out interface outside

clear configure access-list outside_access_in

clear configure access-list inside_access_out

clear configure access-list outside_access_in

clear configure access-list outside_access_out

no object-group service DM_INLINE_SERVICE_1

no object-group protocol DM_INLINE_PROTOCOL_1

no object-group protocol DM_INLINE_PROTOCOL_2

no object-group protocol DM_INLINE_PROTOCOL_3

no object-group protocol DM_INLINE_PROTOCOL_4

no object-group protocol DM_INLINE_PROTOCOL_5

3) For hairpinning vpn-traffic you have to allow that trafic enters and leaves the same interface:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1061479

same-security-traffic permit intra-interface

4) For firewalling there are the typical inspections missing:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_overview.html

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

inspect icmp error

inspect http

service-policy global_policy global

5) Your VPN-config allows many insecure and unneeded algorithms and it's unlikely that you need VPN on the inside interface:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ike.html

no crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-MD5 ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

no crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

no crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

no crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

no crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

no crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

no crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5

no crypto map inside_map interface inside

no crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

no crypto isakmp enable inside

It's likely that there is still something missing. But that could be the starting-point for your further config.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: Implisit Rule ASA 5505

aeronav01 — Mon, 06 Jan 2014 06:13:31 GMT

Thank you much, there is one thing though, the router doesn't have any NAT options so, what if i wanna do it with the current config. i mean with the addition of your suggested config. what is the final config would look like? oh and there is something else, when i do a packet trace to the router's int. (192.168.0.1) or any other host on the internet, sometimes it says allowed but i can't actually get to it, and sometimes it says Denied or dropped and when i trace the ACL that drops it, i see that it is one of the implisit access lists!! it is a little confusing..i mean it is not really black and white thing.

Thanks