topic Re: ASA routing in Network Security

ASA routing

Stuart Patton — Fri, 21 Feb 2020 16:29:50 GMT

Hello,

I currently have an ASA that has a default route out to a service provider (extranet with RFC1918 addresses plus some limited RIPE addresses). The network will be changing in the future and I need to swing that default route elsewhere. The RIPE addresses are easy to handle but the RIPE addresses are not, as they are used privately and not routable on the Internet.

Is there a low-level way I can query the ASA to see what foreign destination IP's it has received a packet for, and evaluated to match the default route? Ie, is the routing lookup cached for performance and query-able somehow? Is it exposed in some kind of debugs or through ASP tables?

Alternatively, the ASAs are connected to a 6500, 3850 and Nexus 7k so any options on those platforms that may help?

Thanks,

Stuart

Re: ASA routing

Nelson Neto — Thu, 22 Nov 2018 16:29:23 GMT

I recomment you to perform a SPAN or RSPAN (if necessary) on your switches, this way you will have the storage of that traffic.
After this you can analyze to collect the information that is needed.

As you are asking for a solution in ASA, you can do the Morror in the ASA itself (although I think it's best to do it on the Switch because it has more ports available).

SPAN configuration example in ASA:

ciscoasa# conf t
ciscoasa(config)# int eth0/0
ciscoasa(config-if)# switchport monitor eth0/1

Re: ASA routing

Dennis Mink — Sat, 24 Nov 2018 11:05:58 GMT

I dont fully undertsand the issue, but ASA;s do not function the same way as routers, in the way an ASA matches the ingress interface and requires the response to egress the same interface. so you can have two default gateways if you want, with different admin distances working at the same time on two different interfaces. I am not sure if this is gonna help you but its worth looking into.

Re: ASA routing

Steven Williams — Sat, 24 Nov 2018 23:42:51 GMT

I do not understand the question nor what info you are looking for and why? Can you expand more on the scenario please?

Re: ASA routing

Stuart Patton — Mon, 26 Nov 2018 10:06:42 GMT

@Steven Williams wrote:
I do not understand the question nor what info you are looking for and why? Can you expand more on the scenario please?

As I put above. My ASA has a default route to an extranet (the service provider doesn't offer any dynamic addressing) that uses a mixture of both RFC1918 and RIPE addresses. I have a requirement to put a default route elsewhere on my network. Therefore, I want to remove the change the default route on the ASA that currently points outwards to point inwards. I can't do this without breaking the service because I don't know what RIPE addresses are used on the extranet.

So my question is, is there any way I can query the ASA to find what foreign addresses it's routed packets to that have matched the default route?

Re: ASA routing

Marvin Rhoads — Mon, 26 Nov 2018 11:36:01 GMT

You can't query the ASA to tell you every remote destination it has ever routed to.

You can tell the ASA to "show connections" put that only gives you a point in time.

You can turn up your syslog sensitivity to log every tcp connection and udp flow and gather all that up; but that approach would quickly become unwieldy.

For what it's worth, I have seen hundreds of ASA installations and never have i seen somebody put the default route on the "inside". We often put a catch all inside route for all RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16). With that in place, if you have any more specific private addresses on the outside interface they would take precedence.

Re: ASA routing

Stuart Patton — Thu, 29 Nov 2018 18:08:58 GMT

@Marvin Rhoads wrote:

You can turn up your syslog sensitivity to log every tcp connection and udp flow and gather all that up; but that approach would quickly become unwieldy.

Ok, so I've taken a change of approach and now investigating using a searchable syslog server to track the flows but have run into a different problem. Hypothetically, let's say I have a web server behind an ASA with IP address 192.168.1.1 and I allow access from anywhere to the web server. I know some but not all of the IP addresses accessing the server (eg clients in 10.1.1.0/24).

Question: If I put a specific access rule in permitting 10.1.1.0/24 to 192.168.1.1 with logging disabled followed by a less specific rule of any to 192.168.1.1 with logging enabled, would/should this approach work? As I identify clients accessing my web server, I can add them to the first ACE to prevent logging.

I'm only interested in message 302014 (teardowns) so I can see whether they are FINs, resets or SYN timeouts etc, so the config looks like this:

access-list outside_access_in extended permit tcp object-group KNOWN_SOURCES host 192.168.1.1 eq http log disable
access-list outside_access_in extended permit any host 192.168.1.1 eq http

logging enable
logging list Syslog_events message 302014
logging trap Syslog_events
logging host management a.b.c.d

If so, then something is not right because I'm still seeing events logged against the ACE's with logging disabled. Have I missed something?

Thanks,

Stuart

Re: ASA routing

Dennis Mink — Fri, 30 Nov 2018 02:46:12 GMT

I would route using 3 sets of static routes on your ASA:

1-summary of all your internal subnets (point to your core)

2-summarize RFC 1918 and point to extranet

3-default route, pointing back inward (to whatever ISP RTR you have)

Re: ASA routing

Stuart Patton — Fri, 30 Nov 2018 09:15:49 GMT

@Dennis Mink wrote:

I would route using 3 sets of static routes on your ASA:

1-summary of all your internal subnets (point to your core)

2-summarize RFC 1918 and point to extranet

3-default route, pointing back inward (to whatever ISP RTR you have)

That's my problem though...there are some RIPE ranges being used as though they are RFC1918 so if I don't work out what they are and route to the extranet, I will lose access to those services.