topic ASA 5505 Transparent Firewall with a Web server Question in Network Security

ASA 5505 Transparent Firewall with a Web server Question

don_chuks — Fri, 21 Feb 2020 12:42:57 GMT

I have the need to replace my Sonicwall firewall and I got an ASA 5505. However, I need to have a transparent firewall, no Natting and Web server will have a public IP address with relevant ports kept open.

The simple illustration is Internet ---------------->Transparent Firewall--------------------------------Web Server(With public IP Address)

1. There should be no natting

2. The web server must have a public IP and be accessible from the internet.

3. Ports can be blocked or re-opened.

Please let me know if its possible to have this arrangement.

If yes, can I get a command line sequence that enables this to work.

My version is

Cisco Adaptive Security Appliance Software Version 8.4(4)5

Device Manager Version 6.4(9)

Thanks in advance

Message was edited by: Don Chuks

ASA 5505 Transparent Firewall with a Web server Question

Karsten Iwen — Thu, 23 Aug 2012 08:22:37 GMT

Yes that can be done with the ASA. The procedere is specified in the config-guide. First go through the config of transparent firewall:

http://www.cisco.com/en/US/partner/docs/security/asa/asa84/configuration/guide/mode_fw.html

Then configure your access-control:

http://www.cisco.com/en/US/partner/docs/security/asa/asa84/configuration/guide/access_rules.html

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

ASA 5505 Transparent Firewall with a Web server Question

don_chuks — Thu, 23 Aug 2012 14:26:09 GMT

The URL's are not working for me. Says they either broken or that I do not have access

Can I get the text on here?

ASA 5505 Transparent Firewall with a Web server Question

Samuel Petrescu — Thu, 23 Aug 2012 15:01:29 GMT

This is a minimal configuration for your need (is running on ASA 5520).

!
firewall transparent
!
interface GigabitEthernet0
description --- Connected to the Internet ---
nameif outside
bridge-group 1
security-level 0
!
!
interface GigabitEthernet3
description --- Connected to LAN ---
nameif inside
bridge-group 1
security-level 100
!
!

interface BVI1

description --- For Management only ---
ip address 10.1.10.1 255.255.255.0
!

!
object network WWW-SERVER-OBJ
description --- The WEB server ----
host 123.123.123.123

!
!
object-group service WWW-SERVER-SERVICES-TCP-OBJ tcp
description --- Serices published on WEB server ----
port-object eq www
port-object eq https
!
!
access-list OUTSIDE-IN-ACL extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ
!
!
access-group OUTSIDE-IN-ACL in interface outside
!

Samuel Petrescu

ASA 5505 Transparent Firewall with a Web server Question

don_chuks — Thu, 23 Aug 2012 17:34:39 GMT

when I apply this config, system remains inaccessible from outside.The system does not get to the internet as well

below is my sho run

ciscoasa(config)# sho run

: Saved

ASA Version 8.4(4)5

firewall transparent

hostname ciscoasa

enable password msi14F/SlH4ZLjHH encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

switchport access vlan 2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

nameif inside

security-level 100

interface Vlan2

nameif outside

bridge-group 1

security-level 0

interface BVI1

description --- For Management only ---

ip address x.x.x.x 255.255.255.252

ftp mode passive

object network WWW-SERVER-OBJ

host y.y.y.y

description --- The WEB server ----

object-group service WWW-SERVER-SERVICES-TCP-OBJ tcp

description --- Serices published on WEB server ----

port-object eq www

port-object eq https

access-list OUTSIDE-IN-ACL extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ

pager lines 24

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

access-group OUTSIDE-IN-ACL in interface outside

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

prompt hostname context

Cryptochecksum:fdda72841b7b2d386dccbed6b996d2af

: end

ASA 5505 Transparent Firewall with a Web server Question

Samuel Petrescu — Thu, 23 Aug 2012 17:41:35 GMT

You forgot this:

interface Vlan1

nameif inside

security-level 100

bridge-group 1

ASA 5505 Transparent Firewall with a Web server Question

don_chuks — Thu, 23 Aug 2012 17:52:36 GMT

Thanks

When I do that, there is a big change but I still cannot access http/https

Also when I ping the station, no luck

I also tried RDP but no luck

Thanks indeed for all the help

Re: ASA 5505 Transparent Firewall with a Web server Question

Samuel Petrescu — Thu, 23 Aug 2012 18:09:56 GMT

Also, you don't have any interface in vlan1

If interface Ethernet0/2 wants to be inside interface (where server is connected) this should belongs to vlan1. (not valn 2)

Run:

interface e0/2

switchport access vlan 1

Connect the internet cable to Ethernet0/0

Also by default ICMP will not pass through, you have to allow it.

Also in this configuration only http and https is allowed, if you want to rdp in, you have to allow it.

Thank you

Samuel Petrescu

ASA 5505 Transparent Firewall with a Web server Question

don_chuks — Thu, 23 Aug 2012 18:17:48 GMT

Thanks.

I made the change. System is plugged into Et0/1 and the internet cable is plugged into Et0/0

When I show Et0/0 I get and show vlan is as below

ciscoasa(config)# show int et0/1

Interface Ethernet0/1 "", is up, line protocol is up

Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

Input flow control is unsupported, output flow control is unsupported

Available but not configured via nameif

MAC address 5475.d0fc.ad1b, MTU not set

IP address unassigned

44852 packets input, 4149552 bytes, 0 no buffer

Received 36135 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 pause input, 0 resume input

0 L2 decode drops

0 switch ingress policy drops

6939 packets output, 1563776 bytes, 0 underruns

0 pause output, 0 resume output

0 output errors, 0 collisions, 0 interface resets

0 late collisions, 0 deferred

0 rate limit drops

0 switch egress policy drops

0 input reset drops, 0 output reset drops

ciscoasa(config)# show switch vlan

VLAN Name Status Ports

---- -------------------------------- --------- -----------------------------

1 inside up Et0/1, Et0/2, Et0/3, Et0/4

Et0/5, Et0/6, Et0/7

2 outside up Et0/0

ciscoasa(config)#

ASA 5505 Transparent Firewall with a Web server Question

Samuel Petrescu — Thu, 23 Aug 2012 18:53:48 GMT

Now looks good.

To allow icmp from outside (the easy way):

access-list OUTSIDE-IN-ACL extended permit icmp any any

fixup protocol icmp

Thnak you

Sam

ASA 5505 Transparent Firewall with a Web server Question

don_chuks — Thu, 23 Aug 2012 19:32:10 GMT

Thanks Samuel.

However, I am wondering if this solution is really possible.

I had spoken to many networking people around and they say its only sonicwall that supports that mode.

Strangely, its been more than a week and the nearest to it is your solution above.We had tried a paid approach but most the people simply did not get back because they say its only possible with NAT.

Http/https traffic is still not passing not sure why.

Is there a way to just allow everything without bypassing the firewall?

That way, we can get to know why its not allowing http/https traffic

Thanks indeed for all the help, its given us a ray of hope

ASA 5505 Transparent Firewall with a Web server Question

Samuel Petrescu — Thu, 23 Aug 2012 20:16:37 GMT

From preview e-mails I understood the server has the public IP, and wanted to be in this way.
The solution for this, is transparent firewall, but this will not do NAT and you don’t need NAT in this situation.

To allow everything:
access-list OUTSIDE-IN-ACL extended permit ip any any
access-group OUTSIDE-IN-ACL in interface outside

I don’t know why you want server to have the public IP (maybe is a reason).

The professional solution is to use the firewall in routed mode, and the server to have a private IP.
Instead of server having the public IP, the firewall will have that public IP, and when a http request is made to that public IP, the firewall will forward traffic inside to the server.
In this situation NAT is needed, and will work.

Or maybe server doesn't really have the public Ip?

Thank you
Sam

ASA 5505 Transparent Firewall with a Web server Question

don_chuks — Thu, 23 Aug 2012 20:26:22 GMT

Thanks Samuel

You are correct

We have an application that can only work with a public IP address

It does not support NAT

So I deally what we need is where this firewall can protect on the webserver

We open the ports that we need including http and https

If there is a way to make the server see the internet in this configuration, that will do it

Even when we allow everything it still wont allow http traffic.

I strngly think your solution is very close to it.

Unfortunately, I cant seem to be able to open the URL posted in the first reply.

Thanks

Yes that can be done with the ASA. The procedere is specified in the config-guide. First go through the config of transparent firewall:

http://www.cisco.com/en/US/partner/docs/security/asa/asa84/configuration/guide/mode_fw.html

Then configure your access-control:

http://www.cisco.com/en/US/partner/docs/security/asa/asa84/configuration/guide/access_rules.html

Re: ASA 5505 Transparent Firewall with a Web server Question

Samuel Petrescu — Thu, 23 Aug 2012 23:01:10 GMT

The error is: "Management interface has to have IP from the same subclass as your public ip on the server"

This, even if you don't use it for management.

interface BVI1

description --- For Management only ---
ip address "public ip" subnetmask

I built a test environment to verify, and without this management ip from correct subnet, arp protocol will fail.

ciscoasa(config)# debug arp

debug arp enabled at level 1

arp-in: Arp packet received from 173.x.x.x which is in different subnet than the connected interface 0.0.0.0/255.255.255.255

Samuel Petrescu

ASA 5505 Transparent Firewall with a Web server Question

don_chuks — Fri, 24 Aug 2012 05:07:21 GMT

Thanks Samuel.

It works. Strangely I did everything afresh but it allowed http and https, and rdp works. This I am not sure why RDP works.

Sorry, I keep asking. I intend to open some udp ports as well UDP/TCP 1812,1813, 1845,1846,3799, 10100,10200, 10300, 20235

Will let you know how that goes though I am yet to figure out how to block UDP ports.

See access list and see if you can see why RDP works

ciscoasa(config)# show access-list OUTSIDE-IN-ACL

access-list OUTSIDE-IN-ACL; 3 elements; name hash: 0x585e19e6

access-list OUTSIDE-IN-ACL line 1 extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ (hitcnt=16) 0x28efdb7f

access-list OUTSIDE-IN-ACL line 1 extended permit tcp any host xxx.yy.zzz.mmm eq www (hitcnt=2) 0x6a290a4e

access-list OUTSIDE-IN-ACL line 1 extended permit tcp any host xxx.yy.zzz.mmm eq https (hitcnt=14) 0x41cdf538

access-list OUTSIDE-IN-ACL line 2 extended permit ip any any (hitcnt=186) 0x74278021

Re: ASA 5505 Transparent Firewall with a Web server Question

Samuel Petrescu — Fri, 24 Aug 2012 11:02:02 GMT

Is allowed everything because of last line "access-list OUTSIDE-IN-ACL line 2 extended permit ip any any"

You have to take it out.

This is how should look:

object-group service WWW-SERVER-SERVICES-TCP-OBJ tcp

description --- Serices TCP published on WEB server ----

port-object eq 80

port-object eq 443

port-object eq 1812

port-object eq 1813

port-object eq 1845

port-object eq 1846

port-object eq 3799

port-object eq 10100

port-object eq 10200

port-object eq 10300

port-object eq 20235

object-group service WWW-SERVER-SERVICES-UDP-OBJ udp

description --- Serices UDP published on WEB server ----

port-object eq 1812

port-object eq 1813

port-object eq 1845

port-object eq 1846

port-object eq 3799

port-object eq 10100

port-object eq 10200

port-object eq 10300

port-object eq 20235

access-list OUTSIDE-IN-ACL extended permit tcp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-TCP-OBJ

access-list OUTSIDE-IN-ACL extended permit udp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-UDP-OBJ

You can customize access based on this template

Samuel Petrescu

Re: ASA 5505 Transparent Firewall with a Web server Question

Samuel Petrescu — Fri, 24 Aug 2012 11:13:17 GMT

This will allow only specified ports TCP/UDP, everything else will be blocked, because an implicit rule at the end of the ACL "deny ip any any"

ASA 5505 Transparent Firewall with a Web server Question

don_chuks — Sat, 25 Aug 2012 14:21:56 GMT

Thanks a great deal Samuel.

It works great now. If only you know how many people that said the solution is no possible, you will be surprised.

Thanks once again

To allow icmp from outside (the easy way):

access-list OUTSIDE-IN-ACL extended permit icmp any any

fixup protocol icmp

Do you have the elaborate way of doing it? It helps the learning process I think.

Re: ASA 5505 Transparent Firewall with a Web server Question

Samuel Petrescu — Sat, 25 Aug 2012 17:39:23 GMT

By default icmp traffic is not inspected by asa, and will not be allowed to pass through.
“fixup protocol icmp” is old way to tell asa to inspect icmp, but is still working with newer versions of IOS.

access-list OUTSIDE-IN-ACL extended permit icmp any any will allow all types of icmp from anywhere to anywhere, but from security standpoint is not recommended.

A better way to allow ICMP (ping) from outside is:

object-group icmp-type WWW-SERVER-SERVICES-ICMP-OBJ
icmp-object echo

        icmp-object echo-reply
        icmp-object unreachable
        icmp-object time-exceeded
        icmp-object source-quench

access-list OUTSIDE-IN-ACL extended permit icmp any object WWW-SERVER-OBJ object-group WWW-SERVER-SERVICES-ICMP-OBJ

Samuel Petrescu

ASA 5505 Transparent Firewall with a Web server Question

don_chuks — Wed, 29 Aug 2012 15:14:37 GMT

Thank you!

So is there really away to say allow host ip address on port 3306?

i.e have a port open only to a particular host and block it for the rest?