ASA5505 firewall rule not blocking

wwilliam
Cisco Employee

I'm trying to troubleshoot an ASA5505.

The original goal was to block "Mumble/Murmur" (a voip app) traffic, which runs on TCP/UDP 64738, both inbound and outbound, except to a certain host (63.223.117.170).

However, when nothing I tried seemed to make a difference, just to troubleshoot, I decided to try blocking all inbound traffic.  I first disconnected ethernet port 0/0 to ensure that it was cabled correctly and the outside interface went down when I did.  That worked as expected, so I confirmed I had the right interface and it was cabled correctly.

I then applied a "any any deny ip" rule as the first element in the outside interface access_list, as you can see below.  However, it appears to have had no real effect and the hit count is very low (it should be astronomical).

Can anyone tell me why such a deny any any rule would not be taking effect? I'm sure I'm missing something simple, but whatever it is, is escaping me.

-----------------

show ver

Cisco Adaptive Security Appliance Software Version 9.0(2)
Device Manager Version 7.1(2)
Compiled on Thu 21-Feb-13 13:10 by builders
System image file is "disk0:/asa902-k8.bin"
Config file at boot was "startup-config"

show switch vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -----------------------------
1    inside                           up        Et0/1, Et0/2, Et0/3, Et0/4
                                                Et0/6, Et0/7
2    outside                          up        Et0/0
3    dmz                              up        Et0/5

interface Ethernet0/0
description outside
switchport access vlan 2
!
interface Ethernet0/1
description inside
interface Ethernet0/5
switchport access vlan 3
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
description DMZ
nameif dmz
security-level 50
ip address 10.1.1.1 255.255.255.0

object network mc_server
host 63.223.117.170
object-group service Mumble tcp-udp
description Mumble VOIP protocol
port-object eq 64738

access-list outside_access_in extended deny ip any any
access-list outside_access_in extended permit icmp any4 any4 echo-reply
access-list outside_access_in extended permit tcp any4 object webserver_smtp eq smtp
access-list outside_access_in extended permit tcp any4 object webserver_smtp object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any4 object webserver_ssh_host eq ssh
access-list outside_access_in extended permit object xbox_udp_88 any4 object xbox_port_88
access-list outside_access_in extended permit object xbox_tcp_3074 any4 object xbox_tcp_port_3074
access-list outside_access_in extended permit object xbox_udp_3074 any4 object xbox_udp_port_3074
access-list outside_access_in extended permit tcp any4 object Tower_SSH eq ssh
access-list outside_access_in extended permit ip any4 object xbox
access-list outside_access_in extended permit ip object mc_server any
access-list outside_access_in extended deny object-group TCPUDP any any4 object-group Mumble

nat (dmz,outside) after-auto source dynamic obj_any interface

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz in interface dmz

4 Replies

Julio Carvajal
VIP Alumni

Hello Wade,

So are you saying that traffic is being accepted?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jouni Forss
VIP Alumni

Hi,

If Mumble is anything like Teamspeak, I would imagine that the host's application connects to a remote server and there aren't actually connections taken from "outside" to "inside".

Have you tried blocking this in the "inside" ACL so that the connections are never allowed to form through the firewall?

If the firewall allows the user to form the connection through once then the return traffic is allowed automatically (for that same connection that is) and the "outside" ACL will not be applied to that traffic as it has already been allowed by the "inside" ACL.

- Jouni

JouniForss wrote:

Have you tried blocking this in the "inside" ACL so that the connections are never allowed to form through the firewall?

If the firewall allows the user to form the connection through once then the return traffic is allowed automatically (for that same connection that is) and the "outside" ACL will not be applied to that traffic as it has already been allowed by the "inside" ACL.

- Jouni

Agreed. I do have

access-list inside_access_in remark Allow mumble traffic only to our own server
access-list inside_access_in extended permit object-group TCPUDP any object mc_server object-group Mumble
access-list inside_access_in extended deny object-group TCPUDP any any object-group Mumble
access-list inside_access_in extended permit ip any any

In doing some more testing though, it appears the answer is it will be nearly impossible to block.

It connects to a web server to determine the IP addresses of available servers.  It then establishes a connection with that server.  The server may be running on any port.  Using the information it learns from the web server, the client opens TCP and UDP connections.  But, since there's no guarantee what port(s) will be used, the only solution is to block access to the web server, which blocks access to all servers.  I was attempting to block access to all but one, but it appears that's not possible.
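The stateful behaviour Jouni describes (return traffic of a connection permitted by the inside ACL never reaches the outside ACL) and the port problem in the post above, as an added Python model that is not part of this thread or any Cisco code. It walks the poster's inside_access_in and the troubleshooting "deny ip any any" the way a first-match, connection-tracking firewall would; the inside client 10.0.0.50 and the second Mumble server 198.51.100.7 are constructed for the example.

```python
from collections import namedtuple

MUMBLE_PORT = 64738
MC_SERVER = "63.223.117.170"                 # the thread's "object network mc_server"
CLIENT, OTHER = "10.0.0.50", "198.51.100.7"  # constructed: an inside host, another Mumble server
Flow = namedtuple("Flow", "src dst proto sport dport")

# Reduced form of the thread's ACLs: (action, dst host or None for any, dport or None for any)
INSIDE_ACL = [
    ("permit", MC_SERVER, MUMBLE_PORT),  # permit TCPUDP any object mc_server object-group Mumble
    ("deny", None, MUMBLE_PORT),         # deny TCPUDP any any object-group Mumble
    ("permit", None, None),              # permit ip any any
]
OUTSIDE_ACL = [("deny", None, None)]     # the troubleshooting "deny ip any any" entry

def acl_lookup(acl, flow):
    # First-match evaluation, with the implicit deny at the end of every ASA ACL
    for action, dst, dport in acl:
        if (dst is None or dst == flow.dst) and (dport is None or dport == flow.dport):
            return action
    return "deny"

class StatefulFirewall:
    def __init__(self):
        self.conns = set()          # established connections, keyed by 5-tuple
        self.outside_acl_hits = 0   # what "show access-list" would count on the outside deny

    def from_inside(self, flow):
        verdict = acl_lookup(INSIDE_ACL, flow)
        if verdict == "permit":
            self.conns.add((flow.src, flow.dst, flow.proto, flow.sport, flow.dport))
        return verdict

    def from_outside(self, flow):
        # Replies that match an existing connection are passed by the connection
        # table; the outside interface ACL is never consulted for them.
        if (flow.dst, flow.src, flow.proto, flow.dport, flow.sport) in self.conns:
            return "permit (existing connection)"
        self.outside_acl_hits += 1
        return acl_lookup(OUTSIDE_ACL, flow)

def demo():
    fw = StatefulFirewall()
    r = {
        "mc_server_64738": fw.from_inside(Flow(CLIENT, MC_SERVER, "udp", 40000, MUMBLE_PORT)),
        "other_64738": fw.from_inside(Flow(CLIENT, OTHER, "udp", 40001, MUMBLE_PORT)),
        "other_5555": fw.from_inside(Flow(CLIENT, OTHER, "udp", 40002, 5555)),  # port learned from web server
        "reply_5555": fw.from_outside(Flow(OTHER, CLIENT, "udp", 5555, 40002)),
        "unsolicited": fw.from_outside(Flow(OTHER, CLIENT, "tcp", 51000, 22)),
    }
    r["outside_acl_hits"] = fw.outside_acl_hits
    return r
```

Only the unsolicited inbound connection increments the outside deny counter, which is why the hit count stays low; the client that reaches a server on a learned, non-64738 port falls through to "permit ip any any" on the inside ACL.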

Hi,

It would seem to me that the program must use some other ports than the ones you have defined if it still gets through.

Maybe you should run Wireshark on your computer or on the ASA to see what connections the host computer actually forms when Mumble is used. And use that information to update the "deny" rule.

- Jouni
