
ASA5505 Port 68 issue - cannot block it on the wan/outside interface - V 8.4.7

Zawekaroo
Level 1

Hello,

I set up my ASA5505 to get the public IP address from the outside/WAN (my cable provider via DHCP) interface 0/0 on VLAN 90, and the inside interface gives DHCP addresses to my local LAN. I have denied all the traffic coming in on the outside interface and allowed domain/http/https from the inside to anywhere.

 

I ran the packet tracer and I noticed that traffic coming from any IP on the outside targeting UDP port 68 or 67 (broadcast traffic) is allowed, and I see the packets being built even though my outside ACL is deny any any. I'm not sure how to resolve the issue, as I gave up on all the solutions :/

interface Ethernet0/0

*outside facing the internet*
 switchport access vlan 90
!
interface Ethernet0/1

*inside*
 switchport access vlan 50

interface Vlan50
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.0
!
interface Vlan90
 description OUTSIDE to Internet
 nameif outside
 security-level 0
 ip address dhcp setroute

 

dhcpd address 192.168.50.101-192.168.50.202 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp

service-policy global_policy global

packet-tracer input outside udp 150.50.50.50 1234 255.255.255.255 68 detailed

 

Phase: 1
Type: CP-PUNT
Subtype: l2-selective
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xca2a13a0, priority=13, domain=punt, deny=false
        hits=3, user_data=0xca2a1430, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=outside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xca2830b0, priority=1, domain=permit, deny=false
        hits=0, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
Action: allow

 

This should not be allowed, as I have a deny any any on the outside interface.
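A small parser for the `packet-tracer ... detailed` output format shown in the post above, added here as an example (it is not code from anyone in this thread). It lists the phases where the ACCESS-LIST check passed on an implicit rule rather than a configured ACL entry; the sample text is constructed from the trace above and the function names are illustrative.

```python
import re

# Constructed sample: the trace from the post above, trimmed to its key lines.
SAMPLE = """\
Phase: 1
Type: CP-PUNT
Subtype: l2-selective
Result: ALLOW
Config:
Additional Information:

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 in  id=0xca2830b0, priority=1, domain=permit, deny=false

Result:
Action: allow
"""

def parse_trace(text):
    """Split packet-tracer output into per-phase dicts plus the final action."""
    phases, action, cur, in_config = [], None, None, False
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r"Phase:\s*(\d+)", line):
            cur, in_config = {"phase": int(m.group(1)), "config": []}, False
            phases.append(cur)
        elif line == "Result:":          # a bare "Result:" opens the summary
            cur = None
        elif line.startswith("Action:"):
            action = line.split(":", 1)[1].strip().lower()
        elif cur is None:
            continue
        elif m := re.fullmatch(r"(Type|Subtype|Result):\s*(.*)", line):
            cur[m.group(1).lower()] = m.group(2)
        elif line in ("Config:", "Additional Information:"):
            in_config = line == "Config:"
        elif in_config and line:         # lines between Config: and Additional Information:
            cur["config"].append(line)
    return phases, action

def implicit_allows(phases):
    """Phase numbers where an ACCESS-LIST check passed on an implicit rule."""
    return [p["phase"] for p in phases if p.get("type") == "ACCESS-LIST"
            and p.get("result") == "ALLOW" and "Implicit Rule" in p["config"]]
```
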

 


Jouni Forss
VIP Alumni

Hi,

 

Can you show the actual "access-list" and "access-group" configurations?

 

show run access-list

 

show run access-group

 

My own ASA 5505 running 8.4(5) blocks the above-mentioned "packet-tracer" output. I wonder if it's in any way related to the WAN interface being set as a DHCP client? Though if I am not wrong, the port UDP/68 should only be the destination port for connections to the DHCP server.

 

Have you tried to make a separate ACL and attach it to the WAN interface as a "control-plane" ACL that blocks/permits traffic to the actual ASA interface?

You attach it to the interface with the command

 

access-group <acl name> in interface <interface name> control-plane

 

You can naturally have a normal interface ACL that controls traffic "through the box" and a "control-plane" ACL that controls traffic "to the box".

 

- Jouni

Hello,

 

I have tried to put the control plane ACL in place but without any luck. This is driving me crazy, as I feel someone can run a DHCP attack and my firewall will build those messages. I don't even see the hits on the new ACL when I run the packet tracer. Here is my config:

 

If I remove the ip address dhcp setroute then everything is normal; not sure if it's even possible to block this type of traffic.

 

object network INSIDE-NETWORKS
 subnet 192.168.50.0 255.255.255.0
object-group service MY-PORTS
 service-object tcp-udp destination eq domain
 service-object tcp destination eq www
 service-object tcp destination eq https

 

access-list inside_acl extended permit object-group MY-PORTS object INSIDE-NETWORKS any
access-list inside_acl extended permit ip object INSIDE-NETWORKS object INSIDE-NETWORKS
access-list outside_acl extended deny ip any any

**new control plane acl**

access-list cpl-acl; 1 elements; name hash: 0xe068185
access-list cpl-acl line 1 extended deny udp any any log informational interval 300 (hitcnt=0) 0xcfe2e0a1

 

access-group inside_acl in interface inside
access-group outside_acl in interface outside
access-group cpl-acl in interface outside control-plane

 

 


 

nkarthikeyan
Level 7

Hi,

I believe this is because of the ip address dhcp enabled on the outside interface. I do not get such packet-tracer output in a statically assigned environment. But if you apply the ACL to the control-plane, it is applicable to the box, which might affect the DHCP assignment to your outside interface.

UDP port number 67 is the destination port of a server & UDP port number 68 is used by the client.

 

Regards

Karthik

Yes, I tested on another ASA that has a static IP and the traffic is dropped. I don't like the fact that those broadcast messages are being built even though I am blocking everything; hence someone could use my IP as a target for DHCP attacks if they spoof their source.
