07-14-2014 06:08 PM - edited 03-11-2019 09:28 PM
Hello,
I set up my ASA 5505 to get the public IP address from the outside/WAN interface 0/0 on VLAN 90 (my cable provider via DHCP), and the inside interface gives DHCP addresses to my local LAN. I have denied all the traffic on the outside interface coming in and allowed domain/http/https from the inside to anywhere.
I ran the packet tracer and I noticed that if the traffic comes from any IP on the outside targeting UDP port 68 or 67 (broadcast traffic), it is allowed, and I see the packets being built even though my outside ACL is deny any any. Not sure how to resolve the issue, as I gave up on all the solutions :/
interface Ethernet0/0
 *outside facing the internet*
 switchport access vlan 90
!
interface Ethernet0/1
 *inside*
 switchport access vlan 50
!
interface Vlan50
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.0
!
interface Vlan90
 description OUTSIDE to Internet
 nameif outside
 security-level 0
 ip address dhcp setroute
!
dhcpd address 192.168.50.101-192.168.50.202 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
packet-tracer input outside udp 150.50.50.50 1234 255.255.255.255 68 detailed

Phase: 1
Type: CP-PUNT
Subtype: l2-selective
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xca2a13a0, priority=13, domain=punt, deny=false
        hits=3, user_data=0xca2a1430, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=outside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xca2830b0, priority=1, domain=permit, deny=false
        hits=0, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
Action: allow
This should not be allowed, as I have a deny any any on the outside interface.
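As an added example (not code from this thread or from Cisco), here is a small Python triage script for packet-tracer output of the layout shown above. It parses the phases and reports whether the final verdict came from the interface access-group ACL or from a control-plane punt: a CP-PUNT phase with domain=punt means the packet is being handed to the ASA itself, so the interface ACL is never consulted. It also names the DHCP leg the probe imitates: a packet sent to UDP/68 looks like a server reply (OFFER/ACK), which is what an interface configured as a DHCP client listens for. The posted trace is embedded trimmed to the lines the parser uses; the second trace is constructed to represent the static-IP case the replies describe, with placeholder rule ids; the output format assumed is the 8.4-era layout in the post.

```python
"""Triage ASA packet-tracer output: was the packet allowed by an interface ACL, or punted to the
firewall itself (control plane)? Added example; not code from Cisco or from any poster here."""
import re

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
HEADER_RE = re.compile(r"^(Type|Subtype|Result|Config|Additional Information):\s*(.*)$")
RULE_RE = re.compile(r"\bdomain=(\w+),\s*deny=(true|false)")
KV_RE = re.compile(r"^([\w-]+):\s*(.*)$")
CMD_RE = re.compile(r"packet-tracer input (\S+) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")

# The trace from the post above (outside interface is a DHCP client), cut to the lines used here.
TRACE_FROM_POST = """\
packet-tracer input outside udp 150.50.50.50 1234 255.255.255.255 68 detailed
Phase: 1
Type: CP-PUNT
Subtype: l2-selective
Result: ALLOW
Config:
Additional Information:
 in id=0xca2a13a0, priority=13, domain=punt, deny=false
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 in id=0xca2830b0, priority=1, domain=permit, deny=false
Result:
Action: allow
"""

# Constructed sample: same probe against an outside interface with a static IP, which the replies
# report as dropped. The rule id and drop text are placeholders, not captured output.
TRACE_STATIC_IP = """\
packet-tracer input outside udp 150.50.50.50 1234 255.255.255.255 68 detailed
Phase: 1
Type: ACCESS-LIST
Result: DROP
Config:
access-group outside_acl in interface outside
access-list outside_acl extended deny ip any any
Additional Information:
 in id=0x00000000, priority=13, domain=permit, deny=true
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Return (phases, final): one dict per phase plus the trailing 'Result:' summary block."""
    phases, final, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PHASE_RE.match(line)
        if m:
            cur = {"number": int(m.group(1)), "config": [], "domain": None, "deny": None}
            phases.append(cur)
            section = None
        elif line == "Result:":          # bare header: the summary block, not a phase result
            cur, section = None, "final"
        elif not line or cur is None:
            if section == "final" and (kv := KV_RE.match(line)):
                final[kv.group(1)] = kv.group(2)
        elif h := HEADER_RE.match(line):
            key, val = h.groups()
            if key in ("Config", "Additional Information"):
                section = key             # following lines belong to this section
            else:
                cur[key.lower()] = val    # Type / Subtype / Result of this phase
        else:
            if r := RULE_RE.search(line):  # the "in id=..., domain=..., deny=..." lookup line
                cur["domain"], cur["deny"] = r.group(1), r.group(2) == "true"
            if section == "Config":
                cur["config"].append(line)
    return phases, final

def diagnose(text):
    """Which rule family decided the packet's fate? 'punt-to-box' = interface ACL never consulted."""
    phases, final = parse_packet_tracer(text)
    action = final.get("Action", "").lower()
    named_acl = any(p.get("type") == "ACCESS-LIST" and
                    any(c.startswith("access-group") for c in p["config"]) for p in phases)
    punted = any(p.get("type") == "CP-PUNT" or p["domain"] == "punt" for p in phases)
    if action == "drop":
        verdict = "dropped-by-interface-acl" if named_acl else "dropped-implicit"
    elif punted and not named_acl:
        verdict = "punt-to-box"
    else:
        verdict = "allowed-by-interface-acl" if named_acl else "allowed-implicit"
    # bootps/67 is the server port, bootpc/68 the client port: a packet *to* 68 imitates a server
    # reply (OFFER/ACK), exactly what an interface configured as a DHCP client listens for.
    m = CMD_RE.search(text)
    sport, dport = (int(m.group(4)), int(m.group(6))) if m and m.group(2) == "udp" else (0, 0)
    leg = {67: "client->server", 68: "server->client"}.get(dport, "not-dhcp")
    return {"action": action, "punted": punted, "interface_acl_checked": named_acl,
            "verdict": verdict, "dhcp_leg": leg,
            # a real DHCP peer sends from 67 or 68; anything else is worth a second look
            "src_port_plausible": leg != "not-dhcp" and sport in (67, 68)}
```

For the posted trace `diagnose` returns the verdict `punt-to-box` with `interface_acl_checked` False, and for the static-IP sample `dropped-by-interface-acl`; in both, `src_port_plausible` is False because a genuine server reply to port 68 would come from port 67, not 1234. The script only classifies what packet-tracer printed; whether a control-plane ACL can block this punt on a DHCP-client interface is the open question in the thread, not something the script decides.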
07-14-2014 11:25 PM
Hi,
Can you show the actual "access-list" and "access-group" configurations?
show run access-list
show run access-group
My own ASA 5505 running 8.4(5) blocks the above-mentioned "packet-tracer" output. I wonder if it's in any way related to the WAN interface being set as a DHCP client? Though if I am not wrong, the port UDP/68 should only be the destination port for connections to the DHCP server.
Have you tried to make a separate ACL and attach it to the WAN interface as a "control-plane" ACL that blocks/permits traffic to the actual ASA interface?
You attach it to the interface with the command
access-group <acl name> in interface <interface name> control-plane
You can naturally have a normal interface ACL that controls traffic "through the box" and a "control-plane" ACL that controls traffic "to the box".
- Jouni
07-15-2014 09:27 AM
Hello,
I have tried to put the control-plane ACL, but without any luck. This is driving me crazy, as I feel someone can run a DHCP attack and my firewall will build those messages. I don't even see the hits when I run the packet tracer on the new ACL. If I remove "ip address dhcp setroute" then everything is normal; not sure if it's even possible to block this type of traffic. Here is my config:
object network INSIDE-NETWORKS
 subnet 192.168.50.0 255.255.255.0
object-group service MY-PORTS
 service-object tcp-udp destination eq domain
 service-object tcp destination eq www
 service-object tcp destination eq https
access-list inside_acl extended permit object-group MY-PORTS object INSIDE-NETWORKS any
access-list inside_acl extended permit ip object INSIDE-NETWORKS object INSIDE-NETWORKS
access-list outside_acl extended deny ip any any

**new control plane acl**
access-list cpl-acl; 1 elements; name hash: 0xe068185
access-list cpl-acl line 1 extended deny udp any any log informational interval 300 (hitcnt=0) 0xcfe2e0a1

access-group inside_acl in interface inside
access-group outside_acl in interface outside
access-group cpl-acl in interface outside control-plane
07-15-2014 12:53 AM
Hi,
I believe this is because of "ip address dhcp" being enabled on the outside interface. I do not get such packet-tracer output in a statically assigned environment. But if you apply the ACL to the control plane, it is applicable to the box, which might affect the DHCP assignment to your outside interface.
UDP port number 67 is the destination port of a server, and UDP port number 68 is used by the client.
Regards
Karthik
07-15-2014 09:30 AM
Yes, I tested on another ASA that has a static IP and the traffic is dropped. I don't like the fact that those broadcast messages are being built even though I am blocking everything; hence someone could use my IP as a target for DHCP attacks if they spoof their source.