5505 firewall, block everything except a few ports

haakonrovik
Level 1

Hi folks

We have a client that is running a PC on an internet-over-satellite link.

To avoid any unnecessary traffic over the satellite link (data traffic is quite expensive), we've suggested using a 5505, as we had one handy already.

So basically what we wanted was to block everything outgoing and everything ingoing, except for example port 22 (ssh).

But I'm struggling a bit, since this is my first Cisco router to be configured.

My interfaces are as follows.

Outside - DHCP

Inside (port 1) - 192.168.1.1

I'm only running ipv4.

In ASDM I made a static NAT rule for port 22, being forwarded to 192.168.1.5 (the computer).

In Access rules I made, under outside (incoming rules):

source=any  destination=outside service=ssh action=permit

So far so good.

But when I try to add further rules to block everything else, it takes the SSH on port 22 with it.

How should I do this the easiest way?

The hardware setup is pretty straightforward.

sat-terminal(with IP 192.168.0.1 running DHCP)   ->  5505 (outside IP=DHCP - inside IP=192.168.1.1)   ->    computer (IP=192.168.1.5)


24 Replies

Jouni Forss
VIP Alumni

Hi,

If you create an ACL that only permits TCP/22/SSH then it will block ALL the rest of the traffic.

The ACL always contains a "deny ip any any" statement at the end which doesn't show up in the configuration.

This is called an Implicit Deny Rule.

So you basically just open what you need and the rest will be blocked.

Though even if you added the "deny ip any any" rule yourself it SHOULD NOT remove any existing rules. I am not quite sure how you are configuring the ASA for that to happen. Maybe you are creating a new ACL every time you make a new rule and because of this the old ACL is removed from the interface and replaced with the new ACL. Or you are accidentally editing or replacing the existing ACL rule.

Do you only use the ASDM (graphical user interface) or have you used the CLI? I personally use almost only the CLI, so that's the easiest way for me to give advice.

- Jouni

I haven't used the CLI much, as I don't know all the commands for setting up the rules.

I'm sitting here in ASDM trying to figure it out through there.

I think I know where you mean in the ASDM, it's under 'access rules' right?

So, the moment I add one rule, then all else will be blocked that is not defined in the rule (and other rules)?

That's where I've mainly been trying to configure the interfaces, and under 'NAT rules'

What would it look like when configured under CLI?

- Haakon

Hi,

For example if we presume that you only want to allow TCP/22 from the "outside" and block everything else from "outside" then the ACL configuration could be something like this:

access-list OUTSIDE-IN remark Allow TCP/22 from outside

access-list OUTSIDE-IN permit tcp any interface outside eq 22

The command to attach this ACL to the "outside" interface is

access-group OUTSIDE-IN in interface outside

Once the ACL is attached with this command to the interface, it doesn't need to be issued again. You only add more of the "access-list" configurations if needed.

The "remark" line on the ACL is just a line that can be used to comment on the actual rules. They don't have any effect on the operation of the firewall.

If you want to check any existing configurations on the CLI you could issue the following commands:

"show run access-list"

This command will show ALL the configured ACLs on the ASA.

"show run access-group"

This command will show which ACLs are attached to which interfaces. It's possible that you have several ACLs on the ASA but not all of them are attached to some interface.

- Jouni

Now that I think of this situation.

I am not sure how you are able to connect to the host behind the ASA. This is considering that your SAT-Terminal holds the public IP address and it's giving the ASA "outside" interface its IP address with DHCP.

I just wonder how you are going to forward the connection from the SAT-Terminal to the ASA and to the Computer when you have both the SAT-Terminal and ASA using DHCP.

I think the ASA should probably have a Static IP address. The SAT-Terminal would then need a Port Forward NAT configuration from its public IP address and port TCP/22 to the ASA "outside" interface IP address and TCP/22. And again the ASA would need Port Forward NAT from ASA "outside" IP address to the computer.

- Jouni

Hi

Sorry for not replying yesterday, it became late here in Norway.

The sat-terminal holds the WAN IP and DNS info.

The sat terminal also gives out IPs on DHCP on the LAN (gw is 192.168.0.1).

Due to this, we don't want to mess too much around with the sat-terminal, and we only want to modify the LAN settings on the PC being connected to the network at most. The system should be as plug'n'play as possible, as the customer will install the hardware themselves.

We don't only want to block incoming from the internet to the computer, but also the other way around.

This is to prevent high usage and high bills for the customer.

All this is basically to block windows updates, java updates, web surfing and all other not 'needed' traffic.

The only thing the computer is allowed to do traffic on (both ways) are port 54 and 4710.

The commands you gave me, worked fine I think for 'allowing' port 22 communication from outside to inside, but I kind of failed to make a similar rule for inside to outside, hence blocking everything else.

(Just trying to reverse engineer the configuration with port 22, since I have a Linux machine I can test the communication with.) Final ports would be 54 and 4710 though.

-Håkon

Hi,

Since the sat-terminal holds the public IP address on its WAN interface this means that it will probably do Dynamic PAT for all hosts/devices behind it.

This means that any connections that need to get through from behind the sat-terminal to the WAN will be fine.

On the other hand if you are planning to connect to any device behind the sat-terminal from the WAN then you simply need a Port Forward NAT / Static PAT configuration on the sat-terminal or it's not possible to get through.

If you want to configure an ACL / access-list that controls the traffic from behind the ASA towards the WAN then you can use the following configuration to ONLY allow the ports you mentioned (btw you didn't mention if they were TCP or UDP or both):

access-list INSIDE-IN remark ONLY allow outbound connections on ports 54 and 4710

access-list INSIDE-IN permit tcp any any eq 54

access-list INSIDE-IN permit udp any any eq 54

access-list INSIDE-IN permit tcp any any eq 4710

access-list INSIDE-IN permit udp any any eq 4710

access-group INSIDE-IN in interface inside

The above configuration presumes the following:

  • You don't have any ACL attached to the LAN interface yet
  • The LAN interface is named "inside" on the ASA
  • You want to allow both TCP and UDP of the said ports 54 and 4710

Notice also that when the host from behind "inside" initiates the connection on these destination ports then the reply/return traffic of the remote host is automatically allowed through the firewall, as we're talking about a stateful device that keeps track of the connections and their states formed through the said device.

Hope this helps. Remember to rate if it does.

Naturally ask more and I'll try to help if I can.

- Jouni

Hi

We tried doing this in the terminal itself, but it does not seem to work. The manufacturer also struggles to give a clear answer, hence we're trying with a 5505.

How could this be realized in the 5505 though, if possible?

-Håkon

Never mind the last post, I didn't see the whole response from you. I'll give it a shot.

-Håkon

I rewrote it a bit so I could test with ssh on port 22, just to confirm that web surfing on port 80 gets blocked while still having the ssh connection go through.

access-list INSIDE-IN permit tcp any any eq 22

access-list INSIDE-IN permit udp any any eq 22

access-group INSIDE-IN in interface inside

The above configuration presumes the following:

  • You don't have any ACL attached to the LAN interface yet: confirmed, I have a clean config to start with
  • The LAN interface is named "inside" on the ASA: "inside" is the name of ethernet0/1 to 0/7, as seen in ASDM
  • You want to allow both TCP and UDP of the said ports 54 and 4710: just set both TCP and UDP for 22

SSH on port 22 does not work.

-Håkon

Hi,

There are a lot of things related to the configurations and network setup that we don't know which could cause the connection attempts from behind the ASA to fail:

  • Is routing fine with regards to the ASA and sat-terminal?
  • Is NAT fine with regards to the ASA and sat-terminal?
  • Does the sat-terminal filter traffic from the LAN?

- Jouni

Hi

At the moment I'm not connected to the sat-terminal at all; sorry if you misunderstood me and had the impression I was.

I'm only testing in the office, via our office network.

So when there are no rules set in the 5505, all data goes through just fine, but when trying to only get port 22 for ssh running (again for testing purposes) then everything gets blocked.

-Håkon

Hi,

Please provide the current configuration of the ASA in CLI format.

- Jouni

Hi

See below:

ciscoasa(config)# access-list INSIDE-IN permit tcp any any eq 22

ciscoasa(config)# access-list INSIDE-IN permit udp any any eq 22

ciscoasa(config)# access-group INSIDE-IN in interface inside

ciscoasa(config)# show run access-list

access-list INSIDE-IN extended permit tcp any any eq ssh

access-list INSIDE-IN extended permit udp any any eq 22

ciscoasa(config)# show run access-group

access-group INSIDE-IN in interface inside

-Håkon

Hi,

Do you use a DNS name to connect to some host with SSH?

Since I can't see any other reason the SSH wouldn't work, except for DNS queries getting blocked by the above ACL.

Since you say it works without the ACL.

If you want to allow all DNS traffic then you can add this single ACL line:

access-list INSIDE-IN permit udp any any eq 53

You don't need any other commands.

- Jouni
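The three mechanisms this thread turns on, first-match evaluation with the hidden "deny ip any any" at the end of every ACL (Jouni's first reply), the stateful admission of return traffic for connections the inside host opened (the INSIDE-IN post), and the DNS diagnosis in the last reply, can be modelled in a few dozen lines. The following Python is an added illustration written for this page, not Cisco code and not anything either poster ran: it parses the INSIDE-IN lines exactly as they appear in Håkon's `show run access-list` output, evaluates constructed flows against them, and shows why "ssh by hostname" fails until the UDP/53 line is added. The port keyword table, the `Flow`/`Rule` classes, the `StatefulFirewall` model and the 192.0.2.53 / 203.0.113.10 addresses are all assumptions of the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Keywords that 'show run access-list' prints in place of port numbers (assumed subset)
PORT_NAMES = {"ssh": 22, "domain": 53, "www": 80}

# ACL lines as they appear in the thread (after 'show run access-list'),
# then the same ACL with the extra DNS line Jouni suggested
INSIDE_IN_BEFORE = """
access-list INSIDE-IN extended permit tcp any any eq ssh
access-list INSIDE-IN extended permit udp any any eq 22
"""
INSIDE_IN_AFTER = INSIDE_IN_BEFORE + "access-list INSIDE-IN permit udp any any eq 53\n"


@dataclass(frozen=True)
class Flow:
    """One direction of a connection (5-tuple); hypothetical model class."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    dport: Optional[int]   # None means any destination port


def parse_acl(config: str, name: str) -> List[Rule]:
    """Collect the rules of ACL <name> from ASA-style config text, in order."""
    rules = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[1] != name:
            continue
        if t[2] == "remark":
            continue                   # remarks never affect matching
        if t[2] == "extended":
            t.pop(2)                   # keyword added by 'show run'; drop it
        dport = None
        if "eq" in t:
            port = t[t.index("eq") + 1]
            dport = int(port) if port.isdigit() else PORT_NAMES[port]
        rules.append(Rule(t[2], t[3], dport))
    return rules


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; with no match the implicit deny applies."""
    for r in rules:
        if r.proto != "ip" and r.proto != flow.proto:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action
    return "deny"          # the hidden 'deny ip any any' at the end of every ACL


class StatefulFirewall:
    """Inside-to-outside packets are checked against the inside ACL; replies
    from outside are admitted only because a matching connection exists."""

    def __init__(self, inside_acl: List[Rule]) -> None:
        self.inside_acl = inside_acl
        self.connections: Set[Flow] = set()

    def from_inside(self, flow: Flow) -> str:
        verdict = evaluate(self.inside_acl, flow)
        if verdict == "permit":
            self.connections.add(flow)       # remember the connection
        return verdict

    def from_outside(self, flow: Flow) -> str:
        # No outside ACL permits anything here, so only return traffic passes
        return "permit" if flow.reverse() in self.connections else "deny"


def ssh_by_hostname(fw: StatefulFirewall) -> bool:
    """What Håkon's test does: resolve the host name, then open SSH.
    Resolver and SSH server addresses are constructed for the example."""
    dns = Flow("udp", "192.168.1.5", 40000, "192.0.2.53", 53)
    if fw.from_inside(dns) != "permit" or fw.from_outside(dns.reverse()) != "permit":
        return False                          # name never resolves, ssh never starts
    ssh = Flow("tcp", "192.168.1.5", 50000, "203.0.113.10", 22)
    return fw.from_inside(ssh) == "permit" and fw.from_outside(ssh.reverse()) == "permit"


if __name__ == "__main__":
    for label, cfg in (("without UDP/53", INSIDE_IN_BEFORE), ("with UDP/53", INSIDE_IN_AFTER)):
        fw = StatefulFirewall(parse_acl(cfg, "INSIDE-IN"))
        print(f"{label}: ssh by hostname works = {ssh_by_hostname(fw)}")
```

Running it prints `False` for the ACL as posted and `True` once the UDP/53 line is present, which is the behaviour the last two posts describe. The model deliberately has no outside ACL at all, so an unsolicited inbound TCP/22 packet is denied while the reply to an inside-initiated SSH session is admitted from the connection table; that is the stateful point Jouni makes about return traffic, and it is also why the outbound "allow only 54 and 4710" ACL does not need matching inbound permits.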
