access-group with "control-plane" in Cisco Pix/ASA

cciesec2011
Level 3

I have a Pix515 running version 8.0.4 and I have a hard time understanding access-group with the "control-plane" option.

As I understand it, "control-plane" is designed for traffic destined TO the firewall interface itself.  If so, this is my configuration:

CiscoPix# sh run | i block_all
access-list block_all extended deny ip any any log
access-group block_all in interface outside
CiscoPix# sh run | i fw
access-list fw extended deny icmp any any log
access-list fw extended deny ip any any log
access-group fw in interface outside control-plane
CiscoPix#
CiscoPix# sh run | i inspect
CiscoPix#

CiscoPix# sh run | i http
http server enable
http 0.0.0.0 0.0.0.0 outside
CiscoPix# sh run | i ssh
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 outside

CiscoPix# sh flash:

Directory of flash:/

7      -rw-  7605252     01:23:34 Jan 01 1993  asdm-61551.bin
10     -rw-  7538688     01:19:35 Jan 01 1993  pix804.bin

16128000 bytes total (972800 bytes free)
CiscoPix#

Based on this configuration, ANY traffic destined to the "outside", especially icmp traffic, should be dropped by the firewall; however, I found out that is NOT the case.  I can ping the "outside" from everywhere on the Internet.  Not only that, I can also ssh and https into the Pix as well:

CiscoPix# sh capture test
6 packets captured
   1: 11:29:31.178304 4.2.2.2 > 129.174.2.14: icmp: echo request
   2: 11:29:31.178686 129.174.2.14 > 4.2.2.2: icmp: echo reply
   3: 11:29:32.178304 4.2.2.2 > 129.174.2.14: icmp: echo request
   4: 11:29:32.178640 129.174.2.14 > 4.2.2.2: icmp: echo reply
   5: 11:29:33.178503 4.2.2.2 > 129.174.2.14: icmp: echo request
   6: 11:29:33.178869 129.174.2.14 > 4.2.2.2: icmp: echo reply
6 packets shown
CiscoPix#

Clearly, this does not look right.  Not sure if this is a "bug" or by design?

6 Replies

For those examples of management traffic, access is controlled by other commands, not by the access-group on the control-plane.

If you test denying VPN traffic that will work.

Check the following link that contains an explanation:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1541842

Note Access control rules for to-the-box management traffic (defined by such commands as http, ssh, or telnet) have higher precedence than an access list applied with the control-plane option. Therefore, such permitted management traffic will be allowed to come in even if explicitly denied by the to-the-box access list.

I hope this helps.

Then how do you explain that I can ping the firewall outside interface even though I have explicit deny icmp for the control plane?

icmp is not management so your question is valid. Since you can block ICMP traffic to the device using the icmp command it will also take precedence.

I don't know if you are aware about the icmp command but it will permit or deny that traffic to the box.

Sometimes it is hard to get the right information from Cisco.

Hi Paul,

Yes, I am very aware of the icmp command, actually way back to 2003.  Anyone who studies CCIE security is aware of that command.

I thought the "control-plane" option was a new feature to use instead of the legacy "icmp permit/deny" command.

Apparently, I am not the only one who has this issue.  Check out this link:

http://www.securityie.com/cgi-bin/ultimatebb.cgi?ubb=get_topic;f=10;t=002524

Apparently, not all ASA platforms are created equal.  Some commands might work only on the ASA5580 and nowhere else, and this might be one of those commands.

Thanks for sharing. When studying for my CCIE I had to learn about that too. I used to check that site a lot in the past.

I haven't had the opportunity to work with a 5580 but I am sure it has minor differences on the way they behave.

DAVID NOONAN
Level 1

For anyone else who finds this discussion while searching for ways to limit the VPN source IP:

According to the documentation and other sites the built-in commands (icmp, http, ssh, etc) have precedence over the control-plane ACL but you should be able to limit VPN source IP using the control-plane ACL.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1541842
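As an added example (not code from this thread or from Cisco), the following Python audit parses configuration lines in the form quoted above and reports where a to-the-box ssh/http/telnet or icmp rule would take precedence over a deny in the control-plane ACL, so the precedence described in the replies can be checked mechanically before relying on the ACL. The sample config is constructed from the original post; the audit assumes the ASA/PIX default that ICMP to an interface is allowed when no icmp rule is configured.

```python
# Constructed sample modelled on the configuration quoted in the original post.
SAMPLE_CONFIG = """\
access-list fw extended deny icmp any any log
access-list fw extended deny ip any any log
access-group fw in interface outside control-plane
http server enable
http 0.0.0.0 0.0.0.0 outside
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 outside
"""

WIDE_OPEN = {"any", "0.0.0.0 0.0.0.0"}


def audit_control_plane(config: str) -> list:
    """Return findings where a to-the-box command overrides a control-plane deny."""
    denies = {}      # acl name -> protocols denied from any source
    cp_acl = {}      # interface -> control-plane acl bound to it
    mgmt = {}        # interface -> {"ssh"/"http"/"telnet": [allowed sources]}
    icmp_rules = {}  # interface -> [(action, source)] in configured order
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        # access-list NAME extended deny PROTO SRC DST ...
        if t[0] == "access-list" and len(t) >= 7 and t[2:4] == ["extended", "deny"] and t[5] == "any":
            denies.setdefault(t[1], set()).add(t[4])
        # access-group NAME in interface IFACE control-plane
        elif t[0] == "access-group" and t[-1] == "control-plane":
            cp_acl[t[4]] = t[1]
        # ssh|http|telnet IP MASK IFACE
        elif t[0] in ("ssh", "http", "telnet") and len(t) == 4:
            mgmt.setdefault(t[3], {}).setdefault(t[0], []).append(f"{t[1]} {t[2]}")
        # icmp permit|deny {any | host IP | IP MASK} [type] IFACE
        elif t[0] == "icmp" and t[1] in ("permit", "deny"):
            src = "any" if t[2] == "any" else " ".join(t[2:4])
            icmp_rules.setdefault(t[-1], []).append((t[1], src))

    findings = []
    for iface, acl in cp_acl.items():
        blocked = denies.get(acl, set())
        for proto, sources in mgmt.get(iface, {}).items():
            if blocked & {"ip", "tcp"} and any(s in WIDE_OPEN for s in sources):
                findings.append(f"{iface}: '{proto}' permits any source; ACL {acl} deny is ignored")
        if blocked & {"ip", "icmp"}:
            rules = icmp_rules.get(iface, [])
            # No icmp rule at all means ICMP to the interface is allowed by default (assumed ASA/PIX behaviour).
            if not rules or rules[0] == ("permit", "any"):
                findings.append(f"{iface}: icmp to the box is allowed; ACL {acl} deny is ignored")
    return findings
```

Restricting the ssh/http sources and adding an explicit `icmp deny` on the interface clears the corresponding findings, which matches the fix the replies describe.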
