03-01-2011 06:26 PM - edited 03-11-2019 12:59 PM
I have a Pix515 running version 8.0.4 and I have a hard time understanding the access-group command with the "control-plane" option.
As I understand it, "control-plane" is designed for traffic destined TO the firewall interface itself. If so, this is my configuration:
CiscoPix# sh run | i block_all
access-list block_all extended deny ip any any log
access-group block_all in interface outside
CiscoPix# sh run | i fw
access-list fw extended deny icmp any any log
access-list fw extended deny ip any any log
access-group fw in interface outside control-plane
CiscoPix#
CiscoPix# sh run | i inspect
CiscoPix#
CiscoPix# sh run | i http
http server enable
http 0.0.0.0 0.0.0.0 outside
CiscoPix# sh run | i ssh
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 outside
CiscoPix# sh flash:
Directory of flash:/
7 -rw- 7605252 01:23:34 Jan 01 1993 asdm-61551.bin
10 -rw- 7538688 01:19:35 Jan 01 1993 pix804.bin
16128000 bytes total (972800 bytes free)
CiscoPix#
Based on this configuration, ANY traffic destined to the "outside", especially icmp traffic, should be dropped by the firewall; however, I found out that is NOT the case. I can ping the "outside" from everywhere on the Internet. Not only that, I can also ssh and https into the Pix:
CiscoPix# sh capture test
6 packets captured
1: 11:29:31.178304 4.2.2.2 > 129.174.2.14: icmp: echo request
2: 11:29:31.178686 129.174.2.14 > 4.2.2.2: icmp: echo reply
3: 11:29:32.178304 4.2.2.2 > 129.174.2.14: icmp: echo request
4: 11:29:32.178640 129.174.2.14 > 4.2.2.2: icmp: echo reply
5: 11:29:33.178503 4.2.2.2 > 129.174.2.14: icmp: echo request
6: 11:29:33.178869 129.174.2.14 > 4.2.2.2: icmp: echo reply
6 packets shown
CiscoPix#
Clearly, this does not look right. Not sure if this is a "bug" or by design?
03-01-2011 06:38 PM
For those examples, management traffic access is controlled by other commands, not by the access-group on the control-plane.
If you test denying VPN traffic, that will work.
Check the following link, which contains an explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1541842
Note: Access control rules for to-the-box management traffic (defined by such commands as http, ssh, or telnet) have higher precedence than an access list applied with the control-plane option. Therefore, such permitted management traffic will be allowed to come in even if explicitly denied by the to-the-box access list.
I hope this helps.
03-01-2011 06:41 PM
Then how do you explain that I can ping the firewall outside interface even though I have explicit deny icmp for the control plane?
03-01-2011 06:47 PM
ICMP is not management, so your question is valid. Since you can block ICMP traffic to the device using the icmp command, it will also take precedence.
I don't know if you are aware of the icmp command, but it will permit or deny that traffic to the box.
Sometimes it is hard to get the right information from Cisco.
03-01-2011 06:54 PM
Hi Paul,
Yes, I am very aware of the icmp command, actually way back to 2003. Anyone who studies CCIE Security is aware of that command.
I thought the "control-plane" option was a new feature to use instead of the legacy "icmp permit/deny" command.
Apparently, I am not the only one who has this issue. Check out this link:
http://www.securityie.com/cgi-bin/ultimatebb.cgi?ubb=get_topic;f=10;t=002524
Apparently, not all ASA platforms are created equal. Some commands might work only on the ASA5580 and nowhere else, and this might be one of those commands.
03-01-2011 07:00 PM
Thanks for sharing. When studying for my CCIE I had to learn about that too. I used to check that site a lot in the past.
I haven't had the opportunity to work with a 5580 but I am sure it has minor differences on the way they behave.
05-13-2013 06:16 AM
For anyone else that finds this discussion while searching for ways to limit the VPN source IP:
According to the documentation and other sites, the built-in commands (icmp, http, ssh, etc.) have precedence over the control-plane ACL, but you should be able to limit the VPN source IP using the control-plane ACL.
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1541842
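The precedence rule discussed in this thread (the `ssh`, `http`, `telnet` and `icmp` commands are evaluated before an access-group bound with `control-plane`, so a deny in that ACL never reaches the management traffic those commands permit) can be turned into a configuration check. The script below is an added example written for this page; it is not code from the thread, from any poster, or from Cisco. It parses a `show run` style text and reports the two gaps in the original post's configuration: wide-open `ssh`/`http` permits on an interface that also carries a control-plane deny ACL, and ICMP "denied" only in that ACL with no `icmp` command on the interface (with no `icmp` command the firewall answers ICMP to itself). Both sample configurations are constructed here: the first reproduces the relevant lines of the original post, the second is a hypothetical corrected version using RFC 5737 placeholder addresses (198.51.100.0/24 as the management subnet, 203.0.113.7 as a VPN peer). Only the command forms shown are parsed; this is not a full ASA configuration parser.

```python
"""Check ASA/PIX to-the-box policy for management permits that a control-plane
ACL deny cannot override.  Added example, not Cisco or forum code."""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
AG_RE = re.compile(r"^access-group (\S+) in interface (\S+)( control-plane)?$")
# ssh|http|telnet <source> <mask> <interface>; "http server enable" does not match.
MGMT_RE = re.compile(
    r"^(ssh|http|telnet) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
# icmp permit|deny <source> [type] <interface>; only action and interface matter.
ICMP_RE = re.compile(r"^icmp (permit|deny) .* (\S+)$")


def check_to_the_box(config: str) -> list[str]:
    """Return findings (empty when the to-the-box policy is consistent)."""
    acls = defaultdict(list)        # acl name -> [(action, protocol)]
    cp_acl = {}                     # interface -> acl bound with control-plane
    mgmt = defaultdict(list)        # interface -> [(command, source network)]
    icmp_cmds = defaultdict(list)   # interface -> [action]
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            acls[m[1]].append((m[2], m[3]))
        elif m := AG_RE.match(line):
            if m[3]:
                cp_acl[m[2]] = m[1]
        elif m := MGMT_RE.match(line):
            # "0.0.0.0 0.0.0.0" becomes 0.0.0.0/0, i.e. any source.
            mgmt[m[4]].append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)))
        elif m := ICMP_RE.match(line):
            icmp_cmds[m[2]].append(m[1])

    findings = []
    for iface, name in cp_acl.items():
        denied = {proto for action, proto in acls[name] if action == "deny"}
        # The management commands win over the control-plane ACL whatever the
        # source; with a 0.0.0.0/0 source the ACL deny is worthless and the
        # management plane is reachable from anywhere.
        if denied & {"ip", "tcp"}:
            for cmd, net in mgmt[iface]:
                if net.prefixlen == 0:
                    findings.append(
                        f"{iface}: the {cmd} command permits {cmd} from {net} (any "
                        f"source); control-plane ACL {name} cannot block it. "
                        f"Restrict the {cmd} command to management sources.")
        # ICMP to the interface is governed by the icmp command, not the ACL.
        if denied & {"ip", "icmp"} and not icmp_cmds[iface]:
            findings.append(
                f"{iface}: ACL {name} denies ICMP but no icmp command exists for "
                f"{iface}, so the firewall still answers pings. Add "
                f"`icmp deny any {iface}` after any narrow `icmp permit` lines.")
    return findings


# Constructed sample: the relevant lines from the original post.
THREAD_CONFIG = """
access-list block_all extended deny ip any any log
access-group block_all in interface outside
access-list fw extended deny icmp any any log
access-list fw extended deny ip any any log
access-group fw in interface outside control-plane
http server enable
http 0.0.0.0 0.0.0.0 outside
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 outside
"""

# Constructed, hypothetical fix: management scoped to a management subnet, ICMP
# handled by the icmp command, and the control-plane ACL used for what it can
# actually enforce, here limiting which peer may bring up an IPsec VPN.
HARDENED_CONFIG = """
access-list fw extended permit udp host 203.0.113.7 any eq isakmp
access-list fw extended permit esp host 203.0.113.7 any
access-list fw extended deny ip any any log
access-group fw in interface outside control-plane
ssh 198.51.100.0 255.255.255.0 outside
http 198.51.100.0 255.255.255.0 outside
icmp permit host 198.51.100.10 echo outside
icmp deny any outside
"""

if __name__ == "__main__":
    for label, cfg in (("original", THREAD_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = check_to_the_box(cfg)
        print(f"== {label}: {len(result)} finding(s)")
        for finding in result:
            print(" -", finding)
```

Running the script reports three findings for the original configuration (ssh, http and ICMP) and none for the hardened one. The check deliberately ignores the non-control-plane `access-group block_all` binding, since a through-the-box ACL has no bearing on traffic addressed to the firewall itself.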