ACL for traffic Passing between Transparent Firewall and Routed FW

mahesh18
Level 6

Hi Everyone.

If we had this topology

The server is connected to Switch 1, Switch 1 connects to Switch 2 (layer connection), and Switch 2 has a connection to the transparent ASA.

Now this transparent ASA has a connection to Switch 3, and Switch 3 has a connection to another ASA (ASA2), then the internet.

For the above traffic flow, do we need an ACL at both the transparent ASA and ASA2?

Thanks

Mahesh


Julio Carvajal
VIP Alumni

Hello Mahesh,

The same concept applies in transparent mode for L3 traffic: if traffic from lower to higher needs to be allowed, then create the ACL; from higher to lower there is no need.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Since the transparent firewall is a Layer 2 firewall, and traffic there is coming from lower to higher security,

I will apply an ACL there.

After this, the traffic passes through another ASA that's in routed mode.

Do I need to apply an ACL there also?

Thanks

Mahesh

After this, the traffic passes through another ASA that's in routed mode.

Do I need to apply an ACL there also?

If the traffic goes on that one from lower to higher: yes, as well.

Note: the only L3 traffic while in L2 mode that I am aware of that needs an ACL from higher to lower is multicast traffic.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

So I need two ACLs, one on the transparent and the other on the second ASA, right?

Thanks

Mahesh

Hello Mahesh,

You got it.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

I just made some changes on the network where traffic was passing through the transparent FW and the routed FW.

I put an ACL on the transparent FW to allow traffic on port 80.

But the routed FW was denying traffic on port 80.

But on the routed-mode FW, the traffic was entering on the high-security interface and leaving on the lower-security interface.

So the ACL in routed mode was denying the traffic going to the destination on port 80 even though the flow was from high to low.

When we say that traffic can flow from a high to a low security interface, does it also mean that we can access any ports?

Thanks

Mahesh

Yes, it can access any port unless you deny it via an ACL.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

To make this work I had to configure an ACL on the routed ASA to allow traffic on port 80.

Even though the flow was from high to low security.

Is this default behaviour? So in short I had to configure two ACLs, one each on the transparent and the routed ASA, to make this work.

Thanks

Mahesh

Hello Mahesh,

No, unless there was an ACL already.

Was there an ACL already (on the highest-security-level interface)?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

On the interface from high to low security there was no ACL.

I had to put an ACL to allow traffic from higher to lower on port 80.

Thanks

Mahesh

Hello Mahesh,

That's not required.

You are missing something.

Can you share the configuration without the ACL (make sure it does not work before posting it here)?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

I dug deeper and found that there was an ACL on the routed ASA which was denying the traffic.

It seems that earlier, as it was denying the traffic, that's why I needed to put the second ACL on the routed ASA also.

Now it makes sense why I need two ACLs, one each on the transparent and the routed ASA, to make this work.

Hope you agree with this.

Regards

Mahesh

Hello Mahesh,

Exactly, as I said in one of my previous posts:

No, unless there was an ACL already.

Was there an ACL already (on the highest-security-level interface)?

Regards,

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Yes, there was an ACL on the higher-to-lower interface denying IP traffic.

It seems last time I did not understand what you said.

But asking you more questions helped me to understand better now.

Best regards

Mahesh
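The two points the thread settles (a transparent ASA still needs an ACL for lower-to-higher traffic, and a higher-to-lower flow is only open by default while no ACL is bound to the ingress interface) are shown below as a worked configuration. This is an added example, not configuration posted by either participant: the interface names, addresses and ACL names are invented, and it assumes ASA 8.4 or later syntax (bridge-group/BVI for transparent mode).

```text
! Added example (not from the thread). Hypothetical names and addresses.
! Assumes ASA 8.4+ syntax; adjust for your release.

! ---------- ASA1: transparent mode ----------
firewall transparent
!
interface GigabitEthernet0/0
 nameif outside
 bridge-group 1
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
 security-level 100
interface BVI1
 ip address 192.0.2.10 255.255.255.0   ! management address of the bridge group only
!
! Internet -> server enters "outside" (level 0) bound for "inside" (level 100):
! lower to higher, so it is dropped unless an ACL permits it, exactly as in routed mode.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.50 eq 80
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Server -> internet enters "inside" (100) bound for "outside" (0): higher to lower.
! No access-group is bound to "inside", so IP traffic passes by default, any port.

! ---------- ASA2: routed mode ----------
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
! The situation the thread uncovered: an ACL was already bound to "inside".
! Once any ACL is bound to an interface, the security-level default no longer
! applies in that direction; only the ACL decides, and its implicit deny at the
! end drops whatever is not explicitly permitted, even for a high-to-low flow.
access-list INSIDE_IN extended deny ip any any
access-group INSIDE_IN in interface inside
!
! Fix: insert the permit ahead of the existing deny (line numbers place an entry
! before the one currently at that position).
access-list INSIDE_IN line 1 extended permit tcp 192.0.2.0 255.255.255.0 any eq 80
!
! Check before sending real traffic (run on ASA2); destination is a hypothetical
! internet host:
! packet-tracer input inside tcp 192.0.2.50 12345 203.0.113.7 80
! Then confirm which entry is matching:
! show access-list INSIDE_IN
```

The practical check is the order of operations: before blaming security levels, run `show running-config access-group` on the routed ASA to see whether an ACL is already bound to the ingress interface. If one is, the interface is in "explicit permit only" mode and the security-level default no longer applies, which is what produced the confusing deny in this thread.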
