Allow PortScan to Guest Subnets - ASA

stephen.stack
Level 4

Hi All,

Happy new year

Can someone help me with a quick one. I have a requirement to run a portscanner/discovery node (similar to Nessus) to scan a guest subnet across our ASA.

The guest subnet is allowed outbound internet access only and is restricted to this by a simple ACL inbound on the guest subinterface. (and relevant NAT of course)

Deny IP (CorporateSubnets)

Allow IP any any

Easy!!!

I want to allow this scanner to ping and tcp/udp scan all hosts in the guest subnet without allowing the guest subnet to send any traffic back to the scanner. Guest subnet is on a lower sec interface. I am thinking a simple ACL as follows outbound on the guest subinterface

Allow IP (Scanner) Any

Deny IP (CorporateSubnets) ANY

My rationale is that the scanner can access all hosts on the guest subnet through this ACL. The inbound ACL prevents access to the corp. subnets and internet access is not an issue because of the 'Allow IP any any' in the inbound ACL.

I am looking at the MPF for a solution also, but would appreciate anyone's help, thoughts, and even real-world experience of the problem.

Regards

Stephen

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful

4 Replies

Jennifer Halim
Cisco Employee

Happy New Year to you too...

I understand that you would like the port scanner to scan the guest subnets, however, I don't understand your statement on "without allowing the guest subnet to send any traffic back to the scanner."

Would you like to perform a successful port scan or you would actually like to block port scan towards the guest subnets?

The reason why I ask is because ASA is performing a stateful connection, i.e. ACL is only required on the direction of where the traffic is initiated from, and the return traffic will be allowed through. So if your port scan is scanning the guest subnets, the return traffic from guest subnets towards the port scan will be allowed through. However, if you don't configure ACL to allow guest subnet to initiate connection to port scan, the guest subnet will not have access to initiate connection towards the port scan.

Hope that makes sense.

Thanks for the reply Jennifer.

I guess, by "without allowing the guest subnet to send any traffic back to the scanner." I mean that the guest hosts should not be able to initiate 'any' type of connection back to the corporate network. The current config ensures this.

I need to perform a successful port scan into the guest subnet.

I think I pretty much understand the statefulness aspect of the firewall, but I had some doubts when reading up on the application inspection element. The port scanner would have to scan all ports, and conduct ICMP sweeps. With an ACL allowing the scanner to scan and sweep in one direction, i.e. from it towards the guest subnet

Allow ip [scanner] any --> outbound on the guest subinterface

will default application inspection allow this, or is there a need to reconfigure application inspection to allow TCP/UDP application inspection to permit a successful port scan? I hope this makes sense?

More concisely, will default application inspection allow a port scan to complete, completely?

As an add-on, if I need to edit inspection to allow the port scan, can I lock it down to a single host?

i.e. TCP/UDP inspection from [scanner] only

Maybe I'm going too far into this, in relation to application inspection, but I'm just not sure.

Thanks again

Stephen


Yes, if the current configuration already ensures that guest subnet can't access port scanner, then it won't be able to initiate connection towards the port scanner.

So in summary, you have both inbound and outbound ACL applied to all interfaces?

Assuming you have the following:

Port scanner interface: inbound and outbound ACL

Guest interface: inbound and outbound ACL

To allow port scanner to scan guest interface, you must have the following:

Inbound ACL on port scanner interface: access-list permit ip host

Outbound ACL on guest interface: needs to have exactly the same configuration as above:

access-list permit ip host

Assuming that outbound ACL on port scanner interface and inbound ACL on guest interface is configured to not allow connection from guest network towards port scanner network.

Further to that, if you configure "IP" that would include ICMP, TCP and UDP protocols.
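The two answers above (the stateful-return point in the first reply, and the matching inbound permit on the scanner interface plus outbound permit on the guest interface in the accepted solution) written out as ASA configuration, with the checks a practitioner would run before trusting it. This is an added example and not configuration from the thread or from Cisco: the interface names (inside, guest), the addresses (scanner 10.1.1.50, guest subnet 192.168.50.0/24, corporate space 10.0.0.0/8) and the ACL names are assumptions, and the guest NAT for Internet access is assumed to exist already.

```cisco
! Added example; not from the thread. All names and addresses are assumptions:
!   interface inside (higher security level) hosts the scanner at 10.1.1.50
!   interface guest  (lower security level) is the guest subnet 192.168.50.0/24
!   corporate address space is 10.0.0.0/8
! NAT for guest outbound Internet access is assumed to exist and is not shown.

! Guest interface, inbound (traffic arriving from guest hosts).
! Guest hosts may not initiate anything toward corporate space; everything
! else (Internet) is allowed. This is the rule that stops guests from
! opening connections back to the scanner.
access-list GUEST_IN extended deny ip 192.168.50.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list GUEST_IN extended permit ip any any
access-group GUEST_IN in interface guest

! Guest interface, outbound (traffic leaving the ASA toward guest hosts).
! Only the scanner may initiate sessions into the guest subnet. "ip" covers
! ICMP sweeps as well as TCP and UDP scans. The explicit deny for corporate
! space documents the intent; the implicit deny at the end of the list
! drops any other newly initiated traffic toward the guest subnet.
access-list GUEST_OUT extended permit ip host 10.1.1.50 192.168.50.0 255.255.255.0
access-list GUEST_OUT extended deny ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0
access-group GUEST_OUT out interface guest

! Inside interface, inbound: the same permit as in GUEST_OUT, so the scan
! is allowed where it is initiated. The trailing permit is an assumption
! about the existing corporate policy; keep whatever is already there.
access-list INSIDE_IN extended permit ip host 10.1.1.50 192.168.50.0 255.255.255.0
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside

! ICMP is not tracked statefully unless ICMP inspection is enabled, so the
! echo replies from a ping sweep would otherwise be evaluated by GUEST_IN
! and denied. Enable it in the default global policy.
policy-map global_policy
 class inspection_default
  inspect icmp

! Checks.
! A scanner-initiated TCP probe toward a guest host should be allowed:
packet-tracer input inside tcp 10.1.1.50 40000 192.168.50.20 443
! A scanner-initiated echo request should be allowed as well:
packet-tracer input inside icmp 10.1.1.50 8 0 192.168.50.20
! A guest-initiated connection toward the scanner must be dropped by GUEST_IN
! (the return traffic of the scan itself is matched to the existing
! connection entry and is not affected by this):
packet-tracer input guest tcp 192.168.50.20 40000 10.1.1.50 22
! Sessions created by a running scan can be watched with:
show conn address 10.1.1.50
```

The three packet-tracer commands are the part worth keeping around: the first two confirm the scan can start, and the third confirms that the only path from guest toward the scanner is the stateful return of a session the scanner opened.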

Thanks Jennifer.

Needed clarity on this and your info helped.

Regards

Stephen
