01-28-2014 02:38 AM - edited 03-11-2019 08:36 PM
Hello Everyone.
I am pretty new to this networking stuff so please forgive my ignorance. I have been going through material for days now to try and get up to speed on setting up our small office network, which is one job I have been given.
Our small office is using a 5505, and is hosting a web server and an FTP server on separate inside addresses, with one outside address. We also have a second outside address which I hope to use for setting up our NAS server.
Now I have set up the NAT rules for my two servers via ASDM, and understand that the top rules are used first. I have set up PAT for the HTTP service on my web server, so any http traffic is sent there first, then the ftp server is catching the rest of the traffic.
This works and both servers are running, along with my internal computers having net access. Now my issue is that I have set up Access rules for these services, but they aren't controlling the traffic to any degree; I can turn them off and on and traffic to my servers is still persistent.
I imagine that the issue is that my global access rule is permitting all traffic in and out, and this overrides my service specific rules?
Please see the photos and let me know. I don't want to dive into the global setting without knowing exactly what I need to change as it is a live network, but if some advice could be given on the proper global access rules to allow my internal computers access to outside, and control the flow of traffic to the web servers, I would be grateful!
I am working in the ASDM at the moment as this is the best way for me to visualise what is happening, so if any recommendations could be translated into those terms rather than CLI that would be appreciated.
Kind regards,
William.
02-03-2014 01:53 AM
The permit IP any any on the global ACL is a very dangerous configuration. The global ACL applies access control inbound on all interfaces...which is why you are seeing no matches on the HTTP and FTP rules you have created.
Did you set up this ASA? Or did you inherit it? The global permit any any command should be removed and only an implicit deny any any should be present. All other permits should be done on a per-interface basis.
Before you remove it, analyze your network and make sure that all traffic is defined with correct permissions. If you only need traffic from higher to lower security levels then make sure that your inside interface has a higher security level than your outside interface (as it always should).
Or you could be a little adventurous and remove it and see if people start panicking
--
Please remember to rate and select a correct answer
02-03-2014 02:03 AM
Hello,
Thank you so much for the reply! Ahh okay, well that makes sense. This is an inherited system; we are looking to hire some network guys asap but for now it is me and my very limited knowledge..
So if I put a Global implicit deny any any, all traffic will fall back onto that if it doesn't match any of the other rules.
Then to allow the office guys to have internet access what would the best setting be to stay secure?.... I can put an inside interface to outside interface rule allowing IP traffic out?...
And then set up my other servers with the correct rules?
02-03-2014 02:12 AM
Basically the permit any any you have in global is allowing all internet traffic into your network...nothing is being denied. All you need to do is remove the permit any any (or at the least disable it)...the implicit deny will take effect automatically.
Then to allow the office guys to have internet access what would the best setting be to stay secure?.... I can put an inside interface to outside interface rule allowing IP traffic out?...
And then set up my other servers with the correct rules?
By default traffic is permitted from a higher security level interface to a lower security level interface. So again, without having seen your configuration, your inside interface should have a security level of 100 and your outside should be set to 0. Now if you do not have any ACLs configured on an interface then the security level will play its part. If you have configured an ACL then it is the ACL that counts and the security level does nothing. I hope I explained that well enough?
So in short. Remove the permit IP any any on the global ACL. Add specific rules to the outside interface for traffic you want to allow in to your network, and add NAT statements that correspond to these services also. As long as your inside interface has a security level that is higher than that of the outside interface...and there are no ACLs configured on the inside interface, then traffic from inside to outside will be permitted.
If you would like us to take a look at your configuration please post a sanitised config here and we will give you feedback.
Go to Tools in the menu bar and select CLI, enter the command show run and post the output here....if you need further help, that is. Sanitised means remove passwords and public IPs.
--
Please remember to rate and select a correct answer
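The CLI equivalent of the changes Marius describes, written up here as an added example (not the poster's configuration, not output from this thread); it assumes ASA 8.3+ object-NAT syntax, the 5505's Vlan1/Vlan2 interfaces, and placeholder inside addresses 10.0.0.10 (web) and 10.0.0.11 (FTP):

```cisco
! Added example, not the poster's or Cisco's own config. ASA 8.3+ syntax
! assumed; 10.0.0.x addresses are placeholders for the inside servers.
!
! --- Before: the dangerous state described in the thread ---
! The global ACL is evaluated inbound on every interface, so this one line
! admits all Internet traffic and makes every per-service rule below it moot.
access-list global_access extended permit ip any any
access-group global_access global
!
! --- After: remove the global permit; the implicit deny any any remains ---
! (In ASDM this is deleting the "any any permit" row in the Global rules.)
no access-list global_access extended permit ip any any
!
! Inside (100) to outside (0) still flows purely by security level, because
! no ACL is applied to the inside interface.
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
!
! Each published server is a network object carrying its own static PAT
! (port forward) to the single outside interface address.
object network WEB-SERVER
 host 10.0.0.10
 nat (inside,outside) static interface service tcp www www
object network FTP-SERVER
 host 10.0.0.11
 nat (inside,outside) static interface service tcp ftp ftp
!
! Outbound PAT for the office PCs (assumed to exist already in some form).
object network INSIDE-LAN
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Outside interface ACL: admit only the two published services, matched on
! the servers' real inside addresses (post-8.3 rule). Anything else from the
! Internet hits the implicit deny at the end of this list.
access-list outside_access_in extended permit tcp any object WEB-SERVER eq www
access-list outside_access_in extended permit tcp any object FTP-SERVER eq ftp
access-group outside_access_in in interface outside
```

After applying this, the hit counters on the outside_access_in rules in ASDM should start incrementing, which is the quickest check that the interface ACL rather than the global ACL is now making the decision. The default global service policy already includes inspect ftp, which is what lets the FTP data channel through without a wider rule.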
02-03-2014 02:17 AM
Marius,
You are a great help, thank you so much, I fully understand I think. I will have a play with it tonight when the guys are not in work so I don't get shouted at and interfere with what they are doing. For now I have swapped over to a backup which is locked down and managed by the ISP, but doesn't allow us to host any servers etc.
Best regards,
02-03-2014 03:19 AM
Let us know if you need any further help
--
Please remember to rate and select a correct answer