05-07-2013 04:16 AM - edited 03-11-2019 06:39 PM
Hi guys,
I'm a newbie in FW matters. I need to apply some filters between our corporate network and our industrial networks (FTP traffic and some special ports for telnet matters). For that I'm using an ASA 5510, building an EtherChannel with 3 of its Fa interfaces. On the main port-channel I set the corporate network access with a higher security level, and then I created a few sub-interfaces, each one with a different VLAN and a lower security level.
Then I used some NAT configuration in order to go from the industrial network to some specific FTP server in the corporate network.
When I try to use an ACL just to permit the FTP traffic inbound on the corporate interface, all traffic is dropped by the global implicit rule that denies any-to-any traffic.
What can I do to enable the FTP traffic?
Regards,
G.Fuentes
Sent from Cisco Technical Support iPhone App
05-07-2013 06:12 AM
Hi,
It would be easier to go through this seeing the configurations.
You say that you have configured an EtherChannel between the ASA and some other device. This means that you are at least using software level 8.4(1).
This in turn means that you don't need any NAT configurations between your local interfaces UNLESS you specifically want to NAT some IP addresses or networks to something else.
With the ACLs it's important to remember that when your software level is equal to or above 8.3(1), you always use the host's real IP address in the ACL rules even if you have configured NAT for it.
- Jouni
05-07-2013 08:16 PM
Hello Jouni,
I'm sorry, my scenario is:
- The EtherChannel is connected to an HP ProCurve switch
- ASA version: 9.0(2)
- ASDM version 7.1(2)
In fact, for my FTP server destination I set up a network object and I used it to create the ACL rule; in that case must I forget it and create the ACL using the real IP address? Regarding security levels, is it better to set a higher security level on my corporate network interface and leave a lower security level on the industrial network interfaces, or maybe set the same security level for all of them? On the other hand, do I need to enable the traffic between interfaces with the same security level, or isn't it necessary?
Many thanks in advance for your comments.
G.FUENTES.-
Sent from Cisco Technical Support iPad App
05-07-2013 08:25 PM
Hi,
I personally would forget about the "security-level" values and just configure ACL for each interface and allow the connections which need to be allowed.
If you rely simply on the "security-level" value then you can consider it an "Allow all or Deny all traffic" setup.
You either allow all connections from one interface to another or block all traffic from one interface to another. Meaning that higher "security-level" interfaces (or rather the networks behind them) can connect to any network located on a less secure interface of the ASA. Also, all traffic from a lower "security-level" interface to a higher "security-level" interface would be blocked.
Eventually, to create a good access policy you will need to configure an ACL, and at that point the "security-level" value loses its meaning. As soon as the ACL is attached to the interface, it starts to control what is allowed and what is blocked. The "security-level" won't determine that anymore.
With regards to the actual ACL, you can use "object network" or "object-group" to hold the IP addresses or networks for which you want to deny or allow traffic. I just mean that if you are using some NAT configurations on the ASA then you should always use the real/original IP address of the host in the ACL rules instead of the NAT IP address.
It would be easier to check the reason for the problem if we
- Jouni
05-07-2013 08:45 PM
Hi,
Just to clarify about security level: I can leave e.g. 0 for all interfaces and set the security through ACLs, am I correct? Well, in that scenario I did the test, I mean all interfaces with the same security level, ACL using the real IP address through network objects, and the packet is always dropped by the implicit ACL because the ACL that I made doesn't match.
I created the ACL rule on my corporate network interface in the "in" direction, permitting the traffic from one of my industrial networks to my FTP server, and the result is the same as I described above.
What am I missing?
Sent from Cisco Technical Support iPad App
05-07-2013 08:53 PM
Hi,
There are a couple of special settings on the ASA related to the "security-level" that always apply.
If you have traffic between interfaces with equal "security-level" you will need
same-security-traffic permit inter-interface
If you have traffic that is entering an ASA interface and leaves through the same interface then you need
same-security-traffic permit intra-interface
Though the latter one is usually used with VPN connections that need to enter the ASA through "outside" and leave to the Internet (or another L2L VPN remote site) through the "outside"
I personally configure LAN interfaces usually with "security-level 100" and WAN interfaces with "security-level 0".
- Jouni
05-07-2013 09:07 PM
Hi,
I got it. In my case all interfaces will be like a LAN; the ASA will be used to protect our corporate network because the industrial one doesn't have any protection in terms of antivirus, OS patches, etc. For that reason I need to permit only FTP and some IP ports from industrial to corporate, nothing else. In this scenario, do I need to apply some ACL on the industrial interface for outbound traffic?
I'm sorry if my questions are too basic.
Regards,
G.FUENTES.-
Sent from Cisco Technical Support iPad App
05-07-2013 09:53 PM
Well,
We have for example had some simple firewall configurations between Automation and Office networks.
There might be an ASA with no NAT configurations at all and we only allow certain traffic in and certain traffic out.
Basically your ACL can look like this with just FTP:
access-list INDUSTRIAL-IN remark Allow FTP to Corporate Network
access-list INDUSTRIAL-IN permit tcp host
access-list INDUSTRIAL-IN remark Deny All other traffic
access-list INDUSTRIAL-IN deny ip
If you wanted to add DNS to some internal or external server then it could be:
access-list INDUSTRIAL-IN remark Allow FTP and DNS to Corporate Network
access-list INDUSTRIAL-IN permit tcp host
access-list INDUSTRIAL-IN permit udp host
access-list INDUSTRIAL-IN remark Deny All other traffic
access-list INDUSTRIAL-IN deny ip
In the same way you could open services between hosts or even networks if you needed.
You would also need to attach the ACL to the interface with the command
access-group INDUSTRIAL-IN in interface industrial
Of course the names of the ACL and interface might be something else.
But to be honest, as I don't know your current NAT and ACL configurations, I can't really help you if you still have problems with the FTP connection through the firewall.
- Jouni
05-09-2013 06:02 PM
Hi Jouni,
I followed your advice but it doesn't work. Please see my configuration below:
ASA Version 9.0(2)
!
hostname ASA-CO0011-VASCH-01
enable password 792XWCseaD5YPLGJ encrypted
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session permit tcp any4 any4
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
channel-group 20 mode active
no nameif
no security-level
no ip address
!
interface Ethernet0/1
channel-group 20 mode active
no nameif
no security-level
no ip address
!
interface Ethernet0/2
channel-group 20 mode active
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Port-channel20
nameif SG_Net
security-level 0
ip address 10.200.5.19 255.255.255.0
!
interface Port-channel20.40
description VLAN for YK DCS
vlan 40
nameif YOK_VLAN
security-level 100
ip address 192.168.30.1 255.255.255.0
!
interface Port-channel20.50
description VLAN for BT Line
vlan 50
nameif BOT_VLAN
security-level 100
ip address 192.168.40.1 255.255.255.192
!
interface Port-channel20.60
vlan 60
nameif COG_VLAN
security-level 0
ip address 192.168.50.1 255.255.255.192
!
boot system disk0:/asa902-k8.bin
ftp mode passive
clock timezone COST -5
object service SMQF_YK_Connect
service tcp destination range 10300 10310
object network obj-192.168.30.30
host 192.168.30.30
object network obj-192.168.30.2
host 192.168.30.2
object network obj-192.168.30.3
host 192.168.30.3
object network SG_Antares_SMQF_Server
host 10.200.5.22
description Antares SMQF Server
object network YK_FTP
host 192.168.30.30
object network obj-192.168.40.2
host 192.168.40.2
object network SG_FIS_Server
host 10.200.5.20
description FIS Server for labeling
object service ANTARES_CG_Connnect
service tcp destination range 20301 20302
object network obj-192.168.50.3
host 192.168.50.3
object-group icmp-type ping-service
description allow ping
icmp-object echo
object-group service grp_SMQF tcp
port-object range 10300 10310
object-group service grp_ANTARES_CG tcp
port-object range 20301 20302
access-list ACL_SMQF extended permit object SMQF_YK_Connect 192.168.30.0 255.255.255.0 object SG_Antares_SMQ
access-list ACL_SMQF extended permit tcp 192.168.30.0 255.255.255.0 object SG_Antares_SMQF_Server eq ftp
access-list ACL_FIS extended permit tcp 192.168.40.0 255.255.255.192 object SG_FIS_Server eq ftp
access-list ACL_COGX extended permit tcp 192.168.50.0 255.255.255.192 object SG_Antares_SMQF_Server object
access-list ACL_COGX-IN remark Allow TCP Ports 20301-20302 to SGNet
access-list ACL_COGX-IN extended permit tcp host 192.168.50.2 host 10.200.5.22 eq 20301
access-list ACL_COGX-IN extended permit tcp host 192.168.50.2 host 10.200.5.22 eq 20302
access-list ACL_COGX-IN extended permit tcp host 192.168.50.3 host 10.200.5.22 eq ftp
access-list ACL_COGX-IN remark Deny All other trafic
access-list ACL_COGX-IN extended deny ip 192.168.50.0 255.255.255.192 any
access-list ACL_ANTARES extended permit ip 192.168.40.0 255.255.255.192 object SG_Antares_SMQF_Server
pager lines 24
logging enable
logging asdm debugging
mtu management 1500
mtu SG_Net 1500
mtu YOK_VLAN 1500
mtu BOT_VLAN 1500
mtu COG_VLAN 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj-192.168.30.30
nat (YOK_VLAN,SG_Net) static 10.200.5.225 net-to-net
object network obj-192.168.30.2
nat (YOK_VLAN,SG_Net) static 10.200.5.225 net-to-net
object network obj-192.168.30.3
nat (YOK_VLAN,SG_Net) static 10.200.5.225 net-to-net
object network obj-192.168.40.2
nat (BOT_VLAN,SG_Net) static 10.200.5.226 net-to-net
access-group ACL_COGX-IN in interface COG_VLAN
route SG_Net 0.0.0.0 0.0.0.0 10.200.5.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.201.1.39 source SG_Net prefer
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e64886d2e1d1e3449721b3aa0944bfd0
: end
ASA Version 9.0(2)
!
hostname ASA-CO0011-VASCH-01
enable password 792XWCseaD5YPLGJ encrypted
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session permit tcp any4 any4
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
channel-group 20 mode active
no nameif
no security-level
no ip address
!
interface Ethernet0/1
channel-group 20 mode active
no nameif
no security-level
no ip address
!
interface Ethernet0/2
channel-group 20 mode active
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Port-channel20 (Corporate)
nameif SG_Net
security-level 0
ip address 10.200.5.19 255.255.255.0
!
interface Port-channel20.40
description VLAN for YK DCS
vlan 40
nameif YOK_VLAN
security-level 100
ip address 192.168.30.1 255.255.255.0
!
interface Port-channel20.50
description VLAN for BT Line
vlan 50
nameif BOT_VLAN
security-level 100
ip address 192.168.40.1 255.255.255.192
!
interface Port-channel20.60 (Industrial)
vlan 60
nameif COG_VLAN
security-level 0
ip address 192.168.50.1 255.255.255.192
!
boot system disk0:/asa902-k8.bin
ftp mode passive
clock timezone COST -5
object service SMQF_YK_Connect
service tcp destination range 10300 10310
object network obj-192.168.30.30
host 192.168.30.30
object network obj-192.168.30.2
host 192.168.30.2
object network obj-192.168.30.3
host 192.168.30.3
object network SG_Antares_SMQF_Server
host 10.200.5.22
description Antares SMQF Server
object network YK_FTP
host 192.168.30.30
object network obj-192.168.40.2
host 192.168.40.2
object network SG_FIS_Server
host 10.200.5.20
description FIS Server for labeling
object service ANTARES_CG_Connnect
service tcp destination range 20301 20302
object network obj-192.168.50.3
host 192.168.50.3
object-group icmp-type ping-service
description allow ping
icmp-object echo
object-group service grp_SMQF tcp
port-object range 10300 10310
object-group service grp_ANTARES_CG tcp
port-object range 20301 20302
access-list ACL_SMQF extended permit object SMQF_YK_Connect 192.168.30.0 255.255.255.0 object SG_Antares_SMQ
access-list ACL_SMQF extended permit tcp 192.168.30.0 255.255.255.0 object SG_Antares_SMQF_Server eq ftp
access-list ACL_FIS extended permit tcp 192.168.40.0 255.255.255.192 object SG_FIS_Server eq ftp
access-list ACL_COGX extended permit tcp 192.168.50.0 255.255.255.192 object SG_Antares_SMQF_Server object
access-list ACL_COGX-IN remark Allow TCP Ports 20301-20302 and ftp to SGNet
access-list ACL_COGX-IN extended permit tcp host 192.168.50.3 host 10.200.5.22 eq 20301
access-list ACL_COGX-IN extended permit tcp host 192.168.50.3 host 10.200.5.22 eq 20302
access-list ACL_COGX-IN extended permit tcp host 192.168.50.3 host 10.200.5.22 eq ftp
access-list ACL_COGX-IN remark Deny All other trafic
access-list ACL_COGX-IN extended deny ip 192.168.50.0 255.255.255.192 any
access-list ACL_ANTARES extended permit ip 192.168.40.0 255.255.255.192 object SG_Antares_SMQF_Server
pager lines 24
logging enable
logging asdm debugging
mtu management 1500
mtu SG_Net 1500
mtu YOK_VLAN 1500
mtu BOT_VLAN 1500
mtu COG_VLAN 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj-192.168.30.30
nat (YOK_VLAN,SG_Net) static 10.200.5.225 net-to-net
object network obj-192.168.30.2
nat (YOK_VLAN,SG_Net) static 10.200.5.225 net-to-net
object network obj-192.168.30.3
nat (YOK_VLAN,SG_Net) static 10.200.5.225 net-to-net
object network obj-192.168.40.2
nat (BOT_VLAN,SG_Net) static 10.200.5.226 net-to-net
access-group ACL_COGX-IN in interface COG_VLAN
route SG_Net 0.0.0.0 0.0.0.0 10.200.5.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.201.1.39 source SG_Net prefer
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e64886d2e1d1e3449721b3aa0944bfd0
: end
When I check the log viewer, following the source IP, the message is:
Syslog ID: 106001
Description: Inbound TCP Connection denied from 192.168.50.2/1065 to 10.200.5.22/21 flags SYN on interface COG_VLAN
I'll appreciate your comments about it.
Kind Regards,
G.FUENTES.-
05-09-2013 06:10 PM
Hi,
Your log message refers to the source IP address of 192.168.50.2.
Though it seems you have allowed traffic only for the source IP address 192.168.50.3.
- Jouni
05-09-2013 06:15 PM
Actually,
It seems your source and destination interface are of the same "security-level 0"
Can you add the following configuration
same-security-traffic permit inter-interface
Or you can change the "security-level" value of the source interface (for example) to something other than "0" and it should probably work.
- Jouni
05-09-2013 06:25 PM
In fact I tried with that configuration and nothing happened. Same result. I don't know if it is necessary to put some static route, maybe.
Sent from Cisco Technical Support iPad App
05-09-2013 06:29 PM
Hi,
Can you take the output of this command
packet-tracer input COG_VLAN tcp 192.168.50.3 12345 10.200.5.22 21
This would simulate the packet coming from the specified source interface with the specified protocol with the mentioned source/destination IP addresses and ports. It's a great tool to find out what the firewall WOULD do to a connection and IS doing at the moment.
With regards to your current setup it seems that there is no NAT configured for the source host 192.168.50.3
This would mean that the FTP server should have a route towards the network 192.168.50.0/24 that in the end is found through the interface IP address of the ASA interface named SG_Net
Or alternatively you could use Dynamic PAT or Static NAT to translate it to the destination interfaces connected networks IP address (if that is a network that the FTP server has a route for)
- Jouni
05-09-2013 06:50 PM
I'll check it. For now, is the access-group correctly applied on the industrial interface, or must it be applied on the corporate interface?
Sent from Cisco Technical Support iPad App
05-09-2013 07:20 PM
Hi,
The ACL is now attached to the interface COG_VLAN in the direction "in", so it should be controlling traffic incoming from network 192.168.50.0/26 to other networks.
But coming back to the "security-level":
You will have to have either the "same-security-traffic permit inter-interface" command or change the "security-level" values so that they are not equal to each other.
Can you copy/paste the output of the above "packet-tracer" command here? It should tell us if the ASA configurations are OK.
Also one configuration that hits my eye is the fact that the SG_Net interface is configured directly on the Port-channel20 interface. I would configure it as its own VLAN ID as a sub-interface of Po20.
- Jouni
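To make the three rules that run through this thread concrete (interfaces with equal security levels need "same-security-traffic permit inter-interface", an ACL bound "in" on the ingress interface takes over from the security-level rule, and the permit entry has to name the real source host), here is an added Python model of those checks run against the posted configuration and the flow from the syslog 106001 message. This is example code written for this page, not Cisco's code or anything posted in the thread. It assumes a simplified order of checks (same-security rule, then the ingress ACL or the implicit rule), it does not model NAT, inspection or static routes, its parser only understands the plain host/network/any ACE forms used in ACL_COGX-IN, and the configuration string is a constructed excerpt of the posted config (objects and remarks left out).

```python
from __future__ import annotations

import ipaddress
from collections import namedtuple
from dataclasses import dataclass

# Constructed input: the posted config lines that decide the dropped FTP flow, trimmed
# to the syntax the small parser below understands (objects and remarks left out).
POSTED_CONFIG = """
interface Port-channel20
 nameif SG_Net
 security-level 0
 ip address 10.200.5.19 255.255.255.0
interface Port-channel20.60
 nameif COG_VLAN
 security-level 0
 ip address 192.168.50.1 255.255.255.192
access-list ACL_COGX-IN extended permit tcp host 192.168.50.3 host 10.200.5.22 eq 20301
access-list ACL_COGX-IN extended permit tcp host 192.168.50.3 host 10.200.5.22 eq 20302
access-list ACL_COGX-IN extended permit tcp host 192.168.50.3 host 10.200.5.22 eq ftp
access-list ACL_COGX-IN extended deny ip 192.168.50.0 255.255.255.192 any
access-group ACL_COGX-IN in interface COG_VLAN
route SG_Net 0.0.0.0 0.0.0.0 10.200.5.1 1
"""
NAMED_PORTS = {"ftp": 21, "telnet": 23, "domain": 53, "www": 80, "https": 443}
# One ACL entry: action permit|deny, proto ip|tcp|udp, src/dst networks, dport (None = any), text as written.
Ace = namedtuple("Ace", "action proto src dst dport text")


@dataclass
class Iface:
    name: str
    level: int = 0
    network: ipaddress.IPv4Network | None = None


def _addr(t: list[str]) -> tuple[ipaddress.IPv4Network, int]:
    """Parse one ACL address spec (any | host A | NET MASK); return it and the tokens consumed."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if t[0] == "host":
        return ipaddress.ip_network(t[1] + "/32"), 2
    return ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False), 2


class Asa:
    """Same-security rule first, then the inbound ACL on the ingress interface (or the implicit
    security-level rule when none is bound). NAT, inspection and static routes are not modelled."""

    def __init__(self, config: str) -> None:
        self.ifaces: dict[str, Iface] = {}
        self.acls: dict[str, list[Ace]] = {}
        self.groups: dict[str, str] = {}            # ingress nameif -> ACL bound with "in"
        self.same_security_inter = False
        self.default_egress: str | None = None
        cur: Iface | None = None
        for t in map(str.split, config.splitlines()):
            if not t:
                continue
            if t[0] == "interface":
                cur = Iface(name=t[1])                  # renamed by the nameif that follows
            elif t[0] == "nameif" and cur:
                cur.name, self.ifaces[t[1]] = t[1], cur
            elif t[0] == "security-level" and cur:
                cur.level = int(t[1])
            elif t[:2] == ["ip", "address"] and cur:
                cur.network = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
            elif t[0] == "access-list" and t[2] == "extended":
                src, n = _addr(t[5:])
                dst, m = _addr(t[5 + n:])
                rest = t[5 + n + m:]
                dport = (NAMED_PORTS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
                self.acls.setdefault(t[1], []).append(Ace(t[3], t[4], src, dst, dport, " ".join(t)))
            elif t[0] == "access-group" and t[2] == "in":
                self.groups[t[4]] = t[1]
            elif t[:3] == ["same-security-traffic", "permit", "inter-interface"]:
                self.same_security_inter = True
            elif t[0] == "route" and t[2] == t[3] == "0.0.0.0":
                self.default_egress = t[1]

    def egress_for(self, dst: ipaddress.IPv4Address) -> Iface:
        """Connected network with the longest prefix, else the default route's interface."""
        hits = [i for i in self.ifaces.values() if i.network and dst in i.network]
        return max(hits, key=lambda i: i.network.prefixlen) if hits else self.ifaces[self.default_egress]

    def evaluate(self, ingress: str, proto: str, src: str, dst: str, dport: int) -> tuple[str, str]:
        """Return ("permit" | "drop", reason) for a new flow arriving on `ingress`."""
        ing, s, d = self.ifaces[ingress], ipaddress.ip_address(src), ipaddress.ip_address(dst)
        egr = self.egress_for(d)
        if egr.name != ing.name and egr.level == ing.level and not self.same_security_inter:
            return "drop", (f"{ing.name} and {egr.name} both have security-level {ing.level} "
                            "and same-security-traffic permit inter-interface is not configured")
        acl = self.groups.get(ing.name)
        if acl is None:                                 # nothing bound: security levels decide
            return ("permit", "implicit rule: higher to lower security-level") if ing.level > egr.level \
                else ("drop", "implicit rule: lower to higher security-level with no ACL permitting it")
        for ace in self.acls.get(acl, []):             # first matching entry wins
            if ace.proto in (proto, "ip") and s in ace.src and d in ace.dst and ace.dport in (None, dport):
                return ("permit" if ace.action == "permit" else "drop"), "matched: " + ace.text
        return "drop", f"implicit deny at the end of {acl}"
```

Calling `Asa(POSTED_CONFIG).evaluate("COG_VLAN", "tcp", "192.168.50.2", "10.200.5.22", 21)` reproduces the denied flow from the syslog: both interfaces sit at security-level 0 and the inter-interface command is missing, so the flow never reaches the ACL. Re-running after appending "same-security-traffic permit inter-interface" to the config moves the decision to ACL_COGX-IN, where 192.168.50.2 hits the explicit deny line and only 192.168.50.3 gets FTP and ports 20301-20302 through; that is the same two-step answer the replies above give, and the real packet-tracer command on the box is the way to confirm it.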