03-05-2016 07:55 AM - edited 03-12-2019 12:26 AM
Hello Everyone.
I have a question regarding ASA 5505 firewall.
Outbound interface has sec level 0:
interface Vlan10
nameif outside
security-level 0
Created acl to filter site-to-site traffic and triggered tunnel filtering:
no sysopt connection permit-vpn
object network ipsec_subnet
subnet 192.168.11.0 255.255.255.248
access-list l2l-filter extended permit icmp any any
access-list l2l-filter extended permit tcp any object ipsec_subnet eq www
access-list l2l-filter extended permit tcp any object ipsec_subnet eq https
access-list l2l-filter extended permit tcp any object ipsec_subnet eq ftp
access-group l2l-filter in interface outside
Since I have only worked with routers so far, my understanding is that in theory IPsec peers should not be able to establish IPsec tunnels with the ASA, because I did not allow inbound UDP 500, 4500 or ESP in the l2l-filter ACL, but in reality the tunnels are working.
Can you please explain why the inbound ACL on the outside interface allows incoming IPsec connections?
Thank you
Regards,
Alex
03-05-2016 09:23 AM
Hi Alex,
Access-Lists applied to interfaces control traffic flowing through the ASA. To control traffic to the ASA you use Access-Lists with the control-plane option.
You may use control-plane access-list to filter the VPN connections to the ASA by blocking UDP 500,4500 or ESP.
For example:
ciscoasa(config)# access-list FILTER-VPN deny udp host host eq 500
ciscoasa(config)# access-list FILTER-VPN permit ip any any
ciscoasa(config)# access-group FILTER-VPN in interface outside control-plane
The access list applied on the ASA by default using the access-group command only filters traffic passing THROUGH the ASA; it does not filter traffic TO the ASA. In short, we can say that the default access list applies to the data-plane not the control plane. There is an option that allows us to specify that an applied access list should be used for traffic destined to the ASA itself using the “control-plane” keyword in the access-group command.
Regards,
Aditya
Please rate helpful posts.
03-05-2016 11:54 AM
Hi Aditya,
Thank you for the explanation! I have modified my configuration.
Added ACL
access-list Inbound_Filter extended permit icmp any any echo
access-list Inbound_Filter extended permit icmp any any echo-reply
access-list Inbound_Filter extended deny ip any any
Applied ACL with "control-plane" option
access-group Inbound_Filter in interface outside control-plane
But ipsec peers still can connect.
Here is my routing table.
5505(config)# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 10.3.1.1 to network 0.0.0.0
C 192.168.11.0 255.255.255.248 is directly connected, ipsec
C 10.3.1.0 255.255.255.0 is directly connected, outside
C 192.168.2.0 255.255.255.0 is directly connected, mgmt
S* 0.0.0.0 0.0.0.0 [1/0] via 10.3.1.1, outside
Pinging my default gateway
5505(config)# ping 10.3.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
But I do not see any matches/hits on applied ACL:
5505(config)# sho access-list Inbound_Filter
access-list Inbound_Filter; 3 elements; name hash: 0x61bc98a6
access-list Inbound_Filter line 1 extended permit icmp any any echo (hitcnt=0) 0x007dc0fa
access-list Inbound_Filter line 2 extended permit icmp any any echo-reply (hitcnt=0) 0x6762f5f4
access-list Inbound_Filter line 3 extended deny ip any any (hitcnt=0) 0xf59102e3
Software version:
5505# sho version
Cisco Adaptive Security Appliance Software Version 9.1(4)
Can you please advise what I am doing wrong?
Thank you
Best regards,
Alex
03-05-2016 02:01 PM
Answering my own question above.
Don't try to compare ASA rules with router ones. For some reason, even if you set deny ip any any it will still allow incoming connections; the ASA does not care. ICMP, HTTP and SSH are filtered the other way around.
I have modified my ACL, specified udp ports:
access-list Inbound_Filter line 2 extended deny object-group IPSEC any any (hitcnt=7) 0x5697f160
access-list Inbound_Filter line 2 extended deny esp any any (hitcnt=7) 0xbd4f4649
access-list Inbound_Filter line 2 extended deny ah any any (hitcnt=0) 0x0104ee40
access-list Inbound_Filter line 2 extended deny udp any any eq isakmp (hitcnt=0) 0x11afb0c0
access-list Inbound_Filter line 2 extended deny udp any any eq 4500 (hitcnt=0) 0xe07ed8e3
As a result, for some unknown reason, the tunnels are active, but there is no traffic in the tunnel since ESP is blocked.
Can you please advise how to block incoming UDP traffic?
Thank you
Regards,
Alex
03-05-2016 07:00 PM
Hi Alex,
The only way to block the UDP 500 traffic is to use a control-plane ACL.
We even see hits on the
access-list Inbound_Filter line 2 extended deny object-group IPSEC any any (hitcnt=7)
Did you try clearing the connection?
Use 'clear conn all address <addr>' to clear up the connection.
Regards,
Aditya
Please rate helpful posts.
03-09-2016 10:55 AM
Hi Aditya,
Indeed, after clearing connections everything worked like a charm.
Thank you for advice.
Best regards,
Alex
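The two behaviours this thread turns on (an interface ACL only filters traffic passing through the ASA while a control-plane ACL filters traffic to the ASA itself, and an already established connection keeps flowing until it is removed from the conn table with clear conn) can be modelled in a few lines. The following is an added illustration written for this thread, not Cisco code and not a reproduction of ASA internals; the outside address 10.3.1.2 of the firewall, the remote peer 203.0.113.7 and the inside host 192.168.11.5 are constructed sample values, and the ACL contents mirror the ones Alex posted.

```python
"""Simplified model of which ACL a Cisco ASA consults for a packet.

Added illustration for this thread; not Cisco code. It models:
  * interface ACL (access-group ... in interface outside): through traffic only
  * control-plane ACL (access-group ... control-plane): traffic TO the box,
    e.g. IKE on UDP/500 and UDP/4500 or ESP
  * an existing connection is matched in the conn table before any ACL,
    so a newly added deny has no effect until 'clear conn' removes it
All addresses below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Optional

ASA_OUTSIDE_IP = "10.3.1.2"   # assumed outside address of the firewall
ISAKMP, NAT_T = 500, 4500     # UDP ports used by IKE and NAT-T


@dataclass(frozen=True)
class Packet:
    proto: str                 # "udp", "tcp", "esp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport


@dataclass
class Asa:
    interface_acl: list = field(default_factory=list)
    control_plane_acl: Optional[list] = None   # None: no control-plane ACL applied
    conn_table: set = field(default_factory=set)
    hitcnt: dict = field(default_factory=dict)

    def _evaluate(self, acl: list, pkt: Packet, name: str) -> str:
        """First matching ACE wins; every ASA ACL ends with an implicit deny."""
        for i, ace in enumerate(acl, 1):
            if ace.matches(pkt):
                key = f"{name} line {i}"
                self.hitcnt[key] = self.hitcnt.get(key, 0) + 1
                return ace.action
        return "deny"

    def process(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.dst, pkt.dport)
        if key in self.conn_table:
            return "permit"        # existing conn: ACLs are not consulted at all
        if pkt.dst == ASA_OUTSIDE_IP:                # to-the-box traffic
            if self.control_plane_acl is None:
                verdict = "permit"                   # nothing filters it
            else:
                verdict = self._evaluate(self.control_plane_acl, pkt, "control-plane")
        else:                                        # through traffic
            verdict = self._evaluate(self.interface_acl, pkt, "interface")
        if verdict == "permit":
            self.conn_table.add(key)
        return verdict

    def clear_conn(self, address: str) -> int:
        """Model of 'clear conn all address <addr>'; returns conns removed."""
        before = len(self.conn_table)
        self.conn_table = {c for c in self.conn_table if address not in (c[1], c[2])}
        return before - len(self.conn_table)


def walk_through() -> dict:
    """Replay the sequence of observations from the thread; returns verdicts."""
    peer = "203.0.113.7"       # constructed remote IPsec peer
    ike = Packet("udp", peer, ASA_OUTSIDE_IP, ISAKMP)
    esp = Packet("esp", peer, ASA_OUTSIDE_IP)
    http_in = Packet("tcp", peer, "192.168.11.5", 80)
    out = {}

    # l2l-filter-like interface ACL: only ICMP permitted, no IKE or ESP line
    asa = Asa(interface_acl=[Ace("permit", "icmp")])
    out["ike_interface_acl_only"] = asa.process(ike)    # permit: ACL is not consulted
    out["esp_interface_acl_only"] = asa.process(esp)
    out["http_through_box"] = asa.process(http_in)      # deny: interface ACL applies

    # Alex's first control-plane ACL, applied while the tunnel conns already exist
    asa.control_plane_acl = [Ace("permit", "icmp"), Ace("deny", "ip")]
    out["ike_after_deny_no_clear"] = asa.process(ike)
    out["deny_hitcnt_before_clear"] = asa.hitcnt.get("control-plane line 2", 0)

    out["conns_cleared"] = asa.clear_conn(peer)
    out["ike_after_clear"] = asa.process(ike)
    out["esp_after_clear"] = asa.process(esp)
    out["deny_hitcnt_after_clear"] = asa.hitcnt.get("control-plane line 2", 0)
    return out
```

Running walk_through() shows the same pattern as the thread: hitcnt on the deny line stays at 0 while the tunnel's existing connections bypass the ACL, and only after the conns are cleared do new IKE and ESP packets reach the control-plane ACL and get denied.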