11-30-2014 06:35 AM - edited 03-11-2019 10:09 PM
Hi,
I need to connect/protect interfaces with an access-list and there I have some problems that I cannot solve, getting SYN attack:
Interfaces have the same or different security-levels, but I don't use same-security-traffic permit inter-interface, because I don't want communication without an ACL.
Below is some of the configuration; now it uses any any inbound for the inside and guest interfaces, but with that I cannot access from guest to inside (if I enable same-security... then I can connect). I need to get a configuration to connect between interfaces with an ACL?
For example, I need a configuration that does:
- enable guest users to access QNAP on port 80
- disallow inside to guest and guest to inside
- allow internet access for all
interface Vlan1
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.0
!
interface Vlan2
nameif inside
security-level 10
ip address 172.16.1.1 255.255.255.0
!
interface Vlan10
nameif guest
security-level 10
ip address 10.1.2.1 255.255.255.0
!
object network QNAP
host 172.16.1.5
access-list inside_access_in extended permit ip any any
access-list guest_access_in extended permit ip any any
object network obj_guest
nat (guest,outside) dynamic interface
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group guest_access_in in interface guest
Wbr,
OLLI
11-30-2014 09:35 AM
If you don't want to use "same-security ..." then you have to configure your inside interface with a higher security level. The "typical" security-level for inside is "100". But you still need an ACL like the following on the inside interface to restrict your inside users from accessing the guest-network:
access-list inside_access_in deny ip any object obj_guest
access-list inside_access_in permit ip any any
Your guest-interface just needs an ACL:
access-list guest_access_in permit tcp object obj_guest object QNAP eq 80
access-list guest_access_in deny ip any YOUR-INSIDE-NETWORK
access-list guest_access_in permit ip object obj_guest any
And what kind of syn-attacks do you have that you are mentioning?
11-30-2014 11:35 AM
Hi
Thanks, it really was years since I last used the ASA's ACLs, because I remembered the rules very much the other way; that's why it wasn't working. Now it works.
But it won't work if my inside interface is at the same security-level; when I raise it to the default 100 (which I usually use) I get traffic filtered to allow a specific server/port and deny the rest and still go to the internet, as you wrote! Is this only the default behaviour of the ASA5505 and is this not the same with the bigger ASA5510/5512?
There I get this SYN (really FTP traffic, but allowing IP in the rule) when accessing from inside to guest; from guest to inside RDP traffic flows correctly??:
2 | Nov 30 2014 | 21:25:53 | 106001 | 172.16.1.108 | 57293 | 10.1.2.102 | 2123 | Inbound TCP connection denied from 172.22.82.108/57293 to 10.1.2.102/2123 flags SYN on interface inside |
Second scenario, because the firewall that I'm planning to use in another place is an ASA5512-X and there are multiple VLANs, different customers. How do you suggest I should use the security-levels of the interfaces, can they be the same, like 50 for every customer?
br,
OLLI
11-30-2014 12:42 PM
The behavior with security-levels is the same in all ASAs.
You can give many interfaces the same security-level. But if they need to communicate with each other, you have to configure "same-security-traffic permit inter-interface". And you should put ACLs on all interfaces that only allow the needed traffic. But that's best practice anyway.
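The two answers above describe the order in which an ASA gates inter-interface traffic: same security-level interfaces never talk unless "same-security-traffic permit inter-interface" is set, and otherwise the ACL bound inbound on the ingress interface (or, with no ACL, the higher-to-lower rule) decides. The following is an added example, written for this thread and not code from Cisco or from the posters, that models that decision logic in a simplified form and replays both the original configuration (inside and guest both at level 10) and the corrected one (inside at 100 with the ACLs from the first answer). Interface names, networks, the obj_guest/QNAP objects and 172.16.1.0/24 as YOUR-INSIDE-NETWORK are taken from the thread; the test addresses, the class names and the ordering of checks are assumptions of this model, and real ASA processing also involves NAT, inspection and routing that are left out.

```python
"""Simplified model of ASA inter-interface access decisions (added example).

Assumed order of checks (simplification of real ASA behaviour):
  1. equal security-levels are denied unless same-security-traffic is on;
  2. an ACL bound inbound on the ingress interface decides by first match,
     with an implicit deny if nothing matches;
  3. with no ACL, only higher-to-lower security-level traffic is permitted.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Ace:
    """One access-list entry; src/dst are CIDR strings or 'any'."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port for tcp/udp ("eq <port>")

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src != "any" and ip_address(src_ip) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(dst_ip) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport


@dataclass
class Interface:
    name: str
    level: int
    network: str                          # directly connected subnet
    acl_in: List[Ace] = field(default_factory=list)  # inbound access-group


class Asa:
    def __init__(self, interfaces: List[Interface], same_security: bool = False):
        self.ifaces = {i.name: i for i in interfaces}
        self.same_security = same_security  # same-security-traffic permit inter-interface

    def egress_for(self, dst_ip: str) -> Interface:
        """Pick the connected interface for dst_ip; anything else exits via outside."""
        for i in self.ifaces.values():
            if i.name != "outside" and ip_address(dst_ip) in ip_network(i.network):
                return i
        return self.ifaces["outside"]

    def decide(self, ingress: str, proto: str, src_ip: str, dst_ip: str,
               dport: Optional[int] = None) -> str:
        src, dst = self.ifaces[ingress], self.egress_for(dst_ip)
        if src.level == dst.level and not self.same_security:
            return "deny (same security-level, inter-interface traffic not permitted)"
        if src.acl_in:
            for ace in src.acl_in:
                if ace.matches(proto, src_ip, dst_ip, dport):
                    return f"{ace.action} (acl match)"
            return "deny (implicit deny at end of acl)"
        return "permit (higher to lower)" if src.level > dst.level else "deny (lower to higher)"


GUEST_NET, INSIDE_NET, QNAP = "10.1.2.0/24", "172.16.1.0/24", "172.16.1.5/32"


def original_config() -> Asa:
    """The poster's starting point: inside and guest both at level 10, permit ip any any."""
    allow_all = [Ace("permit", "ip", "any", "any")]
    return Asa([Interface("outside", 0, "0.0.0.0/0"),
                Interface("inside", 10, INSIDE_NET, allow_all),
                Interface("guest", 10, GUEST_NET, allow_all)])


def fixed_config() -> Asa:
    """Inside raised to 100 plus the ACLs suggested in the first answer."""
    inside_acl = [Ace("deny", "ip", "any", GUEST_NET),
                  Ace("permit", "ip", "any", "any")]
    guest_acl = [Ace("permit", "tcp", GUEST_NET, QNAP, 80),
                 Ace("deny", "ip", "any", INSIDE_NET),
                 Ace("permit", "ip", GUEST_NET, "any")]
    return Asa([Interface("outside", 0, "0.0.0.0/0"),
                Interface("inside", 100, INSIDE_NET, inside_acl),
                Interface("guest", 10, GUEST_NET, guest_acl)])


if __name__ == "__main__":
    # Constructed sample flows (addresses are illustrative, not from the thread).
    for label, asa in (("original", original_config()), ("fixed", fixed_config())):
        print(f"--- {label} ---")
        print("guest -> QNAP:80      ", asa.decide("guest", "tcp", "10.1.2.50", "172.16.1.5", 80))
        print("guest -> inside:3389  ", asa.decide("guest", "tcp", "10.1.2.50", "172.16.1.20", 3389))
        print("guest -> internet:443 ", asa.decide("guest", "tcp", "10.1.2.50", "203.0.113.9", 443))
        print("inside -> guest:2123  ", asa.decide("inside", "tcp", "172.16.1.108", "10.1.2.102", 2123))
        print("inside -> internet:443", asa.decide("inside", "tcp", "172.16.1.108", "203.0.113.9", 443))
```

Running it shows why the permit ip any any ACLs did nothing in the original layout: the equal security-levels stop the flow before any ACL is consulted, which is exactly the same-security-traffic point made above. With inside at 100, the guest ACL permits only the QNAP web port into the inside network and still lets guests out to the internet, while the inside ACL's first entry blocks inside-to-guest traffic such as the denied SYN in the log line quoted earlier in the thread.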
11-30-2014 01:49 PM
Thanks a lot for the quick reply, you rule! :)
Now I have an ACL for every interface and got everything working!
wbr,
OLLI