ASA v9.2.2.4 connecting between interfaces?

ohenttonen
Community Member

Hi,

 

I need to connect/protect interfaces with access-lists, and there I have some problems that I cannot solve, getting SYN attack:

 

Interfaces have the same or different security-levels, but I don't use same-security-traffic permit inter-interface, because I don't want communication without an ACL.

Below is some of the configuration; now it uses any any inbound for the inside and guest interfaces, but with that I cannot access from guest to inside (if I enable same-security... then I can connect). I need to get a configuration to connect between interfaces with ACLs?

For example, I need a configuration that does:

 - enable guest users to access the QNAP on port 80

 - disallow inside to guest and guest to inside

 - allow internet access for all

 

interface Vlan1
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0
!
interface Vlan2
 nameif inside
 security-level 10
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan10
 nameif guest
 security-level 10
 ip address 10.1.2.1 255.255.255.0
!

object network QNAP
 host 172.16.1.5

access-list inside_access_in extended permit ip any any
access-list guest_access_in extended permit ip any any

object network obj_guest
 nat (guest,outside) dynamic interface
object network obj_any
 nat (inside,outside) dynamic interface


access-group inside_access_in in interface inside
access-group guest_access_in in interface guest

 

Wbr,

OLLI

 


4 Replies

If you don't want to use "same-security ..." then you have to configure your inside interface with a higher security level. The "typical" security-level for inside is "100". But you still need an ACL like the following on the inside interface to restrict your inside users from accessing the guest network:

access-list inside_access_in deny ip any object obj_guest
access-list inside_access_in permit ip any any

Your guest interface just needs an ACL like

access-list guest_access_in permit tcp object obj_guest object QNAP eq 80
access-list guest_access_in deny   ip  any YOUR-INSIDE-NETWORK
access-list guest_access_in permit ip  object obj_guest any

 

And what kind of SYN attacks do you have that you are mentioning?

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
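Putting the answer above together as one complete configuration for the three requirements in the question (an added example, not the poster's or the answerer's own config). It keeps the interface addresses from the question and assumes that obj_guest is the whole 10.1.2.0/24 guest subnet and that obj_inside (a name introduced here in place of the question's obj_any) is 172.16.1.0/24; the packet-tracer lines at the end are the checks a practitioner would run to confirm each requirement before trusting the result.

```text
! Security levels: inside must be higher than guest, because
! "same-security-traffic permit inter-interface" is deliberately absent.
interface Vlan1
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan10
 nameif guest
 security-level 10
 ip address 10.1.2.1 255.255.255.0
!
! Network objects. The obj_inside / obj_guest subnets are assumptions;
! object NAT needs the subnet line, otherwise the nat statement has no
! real addresses to translate.
object network QNAP
 host 172.16.1.5
object network obj_inside
 subnet 172.16.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network obj_guest
 subnet 10.1.2.0 255.255.255.0
 nat (guest,outside) dynamic interface
!
! Inside: everything except the guest subnet. ACEs are matched top-down,
! first match wins, and every ACL ends with an implicit deny, so the deny
! has to precede the permit any any.
access-list inside_access_in extended deny   ip any object obj_guest
access-list inside_access_in extended permit ip any any
!
! Guest: only TCP/80 to the QNAP, nothing else on the inside subnet,
! then the internet. The QNAP permit must come before the inside deny.
! On 8.3+ the interface ACL matches real (untranslated) addresses.
access-list guest_access_in extended permit tcp object obj_guest object QNAP eq 80
access-list guest_access_in extended deny   ip  any object obj_inside
access-list guest_access_in extended permit ip  object obj_guest any
!
access-group inside_access_in in interface inside
access-group guest_access_in  in interface guest
!
! Verification. packet-tracer walks the same lookup order the ASA uses
! and names the phase that drops the packet.
! Expected: Result ALLOW
packet-tracer input guest tcp 10.1.2.50 40000 172.16.1.5 80
! Expected: Result DROP, Drop-reason (acl-drop) at the ACCESS-LIST phase
packet-tracer input guest tcp 10.1.2.50 40000 172.16.1.20 3389
packet-tracer input inside tcp 172.16.1.50 40000 10.1.2.102 2123
! Expected: Result ALLOW, translated to the outside interface address
packet-tracer input guest tcp 10.1.2.50 40000 203.0.113.10 443
!
! Hit counters confirm which ACE actually matched live traffic
show access-list guest_access_in
```

Two things worth knowing when reading the logs this produces: a packet refused by one of these ACLs is logged as %ASA-4-106023 and names the access-group that denied it, whereas %ASA-2-106001 ("Inbound TCP connection denied ... flags SYN") with no ACL name is the security-level check itself dropping the first SYN, which is what happens between equal-level interfaces when the same-security-traffic command is missing. Neither message indicates an attack; both are the firewall refusing the opening packet of a connection it was never told to allow.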

Hi

Thanks, it really was years since I last used ASA ACLs; I remembered the rules very much the other way, that's why it wasn't working. Now it works.

But it won't work if my inside interface is at the same security-level; when I raise it to the default 100 (which I usually use) I get the traffic filtered to allow a specific server/port, deny the rest and still go to the internet, as you wrote! Is this only the default behaviour of the ASA 5505, and is it not the same with the bigger ASA 5510/5512?

There I get this SYN (really FTP traffic, but allowing IP in the rule) when accessing from inside to guest; from guest to inside, RDP traffic flows correctly??:

Severity 2 | Nov 30 2014 21:25:53 | Syslog ID 106001 | 172.16.1.108/57293 -> 10.1.2.102/2123 | Inbound TCP connection denied from 172.22.82.108/57293 to 10.1.2.102/2123 flags SYN on interface inside

 

Second scenario: the firewall I'm planning to use in another place is an ASA 5512-X, and there are multiple VLANs, different customers. How do you suggest I should use the security-levels of the interfaces; can they be the same, like 50 for every customer?

 

br,

OLLI

The behavior with security-levels is the same in all ASAs.

You can give many interfaces the same security-level. But if they need to communicate with each other, you have to configure "same-security-traffic permit inter-interface". And you should put ACLs on all interfaces that only allow the needed traffic. But that's best practice anyway.

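The multi-customer case from the second question, written out as an added example (not from the original thread) for an ASA 5512-X with three customer VLANs at the same security level. The interface names, VLAN IDs and 10.10x.0.0/24 subnets are assumptions; object NAT to the outside is omitted. The point it shows is the one made in the answer above: "same-security-traffic permit inter-interface" is what lets equal-level interfaces talk at all, and on its own it lets every customer reach every other customer, so the per-interface ACLs are what actually keep the tenants apart.

```text
! Three customer VLANs as subinterfaces, all at security-level 50.
interface GigabitEthernet0/1.101
 vlan 101
 nameif cust-a
 security-level 50
 ip address 10.101.0.1 255.255.255.0
!
interface GigabitEthernet0/1.102
 vlan 102
 nameif cust-b
 security-level 50
 ip address 10.102.0.1 255.255.255.0
!
interface GigabitEthernet0/1.103
 vlan 103
 nameif cust-c
 security-level 50
 ip address 10.103.0.1 255.255.255.0
!
! Without this line equal-level interfaces cannot forward to each other
! at all, ACL or not (the first SYN is dropped and logged as 106001).
! With it and no ACLs, every customer can reach every other customer.
same-security-traffic permit inter-interface
!
! One group holding every tenant subnet. Adding a fourth customer is
! one network-object here plus its own ACL, not a new deny in each ACL.
object-group network CUSTOMER-NETS
 network-object 10.101.0.0 255.255.255.0
 network-object 10.102.0.0 255.255.255.0
 network-object 10.103.0.0 255.255.255.0
!
! Per interface: deny all tenant subnets first, then permit only traffic
! sourced from that tenant's own subnet (anything spoofed from another
! range falls through to the implicit deny).
access-list cust-a_access_in extended deny   ip any object-group CUSTOMER-NETS
access-list cust-a_access_in extended permit ip 10.101.0.0 255.255.255.0 any
access-list cust-b_access_in extended deny   ip any object-group CUSTOMER-NETS
access-list cust-b_access_in extended permit ip 10.102.0.0 255.255.255.0 any
access-list cust-c_access_in extended deny   ip any object-group CUSTOMER-NETS
access-list cust-c_access_in extended permit ip 10.103.0.0 255.255.255.0 any
!
access-group cust-a_access_in in interface cust-a
access-group cust-b_access_in in interface cust-b
access-group cust-c_access_in in interface cust-c
!
! Optional: also drop packets whose source has no route back via this
! interface, so one tenant cannot source-spoof another tenant's range.
ip verify reverse-path interface cust-a
ip verify reverse-path interface cust-b
ip verify reverse-path interface cust-c
!
! Checks: tenant-to-tenant must DROP at the ACCESS-LIST phase (acl-drop),
! tenant-to-internet must ALLOW.
packet-tracer input cust-a tcp 10.101.0.20 40000 10.102.0.20 445
packet-tracer input cust-a tcp 10.101.0.20 40000 198.51.100.10 443
```

If two tenants later need a single permitted flow between them (a shared service on one VLAN, say), the specific permit goes above the CUSTOMER-NETS deny on the initiating tenant's ACL, exactly like the QNAP rule in the guest case; the return traffic is handled by the stateful connection and needs no ACE on the other side.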

Thanks a lot for the quick reply, you rule! 🙂

 

Now I have an ACL for every interface and got it all working!

 

wbr,

OLLI
