05-08-2013 07:56 PM - edited 03-11-2019 06:41 PM
As I know, an internal user can browse internet web pages, which proves the traffic can come back to the internal network even with an access-list with a deny any statement.
Is it the ASA with CBAC enabled automatically, or can the traffic come back due to the dynamic NAT translation table?
05-08-2013 09:14 PM
Hello Chun,
CBAC: Classic Firewall feature for the IOS router
ASA: Adaptive Security Appliance
One is a feature for an IOS router, the other one is a dedicated device.
What you are talking about is regarding the stateful purpose, and yes, the ASA will by default deny traffic from a lower security level to a higher security level due to the security algorithm, while connections from the inside to the outside and their respective returning traffic WILL be allowed.
Regards,
Julio Carvajal
05-10-2013 08:52 AM
CBAC is IOS firewall in order to enable stateful inspection.
ASA itself is enabled with stateful inspection feature.
05-10-2013 10:49 AM
Hi Mohit,
I have a doubt here as I am configuring an ASA at the moment. The very basic configuration comes with filters from lower security level to higher security level interfaces. Only traffic from a higher security level to a lower security level that is inspected is allowed, i.e. by default ICMP packets are not inspected, so ping will fail from the inside network to the DMZ network.
The problem comes when you want to start doing more than the default firewalling and you add an ACL to create an exception. Just for testing purposes I created an ACL from inside to DMZ to allow ICMP packets; by the implicit deny, everything else will be discarded. My surprise is that once you create an ACL the inspection is not working anymore, and even without having the ICMP protocol inspected in the policy rule, ping is allowed, whereas with the original config, ping is denied if it is not inspected.
Why are you saying the ASA itself is enabled with stateful inspection? I expected that even with the ACL enabling ICMP, the packets would be dropped as they are not inspected; otherwise:
Aren't we coming back around 15 years ago with the ACL only filtering?
Why the security levels if the most simple ACL removes them all?
Am I missing something?
Thanks,
Juan
05-10-2013 11:18 AM
Hi,
The problem comes when you want to start doing more than the default firewalling and you add an ACL to create an exception. Just for testing purposes I created an ACL from inside to DMZ to allow ICMP packets; by the implicit deny, everything else will be discarded. My surprise is that once you create an ACL the inspection is not working anymore, and even without having the ICMP protocol inspected in the policy rule, ping is allowed, whereas with the original config, ping is denied if it is not inspected.
To my understanding, by default ICMP will fail in the situation where you only have "security-level" in use OR you have an ACL allowing ICMP from the LAN to the WAN. To my understanding, in either of the previously mentioned cases you need ICMP inspection to enable the Echo Reply messages to get through the firewall. Otherwise you have to allow ICMP Echo-reply on the WAN interface ACL of the ASA. So to me the ACL doesn't disable the inspection even if you allow the ICMP traffic on the ACL of the LAN interface.
It's been my understanding that the "security-level" value plays a role in simple network implementations but is not really used in any more complex setups, as its logic simply isn't enough to meet the needs of those.
But at some point you are still going to want to limit some connections that should go through the firewall. For example, limit SMTP, DNS, FTP, HTTP, backup traffic, etc. to certain destination services, and that is when you need ACLs to control the traffic.
Going only with the "security-level" you are really limited to access rules that work with the logic "Allow everything or Deny everything", which isn't really useful in the environments that I manage, for example.
Using the ACL on the interface doesn't, to my understanding, mean that the ASA will simply forget the state of the connections. For example, for TCP connections it should still expect the TCP negotiation to go through the normal steps. It also expects that if traffic comes to the firewall which is supposedly part of an existing connection, THAT the ASA indeed has the information of that connection in its connection/xlate table, or it will simply block this traffic. To my understanding a simple router won't care about this (though there is the "established" parameter).
I am not sure about the history of the "security-level". But to be honest, for me it doesn't mean much when configuring the firewall. Most of the time it seems to be the cause of a problem for some users that don't know how the different interfaces with varying "security-level" handle traffic between them. You will still need other configurations to allow traffic to enter and leave the same interface, and also traffic to go through if the source/destination interfaces have equal "security-level".
- Jouni
05-10-2013 11:28 AM
Hi Jouni thanks for quick reply,
That was my initial thought. I am new in the ASA world, so my impression was that the ACL was evaluated first, then if traffic is allowed the inspection takes place, but as said, that is what I did and what confused me:
My question is, am I missing something? I thought the default inspection with the global policy map was always applied... I expected the ping to be dropped. I am using the ASDM packet-tracer tool to check the connectivity...
Thanks again,
Juan
05-10-2013 11:48 AM
Hi,
Example from my own home ASA
LAN (100) and WLAN (50) interface
LAN interface has an ACL that permits all traffic
WLAN interface doesn't have any ACL, just the "security-level"
So the correct way is either to allow ICMP on the WLAN interface with an ACL or to enable the ICMP inspection again.
To my understanding, if there is no ACL on the destination interface and ICMP inspection is not enabled, the ICMP Echo should get blocked.
- Jouni
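The two fixes Jouni describes (ICMP inspection in the global policy, or an ACL on the lower-security interface permitting the echo-reply) as an added, constructed ASA configuration fragment; it is not from the thread, and the interface names, security levels and 10.0.0.0/24 and 192.168.10.0/24 subnets are assumptions.

```cisco
! Constructed example, not from the original thread.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
!
! Weak setting: a test ACL on inside permits ICMP toward the DMZ, but
! without ICMP inspection the echo-reply arriving on dmz (lower security)
! is evaluated as new, unsolicited traffic and dropped.
access-list INSIDE_IN extended permit icmp 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-group INSIDE_IN in interface inside
!
! Fix 1 (preferred): inspect ICMP so the reply is matched against the
! connection table and only replies to outbound echoes are let back in.
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
!
! Fix 2 (alternative): explicitly permit echo-reply inbound on dmz. Note that
! binding an ACL to dmz replaces the security-level behaviour for that
! interface, and its implicit deny then applies to everything else.
access-list DMZ_IN extended permit icmp 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0 echo-reply
access-group DMZ_IN in interface dmz
```

With fix 1 in place, "show service-policy inspect icmp" shows the inspection counters; as the thread notes, verify with a real ping rather than packet-tracer, which only models one direction of the exchange.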
05-10-2013 12:12 PM
You were right, with real pings the traffic seems to be filtered properly; just the packet tracer only showed one direction, not the return.
Thanks,
Juan