04-02-2013 10:58 PM - edited 03-12-2019 06:04 PM
I'm trying to troubleshoot an ASA5505.
The original goal was to block "Mumble/Murmur" (a voip app) traffic, which runs on TCP/UDP 64738, both inbound and outbound, except to a certain host (63.223.117.170).
However, when nothing I tried seemed to make a difference, just to troubleshoot, I decided to try blocking all inbound traffic. I first disconnected ethernet port 0/0 to ensure that it was cabled correctly and the outside interface went down when I did. That worked as expected, so I confirmed I had the right interface and it was cabled correctly.
I then applied a "any any deny ip" rule as the first element in the outside interface access-list, as you can see below. However, it appears to have had no real effect and the hit count is very low (it should be astronomical).
Can anyone tell me why such a deny any any rule would not be taking effect? I'm sure I'm missing something simple, but whatever it is is escaping me.
-----------------
show ver
Cisco Adaptive Security Appliance Software Version 9.0(2)
Device Manager Version 7.1(2)
Compiled on Thu 21-Feb-13 13:10 by builders
System image file is "disk0:/asa902-k8.bin"
Config file at boot was "startup-config"
show switch vlan
VLAN Name     Status    Ports
---- -------- --------- -----------------------------
1    inside   up        Et0/1, Et0/2, Et0/3, Et0/4
                        Et0/6, Et0/7
2    outside  up        Et0/0
3    dmz      up        Et0/5
interface Ethernet0/0
description outside
switchport access vlan 2
!
interface Ethernet0/1
description inside
interface Ethernet0/5
switchport access vlan 3
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
description DMZ
nameif dmz
security-level 50
ip address 10.1.1.1 255.255.255.0
object network mc_server
host 63.223.117.170
object-group service Mumble tcp-udp
description Mumble VOIP protocol
port-object eq 64738
access-list outside_access_in extended deny ip any any
access-list outside_access_in extended permit icmp any4 any4 echo-reply
access-list outside_access_in extended permit tcp any4 object webserver_smtp eq smtp
access-list outside_access_in extended permit tcp any4 object webserver_smtp object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any4 object webserver_ssh_host eq ssh
access-list outside_access_in extended permit object xbox_udp_88 any4 object xbox_port_88
access-list outside_access_in extended permit object xbox_tcp_3074 any4 object xbox_tcp_port_3074
access-list outside_access_in extended permit object xbox_udp_3074 any4 object xbox_udp_port_3074
access-list outside_access_in extended permit tcp any4 object Tower_SSH eq ssh
access-list outside_access_in extended permit ip any4 object xbox
access-list outside_access_in extended permit ip object mc_server any
access-list outside_access_in extended deny object-group TCPUDP any any4 object-group Mumble
nat (dmz,outside) after-auto source dynamic obj_any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz in interface dmz
04-02-2013 11:07 PM
Hello Wade,
So are you saying that traffic is being accepted?
Regards
04-02-2013 11:10 PM
Hi,
If Mumble is anything like Teamspeak, I would imagine that the host's application connects to a remote server and there aren't actually connections taken from "outside" to "inside".
Have you tried blocking this in the "inside" ACL so that the connections are never allowed to form through the firewall?
If the firewall allows the user to form the connection through once then the return traffic is allowed automatically (for that same connection that is) and the "outside" ACL will not be applied to that traffic as it has already been allowed by the "inside" ACL.
- Jouni
04-03-2013 05:10 AM
JouniForss wrote:
Have you tried blocking this in the "inside" ACL so that the connections are never allowed to form through the firewall?
If the firewall allows the user to form the connection through once then the return traffic is allowed automatically (for that same connection that is) and the "outside" ACL will not be applied to that traffic as it has already been allowed by the "inside" ACL.
- Jouni
Agreed. I do have
access-list inside_access_in remark Allow mumble traffic only to our own server
access-list inside_access_in extended permit object-group TCPUDP any object mc_server object-group Mumble
access-list inside_access_in extended deny object-group TCPUDP any any object-group Mumble
access-list inside_access_in extended permit ip any any
In doing some more testing though, it appears the answer is it will be nearly impossible to block.
It connects to a web server to determine the IP addresses of available servers. It then establishes a connection with that server. The server may be running on any port. Using the information it learns from the web server, the client opens TCP and UDP connections. But, since there's no guarantee what port(s) will be used, the only solution is to block access to the web server, which blocks access to all servers. I was attempting to block access to all but one, but it appears that's not possible.
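The two posts above make two points that are easy to see in a toy model: return traffic for a connection the "inside" ACL already permitted is matched against the connection table and never reaches the "outside" ACL (so the deny there collects almost no hits), and a port-based deny for 64738 cannot catch a server that happens to run on another port. The following is an added example written for this thread, not Cisco ASA code or anything posted by the participants; the `Packet`, `Rule` and `Firewall` names and the addresses 10.0.0.5 and 198.51.100.7 are invented, while 63.223.117.170 is the server from the thread.

```python
"""Toy model of stateful inspection on a firewall with an inside and an
outside interface. Added example for this thread, not Cisco ASA code:
the Packet/Rule/Firewall names and the addresses 10.0.0.5 and
198.51.100.7 are invented; 63.223.117.170 is the server from the thread.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrives on: "inside" or "outside"
    proto: str     # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches tcp and udp alike
    src: str                # "any" or a host address
    dst: str
    dport: Optional[int]    # None means any destination port
    hits: int = 0           # mirrors the hit count shown by 'show access-list'

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport))


class Firewall:
    def __init__(self, acls: Dict[str, List[Rule]]):
        self.acls = acls
        self.conns: Set[Tuple] = set()   # connection table

    @staticmethod
    def _key(p: Packet) -> Tuple:
        # Order the two endpoints so a reply maps onto the same entry.
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto, ends[0], ends[1])

    def process(self, p: Packet) -> str:
        # Packets belonging to an established connection never reach the
        # interface ACL, so they add no hits to its rules.
        if self._key(p) in self.conns:
            return "permit (existing connection, ACL skipped)"
        for rule in self.acls[p.ingress]:
            if rule.matches(p):
                rule.hits += 1
                if rule.action == "permit":
                    self.conns.add(self._key(p))
                return rule.action
        return "deny"   # implicit deny at the end of every ACL


def run_scenario() -> Dict[str, object]:
    """Replay the thread's situation and return what happened to each packet."""
    outside_deny = Rule("deny", "ip", "any", "any", None)
    inside_acl = [
        Rule("permit", "tcp", "any", "63.223.117.170", 64738),  # only our server
        Rule("deny", "tcp", "any", "any", 64738),               # other Mumble servers
        Rule("permit", "ip", "any", "any", None),
    ]
    fw = Firewall({"outside": [outside_deny], "inside": inside_acl})
    client = "10.0.0.5"
    out: Dict[str, object] = {}
    # 1. client opens a connection to the permitted server
    out["to_mc_server"] = fw.process(Packet("inside", "tcp", client, 51000, "63.223.117.170", 64738))
    # 2. the server's reply arrives on the outside interface
    out["reply_from_mc_server"] = fw.process(Packet("outside", "tcp", "63.223.117.170", 64738, client, 51000))
    # 3. another server on the standard port is stopped by the inside ACL
    out["to_other_server_64738"] = fw.process(Packet("inside", "tcp", client, 51001, "198.51.100.7", 64738))
    # 4. the same server on a non-standard port slips past the port-based deny
    out["to_other_server_50000"] = fw.process(Packet("inside", "tcp", client, 51002, "198.51.100.7", 50000))
    # 5. only an unsolicited inbound connection is ever evaluated against the outside ACL
    out["unsolicited_inbound"] = fw.process(Packet("outside", "tcp", "198.51.100.7", 40000, client, 22))
    out["outside_deny_hits"] = outside_deny.hits
    return out


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name:24} {result}")
```

Running it shows the outside deny with a hit count of 1 after five packets: only the unsolicited inbound attempt was ever evaluated against it, which is the behaviour the original poster observed on the real appliance.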
04-03-2013 05:15 AM
Hi,
It would seem to me that the program must use some other ports than the ones you have defined if it still gets through.
Maybe you should run Wireshark on your computer or on the ASA to see what connections the host computer actually forms when Mumble is used. And use that information to update the "deny" rule.
- Jouni
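Jouni's suggestion is to capture what the client actually connects to and then update the deny rule from that. The firewall's own connection-built syslog messages give the same information without a packet capture. The helper below is an added example, not from the thread or from Cisco: it aggregates remote address, protocol and port per inside client and renders the result as candidate deny lines for review. The sample lines are constructed in the shape of ASA message IDs 302013 (TCP) and 302015 (UDP) with invented addresses apart from 63.223.117.170; the exact field layout should be checked against the real device's output before relying on the regular expression.

```python
"""Aggregate outbound connections per inside host from ASA-style
'Built ... connection' syslog lines. Added example for this thread; the
log lines below are constructed, not captured from a real device.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample in the shape of ASA messages 302013 (TCP) and 302015 (UDP).
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.20/443 (198.51.100.20/443) to inside:10.0.0.5/50111 (203.0.113.5/50111)
%ASA-6-302013: Built outbound TCP connection 1002 for outside:63.223.117.170/64738 (63.223.117.170/64738) to inside:10.0.0.5/50112 (203.0.113.5/50112)
%ASA-6-302015: Built outbound UDP connection 1003 for outside:63.223.117.170/64738 (63.223.117.170/64738) to inside:10.0.0.5/50112 (203.0.113.5/50112)
%ASA-6-302013: Built outbound TCP connection 1004 for outside:198.51.100.44/27015 (198.51.100.44/27015) to inside:10.0.0.5/50113 (203.0.113.5/50113)
%ASA-6-302015: Built outbound UDP connection 1005 for outside:198.51.100.44/27015 (198.51.100.44/27015) to inside:10.0.0.5/50113 (203.0.113.5/50113)
%ASA-6-302013: Built inbound TCP connection 1006 for outside:192.0.2.9/40000 (192.0.2.9/40000) to dmz:10.1.1.10/25 (203.0.113.5/25)
"""

# Captures both endpoints; the order of interfaces is not assumed.
LINE_RE = re.compile(
    r"%ASA-\d-(?P<msgid>30201[35]): Built (?P<dir>inbound|outbound) "
    r"(?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<port1>\d+) \([\d.]+/\d+\) "
    r"to (?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<port2>\d+) \([\d.]+/\d+\)"
)

Flow = Tuple[str, str, str, int]   # (client_ip, proto, remote_ip, remote_port)


def parse_outbound_flows(text: str, inside_if: str = "inside") -> Iterator[Flow]:
    """Yield one flow per outbound connection-built line; skip inbound and unparsable lines."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["dir"] != "outbound":
            continue
        if m["if1"] == inside_if:
            client, remote, rport = m["ip1"], m["ip2"], int(m["port2"])
        elif m["if2"] == inside_if:
            client, remote, rport = m["ip2"], m["ip1"], int(m["port1"])
        else:
            continue   # connection did not involve the inside interface
        yield client, m["proto"].lower(), remote, rport


def remote_ports_by_client(text: str, allowed_server: Optional[str] = None
                           ) -> Dict[str, Counter]:
    """Count (remote_ip, proto, port) per inside client, leaving out the permitted server."""
    table: Dict[str, Counter] = defaultdict(Counter)
    for client, proto, remote, rport in parse_outbound_flows(text):
        if remote == allowed_server:
            continue
        table[client][(remote, proto, rport)] += 1
    return table


def suggest_deny_rules(table: Dict[str, Counter], acl_name: str = "inside_access_in") -> List[str]:
    """Render every observed remote endpoint as an ASA deny line for human review."""
    endpoints = sorted({ep for counts in table.values() for ep in counts})
    return [f"access-list {acl_name} extended deny {proto} any host {remote} eq {port}"
            for remote, proto, port in endpoints]


if __name__ == "__main__":
    seen = remote_ports_by_client(SAMPLE_LOG, allowed_server="63.223.117.170")
    for client, counts in seen.items():
        print(client, dict(counts))
    print("\n".join(suggest_deny_rules(seen)))
```

On the constructed sample the per-client table shows the client talking to one host on TCP 27015 and UDP 27015, which a deny on 64738 alone would never catch; the rendered lines are a starting point for the rule update, not something to apply unreviewed, since the same table will also contain ordinary web traffic.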