07-14-2014 06:08 PM - edited 03-11-2019 09:28 PM
Hello,
I set up my ASA5505 to get the public IP address from the outside/WAN interface 0/0 on VLAN 90 (my cable provider via DHCP), and the inside interface gives DHCP addresses to my local LAN. I have denied all the traffic coming in on the outside interface and allowed domain/http/https from the inside to anywhere.
I ran the packet tracer and I noticed that if the traffic comes from any IP on the outside targeting UDP port 68 or 67 (broadcast traffic), it is allowed and I see the packets being built even though my outside ACL is deny any any. Not sure how to resolve the issue, as I gave up on all the solutions :/
interface Ethernet0/0
*outside facing the internet*
switchport access vlan 90
!
interface Ethernet0/1
*inside*
switchport access vlan 50
interface Vlan50
nameif inside
security-level 100
ip address 192.168.50.1 255.255.255.0
!
interface Vlan90
description OUTSIDE to Internet
nameif outside
security-level 0
ip address dhcp setroute
dhcpd address 192.168.50.101-192.168.50.202 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
service-policy global_policy global
packet-tracer input outside udp 150.50.50.50 1234 255.255.255.255 68 detailed
Phase: 1
Type: CP-PUNT
Subtype: l2-selective
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca2a13a0, priority=13, domain=punt, deny=false
hits=3, user_data=0xca2a1430, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca2830b0, priority=1, domain=permit, deny=false
hits=0, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: allow
This should not be allowed, as I have a deny any any on the outside interface.
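The trace above is easier to reason about once it is split into its phases: the decision is made in phase 1 (CP-PUNT, the packet is handed to the ASA itself) and phase 2 matches an "Implicit Rule" rather than the outside_acl the poster applied. The following parser and checker are an added example written for this thread, not code from Cisco or from any poster; the sample trace is the packet-tracer output from the post above, embedded as test input, and the function and parameter names (parse_trace, unexpected_allows, interface_acls) are our own.

```python
"""Parse Cisco ASA `packet-tracer ... detailed` output and report which
phase let the packet through. Added example for this thread, not code
from Cisco or any poster; the sample trace is the one from the first
post, embedded here as test input, and the helper names are our own."""
from dataclasses import dataclass, field

SAMPLE_TRACE = """\
Phase: 1
Type: CP-PUNT
Subtype: l2-selective
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca2a13a0, priority=13, domain=punt, deny=false
hits=3, user_data=0xca2a1430, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca2830b0, priority=1, domain=permit, deny=false
hits=0, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: allow
"""

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:"
    info: list = field(default_factory=list)    # lines under "Additional Information:"

def parse_trace(text):
    """Return (list of Phase objects, dict of the final Result block)."""
    phases, final, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "Phase" and val.isdigit():
            cur, section = Phase(int(val)), None
            phases.append(cur)
        elif key == "Result" and not val:        # bare "Result:" opens the summary block
            cur, section = None, "final"
        elif section == "final":
            final[key] = val
        elif cur is None:
            continue
        elif section is None and key in ("Type", "Subtype", "Result"):
            setattr(cur, key.lower(), val)
        elif not val and key in ("Config", "Additional Information"):
            section = "config" if key == "Config" else "info"
        elif section:
            getattr(cur, section).append(line)
    return phases, final

def unexpected_allows(phases, final, interface_acls):
    """Flag ALLOW phases that bypassed the named ACL on the input interface.

    interface_acls maps interface name -> ACL name, as taken from the
    `access-group <acl> in interface <ifc>` lines of the running config.
    Returns a list of (phase number, reason) tuples."""
    acl = interface_acls.get(final.get("input-interface", ""))
    if not acl or final.get("Action", "").lower() != "allow":
        return []
    findings = []
    for p in phases:
        if p.result != "ALLOW":
            continue
        if p.type == "CP-PUNT":
            findings.append((p.number, "punted to the control plane before the interface ACL"))
        elif p.type == "ACCESS-LIST" and not any(acl in c for c in p.config):
            matched = " ".join(p.config) or "no rule"
            findings.append((p.number, f"ACCESS-LIST phase matched '{matched}' instead of {acl}"))
    return findings

if __name__ == "__main__":
    phases, final = parse_trace(SAMPLE_TRACE)
    for num, why in unexpected_allows(phases, final, {"outside": "outside_acl"}):
        print(f"phase {num}: {why}")
```

Run against the trace from the post, it reports both phases: phase 1 because the packet is punted to the control plane, phase 2 because the Config section names no ACL at all (an ordinary through-the-box match would show the access-group and access-list lines there). The rule in phase 2 also carries a destination MAC mask of 0100.0000.0000, i.e. it tests only the I/G bit of the first octet, so it matches broadcast and multicast frames such as this DHCP probe and nothing unicast.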
07-14-2014 11:25 PM
Hi,
Can you show the actual "access-list" and "access-group" configurations?
show run access-list
show run access-group
My own ASA 5505 running 8.4(5) blocks the above-mentioned "packet-tracer" output. I wonder if it's in any way related to the WAN interface being set as a DHCP client? Though, if I am not wrong, the port UDP/68 should only be the destination port for connections to the DHCP server.
Have you tried to make a separate ACL and attach it to the WAN interface as a "control-plane" ACL that blocks/permits traffic to the actual ASA interface?
You attach it to the interface with the command
access-group <acl name> in interface <interface name> control-plane
You can naturally have a normal interface ACL that controls traffic "through the box" and a "control-plane" ACL that controls traffic "to the box".
- Jouni
07-15-2014 09:27 AM
Hello,
I have tried to put the control-plane ACL in place but without any luck. This is driving me crazy, as I feel someone can run a DHCP attack and my firewall will build those messages. I don't even see the hits when I run the packet tracer on the new ACL. Here is my config:
If I remove the ip address dhcp setroute, then everything is normal. Not sure if it's even possible to block this type of traffic.
object network INSIDE-NETWORKS
subnet 192.168.50.0 255.255.255.0
object-group service MY-PORTS
service-object tcp-udp destination eq domain
service-object tcp destination eq www
service-object tcp destination eq https
access-list inside_acl extended permit object-group MY-PORTS object INSIDE-NETWORKS any
access-list inside_acl extended permit ip object INSIDE-NETWORKS object INSIDE-NETWORKS
access-list outside_acl extended deny ip any any
**new control plane acl**
access-list cpl-acl; 1 elements; name hash: 0xe068185
access-list cpl-acl line 1 extended deny udp any any log informational interval 300 (hitcnt=0) 0xcfe2e0a1
access-group inside_acl in interface inside
access-group outside_acl in interface outside
access-group cpl-acl in interface outside control-plane
07-15-2014 12:53 AM
Hi,
I believe this is because of the ip address dhcp enabled on the outside interface. I do not get such packet-tracer output in a statically assigned environment. But if you apply the ACL to the control-plane it is applicable to the box which might affect the dhcp assignment to your Outside interface.
UDP port number 67 is the destination port of a server & UDP port number 68 is used by the client.
Regards
Karthik
07-15-2014 09:30 AM
Yes, I tested on another ASA that has a static IP and the traffic is dropped. I don't like the fact that those broadcast messages are being built even though I am blocking everything; hence someone could use my IP as a target for DHCP attacks if they spoof their source.