ASA5510 - 8.4(5) Filtering self generated flows

sofyan.lamkadmi
Level 1

Dear all,

I am currently filtering inbound flows through the use of ACLs. However, I need to filter the flows that originate from my ASA appliance as well.

Ex: I want the ASA to be able to ping DEVICE1 but not DEVICE2.

I've investigated three ways to do that, but without any successful results:

- route-map (cannot be applied globally or locally on an interface like on a switch)

- ACL out (but it blocks the flows I allow in. Ex: ping works from the subnet connected to interface A to the subnet connected to interface B. If I apply an outbound ACL to interface B allowing the ASA to ping subnet B, with a deny any at the end of the rule, it blocks the flows from A to B unless I add all the flows authorized in the interface A ACL to the interface B outbound ACL)

- Global ACL: not a solution, as it is only applied in the inbound direction

- service-policy: no action to deny

Does anyone have a solution for this? Is there a function for that?

Thanks for your help.

Sofyan

4 Replies

Jouni Forss
VIP Alumni

Hi,

The interface ACLs on the ASA tend to only control traffic "through the box" rather than "to the box".

There is an option to configure ACLs that are attached with the parameter "control-plane", but this only controls traffic "inbound" to the ASA itself and therefore does not limit connections from the ASA. I could, for example, deny all traffic inbound to the ASA but still ping the DNS server from the ASA, either with ICMP or with a TCP ping.

If your aim was only to limit ICMP-related traffic, then you do have another option.

You could use the "icmp" command. To my understanding this doesn't really give you the flexibility of ACL configuration, so you might have to redo the configuration completely every time you need to make a change (since you can't add new lines in between the existing ones).

For example, I have the gateway IP addresses 10.0.10.1 and 10.0.0.1 behind my ASA. If I wanted to allow ICMP from the ASA to 10.0.10.1 but not from 10.0.0.1, then I could configure this:

icmp permit host 10.0.10.1 echo-reply LAN

icmp deny any LAN

In the above, LAN is the "nameif" of my LAN interface on the ASA.

ASA(config)# ping 10.0.10.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.10.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

ASA(config)# ping 10.0.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

If I remove the configuration, then they both reply:

ASA(config)# clear configure icmp

ASA(config)# ping 10.0.10.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.10.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

ASA(config)# ping 10.0.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Though what the ASA actually does in the first example is simply deny ICMP Echo reply messages from all but one source address. So you allow the ICMP Echo replies from where you want and block all the rest.

Hope this helps

- Jouni
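To make the mechanism in the reply above concrete, here is a small model of the ASA "icmp" control-list semantics. This is an added example, not code from the thread or from Cisco: it parses lines of the form `icmp {permit|deny} {host A | A MASK | any} [type] IFNAME` and applies the documented matching rules (per interface, in order, first match wins, implicit deny-all once at least one rule is bound to the interface, accept-all when none is). The function names (`parse_icmp_rules`, `icmp_to_asa_allowed`, `ping_succeeds`), the `DMZ` interface name used in the usage note and the "swapped" config are assumptions made for illustration; the config itself is the one posted above.

```python
"""Model of the ASA `icmp` control-list: why `icmp permit host X echo-reply LAN`
plus `icmp deny any LAN` lets the ASA ping X and nothing else out of LAN.

Assumed (documented ASA behaviour, not re-verified on the 8.4(5) box in
the thread): rules are matched in order per interface, first match wins,
an interface with at least one rule gets an implicit deny-all at the end,
and an interface with no rules accepts all ICMP terminating on the ASA.
The `icmp` command only governs ICMP *to* the ASA, so the outbound echo
is never filtered by it; the ping fails because the echo-reply is dropped.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IcmpRule:
    action: str                          # "permit" or "deny"
    network: ipaddress.IPv4Network       # source of the ICMP packet
    icmp_type: Optional[str]             # None means any ICMP type
    interface: str                       # nameif the rule is bound to


def parse_icmp_rule(line: str) -> IcmpRule:
    """Parse one `icmp {permit|deny} {host A | A MASK | any} [type] IF` line."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
        raise ValueError(f"not an icmp control-list line: {line!r}")
    i = 2
    if tok[i] == "any":
        net = ipaddress.IPv4Network("0.0.0.0/0")
        i += 1
    elif tok[i] == "host":
        net = ipaddress.IPv4Network(f"{tok[i + 1]}/32")
        i += 2
    else:                                # address followed by a netmask
        net = ipaddress.IPv4Network((tok[i], tok[i + 1]), strict=False)
        i += 2
    rest = tok[i:]
    if len(rest) == 1:                   # no type given: any ICMP type
        icmp_type, iface = None, rest[0]
    elif len(rest) == 2:
        icmp_type, iface = rest[0], rest[1]
    else:
        raise ValueError(f"malformed icmp line: {line!r}")
    return IcmpRule(tok[1], net, icmp_type, iface)


def parse_icmp_rules(config: str) -> List[IcmpRule]:
    """Parse every `icmp` line of a config fragment, in the order it appears."""
    return [parse_icmp_rule(l) for l in config.splitlines()
            if l.strip().startswith("icmp ")]


def icmp_to_asa_allowed(rules: List[IcmpRule], src: str,
                        icmp_type: str, iface: str) -> bool:
    """Would an ICMP packet of `icmp_type` from `src`, terminating on the
    ASA via interface `iface`, be accepted?"""
    bound = [r for r in rules if r.interface == iface]
    if not bound:                        # no list bound to this interface
        return True
    addr = ipaddress.IPv4Address(src)
    for r in bound:                      # first match wins
        if addr in r.network and r.icmp_type in (None, icmp_type):
            return r.action == "permit"
    return False                         # implicit deny-all at the end


def ping_succeeds(rules: List[IcmpRule], dest: str, iface: str) -> bool:
    """An ASA-originated ping to `dest` out of `iface` succeeds only if the
    echo-reply coming back from `dest` passes the icmp control list."""
    return icmp_to_asa_allowed(rules, dest, "echo-reply", iface)


# The configuration from the reply above (constructed as a string here).
JOUNI_CONFIG = """\
icmp permit host 10.0.10.1 echo-reply LAN
icmp deny any LAN
"""

# Same two lines in the other order: the deny matches first, so the
# permit is never reached. This is the reason the whole list usually has
# to be re-entered when it changes.
SWAPPED_CONFIG = """\
icmp deny any LAN
icmp permit host 10.0.10.1 echo-reply LAN
"""

if __name__ == "__main__":
    rules = parse_icmp_rules(JOUNI_CONFIG)
    for dest in ("10.0.10.1", "10.0.0.1"):
        print(dest, "pingable" if ping_succeeds(rules, dest, "LAN") else "blocked")
    print("deny-first:", ping_succeeds(parse_icmp_rules(SWAPPED_CONFIG),
                                       "10.0.10.1", "LAN"))
    print("after clear configure icmp:", ping_succeeds([], "10.0.0.1", "LAN"))
```

Two caveats the model makes visible. The list is bound to one nameif, so a ping out of another interface (a `DMZ`, say) is unaffected until that interface gets its own lines. And because the permit line names only `echo-reply`, the `icmp deny any LAN` line also drops echo requests arriving from the LAN, so hosts on that segment can no longer ping the ASA's LAN address; add an explicit `icmp permit ... echo LAN` line before the deny if that is needed.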

Hi Jouni,

Thanks for your reply. Unfortunately, I do need to block TCP/UDP flows.

S.

Hi,

Can you clarify the situation where the ASA will generate TCP/UDP flows itself?

What would you want to limit?

- Jouni

Ex:

I only want to authorize SNMP v3 + TFTP + ICMP to a few hosts.
