01-17-2012 06:38 AM - edited 03-11-2019 03:15 PM
Hello,
I have one ASA5520 with version 8.4(3), and a few ACL rules defined. One ACL permits traffic from one interface (EXT_SERVICE) to another interface (DMZ_SERVICE). If I change that rule to deny traffic, all new connections that match the rule are denied, but not the established connections. Why can the established connections pass the deny rule? How can I change that? I need to create an ACL with a deny rule that stops all communications that are running and match the deny rule.
Thanks for help!!
Running-config of my ASA5520:
------------------------------------------------
ciscoasa# show run
: Saved
:
ASA Version 8.4(3)
!
hostname ciscoasa
enable password 8ay2wjIyt7RRXU24 encrypted
passwd 2wFQnbNIdI.2KYtU encrypted
names
!
interface GigabitEthernet0/0
description TRUNK 0A 1/2
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
description TRUNK 0A 2/2
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
description TRUNK 1A 1/2
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
description TRUNK 1A 1/2
channel-group 2 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description TRUNK 1A 2/2
channel-group 2 mode active
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management-ha
security-level 100
ip address 192.168.199.223 255.255.255.0
!
interface Port-channel1
nameif TRUNK_0A
security-level 0
no ip address
!
interface Port-channel1.21
vlan 21
nameif DMZ_EXPLO
security-level 70
ip address 192.168.21.223 255.255.255.0
!
interface Port-channel1.31
vlan 31
nameif EXT_EXPLO
security-level 0
ip address 192.168.3.223 255.255.255.0
!
interface Port-channel2
nameif TRUNK_1A
security-level 0
no ip address
!
interface Port-channel2.11
vlan 11
nameif INTERNA
security-level 90
ip address 192.168.11.223 255.255.255.0
!
interface Port-channel2.22
vlan 22
nameif DMZ_SERVICE
security-level 70
ip address 192.168.22.223 255.255.255.0
!
interface Port-channel2.32
vlan 32
nameif EXT_SERVICE
security-level 0
ip address 192.168.1.151 255.255.255.0
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object network GW-SERVICE
host 192.168.1.200
description Xircom
access-list DMZ_SERVICE_access_out extended permit ip any any inactive
access-list DMZ_SERVICE_access_out extended deny ip any any
access-list DMZ_SERVICE_access_in extended permit ip any any inactive
access-list DMZ_SERVICE_access_in extended deny ip any any
access-list EXT_SERVICE_access_in extended permit ip any any inactive
access-list EXT_SERVICE_access_in extended deny ip any any
access-list EXT_SERVICE_access_out extended permit ip any any inactive
access-list EXT_SERVICE_access_out extended deny ip any any
access-list global_mpc extended permit ip any any
access-list default standard deny any
pager lines 24
logging enable
logging asdm informational
mtu management-ha 1500
mtu TRUNK_0A 1500
mtu DMZ_EXPLO 1500
mtu EXT_EXPLO 1500
mtu TRUNK_1A 1500
mtu INTERNA 1500
mtu DMZ_SERVICE 1500
mtu EXT_SERVICE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
access-group DMZ_SERVICE_access_in in interface DMZ_SERVICE
access-group DMZ_SERVICE_access_out out interface DMZ_SERVICE
access-group EXT_SERVICE_access_in in interface EXT_SERVICE
access-group EXT_SERVICE_access_out out interface EXT_SERVICE
route EXT_SERVICE 0.0.0.0 0.0.0.0 192.168.1.200 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 0:05:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 EXT_SERVICE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 84.88.69.32 source EXT_SERVICE prefer
ntp server 130.206.3.166 source EXT_SERVICE prefer
ntp server 93.92.239.129 source EXT_SERVICE
ntp server 212.36.75.245 source EXT_SERVICE
webvpn
!
class-map global-class
match access-list global_mpc
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect im im
parameters
match protocol msn-im yahoo-im
drop-connection log
policy-map type inspect ipv6 ipv6
parameters
match header routing-type range 0 255
policy-map global-policy
class global-class
inspect ctiqbe
inspect dcerpc
inspect dns
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect icmp
inspect icmp error
inspect ils
inspect ip-options
inspect ipsec-pass-thru
inspect mgcp
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect snmp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect waas
inspect xdmcp
class class-default
inspect ftp
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:23a90a41872bc184caa246b8848b4183
: end
ciscoasa#
01-17-2012 06:58 AM
Hello Andres,
As you know, the ASA is a stateful firewall that does deep packet inspection (DPI). The thing here is that from a higher security level to a lower security level all traffic is permitted no matter what, so you already denied traffic from EXT_SERVICE to DMZ_SERVICE, but all traffic initiated from DMZ, as it is a higher security level interface, will be allowed; then the response from the EXT_SERVICE host will be checked by the ASA against its connection and xlate table, and the packet will match a connection there, so it will bypass the ACL (STATEFUL inspection).
Let me know if this makes it clear.
Regards,
Julio
Please rate helpful posts!
01-17-2012 07:12 AM
Thanks for this response, now I can see the real problem. But how can I correct this? I need a method to block the established connections with an ACL rule.
If I put EXT_SERVICE and DMZ_SERVICE at 'security-level 0' with 'same-security-traffic permit inter-interface', perhaps the ACL rule would work for the established connections too? Or does this issue not have a simple correction?
Thanks for your help Julio!
Best Regards
01-17-2012 07:06 AM
Hi,
If I understand well, you want to be sure (after ACL implementation) that no present connection will flow.
Then there are 2 ways to do it (as far as I know): clear xlate, or clear conn address (with the parameter:
Enter an IP address or a range of IP addresses:
HTH
Pavel
Please rate helpful posts!
01-17-2012 07:21 AM
Thanks for this response Pavel! Affirmative, 'clear conn address' blocks the connection, but I need another, automatic mechanism to block the established connections that match the deny rule when I put the deny rule in the ACL.
01-17-2012 07:26 AM
Not at all Andres,
So, you have to use another way of working.
First deny everything and then allow service by service (between addresses) as needed.
This way you will never have the problem you mentioned,
because editing an ACL doesn't affect already established connections.
HTH
Pavel
01-17-2012 08:02 AM
Ok Pavel,
I am trying to do what you said, but it doesn't work as I expected. Sorry for my error; if you know a document that explains how to do it better than I did, please let me know and I will try.
I have these rules:
access-list DMZ_SERVICE_access_out extended permit tcp any any eq ssh
access-list DMZ_SERVICE_access_out extended deny ip any any
access-list DMZ_SERVICE_access_in extended permit tcp any any eq ssh
access-list DMZ_SERVICE_access_in extended deny ip any any
access-list EXT_SERVICE_access_in extended permit tcp any any eq ssh
access-list EXT_SERVICE_access_in extended deny ip any any
access-list EXT_SERVICE_access_out extended permit tcp any any eq ssh
access-list EXT_SERVICE_access_out extended deny ip any any
access-list global_mpc extended permit ip any any
access-list default standard deny any
Ok, now I'm simulating an attacker that connects over ssh to one host in the DMZ_SERVICE network, and while the ssh connection is running I write this to the ASA:
access-list EXT_SERVICE_access_in line 1 extended permit tcp any any eq ssh inactive
access-list DMZ_SERVICE_access_in line 1 extended permit tcp any any eq ssh inactive
access-list DMZ_SERVICE_access_out line 1 extended permit tcp any any eq ssh inactive
access-list EXT_SERVICE_access_out line 1 extended permit tcp any any eq ssh inactive
The ssh connection is still alive
Sorry if I didn't understand your advice. Could you please explain the method to cut the established malicious connections?
I see that if I define a 'Service Policy Rule', the ping (icmp traffic) is blocked when the ACL is changed to deny.
class-map global-class1
match default-inspection-traffic
policy-map global-policy
class global-class1
inspect icmp
Perhaps this is the way?
01-17-2012 08:35 AM
Hi Andres,
Please coud you explain me the method of cut the stablished malicious established connections?
Through the CLI of the ASA, or ASDM, where you put the command clear connection ............
This is the only way I know.
About the ping (IMHO) it's another situation, because for each echo-request there is an echo-reply (as a pair). For ping 1 there is pair 1 and "established connection" 1. For another, just change the numbers. If you change to deny, pings are then denied. It doesn't work with a "normal" connection such as ssh.
Regards
Pavel
01-17-2012 08:46 AM
Hello Pavel,
I use the CLI for the command clear conn ... and I use ASDM to input ACL rules (ASDM only for usability). I have two monitors, one with the ASDM and the other with the CLI over a serial RS232 cable.
For the ping question you are right, it is another situation. Any idea or help for this situation?
Really thanks for your help!
Regards!
01-17-2012 10:48 AM
Hello Andres,
The thing is that as soon as the ASA knows a valid connection is established, the only way to drop it, as Pavel said, would be with a clear connection for that particular session.
As an example, you can kill an ssh session with the command kill xxx (session id) on the ASA.
What you can configure is an idle timeout, a maximum number of connections to a host, etc.
But as soon as the connection is considered valid by the ASA, you cannot terminate it by using an ACL.
Regards,
Julio
Please rate post that helps you
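As an added example (not from the thread or from Cisco), here is a small script that turns the manual 'clear conn address' step Pavel and Julio describe into something repeatable: it parses 'show conn' output and a newly added deny ACE, and prints the 'clear conn' commands for the established sessions that ACE would now block but the stateful lookup keeps alive. The 'show conn' lines are constructed in the 8.4 format, the script assumes the first address in each line is the connection's source and the second its destination, and the 'clear conn protocol ... address ... port ...' keyword order is assumed from the 8.4 command reference.

```python
import ipaddress
import re

# Constructed sample of 'show conn' output (ASA 8.4 layout), not from the thread.
SAMPLE_SHOW_CONN = """\
TCP EXT_SERVICE 192.168.1.50:51234 DMZ_SERVICE 192.168.22.10:22, idle 0:00:05, bytes 4120, flags UIO
TCP EXT_SERVICE 192.168.1.51:40001 DMZ_SERVICE 192.168.22.11:80, idle 0:00:01, bytes 900, flags UIO
UDP EXT_SERVICE 192.168.1.50:5000 DMZ_SERVICE 192.168.22.10:53, idle 0:00:02, bytes 120, flags -
"""
SERVICE_PORTS = {"ssh": 22, "www": 80, "https": 443, "domain": 53}  # ACE port keywords
CONN_RE = re.compile(  # assumed: first address = source, second = destination
    r"^(?P<proto>TCP|UDP)\s+\S+\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"\S+\s+(?P<dst>[\d.]+):(?P<dport>\d+),")

def parse_addr(tokens):
    """Consume one ACE address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ace(line):
    """Parse 'access-list NAME extended deny PROTO SRC DST [eq PORT]' (the subset used here)."""
    t = line.split()
    if t[:1] != ["access-list"] or t[2:4] != ["extended", "deny"]:
        raise ValueError("not a deny ACE in the supported form: " + line)
    src, rest = parse_addr(t[5:])
    dst, rest = parse_addr(rest)
    port = int(SERVICE_PORTS.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
    return {"proto": t[4], "src": src, "dst": dst, "dport": port}

def clear_commands(ace_line, show_conn=SAMPLE_SHOW_CONN):
    """Return the 'clear conn' commands for established sessions the deny ACE would now block.
    Interface direction is ignored: match on protocol, addresses and destination port only."""
    ace, cmds = parse_ace(ace_line), []
    for line in show_conn.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        proto = m["proto"].lower()
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if ace["proto"] not in ("ip", proto) or src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and int(m["dport"]) != ace["dport"]:
            continue
        cmds.append(f"clear conn protocol {proto} address {src} port {m['sport']} "
                    f"address {dst} port {m['dport']}")
    return cmds
```

Paste the real 'show conn' output in place of the sample and call clear_commands() with the ACE you just added; the printed lines are the ones to run on the ASA after the ACL change.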