11-16-2010 06:21 AM - edited 03-11-2019 12:10 PM
This is a fairly simple question and I'm sure there is a fairly simple answer, but for whatever reason I can't seem to get ICMP blocked properly on the external interface of my ASA. I obviously don't want my external interface to be pingable, but no matter what I configure in the ACL I am still able to ping the outside IP from outside of our network.
The external IP is xxx.xxx.xxx.178.
What is the easiest, best practice way to accomplish this?
11-16-2010 07:15 AM
ACLs applied to the ASA only affect transient traffic. To block ICMP *to* the interface, use the 'icmp' command.
icmp deny any
Example:
icmp deny any outside
11-16-2010 08:39 AM
Fantastic! That worked like a charm!
Now I have another question:
Because of a recent ISP/IP naming scheme change we have had to NAT our internal Exchange server to a public IP address in a block that was provided to us.
Because of this NATing, even though the server is behind the firewall it appears to the outside world as though it is external. Meaning that when I run a port/ping scan on it for security from the outside, the following happens:
I get a ping reply; obviously this must be stopped, it is a major security hole. So I need to know how to go about blocking ICMP requests for this NATed address.
Secondly, a few ports show as open to the outside world:
25
54
80
135
139
443
593
691
1025
1026
I'm sure that some of these ports need to be open, like the SMTP port or port 691 for MS Exchange routing, but my question is, overall, what would be the best practice to properly secure this server and make sure it isn't compromised?
I'm using the GRC ShieldsUP port scanner, and when I run the scan from anything else in the company (servers/workstations) the regular external IP of the firewall shows up and everything passes perfectly. All ports are in stealth mode and there are no packet or ICMP replies.
But when I run the scanner on the mail server with the NAT rule, nothing is stealthed; instead most of the ports are just blocked, with the exception of the ones mentioned above being open and the ICMP reply.
11-16-2010 12:16 PM
You can block these packets in the access-list that is applied on your outside interface.
access-list line 1 deny icmp any xxx.xxx.xxx.178
access-list line 1 deny tcp any xxx.xxx.xxx.178 eq
access-list line 1 deny tcp any xxx.xxx.xxx.178 eq ...
Let us know if it fixes the issue.
PK
11-16-2010 02:30 PM
Interface ACLs are used to permit/deny transient traffic through the ASA. Therefore, if your scanner is showing TCP ports as being open, then you must have an ACL applied to your interface that is permitting the traffic. You can use the "Packet Tracer" tool in ASDM (or the CLI) if you need help locating which entry in the ACL is permitting the traffic.
As for security, only permit the ports which are required to provide the service you are offering up.
Sincerely,
David.
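As an added example (not posted by anyone in this thread), here is how the two controls discussed above fit together on an ASA: the icmp command for pings aimed at the outside interface itself, and the outside interface ACL for traffic that passes through the firewall to a NATed host such as the Exchange server, followed by packet-tracer checks of the kind David suggests. Every name and address is assumed for illustration: ACL OUTSIDE_IN, RFC 5737 documentation addresses 203.0.113.20 for the Exchange server's public (mapped) address and 192.0.2.50 for an external scanner. The ACL is written in pre-8.3 style, matching the mapped address; see the note after the block.

```cisco
! --- Pings to the outside interface itself: the icmp command, not the interface ACL ---
! Rules are evaluated first match, and once any icmp rule exists anything unmatched is
! denied, so the permits for PMTUD and traceroute replies must come before the final deny.
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any outside

! --- Traffic through the ASA to the NATed mail server: the outside interface ACL ---
! Assumed names/addresses (not from the thread): OUTSIDE_IN, 203.0.113.20 = mapped
! (public) address of the Exchange server. Pre-8.3 syntax: the ACL matches the mapped address.
access-list OUTSIDE_IN remark Only the services the mail server is meant to offer
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.20 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.20 eq https
access-list OUTSIDE_IN remark Everything else, including ICMP echo to the mapped address, is dropped here
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! --- Verify from the CLI instead of rescanning: trace a probe the way the ASA would see it ---
! Assumed scanner address 192.0.2.50. Both of these should report Action: drop with
! Drop-reason: (acl-drop), i.e. no ACE permits them.
packet-tracer input outside tcp 192.0.2.50 40000 203.0.113.20 135
packet-tracer input outside icmp 192.0.2.50 8 0 203.0.113.20
! And one that the ACL is meant to allow (SMTP), which should report Action: allow.
packet-tracer input outside tcp 192.0.2.50 40000 203.0.113.20 25
```

On ASA 8.3 and later, interface ACLs match the real (untranslated) address, so the permit lines would name the Exchange server's inside address instead of 203.0.113.20; the icmp and packet-tracer commands are unchanged. A port that ShieldsUP reports as "closed" rather than "stealth" answered with a TCP RST, which can only happen if the probe was passed through to the host, so a "closed" result is the same symptom David describes: some ACE in the outside ACL is permitting that traffic, and packet-tracer will show which one.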