05-24-2022 11:06 PM
Hi all,
My organisation shared some hardening points for Cisco ASA firewall and wants to implement them. Basically I need to know the impact of each command in a production environment.
1) Point : Ensure 'noproxyarp' is enabled for untrusted interfaces
Command suggested : HOSTNAME(CONFIG)# SYSOPT NOPROXYARP <untrusted_interface_name>
My Concern : Would executing this command on the outside interface impact any NATted traffic configured from inside to outside or outside to inside?
2) Point : Ensure ICMP is restricted for untrusted interfaces
Command suggested : ICMP PERMIT <subnet> <mask> <untrusted_interface_name>
My Concern : Would executing this command break any internet-facing sites/applications reachable via the outside interface, because of ICMP packets being dropped from the ASA and from the outside world to the ASA interface?
3) Point : Ensure packet fragments are restricted for untrusted interfaces
Command suggested : HOSTNAME(CONFIG)#FRAGMENT CHAIN 1 <interface_name>
My Concern : Would it impact/drop any kind of traffic going via that interface once a certain number of packets/fragments has been reached?
05-25-2022 01:03 AM - edited 05-25-2022 01:05 AM
sysopt noproxyarp:
The firewall builds a table from responses to ARP requests to map physical addresses to IP addresses. A periodic ARP function is enabled in the default configuration. The presence of entries in the ARP cache indicates that the firewall has network connectivity. The show arp command lists the entries in the ARP table. Usually, administrators do not need to manually manipulate ARP entries on the firewall. This is done only when troubleshooting or solving network connectivity problems.
The arp command is used to add a permanent entry for a host on a network. If one host is exchanged for another host with the same IP address, then the "clear arp" command can be used to clear the ARP cache on the PIX. Alternatively, you can wait for the duration specified with the arp timeout command to expire, and the ARP table rebuilds itself automatically with the new host information.
The sysopt noproxyarp command is used to disable Proxy ARPs on an interface from the command-line interface. By default, the PIX Firewall responds to ARP requests directed at the PIX Firewall's interface IP addresses as well as to ARP requests for any static or global address defined on the PIX Firewall interface (which are proxy ARP requests).
The sysopt noproxyarp if_name command lets you disable proxy ARP request responses on a PIX Firewall interface. However, this command does not disable (non-proxy) ARP requests on the PIX Firewall interface itself. Consequently, if you use the sysopt noproxyarp if_name command, the PIX Firewall no longer responds to ARP requests for the addresses in the static, global, and nat 0 commands for that interface but does respond to ARP requests for its interface IP addresses.
ICMP PERMIT <subnet> <mask> <untrusted_interface_name>
like the command below: hostname(config)# icmp permit host 10.1.1.15 outside
It means you are allowing ping for the internal network to outside, i.e. for ICMP.
HOSTNAME(CONFIG)#FRAGMENT CHAIN 1 <interface_name>
PIX allows a large packet to be fragmented into 24 fragments. By default, the fragmentation limit is 24. With the command fragment chain 1 outside, you have specified "do not allow any fragmented packets".
no fragment chain 1 outside
This should allow up to 24 fragmented packets on the interface.
Use the show fragment command to verify.
You will have to disable fragmentation in case you are trying to access NAS servers. Otherwise, having fragmented packets will not have any risk.
Thanks,
Jitendra
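As an added example (not from the thread or from Cisco), here is a small Python audit that reads a constructed ASA running-config and reports, per untrusted interface, whether the three hardening points above are present; interfaces with security-level 0 are assumed to be the untrusted ones.

```python
import re

# Constructed sample ASA running-config (not from the thread): "outside" is
# the untrusted interface (security-level 0), "inside" is trusted.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
sysopt noproxyarp outside
icmp permit host 10.1.1.15 outside
icmp deny any outside
fragment chain 1 outside
"""


def untrusted_interfaces(config, max_level=0):
    """Return nameifs whose security-level is <= max_level (assumed untrusted)."""
    names, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = None          # new interface block, forget previous nameif
        m = re.match(r"\s+nameif (\S+)", line)
        if m:
            current = m.group(1)
        m = re.match(r"\s+security-level (\d+)", line)
        if m and current and int(m.group(1)) <= max_level:
            names.append(current)
    return names


def audit(config):
    """Check the three hardening points for every untrusted interface."""
    lines = [l.strip() for l in config.splitlines()]
    results = {}
    for ifname in untrusted_interfaces(config):
        results[ifname] = {
            # 1) proxy ARP disabled on the untrusted interface
            "noproxyarp": f"sysopt noproxyarp {ifname}" in lines,
            # 2) ICMP to the ASA's own interface restricted: a permit list is
            #    only effective when closed off by an explicit "icmp deny any"
            "icmp_restricted": f"icmp deny any {ifname}" in lines,
            # 3) fragmented packets rejected on the untrusted interface
            "fragments_restricted": f"fragment chain 1 {ifname}" in lines,
        }
    return results
```

Run it against `show running-config` output saved to a file to get a quick pre-change and post-change comparison of the three settings.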