Cisco Asa Audit Point

sv7 · ‎05-24-2022

Hi all,

My organisation shared some hardening points for Cisco ASA firewall and wants to implement them. Basically i need to know the impact of that command in production environment.

1) Point : Ensure 'noproxyarp' is enabled for untrusted interfaces

Command suggested : HOSTNAME(CONFIG)# SYSOPT NOPROXYARP _<untrusted_interface_name> _

My Concern : Does executing this command on outside interface would impact any Natted traffic configured from inside to outside or outside to inside

2) Point : Ensure ICMP is restricted for untrusted interfaces

Command suggested : ICMP PERMIT _<subnet> <mask> <untrusted_interface_name>_

My Concern : Does executing this command disable any internet facing sites/applications or reachable via outside interface icmp packet drop from Asa and from outside world to Asa interface.

3) Point : Ensure packet fragments are restricted for untrusted interfaces

Command suggested : HOSTNAME(CONFIG)#FRAGMENT CHAIN 1 _<interface_name> _

My Concern : Would it impact/drop any kind of traffic going via that interface if certain amount of packet/fragment have been achieved

Jitendra Kumar · ‎05-25-2022

sysopt noproxyarp:

The firewall builds a table from responses to ARP requests to map physical addresses to IP addresses. A periodic ARP function is enabled in the default configuration. The presence of entries in the ARP cache indicates that the firewall has network connectivity. The show arp command lists the entries in the ARP table. Usually, administrators do not need to manually manipulate ARP entries on the firewall. This is done only when troubleshooting or solving network connectivity problems.
The arp command is used to add a permanent entry for host on a network. If one host is exchanged for another host with the same IP address then the "clear arp" command can be used to clear the ARP cache on the PIX. Alternatively, you can wait for the duration specified with the arp timeout command to expire and the ARP table rebuilds itself automatically with the new host information.
The sysopt noproxyarp command is used to disable Proxy ARPs on an interface from the command-line interface. By default, the PIX Firewall responds to ARP requests directed at the PIX Firewall's interface IP addresses as well as to ARP requests for any static or global address defined on the PIX Firewall interface (which are proxy ARP requests).

The sysopt noproxyarp if_name command lets you disable proxy ARP request responses on a PIX Firewall interface. However, this command does not disable (non-proxy) ARP requests on the PIX Firewall interface itself. Consequently, if you use the sysopt noproxyarp if_name command, the PIX Firewall no longer responds to ARP requests for the addresses in the static, global, and nat 0 commands for that interface but does respond to ARP requests for its interface IP addresses.

ICMP PERMIT _<subnet> <mask> <untrusted_interface_name>_
like below command :- hostname(config)# icmp permit host 10.1.1.15 outside
it means you are allowing ping for internal network to outside means for ICMP.

HOSTNAME(CONFIG)#FRAGMENT CHAIN 1 _<interface_name> _
PIX allows a large packet to be fragmented into 24 fragments. By default, the fragmentation limit is 24. By the command fragment chain 1 outside, you have specified that " do not allow any fragmented packets".
no fragment chain 1 outside
This should allow up to 24 fragmented packets on the interface.
Show fragment command.
You will have to disable fragmentation in case you are trying to access NAS servers. Otherwise, having fragmented packets will not have any risk.

Thanks,

Jitendra

Thanks,
Jitendra