Probably stupid error with Security Level on ASA 5505 8.3.1

richard-widmer
Level 1
I am having a problem with security levels on my ASA-5505 with 8.3.1 installed.

Specifically I am trying to make an HTTP connection from a host at IP 192.168.2.108 connected to
Vlan20 (Public) security-level 50 IP 192.168.2.1, to an external web host at 204.228.229.22 via
Vlan1 (Cox) security-level 0.

If I add 'access-list global_access extended permit ip any any' I am able to connect. Without
this access rule the implicit 'access-list global_access deny ip any any' causes the connection
to be denied. I realize this is not a good long term solution!

I thought that the implicit 'access-list Public_access permit ip any any-less-secure' rule was
supposed to allow all traffic initiated from the Public Vlan (security-level 50) to connect to
the Cox vlan (security-level 0) which connects to my ISP.

I believe routing, DNS and NAT are set up correctly since I can explicitly allow the traffic.

Is this a problem with my configuration or my expectations?


Thanks,
Rick


Here is my configuration with the 'access-list global_access extended permit ip any any' rule enabled:

: Saved
:
ASA Version 8.3(1)
!
hostname asa
domain-name haileypubliclibrary.org
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif Cox
security-level 0
ip address dhcp setroute
!
interface Vlan2
nameif SolutionPro
security-level 0
no ip address
!
interface Vlan10
nameif Staff
security-level 99
ip address 192.168.1.1 255.255.255.0
!
interface Vlan20
nameif Public
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Vlan30
nameif WiFi
security-level 50
ip address 192.168.3.1 255.255.255.0
!
interface Vlan40
nameif DMZ
security-level 10
ip address 192.168.4.1 255.255.255.0
!
interface Vlan50
nameif Maint
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 10
!
interface Ethernet0/2
switchport access vlan 20
!
interface Ethernet0/3
switchport access vlan 30
!
interface Ethernet0/4
switchport access vlan 40
!
interface Ethernet0/5
switchport access vlan 50
!
interface Ethernet0/6
switchport access vlan 50
!
interface Ethernet0/7
switchport access vlan 2
!
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
domain-name haileypubliclibrary.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Public-NAT
subnet 192.168.2.0 255.255.255.0
object network Staff-NAT
subnet 192.168.1.0 255.255.255.0
object network WiFi-NAT
subnet 192.168.4.0 255.255.255.0
access-list global_access remark Allow ping everywhere
access-list global_access extended permit icmp any any echo
access-list global_access remark Allow ping everywhere
access-list global_access extended permit icmp any any echo-reply
access-list global_access remark Allow traceroute
access-list global_access extended permit icmp any any traceroute
access-list global_access extended permit ip any any
pager lines 24
logging enable
logging asdm debugging
mtu Staff 1500
mtu Cox 1500
mtu Public 1500
mtu WiFi 1500
mtu Maint 1500
mtu SolutionPro 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
!
object network Public-NAT
nat (any,Cox) dynamic interface
object network Staff-NAT
nat (any,Cox) dynamic interface
object network WiFi-NAT
nat (any,Cox) dynamic interface
access-group global_access global
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 Public
http 192.168.5.0 255.255.255.0 Maint
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface Cox
dhcpd dns 192.168.2.4
dhcpd domain haileypubliclibrary.org
dhcpd auto_config Staff
!
dhcpd address 192.168.1.200-192.168.1.209 Staff
!
dhcpd address 192.168.2.100-192.168.2.149 Public
dhcpd enable Public
!
dhcpd address 192.168.3.100-192.168.3.199 WiFi
dhcpd enable WiFi
!
dhcpd address 192.168.5.100-192.168.5.199 Maint
dhcpd enable Maint
!
dhcpd address 192.168.4.200-192.168.4.209 DMZ
!

threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.2.4 source Public prefer
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
hpm topN enable
Cryptochecksum:4a43dd1e3d8fa2437682e089376d0a28
: end

csaxena
Cisco Employee

Hello Richard,

Ideally for connection from higher security level to lower level (192.168.2.x(50) to Internet(0)), we don't need an access-list. But as per the config, you have access-list "global-access" global to the ASA. Thus, allowing IP any any allows traffic on Public Interface and thus connection establishes.

- We can either add a specific access-list on Public interface saying IP any any and this will override the global access list.

   Config will look like:

       - access-list public_access_out permit ip any any

       - access-group public_access_out in interface public

- Or remove global access list and apply individual access-lists on each interface as per your requirement.

Hope this helps. Please reply back if you need any further assistance.

Regards,
Chirag
P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.

Shrikant Sundaresh
Cisco Employee

Hi Richard,

As Chirag mentioned earlier, if everything works correctly, then a connection from higher to lower security level can be established without access-lists.

Let's troubleshoot as to why it isn't working then:


Your current config of access-group and nat rules is this:

access-group global_access global
object network Public-NAT
nat (any,Cox) dynamic interface
object network Staff-NAT
nat (any,Cox) dynamic interface
object network WiFi-NAT
nat (any,Cox) dynamic interface

Kindly put in the following commands, so we can make the nat rules more precise and test without the access-list:
no access-group global_access global
object network Public-NAT
no nat (any,Cox) dynamic interface
nat (Public,Cox) dynamic interface
exit
!
object network Staff-NAT
no nat (any,Cox) dynamic interface
nat (Staff,Cox) dynamic interface
exit
!
object network WiFi-NAT
no nat (any,Cox) dynamic interface
nat (WiFi,Cox) dynamic interface
exit
!

Now run a packet-tracer command to see if the packet is traversing the ASA correctly

packet-tracer input Public tcp 192.168.2.10 19216 4.2.2.2 80 det

If it shows all phases as "Allow", that means traffic is going fine. If it shows a drop in any, then that's where we start troubleshooting.
Please paste the entire output of the packet-tracer in case it is dropping somewhere.


-Shrikant

P.S.: Please mark the question resolved if it has been answered. Do rate helpful posts. Thanks.
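The rule precedence both replies rely on (interface ACL first, then the global ACL, then that ACL's implicit deny; the implicit higher-to-lower permit only when no ACL governs the interface) as an added Python audit script. It is not part of the thread or of any Cisco tool; it parses a constructed, trimmed copy of the config posted above, understands only "any any" entries, and reports which rule decides Public-to-Cox traffic under each of the fixes suggested (function and variable names are my own).

```python
import re

SAMPLE_CONFIG = """\
nameif Cox
security-level 0
nameif Public
security-level 50
access-list global_access extended permit icmp any any echo
access-group global_access global
"""  # constructed: the posted config trimmed to the lines that decide Public -> Cox

def parse(config):
    """Security level per nameif, ACEs per ACL name, and where each ACL is applied."""
    levels, acls, groups, name = {}, {}, {"interface": {}, "global": None}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level "):
            levels[name] = int(line.split()[1])
        elif (m := re.match(r"access-list (\S+) (?:extended )?(permit|deny) (\S+) (\S+) (\S+)", line)):
            acls.setdefault(m[1], []).append(m.groups()[1:])  # (action, proto, src, dst)
        elif (m := re.match(r"access-group (\S+) global", line)):
            groups["global"] = m[1]
        elif (m := re.match(r"access-group (\S+) in interface (\S+)", line)):
            groups["interface"][m[2]] = m[1]
    return levels, acls, groups

def acl_verdict(aces, proto):
    # First matching ACE wins; only "any any" sources/destinations are modelled.
    for action, p, src, dst in aces:
        if p in (proto, "ip") and src == dst == "any":
            return action
    return None  # no match: fall through to the next stage

def effective_action(config, src_if, dst_if, proto="tcp"):
    """(permit|deny, reason) for proto traffic entering src_if and leaving via dst_if.
    ASA 8.3 order: interface ACL, then global ACL, then that ACL's implicit deny;
    the implicit higher-to-lower permit applies only when no ACL governs src_if."""
    levels, acls, groups = parse(config)
    applied = False
    for scope, acl in (("interface", groups["interface"].get(src_if)), ("global", groups["global"])):
        if acl:
            applied = True
            if (v := acl_verdict(acls.get(acl, []), proto)):
                return v, f"{scope} ACL {acl}"
    if applied:
        return "deny", "implicit deny at the end of the applied ACL(s)"
    if levels[src_if] > levels[dst_if]:
        return "permit", "implicit higher-to-lower security-level rule"
    return "deny", "implicit deny for lower-to-higher traffic"
```

Running effective_action on SAMPLE_CONFIG reproduces the symptom in the question (denied by the global ACL's implicit deny), while removing the access-group line, adding "permit ip any any" to global_access, or applying a per-interface ACL each yield a permit with a different deciding rule.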