ACL for Firewalls

Floyed3306
Level 1

Greetings everyone,


I'm looking for some input on what you personally think as an individual with experience relating to this. I know it's situational, but is there a rule of thumb for creating an ACL on a firewall for network hardening?


What are some examples everyone should do with ACLs besides blocking addresses that aren't being used? What else should be restricted as far as ports? Any examples would be appreciated.


Thank you again everyone.

6 Replies

Richard Burts
Hall of Fame

There are some things that are pretty obvious, assuming that this firewall will connect to Internet on its outside interface and to your internal network on its inside interface:

- you want to block any inbound packet with a source address in the reserved private address networks (10.0.0.0, 172.16.0.0, 192.168.0.0).

- you want to block any inbound packet with a source address in the APIPA network 169.254.0.0.

- you want to block any inbound packet with a source address in your internal network.


Beyond that you need to make some choices about types of traffic that you might want to deny:

- some people block inbound ICMP. But if you do this then things like Path MTU Discovery don't work, and you don't have the ability to troubleshoot using ping, traceroute, etc. But you might think about some types of ICMP that you might want to block.

- do you want to deny inbound attempts to connect using telnet or ssh?

- do you want to deny inbound packets from a dynamic routing protocol?

- do you want to deny inbound packets from management protocols such as snmp or ntp or syslog?

- do you want to deny inbound packets that are netBIOS?

- do you want to deny inbound packets that are FTP or TFTP?

- do you want to deny inbound packets that are multicast?

HTH

Rick

Naresh Murali
Cisco Employee

Hi Floyed3306,


To make it very simple: an ACL has an inbuilt deny command in it.

So I would suggest the best way to implement would be to allow the traffic you want in the ACL, and finally the other unwanted traffic would be blocked anyway. In this scenario make sure you allow all the right traffic to avoid any network disconnection, and also keep console access in case you want to revert the changes.

Hope this helps.


Regards

Naresh M


Thank you for your thoughts. How does the configuration below look so far? I'm learning ACLs and how to properly do them, so any commands you'd be willing to share would be appreciated.


Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
:
ASA Version 9.1(7)32
!
hostname ASA
domain-name www.domain.com
enable password u5IlpEaVfXh4Bw5y encrypted
names
dns-guard
!
interface Ethernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.0.2 255.255.255.0
!
interface GigabitEthernet1/0
description WAN
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/1
description Switch
nameif inside
security-level 100
ip address 172.16.100.1 255.255.255.0
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST 15
dns server-group DefaultDNS
domain-name www.domain.com
object network obj_172.16.100.0
subnet 172.16.100.0 255.255.255.0
access-list 105 extended deny tcp any host 172.16.100.1 eq telnet
access-list 105 extended deny tcp any host 172.16.100.1 eq ssh
access-list 105 extended deny tcp any host 172.16.100.1 eq ftp
access-list 105 extended deny udp any host 172.16.100.1 eq tftp
access-list 105 extended deny tcp any host 169.254.0.0
pager lines 24
mtu management 1500
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_172.16.100.0
nat (inside,outside) dynamic interface
access-group 105 in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.0.0 255.255.255.0 management
ssh 172.16.100.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 172.16.100.2-172.16.100.254 inside
dhcpd dns 75.75.75.75 75.75.76.76 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
tftp-server management 192.168.0.10 asa917-32-k8.bin
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
username binary password Ubt0d5O6EF2KlPSd encrypted privilege 15
username binary123 password vCVRNfkEcWuUF139 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:224ca1f1a77b7a84e85e97a001a0a301
: end

Hi Floyed3306,


I see the below config:


access-list 105 extended deny tcp any host 172.16.100.1 eq telnet
access-list 105 extended deny tcp any host 172.16.100.1 eq ssh
access-list 105 extended deny tcp any host 172.16.100.1 eq ftp
access-list 105 extended deny udp any host 172.16.100.1 eq tftp
access-list 105 extended deny tcp any host 169.254.0.0

nat (inside,outside) dynamic interface
access-group 105 in interface outside


Here I can see only deny statements and the IN direction. I don't see any traffic you allowed or permitted. Are you able to communicate with this ACL?


Regards

Naresh M
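To make the implicit-deny behaviour Naresh describes and the bogon-source filtering Rick lists concrete, here is a small ACL simulator added for this thread (it is not Cisco's code or anything posted above). It parses ASA-style extended ACEs, evaluates a packet first-match, and falls through to the implicit deny; `OP_ACL` copies the deny-only ACL 105 quoted above, while `HARDENED_ACL` (the name `outside_in`, the port keyword table and the `https` permit are assumptions for the example) shows the permit-what-you-need style. Note that `host 169.254.0.0` in ACL 105 matches exactly one destination address, not the 169.254.0.0/16 source range Rick had in mind.

```python
import ipaddress

# Both access lists are constructed for this example. OP_ACL copies the
# deny-only ACL 105 quoted above; HARDENED_ACL (assumed name "outside_in")
# puts Rick's bogon-source denies first and then permits only what is needed.
OP_ACL = """
access-list 105 extended deny tcp any host 172.16.100.1 eq telnet
access-list 105 extended deny tcp any host 172.16.100.1 eq ssh
access-list 105 extended deny tcp any host 172.16.100.1 eq ftp
access-list 105 extended deny udp any host 172.16.100.1 eq tftp
access-list 105 extended deny tcp any host 169.254.0.0
"""
HARDENED_ACL = """
access-list outside_in extended deny ip 10.0.0.0 255.0.0.0 any
access-list outside_in extended deny ip 172.16.0.0 255.240.0.0 any
access-list outside_in extended deny ip 192.168.0.0 255.255.0.0 any
access-list outside_in extended deny ip 169.254.0.0 255.255.0.0 any
access-list outside_in extended permit tcp any host 172.16.100.1 eq https
"""
# Service keywords used in the ACEs above, mapped to port numbers (assumed table).
PORTS = {"telnet": 23, "ssh": 22, "ftp": 21, "tftp": 69, "https": 443}

def _addr(tokens):
    """Consume one ASA address spec: any | host A.B.C.D | NETWORK MASK."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(t + "/" + tokens.pop(0))

def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto, rest = tok[3], tok[4], tok[5:]
        src, dst = _addr(rest), _addr(rest)   # src is consumed first
        port = (PORTS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        aces.append((action, proto, src, dst, port))
    return aces

def evaluate(aces, proto, src, dst, dport):
    """First-match evaluation of a new connection arriving on the interface;
    no match falls through to the ASA's implicit deny at the end of the ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, dn, port in aces:
        if p in ("ip", proto) and s in sn and d in dn and port in (None, dport):
            return action
    return "deny (implicit)"
```

The simulator only models new connections arriving on the outside interface, which is also what the ASA checks the ACL against; return traffic for sessions opened from inside is passed statefully, which is why a deny-only inbound list does not stop outbound browsing.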

I hope I understood correctly haha.


I'm able to use the internet and go out and in without a problem. I was only blocking stuff from the outside, but I shouldn't need to do anything like I did based on what you said before. It should just automatically be blocked and I just permit the traffic for addresses I'll be using. Did I understand that correctly? I think it just clicked haha.


If so, would you be willing to toss me the commands you'd recommend so I can get a better idea? I'm only using the 172.16.100.0 network atm.

Hi Floyed3306,


I just verified the configuration again. It seems the ASA won't work with this type of config.

Please refer to the link below, which would be useful for your ACL configuration:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/firewall/asa-95-firewall-config/access-acls.html


Regards

Naresh M