Re: ASA-5510 Access Rules, beginner misunderstandings...

Loxmyth · ‎09-23-2022

The default access rules on this box allow incoming IP from "any" to "any less-secure network". plus a global (outgoing?) "any to any", with no rule for the WAN connection. That's enough to let all my devices reach the outside world, and for more-secure networks to ping less-secure networks -- basic isolated router behavior.

Now I'm starting to try to control permissions between my networks, so development can access the production net but not vice versa. I'm willing to do it from the command line if I must, but I'd like to better understand how to manage it through ADSM. I don't currently have any Security Groups set up.

1) There doesn't seem to be a way to specify "any less-secure network" or multiple networks when entering our own rules in ADSM. And we can't simply modify the default rules which use that shortcut. It looks like we can have single rules that cover multiple sources. True? (I'm a bit surprised that this was implemented as "any to any-less-secure" rather than "any-more-secure to any"... or "to here".)

Those work for outgoing to the WAN, and allow ping among my LANs, but not SSH. My uneducated guess was that this meant I needed to add TCP and UDP to the protocols permitted by the rules, with the hope that these implied the protocols based upon them so I didn't need to spell everything out before I wanted that finer control. Unfortunately the default rules vanish when I try to add explicit rules, so I'd need to re-specify what the defaults have been providing.

2) There's a protocol listing for "tcp-udp", whose icon suggests that it's supposed to mean "either". When I tried using it in a rule, though, I got the error
--------------------------------

[OK] object-group protocol DM_INLINE_PROTOCOL_1
object-group protocol DM_INLINE_PROTOCOL_1
[ERROR] protocol-object tcp-udp

protocol-object tcp-udp
^
ERROR: % Invalid input detected at '^' marker.

[OK] object-group protocol DM_INLINE_PROTOCOL_2
object-group protocol DM_INLINE_PROTOCOL_2
[ERROR] protocol-object tcp-udp

protocol-object tcp-udp
^
ERROR: % Invalid input detected at '^' marker.

[OK] object-group protocol DM_INLINE_PROTOCOL_3
object-group protocol DM_INLINE_PROTOCOL_3
[ERROR] protocol-object tcp-udp

protocol-object tcp-udp
^
ERROR: % Invalid input detected at '^' marker.

[OK] object-group protocol DM_INLINE_PROTOCOL_1
object-group protocol DM_INLINE_PROTOCOL_1
[OK] no protocol-object tcp
[OK] no protocol-object udp

--------------------------------
So I went back to "ip, tcp, udp", and that seemed to be accepted.

3) But when I apply that approach -- incoming rules set to allow ip,tcp,udp from nets I consider more secure -- I lose connectivity rather than improving it. Applying that to "inside" (the lan port this machine is connected to) results in my losing web connectivity, presumably plus other things. I've backed it out so I can post this request for help...

I'm presumably misunderstanding something obvious. Could someone hit me with a clue-by-four, please?

adTHANKS!vance

(PS: Just for clarification, what's the difference between specifying "inside-network/24" versus "inside"? Is the former strictly an address test while the latter tests the network port the packet is being routed from/to? If so, "inside" would appear more secure, since theoretically a machine could be plugged into one of the other ports but be configured with an address in Inside-network's expected range...? Or is that misunderstanding the reason my attempted configuration failed?)

MHM Cisco World · ‎09-23-2022

can you share the ACL and NAT you use in ASA ?

Loxmyth · ‎09-23-2022

This whole configuration is the result of me self-training on the ASA, so I wouldn't be surprised to find I missed something essential... The initial goal goal is to have four LANs (management port, inside, public, dmz) plus the outside connection, with trust in that order from most to least. Outside and Inside are the two 1GB ports, the rest 10MB. DMZ is not in use yet; my home automation hardware test is currently on public and development is on inside. Each ASA port has its own range of addresses, 192.170.<asa port>.<device>, mostly assigned by DHCP (though I need to nail a few in place).

As it currently stands:

Result of the command: "show access-list"

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list DMZ_access_in; 1 elements; name hash: 0x76dc8ff6
access-list DMZ_access_in line 1 extended permit ip any 192.170.2.0 255.255.255.0 inactive (hitcnt=0) (inactive) 0xb9bef643

Result of the command: "show nat"

Manual NAT Policies (Section 1)
1 (any) to (outside) source dynamic any interface dns
translate_hits = 1740476, untranslate_hits = 6542

Loxmyth · ‎09-27-2022

Arggh. Looks like it was user error. After setting up an explicit incoming rule on public that allowed management-net/24 and inside-net/24 to use ip, tcp, and udp, I've successfully SSH'd from a machine hanging from the inside port to a machine hanging from the public port. I suspect I was doing something stupid like using the wrong userID or SSH key. Stepping away from the keyboard for a few days probably broke the bad reflex.

Insert blush here. I should have known better.

FWIW, the change that was applied was as follows 192.170.17 is being used on Management, ...0 should be Outside, ..1 should be Inside, ..2 should be DMZ (not yet in use) and ..3 should be Public (incoming only from Management and Inside). I would *still* like to better understand the difference between inside and inside-network/24, and whether I should have been using the former rather than the latter.

object-group network DM_INLINE_NETWORK_1
network-object 192.170.1.0 255.255.255.0
network-object 192.170.17.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object udp
protocol-object tcp
access-list public_access_in line 1 remark Try broadening from IP to allow TCP and UDP protocols. Since I can't use "any less secure",
access-list public_access_in line 2 remark I'm making it explicit from inside-network and management.
access-list public_access_in line 3 extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_1 any
access-group public_access_in in interface public

Chalk it up to flailing and rubber-ducking... <sigh/>

Loxmyth · ‎09-27-2022

Not quite. There was something missing; an Alexa on my public-facing net wasn't able to reach outside.

You can't edit the implicit incoming rule to just add TCP and UDP to it. And you can't use "any less secure network" in a user-created rule. But I *could* create an incoming rule for public that went from any to outside (should that have been public to outside?) and specified all three protocols; Alexa still seems happy with that and I've still added the ability to SSH from inside to public.

I think what I'm stumbling over here is what "incoming" and "outgoing" mean for these rules. I need to read up on that.

I'm being nibbled to death by rubber ducks. But it's progress.

Loxmyth · ‎08-13-2023

Here we go again... see https://community.cisco.com/t5/routing/asa-5510-access-rules-user-error-confusion/td-p/4904229 . "But it _was_ working..." There's clearly something here I don't grok. That one, at least, has the configuration attached.