12-12-2017 02:48 PM - edited 03-05-2019 09:38 AM
Hi, I just want to ask for some help with some code/lines. Here's my situation: the client currently has 2 devices:
1. Cisco ASA (Main branch) 9.1(6)
2. Cisco Router 2801 with IOS ver 12.4(3d)
They've decided to decommission the Cisco Router 2801 and replace it with the Cisco ASA (existing) because the Cisco ASA is being replaced by a different brand. So basically, copy the configs from the router to the ASA. As I was browsing over the router's config, I saw some lines which I'm not that familiar with on the router, since these configs will be copied or should have an equivalent as soon as the ASA replaces this device. I'd appreciate it if someone can give me some tips or correct me if I'm doing it wrong.
OK, the first one would be that I saw some code like:
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
and so on and so forth. From what I understand from my research, this one is like filtering the packets that will be allowed or denied; did I get this correct?
The next one would be the ACL or access-list. I'm not advanced when it comes to ACLs, but most of my colleagues are actually saying that this is very useful code. Here it goes:
ip access-list extended XXX_XXXXX --> the X's I'm assuming are the letters/chars/name of the ACL
permit icmp any any --> I'm assuming they allow ping/tracert on any IPs
ip access-list extended NAT
deny ip 10.10.10.0 0.0.0.255 10.125.85.0 0.0.0.255 -->
1. In this line, they denied the subnet 10.10.10.0, but I don't understand why 0.0.0.255 for the subnet?
2. 10.125.85.0 (sample network from the Cisco ASA, Main Branch) also used 0.0.0.255. Is 0.0.0.255 the same as a /8 subnet?
deny ip 192.168.55.0 0.0.0.255 10.125.85.0 0.0.0.255 -->
deny ip 192.168.55.0 0.0.0.255 10.125.86.0 0.0.0.255
1. 192.168.55.0 is the LAN IP set on the Router in the branch office. Is this line denying any LAN IP from the router access to the Main office LAN 10.125.85.0? And why the 0.0.0.255 subnet as well?
deny ip 192.168.55.0 0.0.0.255 10.125.86.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
permit ip 192.168.55.0 0.0.0.255 any --> these 3 lines are kind of confusing
ip access-list extended OUTSIDE
deny ip 0.0.0.0 0.255.255.255 any log --> I'm assuming any network can't just go out to the internet, and the log is the traffic log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.0.0.0 0.0.0.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 198.18.0.0 0.1.255.255 any log
deny ip 198.51.100.0 0.0.0.255 any log
deny ip 203.0.113.0 0.0.0.255 any log
deny ip 224.0.0.0 31.255.255.255 any log
remark Permit VPN Traffic
permit udp any host <77.77.777.77> eq non500-isakmp --> 77.xxx.xxx.xxx is the WAN IP of the branch office where the router is
permit udp any host 77.77.777.77 eq isakmp
permit esp any host 77.77.777.77
remark Permit ICMP
permit icmp any host 77.77.777.77 echo-reply
permit icmp any host 77.77.777.77 time-exceeded
permit icmp any host 77.77.777.77 unreachable
permit icmp any host 77.77.777.77 echo
permit tcp any host 77.77.777.77 eq 22
remark Deny IPs
deny ip any any log
ip access-list extended VPN2MAIN
permit ip 10.10.10.0 0.0.0.255 10.125.85.0 0.0.0.255
permit ip 192.168.55.0 0.0.0.255 10.125.85.0 0.0.0.255
permit ip 192.168.55.0 0.0.0.255 10.125.86.0 0.0.0.255
!
access-list 99 permit 65.x.x.x
access-list 99 permit 57.x.x.x
access-list 99 permit 66.666.666.666 --> this is the Main Branch IP where the Cisco ASA is
access-list 99 permit 216.x.x.x 0.0.0.255 --> this one is a dns server
access-list 99 permit 192.168.55.0 0.0.0.255 -->LAN IP of the router
!
Thanks
TECH-JEFF
12-12-2017 08:47 PM
Hi @TECH-JEFF
The ASA and the router are quite different. I'll try to help you:
Inspection:
This is how the firewall tracks connections, and it is useful for connectionless protocols like UDP. It is not a filter.
1. In this line, they denied the subnet 10.10.10.0, but I don't understand why 0.0.0.255 for the subnet?
They are probably denying this network from being NATted. It means there will be no NAT for those IPs.
2. 10.125.85.0 (sample network from the Cisco ASA, Main Branch) also used 0.0.0.255. Is 0.0.0.255 the same as a /8 subnet?
Nope. This means that the first three octets must match and the last one doesn't.
1. 192.168.55.0 is the LAN IP set on the Router in the branch office. Is this line denying any LAN IP from the router access to the Main office LAN 10.125.85.0? And why the 0.0.0.255 subnet as well?
deny ip 192.168.55.0 0.0.0.255 10.125.86.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
permit ip 192.168.55.0 0.0.0.255 any --> these 3 lines are kind of confusing
About the wildcard mask: it is the same as for the previous question.
This ACL is denying hosts on the 192 network from communicating with hosts on the 10 network, but it is allowing them to communicate with everything else.
This covers the main question. Keep in mind that the firewall is quite different, so try to implement it on the ASA and let me know about specific doubts.
-If I helped you somehow, please, rate it as useful.-
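As an added illustration of the wildcard-mask answer above (this is example code written for this page, not something either poster or Cisco provided), the script below implements Cisco IOS wildcard matching bit by bit, converts a wildcard such as 0.0.0.255 to its prefix length (/24, not /8) and to the subnet-mask form that ASA access-lists use instead of wildcards, and walks the NAT ACL quoted in the question with first-match, implicit-deny semantics. It assumes contiguous wildcard masks and handles only `ip` entries with `any`, `host` and address/wildcard operands (the form used in the NAT ACL); the packet addresses fed to it are constructed for the demonstration.

```python
import ipaddress

# Cisco wildcard semantics: a 0 bit means "this bit must match", a 1 bit means "don't care".
MASK32 = 0xFFFFFFFF


def wildcard_matches(addr, base, wildcard):
    """True if addr matches base under the given IOS wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & MASK32          # bits that must match
    return (a & care) == (b & care)


def wildcard_to_prefixlen(wildcard):
    """0.0.0.255 -> 24, 0.255.255.255 -> 8, 0.15.255.255 -> 12 (contiguous masks only)."""
    w = int(ipaddress.IPv4Address(wildcard))
    ones = w.bit_length()
    if w != (1 << ones) - 1:
        raise ValueError("non-contiguous wildcard mask: %s" % wildcard)
    return 32 - ones


def wildcard_to_netmask(wildcard):
    """ASA access-lists take a subnet mask, not a wildcard: 0.0.0.255 -> 255.255.255.0."""
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(~w & MASK32))


def parse_ace(line):
    """Parse 'permit|deny ip SRC DST [log]' where SRC/DST is 'any', 'host X' or 'X WILDCARD'."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if proto != "ip":
        raise ValueError("this example only evaluates 'ip' entries: %s" % line)

    def take_operand():
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return ("0.0.0.0", "255.255.255.255")   # every bit is "don't care"
        if rest[0] == "host":
            host, rest = rest[1], rest[2:]
            return (host, "0.0.0.0")                # every bit must match
        addr, wc = rest[0], rest[1]
        rest = rest[2:]
        return (addr, wc)

    src = take_operand()
    dst = take_operand()
    return {"action": action, "src": src, "dst": dst}


def evaluate_acl(acl_lines, src_ip, dst_ip):
    """First matching entry wins; an IOS ACL ends with an implicit 'deny'."""
    for line in acl_lines:
        line = line.strip()
        if not line or line.startswith("remark"):
            continue
        ace = parse_ace(line)
        if wildcard_matches(src_ip, *ace["src"]) and wildcard_matches(dst_ip, *ace["dst"]):
            return ace["action"]
    return "deny"


# The 'NAT' ACL exactly as quoted in the question. Because it is applied to NAT, a
# 'deny' here means "do not translate this flow" (the site-to-site VPN traffic),
# while 'permit' means "translate it" (normal internet-bound traffic).
NAT_ACL = [
    "deny ip 10.10.10.0 0.0.0.255 10.125.85.0 0.0.0.255",
    "deny ip 192.168.55.0 0.0.0.255 10.125.85.0 0.0.0.255",
    "deny ip 192.168.55.0 0.0.0.255 10.125.86.0 0.0.0.255",
    "permit ip 10.10.10.0 0.0.0.255 any",
    "permit ip 192.168.55.0 0.0.0.255 any",
]


def demo():
    """Constructed sample flows run through the NAT ACL; returns a dict of results."""
    return {
        "lan_to_main_office": evaluate_acl(NAT_ACL, "192.168.55.10", "10.125.85.20"),
        "lan_to_internet": evaluate_acl(NAT_ACL, "192.168.55.10", "198.51.100.7"),
        "unknown_source": evaluate_acl(NAT_ACL, "172.16.0.5", "198.51.100.7"),
    }


if __name__ == "__main__":
    print("0.0.0.255 is /%d, ASA mask %s" % (wildcard_to_prefixlen("0.0.0.255"),
                                             wildcard_to_netmask("0.0.0.255")))
    for flow, verdict in demo().items():
        print("%-20s %s" % (flow, verdict))
```

Running it shows that 192.168.55.x to 10.125.85.x hits the second `deny` (so the flow is sent down the VPN untranslated), 192.168.55.x to an outside address falls through to the last `permit` (so it is NATted), and a source that appears in no entry is dropped by the implicit deny. When moving these entries to the ASA, the operand form changes from wildcard to subnet mask, which is what `wildcard_to_netmask` computes.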