Friday, March 31, 2017

ACLs (interface access rules) on Cisco ASA

With Cisco ASA, because all traffic from a higher security level to a lower security level is allowed by default, an ACL lets us either allow traffic from the lower security level interfaces OR restrict traffic from the higher security level interfaces.

Before configuring interface access control on your ASA you need to answer the following question: which hosts are allowed to communicate with each other, and using which specific applications, through the ASA?

Things to know:

  • If a packet arrives at an ASA interface, it must either match the expected definition of an existing session (existing sessions are kept in the state table, also called the session table) or it will be compared against the inbound interface security policy applied to that interface.
  • By default, the ASA treats ICMP traffic as stateless. Despite being in the connection table, expected ICMP replies will not be permitted through the ASA by default. You must either permit them using an ACL or enable ICMP inspection to allow replies to return through the ASA.
  • By default, the ASA treats ESP flows as stateless. To allow returning packets through the ASA statefully, you must enable IPsec inspection of pass-through traffic.
  • In a routed firewall, broadcast and multicast traffic is blocked even if you allow it in an ACL.
  • If you are configuring an access control list from the CLI, note that Cisco ASA ACLs use network masks, not the wildcard masks used in Cisco router ACLs.
  • In the absence of a specific set of access rules on an interface, the ASA applies its default access policy to packets arriving at that interface: (1) all outbound connections (the initial packet ingresses the ASA through an interface with a higher security level than that of the egress interface selected by routing) are permitted; (2) all inbound connections (the initial packet ingresses the ASA through an interface with a lower security level than that of the egress interface selected by routing) are denied.
  • Traffic flowing from an endpoint on a higher-security interface to an endpoint on a lower-security interface is considered outbound.
  • Traffic flowing from an endpoint on a lower-security interface to an endpoint on a higher-security interface is considered inbound.

Example of scenario

  • Permit any host on the inside network (inside network: 10.0.0.0/24) to reach any host on a less secure interface (dmz and outside interfaces) using HTTP
  • Permit any host on the outside to reach the DMZ web server using HTTP (dmz web server: 209.165.200.228)
  • Allow the DMZ SMTP server (smtp ip address: 172.16.0.20) to reach any host, through either the inside or the outside interface, using SMTP

Task 1: permit any host on the inside network to reach any host on a less secure interface (dmz or outside interfaces) using HTTP

(config)#access-list INSIDE-IN permit tcp 10.0.0.0 255.255.255.0 any eq http

Task 2: permit any host on the outside to reach the DMZ web server using HTTP

(config)#access-list OUTSIDE-IN permit tcp any host 209.165.200.228 eq http

Task 3: allow the DMZ SMTP server (smtp ip address: 172.16.0.20) to reach any host, through either the inside or the outside interface, using SMTP

(config)#access-list DMZ-IN permit tcp host 172.16.0.20 any eq smtp

Let's apply the access rule created in task 1 in the inbound direction (traffic entering the ASA) of the inside interface:
(config)#access-group INSIDE-IN in interface inside

Let's apply the access rule created in task 2 in the inbound direction of the outside interface:
(config)#access-group OUTSIDE-IN in interface outside

Let's apply the access rule created in task 3 in the inbound direction of the dmz interface:
(config)#access-group DMZ-IN in interface dmz

Verify the access lists (each entry is shown with its hit count) with:

#show access-list
#show access-list "access-list-name"
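To check that the three rules above really produce the intended behaviour before pushing them to a firewall, here is a small policy simulator, added as an example for this post and not part of any Cisco tool. It models the post's two mechanisms: the default policy (higher-to-lower security permitted, lower-to-higher denied) on interfaces with no access-group, and the applied ACL with its implicit deny on the others. The security levels and the extra "guest" interface (which has no ACL) are assumptions, not values from the post.

```python
import ipaddress

# Assumed security levels (the post gives none); "guest" is a hypothetical interface with no ACL.
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "guest": 30, "outside": 0}
PORT_NAMES = {"http": 80, "smtp": 25}  # ASA port keywords used in the post
# The post's three access lists and their access-group bindings (all applied inbound).
ACCESS_LISTS = {
    "INSIDE-IN": ["permit tcp 10.0.0.0 255.255.255.0 any eq http"],
    "OUTSIDE-IN": ["permit tcp any host 209.165.200.228 eq http"],
    "DMZ-IN": ["permit tcp host 172.16.0.20 any eq smtp"],
}
ACCESS_GROUP = {"inside": "INSIDE-IN", "outside": "OUTSIDE-IN", "dmz": "DMZ-IN"}


def is_netmask(mask):
    """True for a contiguous subnet mask (255.255.255.0); False for a router wildcard (0.0.0.255)."""
    inverse = (~int(ipaddress.IPv4Address(mask))) & 0xFFFFFFFF
    return inverse & (inverse + 1) == 0


def parse_address(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if not is_netmask(tokens[1]):  # ASA ACLs take network masks, not router-style wildcards
        raise ValueError(f"ASA expects a network mask, not a wildcard mask: {tokens[1]}")
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    # Split 'permit|deny PROTO SRC DST [eq PORT]' into its matching fields.
    action, proto, *rest = line.split()
    src, rest = parse_address(rest)
    dst, rest = parse_address(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
    return action, proto, src, dst, port


def evaluate(ingress, egress, proto, src, dst, dport):
    """Fate of the first packet of a new connection entering 'ingress' and routed out 'egress'."""
    acl = ACCESS_GROUP.get(ingress)
    if acl is None:
        # No access rule on the ingress interface: the default policy decides.
        outbound = SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]
        return "permit" if outbound else "deny"
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in ACCESS_LISTS[acl]:
        action, p, snet, dnet, port = parse_ace(line)
        if p in (proto, "ip") and src_ip in snet and dst_ip in dnet and port in (None, dport):
            return action  # first matching entry wins
    return "deny"  # implicit deny at the end of every applied ACL
```

Note that once an ACL is applied to the inside interface, inside hosts lose the default "everything outbound" behaviour: anything not listed (SSH, DNS, HTTPS) is dropped by the implicit deny, which is exactly what the simulator reports for port 22.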

When configuring interface access rules on Cisco ASA, the concept of "Object Group" is very useful, and it will be the topic of our next post!


------------------------------------------------------------------------------------------------------
I will be honored to read your comment about this post. Please feel free to leave one ☺ And if you have a Cisco IOS, Firewall ASA or Microsoft server infrastructure topic you would like me to add to this blog, I will be more than happy to know which one ☺
-------------------------------------------------------------------------------------------------------
