ACL (Access Control List)
Note: Traffic between two interfaces that have the same security level is NOT allowed by default.
ACLs can be placed inbound on an interface to allow initial traffic through the ASA from a lower security level to a higher security level.
We can have inbound ACLs on any interface. An inbound ACL overrides the default initial traffic flow that the security levels would otherwise allow through the ASA.
There is an implicit deny at the end, as we used to have on the router.
Types of ACLs
1. Standard
Filters on source IP address only. Not much used.
2. Extended
This can match anything at L3 and L4: basically source and destination IP addresses and ports. Always applied inbound on the interface.
3. Global ACL: available on 8.3 and above.
Any traffic going out of our network is outbound and any traffic coming into our network is inbound.
Inbound: lower to higher security level
Outbound: higher to lower security level
An ACL can be applied inbound or outbound on an ASA interface, but we rarely apply it outbound.
ASDM:
Config -> Firewall -> Access Rules -> Add
Let's create an ACL to permit HTTP traffic from any user on the internet to the DMZ server.
Access-list inbound on the outside interface:
access-list ACL1 permit tcp any object dmz-server-real-ip eq http
access-group ACL1 in interface outside
If we don't mention the keyword extended, it is assumed by default. We can also mention a time-range so that the ACL entry is effective only during that period.
time-range During-the-week
periodic weekdays 08:00 to 16:50
access-list outside_access_in line 1 extended permit tcp any object dmz-server-real-ip eq http time-range During-the-week
access-group outside_access_in in interface outside
Here line 1 is just the sequence number, meaning this is the first entry in the ACL. We need not mention it if we have a single entry.
CLI:
show time-range
show clock
Case: Say we have 3 servers on the inside network and for all servers we want to allow TCP 80, 443 and 25. To accomplish this we need 9 entries/lines in the ACL. This is a pain.
Solution:
Use object groups. One access-list line replaces the 9 lines this way.
We can identify all these servers in a network object group.
object-group network 3-musketeers
network-object object server2-on-dmz
network-object object server3-on-dmz
network-object object dmz-server-real-ip
object-group service 3-services tcp
port-object eq http
port-object eq https
port-object eq smtp
access-list outside_access_in line 1 extended permit tcp any object-group 3-musketeers object-group 3-services
show access-list
show run | in access
Let's create a NAT rule for the two other servers.
object network outside-server2
host 192.168.1.177
object network server2-on-dmz
nat static outside-server2
Try to connect to 192.168.1.177 through a browser.
show conn
show conn detail
Public server: creates the NAT rule and the access-list entry for a device.
We can do the access-list and NAT translation with one option called Public Server.
ASDM: Config -> Firewall -> Public Servers -> Add
object network dmz-server-real-ip
nat (dmz,outside) static dmz-server-mapped-ip
access-list outside_access_in line 1 extended permit tcp any object dmz-server-real-ip eq http
access-group outside_access_in in interface outside
In the ASA we use a normal mask instead of a wildcard mask while configuring an ACL.
Global ACL: an ACL that applies to the entire ASA. It is applied logically inbound on all interfaces.
By default, if there is no match in the ACL, the implicit deny at its end denies everything. If we configure a global ACL, the implicit deny at the end of the interface ACL no longer takes effect: unmatched traffic goes on to the global ACL.
So the rule is:
1. Interface ACL
2. If no match go to global ACL
3. If no match then implicit Deny
If no global ACL is configured, it works just like a normal ACL.
The global ACL is for simplicity.
access-list global_access line 1 extended permit tcp any object dmz-server-real-ip eq http
access-group global_access global
The implicit deny at the end of the interface ACL is no longer in effect; the deny now comes only after the global ACL.
Packet Tracer:
To identify the initial flow of traffic; verification of the initial packet flow.
ASDM:
Tools -> Packet Tracer
show animation
CLI:
packet-tracer input inside tcp 10.0.0.51 1065 192.168.1.176 80
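As an added example (not from these notes and not Cisco's code), the following Python models the three behaviours described above: the object-group expansion from the "3 servers, 3 ports" case (one ACL line becoming nine entries, as show access-list displays it), a time-range ACE that is active only in its window, and the lookup order interface ACL -> global ACL -> implicit deny that packet-tracer walks. It parses only the small constructed subset of ASA syntax in SAMPLE_CONFIG; all object names, addresses and ACL names there are constructed, and port-object/eq are treated as destination ports.

```python
# Model of ASA ACL evaluation: object-group expansion, time-range ACEs and the
# interface ACL -> global ACL -> implicit deny order. Added example, not Cisco
# code; it parses only the small constructed subset of syntax used below.
from datetime import datetime, time
import ipaddress

PORT_NAMES = {"http": 80, "https": 443, "smtp": 25, "ssh": 22}
SAMPLE_CONFIG = """
object network dmz-server-real-ip
 host 10.10.10.10
object network server2-on-dmz
 host 10.10.10.11
object network server3-on-dmz
 host 10.10.10.12
object-group network 3-musketeers
 network-object object server2-on-dmz
 network-object object server3-on-dmz
 network-object object dmz-server-real-ip
object-group service 3-services tcp
 port-object eq http
 port-object eq https
 port-object eq smtp
time-range During-the-week
 periodic weekdays 08:00 to 16:50
access-list outside_access_in extended permit tcp any object-group 3-musketeers object-group 3-services
access-list outside_access_in extended permit tcp any object dmz-server-real-ip eq ssh time-range During-the-week
access-group outside_access_in in interface outside
access-list global_access extended permit tcp any object dmz-server-real-ip eq 3389
access-group global_access global
"""  # constructed names and addresses, in the page's style

def port_num(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_addr(t, cfg):
    """One address spec -> (list of networks, tokens consumed)."""
    if t[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], 1
    if t[0] == "host":
        return [ipaddress.ip_network(t[1])], 2
    if t[0] == "object":
        return [cfg["objects"][t[1]]], 2
    if t[0] == "object-group":
        return list(cfg["net_groups"][t[1]]), 2
    return [ipaddress.ip_network(f"{t[0]}/{t[1]}")], 2  # "IP MASK": a normal mask

def parse_ace(t, cfg):
    """Expand one access-list line (tokens after the ACL name) into
    (action, proto, src, dst, dport, time_range) tuples, as 'show access-list' does."""
    if t[0] == "line":
        t = t[2:]                     # optional sequence number
    if t[0] == "extended":
        t = t[1:]
    action, proto, t = t[0], t[1], t[2:]
    srcs, n = parse_addr(t, cfg); t = t[n:]
    dsts, n = parse_addr(t, cfg); t = t[n:]
    ports = [None]                    # destination ports only in this model
    if t[:1] == ["eq"]:
        ports, t = [port_num(t[1])], t[2:]
    elif t[:1] == ["object-group"]:
        ports, t = list(cfg["svc_groups"][t[1]]), t[2:]
    tr = t[1] if t[:1] == ["time-range"] else None
    return [(action, proto, s, d, p, tr) for s in srcs for d in dsts for p in ports]

def parse_config(text):
    cfg = {"objects": {}, "net_groups": {}, "svc_groups": {}, "time_ranges": {},
           "acls": {}, "bindings": {}}
    cur = None                        # (table, name) that sub-commands belong to
    for t in filter(None, map(str.split, text.splitlines())):
        if t[:2] == ["object", "network"]:
            cur = ("objects", t[2])
        elif t[0] == "object-group":  # "object-group network|service NAME [tcp]"
            cur = ("net_groups" if t[1] == "network" else "svc_groups", t[2])
            cfg[cur[0]][cur[1]] = []
        elif t[0] == "time-range":
            cur = ("time_ranges", t[1])
        elif t[0] == "host":
            cfg["objects"][cur[1]] = ipaddress.ip_network(t[1])
        elif t[0] == "network-object":
            cfg["net_groups"][cur[1]].extend(parse_addr(t[1:], cfg)[0])
        elif t[0] == "port-object":   # "port-object eq PORT"
            cfg["svc_groups"][cur[1]].append(port_num(t[2]))
        elif t[0] == "periodic":      # "periodic weekdays HH:MM to HH:MM"
            cfg["time_ranges"][cur[1]] = (time.fromisoformat(t[2]), time.fromisoformat(t[4]))
        elif t[0] == "access-list":
            cfg["acls"].setdefault(t[1], []).extend(parse_ace(t[2:], cfg))
        elif t[0] == "access-group":  # "... in interface IF" or "... global"
            cfg["bindings"][t[4] if t[2] == "in" else "global"] = t[1]
    return cfg                        # nat, description etc. are outside this model

def lookup(cfg, iface, proto, src, dst, dport, now=None):
    """(action, deciding ACL): interface ACL, then global ACL, then implicit deny.
    'now' may be a datetime or an ISO string such as '2024-01-10T09:00'."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else now or datetime.now()
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for label in (iface, "global"):
        for action, p, s, d, port, tr in cfg["acls"].get(cfg["bindings"].get(label), []):
            start, end = cfg["time_ranges"].get(tr, (time.min, time.max))
            active = tr is None or (now.weekday() < 5 and start <= now.time() <= end)
            if p in (proto, "ip") and src in s and dst in d and port in (None, dport) and active:
                return action, cfg["bindings"][label]
    return "deny", "implicit"
```

Parsing SAMPLE_CONFIG gives ten expanded entries in outside_access_in (nine from the object groups plus the time-limited SSH entry). A lookup of TCP/3389 from the inside interface, which has no ACL bound, falls through to global_access and is permitted there; TCP/22 to the DMZ server is permitted on a weekday morning but hits the implicit deny on a Saturday, because the interface ACL entry is inactive and the global ACL has no matching entry.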