Access-list with options flags SYN, ACK in ASA/PIX

r-barbosa
Level 1

Hi,

How is it possible to create an access-list on the ASA or PIX using the TCP flags such as syn, ack, etc.? I tried to create one here, but it did not work, nor do the options appear.

Regards

4 Replies

Jon Marshall
Hall of Fame

Ricardo

What exactly are you trying to achieve? A stateful firewall such as the pix/asa already checks these flags as traffic goes through the device. Is there something specific you need?

Jon

Hi Jon,

I would like to create an access-list where I could block the traffic in the following way. An example would be two networks, 192.168.0.0/24 and 172.16.0.0/16: only allow ssh connections initiated from the 192.168.0.0/24 network, allow return traffic only for already established connections, and block all the rest. It would be like the following rules.

access-list 102 permit tcp 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 22 syn

access-list 102 permit tcp 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 22 established

access-list 102 deny tcp 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255

Regards

Ricardo

That is exactly what a pix/asa will do for you automatically.

So for your setup you need to put the 192.168.0.0/24 network on a higher security interface than the 172.16.0.0/16 network.

If you do this, then connections can be initiated from the 192.168.0.0/24 network to the 172.16.0.0/16 network and the return traffic will be automatically allowed. However, traffic will not be allowed to be initiated from the 172.16.0.0/16 network to the 192.168.0.0/24 network unless you explicitly allow it with an access-list.

Jon
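Jon's answer expressed as ASA configuration, added here as an example that is not part of the thread. The interface names, the .1 gateway addresses and the ACL name are assumptions; only the two networks and the ssh port come from the discussion.

```text
! Higher security level = "inside": connections may be initiated from here.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
! Lower security level = "lab": nothing may be initiated from here
! unless an ACL on this interface explicitly permits it.
interface GigabitEthernet0/1
 nameif lab
 security-level 90
 ip address 172.16.0.1 255.255.0.0
!
! Restrict what the inside network may start: only ssh toward 172.16.0.0/16.
! Applying any ACL to "inside" replaces the default permit-all for that interface,
! so the explicit deny at the end is what blocks "all the rest".
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 172.16.0.0 255.255.0.0 eq 22
access-list inside_access_in extended deny ip any any log
access-group inside_access_in in interface inside
!
! No "established" rule and no ACL on "lab" are needed for the reply packets:
! the ASA tracks each connection it permitted and lets the matching return
! traffic through statefully. A connection attempt from 172.16.0.0/16 toward
! 192.168.0.0/24 has no permit on "lab" and is dropped by the implicit deny.
!
! Verification (assumed hosts): after an ssh session from 192.168.0.10 is up,
!   show conn protocol tcp port 22      -> one entry for 192.168.0.10 <-> 172.16.x.x
!   show access-list inside_access_in   -> hit count rises on the permit line,
!                                          other inside traffic lands on the deny line
```

Do not place this ACL on the lab interface: an ACL applied there only filters traffic entering the ASA from 172.16.0.0/16, and it does not need any rule for the ssh replies.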

Hi,

I did this. The 192.168.0.0/24 network is on security level 100 and the 172.16.0.0/16 network is on security level 90, but it is still not working. I created the following acl's:

access-list net-lab_access_in extended permit ip 192.16.1.0 255.255.255.0 172.16.0.0 255.255.0.0

access-list net-lab_access_in extended permit ip 192.16.1.0 255.255.255.0 10.0.0.0 255.255.255.0

And then there is the implicit deny, which blocks the return traffic, and that would also apply to the 172.16.0.0/16 network. These access-lists are applied to the interface with the 172.16.0.0/16 network.

regards
