01-15-2010 07:10 AM - edited 03-11-2019 09:57 AM
Hi All,
May I know if it is the best security practice to turn on all applications for inspection under the default global inspection, or should the "any" option be chosen in place of the "default inspection" option instead?
Regards,
01-17-2010 06:45 PM
Kent was right. You do have the same access-list applied on both inside and outside interfaces.
You can remove the acl applied on the inside interface. By default traffic from higher security is allowed to talk to the lower security without any acl in the PIX/ASA platform.
Steps to remove the ACL applied on the inside interface:
conf t
no access-group Firewall in interface inside
You can just leave the acl applied on the outside interface.
-KS
01-17-2010 07:24 PM
Yes, that is what you should do.
Come up with a new name for the acl.
access-list inside-acl permit tcp host x.x.x.x any eq 80
access-list inside-acl permit tcp host y.y.y.y any eq 25
.
.
access-list inside-acl permit tcp any any eq 21
Once you finish the ACL, apply it on the inside interface with the command below.
access-group inside-acl in interface inside
-KS
01-15-2010 08:39 AM
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
The above is a sample. You may leave it as it is or remove certain inspections if they cause problems.
-KS
01-15-2010 09:06 AM
Hi Kusankar,
While reading this, I have a question as well as a request for a second opinion. My ASA has inspect http in the global policy, and lately we are having some problems with slow traffic (not all the time) as we host a website. The int0/2 of the ASA is subinterfaced into DMZ and DMZ_NS. In DMZ_NS we have a Netscaler doing the web hosting to the outside, and traffic on this is somewhere between 300M and 500M. Sometimes when traffic is around 250M users experience slow response on the web page, and sometimes traffic near 500M has no problem, and this applies to both the outside interface (int0/0) and int0/2. Checking around, I found there are input errors and overrun errors on the outside interface and the int0/2 interface. My question is: can inspect http be causing some problem? If this http inspection is removed, can it cause problems for users browsing the website or any kind of interruption? The ASA is a 5540 running 8.0.4 code.
Thank you.
01-15-2010 02:45 PM
Depending on the page, http inspection could cause issues. It depends on the page.
Disabling it will cost you much and it is worth giving it a try.
Errors on the interfaces probably mean something else though. 500Mbps could overload the smaller ASAs. You might be having a traffic issue. Check the CPU of the ASA while you see the issues. If it is high it could mean that the ASA is overloaded.
PK
01-15-2010 05:12 PM
Hi Kusankar,
May I know if it is a better way to turn on inspection, or to create ACLs on the outside and inside interfaces to allow an application to pass through?
Regards,
01-16-2010 02:12 AM
Inspection can only be turned on via the MPF. As for allowing applications through your firewall, it depends on whether they actually need to be inspected or not. Protocols like RTP do, but others don't. In most cases an ACL on the interface allowing the port numbers used is sufficient. Other things like BGP etc. need TCP options set in the MPF.
What is it that you want to let through your fw?
01-16-2010 05:28 AM
Well, it depends on the application. Is it a standard application? Do we have an inspection engine? If so, I'd use the inspection and not open an ACL. The few exceptions would be http and netbios. These are known to cause latency, especially http.
-KS
01-16-2010 07:56 PM
Thanks for the information.
I found out something weird in my ASA configuration. On my outside interface ACL, if I add a rule to allow source A to destination B, I have to create another rule to allow source B to destination A on the same outside interface ACL in order for the Application to work. Is that the correct behavior of the ASA?
01-16-2010 08:11 PM
That doesn't sound right.
Who lives on the outside? A or B?
An ACL should always list the source first, meaning that if the ACL is applied on the outside interface (facing the internet), the source will only talk about hosts that live on the internet and the destination will be your translated IP address.
Example:
www server--(inside)ASA(outside)---Router---Internet---Google
Now, the ACL that is applied "in" on the outside interface will and can only have the following:
access-group acl-outside in interface outside
access-list acl-outside permit tcp host google host www_server eq 80
It will not have:
access-list acl-outside permit tcp host www_server eq 80 host google
Even if you have the above ACL, it will not be used. You will not see any hit counts. It doesn't make sense.
-KS
01-17-2010 07:22 AM
Hi KS,
Let me verify on that tomorrow again.
One more query: if I create an ACL on the outside interface from source A (Internet) to destination B (Internal Server), a similar ACL gets automatically created on the inside interface. Is that correct?
01-17-2010 07:50 AM
If the outside ACL allows the traffic that was initiated on the outside (internet), then the response traffic from the inside is AUTOMATICALLY allowed whether the ACL on the inside specifically allows it or not. This is the nature of the stateful firewall.
Does that answer your question?
-KS
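As an added illustration of the point made in this reply and in the earlier "www server / google" example (it is example code written for this page, not anything from the thread or from Cisco), the model below simulates how a stateful firewall consults an interface ACL only for the first packet of a new connection arriving on that interface, while reply packets are permitted from the connection table with no ACL lookup at all. Interface names, security levels, addresses, port numbers and the class names are assumptions; NAT is left out, so addresses are shown as they would appear after translation.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed model of stateful interface filtering (assumption: simplified ASA-like
# behaviour, no NAT, TCP only). Interface and host names are made up for the example.

Tuple5 = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Ace:
    """One entry, e.g. 'permit tcp host SRC [eq SPORT] host DST [eq DPORT]'."""
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, src: str, sport: int, dst: str, dport: int) -> bool:
        return (self.src == src and self.dst == dst
                and (self.sport is None or self.sport == sport)
                and (self.dport is None or self.dport == dport))


@dataclass
class Interface:
    name: str
    security_level: int
    acl: Optional[List[Ace]] = None  # None = no access-group bound "in" on this interface


class StatefulFirewall:
    def __init__(self, interfaces: List[Interface], routes: Dict[str, str]) -> None:
        self.ifaces = {i.name: i for i in interfaces}
        self.routes = routes                          # host address -> egress interface name
        self.conns: Set[Tuple5] = set()               # established connections, forward tuple
        self.hits: Dict[Tuple[str, int], int] = {}    # (interface, ACE index) -> hit count

    def _known(self, src: str, sport: int, dst: str, dport: int) -> bool:
        # A packet belongs to an existing connection if it matches the tuple in either direction.
        fwd: Tuple5 = ("tcp", src, sport, dst, dport)
        rev: Tuple5 = ("tcp", dst, dport, src, sport)
        return fwd in self.conns or rev in self.conns

    def packet(self, ingress: str, src: str, sport: int, dst: str, dport: int) -> str:
        """Decide one packet arriving on 'ingress'; returns 'permit ...' or 'deny ...'."""
        if self._known(src, sport, dst, dport):
            return "permit (existing connection)"          # reply traffic: no ACL lookup
        iface = self.ifaces[ingress]
        if iface.acl is not None:
            for idx, ace in enumerate(iface.acl):            # first match wins, as on the ASA
                if ace.matches(src, sport, dst, dport):
                    self.hits[(ingress, idx)] = self.hits.get((ingress, idx), 0) + 1
                    self.conns.add(("tcp", src, sport, dst, dport))
                    return f"permit (ACE {idx} on {ingress})"
            return f"deny (no ACE on {ingress} matched)"
        # No ACL on the ingress interface: higher-to-lower security is allowed by default.
        egress = self.ifaces[self.routes[dst]]
        if iface.security_level > egress.security_level:
            self.conns.add(("tcp", src, sport, dst, dport))
            return f"permit (higher to lower security, no ACL on {ingress})"
        return f"deny (lower to higher security with no ACL on {ingress})"


def run_scenario() -> Tuple[List[str], Dict[Tuple[str, int], int]]:
    """Constructed scenario: web server 10.10.10.10 inside, client 200.200.200.200 outside."""
    outside_acl = [
        Ace(src="200.200.200.200", dst="10.10.10.10", dport=80),   # the correct, source-first entry
        Ace(src="10.10.10.10", sport=80, dst="200.200.200.200"),   # the reversed entry that never hits
    ]
    fw = StatefulFirewall(
        [Interface("outside", 0, outside_acl), Interface("inside", 100)],
        routes={"10.10.10.10": "inside", "10.10.10.20": "inside",
                "200.200.200.200": "outside", "1.2.3.4": "outside"},
    )
    decisions = [
        fw.packet("outside", "200.200.200.200", 40000, "10.10.10.10", 80),  # client SYN, outside ACL
        fw.packet("inside", "10.10.10.10", 80, "200.200.200.200", 40000),   # server reply, conn table
        fw.packet("inside", "10.10.10.20", 50000, "1.2.3.4", 443),          # outbound, no inside ACL
        fw.packet("outside", "1.2.3.4", 443, "10.10.10.20", 50000),         # reply to that, conn table
        fw.packet("outside", "1.2.3.4", 1234, "10.10.10.10", 22),           # unsolicited inbound, denied
    ]
    return decisions, dict(fw.hits)


if __name__ == "__main__":
    for line in run_scenario()[0]:
        print(line)
```

Running it shows the second (reversed) ACE on the outside interface finishing with no hits: the server's reply never reaches the outside ACL because the connection table already knows it, which is exactly why the inside interface needs no mirror-image entry.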
01-17-2010 07:56 AM
Hi KS,
I think the issue now is that whenever I create an ACL on the outside interface from source A (Internet) to destination B (Internal Server), a similar ACL gets automatically created on the inside interface.
Is that the correct behavior of the ASA or is that a BUG?
01-17-2010 12:56 PM
It's not a bug. It seems like you've just put the same ACL on both interfaces :-)
01-17-2010 05:29 PM
Please copy and paste the output of "sh run access-group".
With what you are trying to ask and tell us, it appears that you have the same access-list applied IN and OUT on the outside interface.
I will confirm once you provide the output.
-KS
01-17-2010 06:40 PM
Hi KS,
The information is as below:
sh run access-group
access-group Firewall in interface outside
access-group Firewall in interface inside
I will give you an example:
Let's say I create an ACL on the outside interface
from source IP 200.200.200.200 to destination IP 10.10.10.10 port 80.
The same set of ACL entries gets created automatically on the inside interface,
from source IP 200.200.200.200 to destination IP 10.10.10.10 port 80.
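A small audit script, added here as example code that is not from the thread or from Cisco, for catching the configuration this output reveals: it parses "show run access-group" text and flags any ACL bound to more than one interface, which is what produced the impression that outside rules were being "copied" to the inside. The sample text is constructed from the two lines above plus one extra binding invented for contrast; the regular expression assumes the usual `access-group NAME in|out interface IFACE` line shape.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed "show run access-group" output: the thread's two "Firewall" bindings plus an
# invented, harmless single binding ("dmz-acl") so the audit has something it should not flag.
SAMPLE = """\
access-group Firewall in interface outside
access-group Firewall in interface inside
access-group dmz-acl in interface dmz
"""

# Assumed line shape: access-group <acl-name> <in|out> interface <interface-name>
ACCESS_GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)\s*$")

Binding = Tuple[str, str, str]  # (acl_name, direction, interface)


def parse_access_groups(text: str) -> List[Binding]:
    """Return one (acl, direction, interface) tuple per access-group line; other lines are ignored."""
    bindings: List[Binding] = []
    for line in text.splitlines():
        m = ACCESS_GROUP_RE.match(line.strip())
        if m:
            bindings.append((m.group(1), m.group(2), m.group(3)))
    return bindings


def shared_acls(bindings: List[Binding]) -> Dict[str, List[Tuple[str, str]]]:
    """Map ACL name -> [(direction, interface), ...] for ACLs bound to more than one interface."""
    by_name: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for name, direction, iface in bindings:
        by_name[name].append((direction, iface))
    return {name: uses for name, uses in by_name.items()
            if len({iface for _, iface in uses}) > 1}


def audit(text: str) -> List[str]:
    """Human-readable findings, one per ACL that is applied on several interfaces."""
    findings: List[str] = []
    for name, uses in sorted(shared_acls(parse_access_groups(text)).items()):
        where = ", ".join(f"{d} on {i}" for d, i in uses)
        findings.append(
            f"ACL {name} is bound {where}: the same source-first entries cannot be correct "
            f"for both interfaces, so one binding is probably unintended")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the sample it reports only the "Firewall" ACL. In the thread's case the fix was to drop the inside binding (`no access-group Firewall in interface inside`), since the outside ACL plus the connection table already covers the reply traffic and inside-to-outside flows are permitted by default.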