
Access rules @ ASDM PIX 515

Stefan Drotar (Level 1)
Hello !
I would like to ask for help. I need to configure a PIX 515E firewall via ASDM to allow only HTTP traffic from any source/destination between the internal port (192.168.1.0/24) and outside (10.0.0.0/8). I have added rules for both ports (internal & external) to permit outgoing and incoming HTTP traffic, but with no success. Any time I try to simulate traffic with Packet Tracer some implicit rule catches my HTTP packet and drops it.
NAT is not used, because the firewall is set to transfer traffic without address translation.
Thanks !

Stefan


11 Replies

Jouni Forss (VIP Alumni)

Hi,

It would be easier to check the actual problem if you could provide us with the CLI format configuration of the PIX.

Naturally, if there is any sensitive information you could remove it.

- Jouni

Well, here is the CLI output of the running config:

: Saved
:
PIX Version 7.2(2)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif internal
 security-level 0
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet1
 nameif external
 security-level 0
 ip address 10.0.0.1 255.0.0.0
!
interface Ethernet2
 nameif mgmt
 security-level 0
 ip address 192.168.1.251 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list external_access_out extended permit tcp any eq www any eq www
access-list external_access_in extended permit tcp any eq www any eq www
access-list internal_access_in extended permit tcp any eq www any eq www
access-list internal_access_out extended permit tcp any eq www any eq www
pager lines 24
mtu internal 1500
mtu external 1500
mtu mgmt 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
access-group internal_access_in in interface internal
access-group internal_access_out out interface internal
access-group external_access_in in interface external
access-group external_access_out out interface external
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 mgmt
http 192.168.0.0 255.255.255.0 mgmt
http 192.168.1.254 255.255.255.255 internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d1f415fe5f3e74fd0fd80ffb05a3d348
: end

I apologize for my limited knowledge; I have only done CCNA 1 and 2.

Stefan

Hi,

There are a couple of problems.

First one is that you have configured all interfaces with the same "security-level" value. This essentially means that traffic will be blocked whatever ACL you configure on the interface.

The way around this is to use the "same-security-traffic permit inter-interface" command.

Naturally a better choice might be changing the internal interface's "security-level" to the usual value of "100".

Then there is also a problem with the ACL. No HTTP connection will have both the source and the destination port as TCP/80. Also, since this is a Stateful Firewall, we don't need to take into consideration return traffic.

So I would suggest the following modifications to the firewall configuration.

clear configure access-group
clear configure access-list

The above commands will first remove all the ACLs from the interfaces and will then remove all the ACLs from the device.

After this add the new configuration:

access-list INTERNAL-IN remark Only permit HTTP traffic
access-list INTERNAL-IN permit tcp any any eq www
access-group INTERNAL-IN in interface internal
access-list EXTERNAL-IN remark Only permit HTTP traffic
access-list EXTERNAL-IN permit tcp any any eq www
access-group EXTERNAL-IN in interface external

Do notice that this will only allow HTTP traffic from behind either interface. All other traffic will be blocked.

Hope this helps.

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if this didn't solve the problem.

- Jouni
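As an added illustration (not code from this thread or from Cisco), the script below reads a PIX-style running config like the one posted and flags the two problems Jouni describes: every interface at the same security-level with no "same-security-traffic permit inter-interface", and ACEs that pin the source port to www, which a real HTTP client (ephemeral source port) never matches. The config excerpt is constructed from the thread, and the parser assumes the address forms any, host A and A MASK (no object-groups).

```python
# Constructed excerpt of the config posted in the thread (not read from a device).
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif internal
 security-level 0
interface Ethernet1
 nameif external
 security-level 0
interface Ethernet2
 nameif mgmt
 security-level 0
 management-only
access-list internal_access_in extended permit tcp any eq www any eq www
access-list INTERNAL-IN extended permit tcp any any eq www
"""

def ace_source_port_pinned(ace):
    """True if a 'permit tcp|udp' ACE fixes the *source* port (eq/gt/lt/range).
    Source address forms handled: any | host A | A MASK (assumption, no object-groups)."""
    tok = ace.split()
    for i, t in enumerate(tok):
        if t in ("permit", "deny") and i + 1 < len(tok) and tok[i + 1] in ("tcp", "udp"):
            j = i + 2                              # start of the source address spec
            if j >= len(tok):
                return False
            j += 1 if tok[j] == "any" else 2       # skip 'any' or a two-token address
            return j < len(tok) and tok[j] in ("eq", "gt", "lt", "range")
    return False                                   # remark lines, non-tcp/udp, etc.

def lint_pix_config(text):
    """Return findings as (kind, detail) tuples for the two issues in the thread."""
    findings, levels, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            current = line.split()[1]              # interface name for the level below
        elif line.startswith("security-level ") and current:
            levels[current] = int(line.split()[1])
        elif line.startswith("access-list ") and ace_source_port_pinned(line):
            findings.append(("source-port", line.split()[1]))
    # All interfaces at one level block inter-interface traffic unless explicitly permitted.
    if len(levels) > 1 and len(set(levels.values())) == 1 \
            and "same-security-traffic permit inter-interface" not in text:
        findings.append(("same-security-level", sorted(levels)))
    return findings

if __name__ == "__main__":
    for kind, detail in lint_pix_config(SAMPLE_CONFIG):
        print(kind, detail)
```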

Also,

If you have other networks than those configured on the interfaces, then you will need to configure static routes for them. You also have no default route configured on the firewall.

I take it this is some test setup perhaps?

- Jouni

Hi Jouni !

Firstly, thanks very much for your answer.

Yes, this is just a school project where I check firewall performance. For that reason I need to configure the firewall with the mentioned interfaces and rules about the HTTP service. Everything else ought to be in default mode, and no other network is beyond the firewall interfaces, so no static or other routing is required. The traffic simulated here is a common HTTP client-server communication process.

Stefan

Hi,

Were you able to test the configuration changes and get the connections to work?

- Jouni

Hello,

our university laboratory just bought a device which can emulate clients or even client-server traffic. For example, eth0 generates client requests and eth1 of the device is waiting for the generated requests. And now the firewall is in the middle of the mentioned ports.

Anyway, I have just made the changes you recommended, but with no success at all. I paste the config here again:

PIX Version 7.2(2)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif internal
 security-level 0
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet1
 nameif external
 security-level 0
 ip address 10.0.0.1 255.0.0.0
!
interface Ethernet2
 nameif mgmt
 security-level 0
 ip address 192.168.1.251 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list INTERNAL-IN remark Only permit HTTP traffic
access-list INTERNAL-IN extended permit tcp any any eq www
access-list EXTERNAL-IN remark Only permit HTTP traffic
access-list EXTERNAL-IN extended permit tcp any any eq www
pager lines 24
mtu internal 1500
mtu external 1500
mtu mgmt 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
access-group INTERNAL-IN in interface internal
access-group EXTERNAL-IN in interface external
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 mgmt
http 192.168.0.0 255.255.255.0 mgmt
http 192.168.1.254 255.255.255.255 internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:000ce33fe38ed23a52556df44dace546
: end

I just used "same-security-traffic permit inter-interface" instead of different port security levels, because it is more similar to the default config.

Thanks.

Stefan

Hi,

Are the default gateway configurations correct on both sides of the PIX, so that the traffic is first forwarded to the PIX and then back to the PIX from the other network?

Are there any hit counts on the ACLs when you use the command "show access-list"?

You could always also check what the ASDM says in the Monitoring section when you try to initiate the connections.

Oh, and I just noticed: you were talking about network 192.168.1.0/24, which is not behind the "internal" interface but actually "management".

- Jouni

Hello,

It is sending to the wrong interface. The destination port should be "external", not "mgmt" (management).

Through-the-device packet to/from management-only network is denied: tcp source "internal":192.168.100.174/46718 destination "mgmt":192.168.1.1/80

I think it just found a closer match with the 192.168.1.0/24 interface, so it routes to that port. But I need the packets to be forwarded only between "internal" port clients and "external" port servers.

Thanks !

Stefan

Hi,

Just make sure that the Client is connected to the physical port "internal" (Ethernet0) and the Server is connected to "external" (Ethernet1)

There should be no problem with the firewall's routing, as all networks are directly connected. Just make sure they are connected to the correct physical interface and are configured with the correct IP address and network mask.

Also,

Client should have the default gateway set to 192.168.100.1

Server should have the default gateway set to 10.0.0.1

This should pretty much be it.

- Jouni

Hi ,

yes, I am thinking that the software which emulates HTTP GET requests just generates the wrong destination IP address, because ASDM says that the destination address is denied and the destination address is my management port.

The "show interface" command confirmed that the physical connections are alright and the links are up/up as well.

I will contact my teacher about this issue.

Thanks a lot !

All the best,

Stefan
