Step by step ASA 5505 configuration to inspect traffic

Antonio Simoes
Level 1

Hi,

I'm struggling with the correct steps to configure the ASA to inspect traffic and allow only some traffic from inside to outside and from outside to DMZ.

Correct my steps if necessary:

  1. Configure interfaces
    • IP address
    • Nameif
    • Security level
  2. Configure NAT
    • Translation from inside to outside
    • Translation from inside to DMZ
    • Static translation from outside to DMZ
  3. Create ACLs
    • ACL to allow traffic from inside to outside
    • ACL to allow traffic from inside to DMZ
    • ACL to allow traffic from outside to DMZ
  4. Create inspect policy
    1. Create class map
    2. Create policy map
    3. Define the type of traffic to be inspected
    4. Associate the policy to the interface

After this I should be able to ping and access the HTTP server from outside the network.

Right?

Kind Regards,

António

7 Replies

turbo_engine26
Level 4
  1. Configure interfaces
    • IP address
    • Nameif
    • Security level

Correct.

The firewall is a Layer 3 device like any L3 device. Therefore, before it can route or allow any traffic, interface information must be defined. Very basic. By default, the Inside interface is assigned a security level of 100 and the Outside interface is assigned a security level of 0. You do not actually need to define security levels unless you're assigning custom levels.

  2. Configure NAT
    • Translation from inside to outside
    • Translation from inside to DMZ
    • Static translation from outside to DMZ

The first point is a correct step. Consider dynamic NAT for internal users.

The second point is correct. However, you use an identity NAT translation and there is no need to define a static or dynamic translation. Why? Because after all you are using RFC 1918 private IP addresses in both the inside and DMZ networks.

The third point is the incorrect direction. If you want to make a DMZ server accessible from the outside, the static translation should be from DMZ to Outside. In very rare cases, translation from Outside to DMZ is used.


  3. Create ACLs
    • ACL to allow traffic from inside to outside
    • ACL to allow traffic from inside to DMZ
    • ACL to allow traffic from outside to DMZ

The first point is correct IF you want to restrict traffic from inside to outside. Because all types of traffic from inside to outside are allowed based on the default security level of the outside interface, there is no need to apply any ACL on the inside interface. Restricting user traffic is a good practice; however, do not forget to allow the necessary services that the users need to surf the internet, for example HTTP, HTTPS and DNS. The common mistake administrators make is allowing only HTTP (thinking that this is enough to allow internet access) and forgetting DNS. Almost all internet workings are based on DNS name resolution. Without it, "page cannot be displayed", says Firefox.

The second point is not needed. As mentioned, traffic is allowed from inside to DMZ without any ACL because it is the higher security-level interface.

The third point is correct. Make sure to allow only the needed services from outside to DMZ and not more.


  4. Create inspect policy
    1. Create class map
    2. Create policy map
    3. Define the type of traffic to be inspected
    4. Associate the policy to the interface

The third point is part of the first point and not an independent step.

So, here is the correct order:

1. Create a class map to define a type of traffic to be inspected. You can use the "match" keyword to define traffic by protocol name or by ACL.

2. Create a policy map to reference the class map created in the first step and configure actions on the defined traffic.

3. Apply the policy map globally or on an interface.

Regards,

AM

Hi AM,

After some time I discovered that the commands for this 8.4 version are different from some I used to configure my lab.

This is my lab:

I made this config on my emulated ASA with IOS version 8.4:

ASA Version 8.4(2)
hostname ciscoasa
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 62.28.190.66 255.255.255.252
!
interface GigabitEthernet1
 nameif management
 security-level 0
 ip address 10.0.0.2 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 nameif dmz
 security-level 70
 ip address 192.168.100.254 255.255.255.0
!
interface GigabitEthernet4
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
no ftp mode passive
object network Net-Inside
 subnet 192.168.200.0 255.255.255.0
!
object network Net-Inside
 nat (inside,outside) dynamic interface
route outside 10.0.0.0 255.255.255.0 62.28.190.65 1
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
console timeout 0
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:9b048dee7f8788f1213edff7a0cf7990
: end

After this configuration I'm supposed to be able to ping the ISP router from the inside router, right? And also the DMZ router?

As you said:

"The second point is not needed. As mentioned, traffic is allowed from inside to dmz without any ACL because it is the higher sec.level interface."

Can you give me a tip?

Kind Regards,

AS

Hi,

Yes, NAT commands have changed beginning with 8.3 and later.

Notice that 192.168.200.1 is assigned to both the ASA and the router in the diagram. (ALARM: IP conflict)

Generally, when you test NAT translations through the ASA, try to initiate traffic between two hosts rather than between routers. Therefore, add two hosts: one behind the inside router and one behind the ISP router.

About the DMZ, you missed adding an identity NAT from inside to dmz:

object network ident_NAT
 host 192.168.200.3
 nat (inside,dmz) static 192.168.200.3

Regards,

AM

Hi,

Thank you for helping me.

About the IPs, it's just in the graphic, because the config is fine.

Man, my problem is much stranger. The traffic from inside to outside with the NAT, the default route and the policy map well configured should let me pass ICMP, correct?

Kind Regards,

AS

Hi,

First of all, the route that you have created is wrong. It should be a default route that points to an "ANY" destination and "ANY" destination mask. For example, route outside 0 0 62.28.190.65.

Second, don't worry about the policy map at the moment because there is a default policy map configured already with the most important protocols. Therefore, ICMP is inspected by default.

Third, test ICMP traffic between hosts, not routers. Perhaps the ISP router is blocking incoming ICMP packets to itself. This means you have to create an ACL that is applied to the ISP router to allow ICMP to itself. So, to save all these hassles, just add two hosts as mentioned.

If you insist on working with the routers, do a packet trace for me as shown below:

packet-tracer input inside 8 0, and post the result.

Regards,

AM
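The four steps from turbo_engine26's earlier reply and the two fixes in the accepted answer above (default route, identity NAT), written out as one ASA 8.4 configuration. This is an added example for this thread, not the poster's lab config and not Cisco documentation. The interface numbers, the public /30 and the inside and DMZ subnets are taken from the posted config; the DMZ web server 192.168.100.10, the inside host 192.168.200.10, and the outside addresses 203.0.113.5 and 198.51.100.1 used in the verification commands are assumed test values.

```text
! --- Step 1: interfaces. Security levels alone decide which direction may
! --- start a flow without an ACL: 100 -> 70 -> 0 is allowed, the reverse is not.
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 62.28.190.66 255.255.255.252
!
interface GigabitEthernet3
 nameif dmz
 security-level 70
 ip address 192.168.100.254 255.255.255.0
!
interface GigabitEthernet4
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
! --- Default route toward the ISP. The posted config only routed 10.0.0.0/24,
! --- so Internet destinations had no path. "route outside 0 0 62.28.190.65"
! --- is the short form of the same line.
route outside 0.0.0.0 0.0.0.0 62.28.190.65 1
!
! --- Step 2: NAT in 8.3+ object syntax. An object carries one nat line, so
! --- the same subnet needs a second object for the identity rule toward the DMZ.
object network Net-Inside
 subnet 192.168.200.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
object network Net-Inside-to-DMZ
 subnet 192.168.200.0 255.255.255.0
 nat (inside,dmz) static 192.168.200.0
!
! --- Direction is DMZ -> outside, as the reply says. The /30 has no spare
! --- public address, so publish the (assumed) server 192.168.100.10 on the
! --- outside interface address for TCP/80 only.
object network DMZ-Web
 host 192.168.100.10
 nat (dmz,outside) static interface service tcp www www
!
! --- Step 3: ACLs. Outside -> DMZ must be permitted explicitly; on 8.3+ the
! --- ACL names the real (untranslated) address. Permit only the needed service.
access-list OUTSIDE_IN extended permit tcp any host 192.168.100.10 eq www
access-group OUTSIDE_IN in interface outside
!
! --- Optional inside restriction. An ACL bound to "inside" governs everything
! --- entering that interface, so inside -> dmz must be permitted here as well,
! --- and DNS must be allowed or browsing fails on name resolution.
access-list INSIDE_OUT extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list INSIDE_OUT extended permit udp 192.168.200.0 255.255.255.0 any eq domain
access-list INSIDE_OUT extended permit tcp 192.168.200.0 255.255.255.0 any eq www
access-list INSIDE_OUT extended permit tcp 192.168.200.0 255.255.255.0 any eq https
access-list INSIDE_OUT extended permit icmp 192.168.200.0 255.255.255.0 any echo
access-group INSIDE_OUT in interface inside
!
! --- Step 4: MPF in the order given in the reply: class-map (what to inspect),
! --- policy-map (what to do with it), service-policy (where). These are the
! --- default names; "inspect icmp" is what lets echo replies return statefully.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect http
  inspect icmp
service-policy global_policy global
!
! --- Verification (constructed addresses): trace an inside ping to the
! --- Internet and an outside web request to the published server. Each phase
! --- of the output names the route, NAT rule and ACL line the packet hit, or
! --- the phase where it was dropped.
packet-tracer input inside icmp 192.168.200.10 8 0 198.51.100.1
packet-tracer input outside tcp 203.0.113.5 40000 62.28.190.66 80
show nat
show route
```

The INSIDE_OUT list is only there to show the restriction the reply describes; without it, inside to outside and inside to dmz already pass on security level alone, and the identity NAT is the thread's recommendation rather than a requirement on 8.3+ (no rule means no translation). Because only TCP/80 is published, a ping of 62.28.190.66 from outside is answered by the ASA's own interface, not by the DMZ server.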

Turbo_Engine,

I corrected the problem.

I used the packet-tracer command as you suggested.

The problem was in the routing tables of the routers.

Many thanks, man, for helping me.

Kind Regards.

Hi,

Glad to hear that it is working for you.

Do not hesitate to ask further questions.

Regards,

AM
