Solved

configure ASA 5510 to pass through SSH sessions

Posted on 2007-12-01
Last Modified: 2008-05-21
HI,

I have configured two interfaces on ASA 5510,

1- servers zone  for servers area
2- banks zone   for banks to connect to servers


All users in the banks zone must only connect to the server 10.0.0.2 using the SSH port,
but they still cannot connect to the server, and I cannot even ping the banks zone from the servers zone.
Will someone help me?
My configuration is below

ASA Version 7.0(6)
!
hostname YFS-FW1
enable password wrfquXVI4ksJsAhA encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif servers
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/1
 nameif banks
 security-level 30
 ip address 172.31.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif local
 security-level 60
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/3
 security-level 0
 ip address 150.150.0.1 255.255.0.0
!
interface Management0/0
 nameif management
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list server-access extended permit 22 host 172.31.1.16 host 172.31.1.10
access-list 1 extended permit icmp any any
access-list 1 extended permit 22 any any
pager lines 24
mtu servers 1500
mtu banks 1500
mtu local 1500
mtu management 1500
mtu failover 1500
no failover
icmp permit any servers
icmp permit any banks
no asdm history enable
global (banks) 1 172.31.1.100-172.31.1.175
nat (servers) 1 10.0.0.0 255.255.255.0 tcp 1 0
static (servers,banks) 172.31.1.10 10.0.0.2 netmask 255.255.255.255
access-group 1 in interface servers
access-group server-access in interface banks
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 servers
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map class_sqlnet
 match port tcp eq ssh
class-map inspection_default
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
 class class_sqlnet
  inspect sqlnet
!
service-policy global_policy global
Cryptochecksum:dc71c886459cca3e19e24bb55bb94a33
: end
Question by: oamal2001

8 Comments

LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20389358
try
no access-list 1 extended permit 22 any any
access-list 1 permit tcp any host 172.31.1.10 eq ssh

regards
LVL 4

Expert Comment

by:CCIE8122
ID: 20390208
actually you have two problems here, MrHusy's solution will not fix the issue, and further, is technically incorrect in several respects.

1) on both ACLs you are allowing IP Protocol 22 (for example, TCP is protocol number 6, UDP is 17 -- 22 is, well, nothing useful).  so, you need to change your ACL from allowing protocol 22 to allowing TCP port 22 as the destination port.  And you need to make this change to do so:

 access-list server-access extended permit tcp host 172.31.1.16 host 172.31.1.10 eq 22
 no access-list server-access extended permit 22 host 172.31.1.16 host 172.31.1.10

2) you have configured an ACL on the high-security interface (access-list 1).  configuring an ACL on the high-security interface has the effect of overriding the default "permit any any."  

that is, by default a PIX/ASA will allow all connections initiated from a high-sec interface destined for a lower-sec interface (and recording the state of the connection so as to allow the return traffic only coming in the low-sec interface) and deny connections initiated from low-sec to hi-sec.  you can override both of these behaviors by applying ACLs to respective interfaces.

so when you apply ACL 1 to the server interface, you have just allowed ICMP and IP protocol 22, and denied all other traffic originating from the server interface (yes, all outbound server traffic!).  if what you really intended to do is allow the servers to respond to allowed SSH connections and originate any ICMP "connections," then all you need to do is:

no access-list 1 extended permit 22 any any

you don't need to add "access-list 1 permit tcp any host 172.31.1.10 eq 22" as MrHusy suggests, for two reasons: 1) the connection is originating from the banks interface, and the ASA will record the state of the connection and allow return traffic from the servers interface dynamically, and 2) the correct (though unneeded) statement would have been "access-list 1 permit tcp host 10.0.0.2 eq ssh any," since being applied to the servers interface you would have needed to specify the server address/ssh port as the source tuple, not the destination, since what you are saying is "allow traffic to ingress the "servers" interface if it is from the host 10.0.0.2 (even though it will later be NATted) to any destination."  but again, this statement is unnecessary as the desired behavior is already accounted for by the "server-access" ACL

assuming you want to allow default behavior (devices on the "servers" interface can initiate any connection to a lower security interface, but NOT vice versa), the correct config (changes only) is attached below.

also, a piece of advice:  get used to thinking about ASA ACLs in terms of the interface you apply them to, not the traffic you want to allow.  for example, you are applying the ACL to the "banks" interface.  even though you are intending to allow access from the banks to the servers, you need to be aware that any ACL applied to that interface will affect access from "banks" devices to any other network.  specifically, unless you add an entry (entries) to allow traffic to lower-sec interfaces, it will be denied (e.g., with your config, all traffic originating from "banks" to devices behind interface ethernet0/3 will now be denied, even though e0/3 is a lower-sec interface)
clear config access-list server-access extended permit 22 host 172.31.1.16 host 172.31.1.10

clear config access-list 1 extended permit icmp any any
 

access-list BANK_ACCESS extended permit tcp any host 172.31.1.10 eq 22

access-list BANK_ACCESS extended permit icmp any host 172.31.1.10
 

no access-group 1 in interface servers

no access-group server-access in interface banks
 

access-group BANK_ACCESS in int banks
 

!---if you want to deny all server-initiated traffic except ICMP, delete this line and all "!" below

! access-list SERVER_ACCESS ext perm icmp any any

! access-group SERVER_ACCESS in int servers

LVL 4

Expert Comment

by:CCIE8122
ID: 20390209
oops, corrected config below
no access-group 1 in interface servers

no access-group server-access in interface banks

 

clear config access-list server-access 

clear config access-list 1 
 

access-list BANK_ACCESS extended permit tcp any host 172.31.1.10 eq 22

access-list BANK_ACCESS extended permit icmp any host 172.31.1.10

 

access-group BANK_ACCESS in int banks

 

!---if you want to deny all server-initiated traffic except ICMP, delete this line and all "!" below

! access-list SERVER_ACCESS ext perm icmp any any

! access-group SERVER_ACCESS in int servers

Author Comment

by:oamal2001
ID: 20390364
HI,
Thanks, I will rearrange the configuration today. The programmer is now asking me to allow specific servers in the banks zone to access the database server in the servers zone on a specified port, for example:
1- server 172.16.1.1 to access 10.0.0.2 on port 8001
2- server 172.16.15.1 to access 10.0.0.2 on port 8002
Of course all are accessing through a Cisco 3845 router. Can I use the same procedure you recommended before?

Thanks,

Author Comment

by:oamal2001
ID: 20390397
Sorry,

I forgot to ask:
Do I need to remove the NAT?
global (banks) 1 172.31.1.100-172.31.1.175
nat (servers) 1 10.0.0.0 255.255.255.0 tcp 1 0
And is it possible to do a second NAT for the same server, for example 10.0.0.2--172.31.1.10--10.100.100.2?
And do you think it will improve security?

Thanks,
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20390917
"2) the correct (though unneeded) statement would have been "access-list 1 permit tcp host 10.0.0.2 eq ssh any,"
no, it is not the correct statement of my ACL; it can be easily understood that I just missed the interface :) so the correction is the following

no access-group 1 in interface servers
access-group 1 in interface banks


No, you shouldn't delete your global command and NAT.
Would you please explain what you mean by "And is it possible to do a second NAT for the same server, for example 10.0.0.2--172.31.1.10--10.100.100.2"?

Regards
 

Author Comment

by:oamal2001
ID: 20390950
Thanks all
OK,
I mean, if I did a static NAT for server 10.0.0.2 to 172.31.1.10, which I already made on the ASA, and then I did a NAT for 172.31.1.10 on the router that connects to the banks interface, in case I want to give a different IP address for the server to each bank, do you think it will work?

Thanks,
 
LVL 29

Accepted Solution

by: Alan Huseyin Kayahan (earned 500 total points)
ID: 20391046
Yes, it will work. You can do one-to-one NAT on the router:

10.100.100.2 ---\
10.100.100.3 ---|
10.100.100.4 ---|
10.100.100.5 ---+--- 172.21.1.10 --- 10.0.0.2
10.100.100.6 ---|
10.100.100.7 ---|
10.100.100.8 ---/

You can achieve the same in the ASA also:

172.21.1.10 ---\
172.21.1.11 ---|
172.21.1.12 ---|
172.21.1.13 ---+--- 10.0.0.2
172.21.1.14 ---|
172.21.1.15 ---|
172.21.1.16 ---/

NATing decreases the success rate of reconnaissance attacks. But that doesn't mean to apply NAT a thousand times. The more address translations, the more possibility of packet loss.
In your ASA config, I would recommend you to set an embryonic limit in your statics instead of 0, for preventing SYN flood attacks, and a connection limit.

static (servers,banks) 172.31.1.10 10.0.0.2 netmask 255.255.255.255 1 8
1 = max connections (you may have to increase the value as more banks have to reach this destination)
8 = embryonic TCP connection limit (a connection whose 3-way handshake is not completed, which is usually a sign of a SYN flood attack)

Regards
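Putting the thread's advice together as one configuration fragment, in the ASA 7.0 syntax used in the question. This is an added example, not a config posted by anyone in the thread. The addresses 10.0.0.2, 172.31.1.10 and 172.31.1.16, the bank servers 172.16.1.1 and 172.16.15.1, and the ports 8001/8002 come from the thread; the router address 172.31.1.2 and the connection limits 100/20 are assumed for illustration and must be adjusted to the real environment.

```cisco
! Added example for the question's ASA 7.0(6) config; not a poster's config.
! Assumed values: router banks-side address 172.31.1.2, limits tcp 100 20.
!
! 1. Unbind and delete the ACL on the high-security "servers" interface.
!    Binding any ACL there replaces the default "permit all outbound", and
!    "permit 22" matched IP protocol 22, not TCP port 22. With no ACL bound,
!    servers may initiate to lower-security interfaces; bank-initiated SSH
!    replies are allowed by the connection table, not by an ACL.
no access-group 1 in interface servers
clear configure access-list 1
!
! 2. Replace the banks-side ACL. On this release the interface ACL is
!    matched before the static translation, so the destination is the
!    mapped address 172.31.1.10, not the real 10.0.0.2.
no access-group server-access in interface banks
clear configure access-list server-access
access-list BANK_ACCESS extended permit tcp host 172.31.1.16 host 172.31.1.10 eq ssh
access-list BANK_ACCESS extended permit tcp host 172.16.1.1 host 172.31.1.10 eq 8001
access-list BANK_ACCESS extended permit tcp host 172.16.15.1 host 172.31.1.10 eq 8002
access-list BANK_ACCESS extended permit icmp any host 172.31.1.10 echo
access-group BANK_ACCESS in interface banks
!
! 3. The 172.16.x bank servers sit behind the 3845, so the ASA needs a
!    route back to them (the posted config has no route statements).
!    172.31.1.2 is an assumed address for the router's banks-side interface.
route banks 172.16.0.0 255.255.0.0 172.31.1.2
!
! 4. Static NAT with TCP connection and embryonic (half-open) limits:
!    tcp <max_conns> <emb_limit>. A static must be removed before it is
!    changed. 100 concurrent and 20 half-open connections are assumed values.
no static (servers,banks) 172.31.1.10 10.0.0.2 netmask 255.255.255.255
static (servers,banks) 172.31.1.10 10.0.0.2 netmask 255.255.255.255 tcp 100 20
!
! 5. Verification from exec mode while a bank host connects: the hit counts
!    on BANK_ACCESS should increase, an xlate for 172.31.1.10 should appear,
!    and the SSH connection should show up in the connection table.
! show access-list BANK_ACCESS
! show xlate
! show conn
```

Two caveats when applying this. The max_conns value on the static caps concurrent TCP connections through that mapped address, so it must be at least the number of simultaneous bank sessions expected; a value of 1 admits one session at a time. And the class-map class_sqlnet in the question matches tcp/22 and applies SQL*Net inspection to SSH traffic; it is unrelated to the ACL problem, but it is almost certainly unintended and can be removed from global_policy.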