Solved

configure ASA 5510 to pass through SSH sessions

Posted on 2007-12-01
Last Modified: 2008-05-21
Hi,

I have configured two interfaces on ASA 5510,

1- servers zone, for the servers area
2- banks zone, for banks to connect to servers


All users in the banks zone must only connect to the server 10.0.0.2 using the SSH port,
but they still cannot connect to the server; I cannot even ping the banks zone from the servers zone.
Will someone help me?
My configuration is below

ASA Version 7.0(6)
!
hostname YFS-FW1
enable password wrfquXVI4ksJsAhA encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif servers
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/1
 nameif banks
 security-level 30
 ip address 172.31.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif local
 security-level 60
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/3
security-level 0
 ip address 150.150.0.1 255.255.0.0
!
interface Management0/0
 nameif management
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list server-access extended permit 22 host 172.31.1.16 host 172.31.1.10
access-list 1 extended permit icmp any any
access-list 1 extended permit 22 any any
pager lines 24
mtu servers 1500
mtu banks 1500
mtu local 1500
mtu management 1500
mtu failover 1500
no failover
icmp permit any servers
icmp permit any banks
no asdm history enable
global (banks) 1 172.31.1.100-172.31.1.175
nat (servers) 1 10.0.0.0 255.255.255.0 tcp 1 0
static (servers,banks) 172.31.1.10 10.0.0.2 netmask 255.255.255.255
access-group 1 in interface servers
access-group server-access in interface banks
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 servers
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map class_sqlnet
 match port tcp eq ssh
class-map inspection_default
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
 class class_sqlnet
  inspect sqlnet
!
service-policy global_policy global
Cryptochecksum:dc71c886459cca3e19e24bb55bb94a33
: end
Question by:oamal2001
8 Comments
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20389358
try
no access-list 1 extended permit 22 any any
access-list 1 permit tcp any host 172.31.1.10 eq ssh

regards
 
LVL 4

Expert Comment

by:CCIE8122
ID: 20390208
Actually you have two problems here; MrHusy's solution will not fix the issue and, further, is technically incorrect in several respects.

1) On both ACLs you are allowing IP protocol 22 (for comparison, TCP is protocol number 6, UDP is 17; 22 is, well, nothing useful). So you need to change your ACL from allowing protocol 22 to allowing TCP port 22 as the destination port. You need to make this change to do so:

 access-list server-access extended permit tcp host 172.31.1.16 host 172.31.1.10 eq 22
 no access-list server-access extended permit 22 host 172.31.1.16 host 172.31.1.10

2) You have configured an ACL on the high-security interface (access-list 1). Configuring an ACL on the high-security interface has the effect of overriding the default "permit any any."

That is, by default a PIX/ASA will allow all connections initiated from a high-sec interface destined for a lower-sec interface (recording the state of the connection so as to allow only the return traffic coming in the low-sec interface) and deny connections initiated from low-sec to high-sec. You can override both of these behaviors by applying ACLs to the respective interfaces.

So when you apply ACL 1 to the servers interface, you have just allowed ICMP and IP protocol 22, and denied all other traffic originating from the servers interface (yes, all outbound server traffic!). If what you really intended to do is allow the servers to respond to allowed SSH connections and originate any ICMP "connections," then all you need to do is:

no access-list 1 extended permit 22 any any

You don't need to add "access-list 1 permit tcp any host 172.31.1.10 eq 22" as MrHusy suggests, for two reasons: 1) the connection is originating from the banks interface, and the ASA will record the state of the connection and allow return traffic from the servers interface dynamically; and 2) the correct (though unneeded) statement would have been "access-list 1 permit tcp host 10.0.0.2 eq ssh any," since, being applied to the servers interface, you would have needed to specify the server address/SSH port as the source tuple, not the destination. What you are saying is "allow traffic to ingress the servers interface if it is from host 10.0.0.2 (even though it will later be NATted) to any destination." But again, this statement is unnecessary, as the desired behavior is already accounted for by the "server-access" ACL.

Assuming you want to allow default behavior (devices on the "servers" interface can initiate any connection to a lower-security interface, but NOT vice versa), the correct config (changes only) is attached below.

Also, a piece of advice: get used to thinking about ASA ACLs in terms of the interface you apply them to, not the traffic you want to allow. For example, you are applying the ACL to the "banks" interface. Even though you are intending to allow access from the banks to the servers, you need to be aware that any ACL applied to that interface will affect access from "banks" devices to any other network. Specifically, unless you add an entry (or entries) to allow traffic to lower-sec interfaces, it will be denied (e.g., with your config, all traffic originating from "banks" to devices behind interface Ethernet0/3 will now be denied, even though E0/3 is a lower-sec interface).
clear config access-list server-access extended permit 22 host 172.31.1.16 host 172.31.1.10
clear config access-list 1 extended permit icmp any any
 
access-list BANK_ACCESS extended permit tcp any host 172.31.1.10 eq 22
access-list BANK_ACCESS extended permit icmp any host 172.31.1.10
 
no access-group 1 in interface servers
no access-group server-access in interface banks
 
access-group BANK_ACCESS in int banks
 
!---if you want to deny all server-intiated traffic except ICMP, delete this line and all "!" below
! access-list SERVER_ACCESS ext perm icmp any any
! access-group SERVER_ACCESS in int servers


 
LVL 4

Expert Comment

by:CCIE8122
ID: 20390209
oops, corrected config below
no access-group 1 in interface servers
no access-group server-access in interface banks
 
clear config access-list server-access 
clear config access-list 1 
 
access-list BANK_ACCESS extended permit tcp any host 172.31.1.10 eq 22
access-list BANK_ACCESS extended permit icmp any host 172.31.1.10
 
access-group BANK_ACCESS in int banks
 
!---if you want to deny all server-intiated traffic except ICMP, delete this line and all "!" below
! access-list SERVER_ACCESS ext perm icmp any any
! access-group SERVER_ACCESS in int servers


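The answer above rests on two ASA rules: the protocol field of an ACE is an IP protocol number or name (so `permit 22` matches IP protocol 22, never TCP port 22), and an ACL bound inbound to an interface replaces the security-level default for everything entering that interface and ends in an implicit deny. The Python model below is an added example, not code from the thread, from Cisco or from either commenter. It parses the `nameif`/`security-level`/`access-list`/`access-group` lines, lints for bare-number protocols that are really well-known TCP ports, and evaluates the poster's original ACLs beside the corrected BANK_ACCESS ACL from the comment above. The interface and ACL text is constructed from the poster's config; naming Ethernet0/3 `outside` is an assumption (the original has no nameif on it), as is the `150.150.1.1` host used for outside-bound flows. NAT and stateful return traffic are not modelled: flows are matched against the addresses seen on the inbound interface (the mapped 172.31.1.10 on the bank side, as on a pre-8.3 ASA).

```python
"""ASA 7.x inbound access-rule model (added example, not the thread's or Cisco's code).
Rule 1: an ACE's protocol field is an IP protocol, so `permit 22` is not TCP/22.
Rule 2: an ACL bound `in interface X` replaces the security-level default for traffic
entering X and ends in an implicit deny.  NAT and return traffic are not modelled."""
import ipaddress
import re
from collections import namedtuple
PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}        # None = any IP protocol
PORT_NUM = {"ssh": 22, "telnet": 23, "www": 80, "https": 443}
WELL_KNOWN_TCP_PORTS = {21, 22, 23, 25, 80, 443, 3389}         # numbers that are ports, not protocols
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+(\S+)\s+(.+)$")
Ace = namedtuple("Ace", "action proto src sport dst dport text")

def _addr(tok, i):  # `any` | `host A` | `A MASK` at tok[i] -> (IPv4Network, next index)
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def _port(tok, i):  # optional `eq PORT` at tok[i] -> (port number or None, next index)
    if i < len(tok) and tok[i] == "eq":
        return PORT_NUM.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i

def parse_ace(line):  # access-list NAME [extended] permit|deny PROTO SRC [eq P] DST [eq P]
    name, action, proto, rest = ACE_RE.match(line.strip()).groups()
    tok = rest.split()
    src, i = _addr(tok, 0)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, _ = _port(tok, i)
    pnum = PROTO_NUM[proto] if proto in PROTO_NUM else int(proto)  # bare number = IP protocol
    return name, Ace(action, pnum, src, sport, dst, dport, line.strip())

def parse_config(text):  # nameif -> security-level, ACL -> [Ace] in order, nameif -> inbound ACL
    cfg, nameif = {"seclevel": {}, "acls": {}, "bound": {}}, None
    for t in (ln.split() for ln in text.splitlines() if ln.strip()):
        if t[0] == "interface":            # new interface block: forget the previous nameif
            nameif = None
        elif t[0] == "nameif":
            nameif = t[1]
        elif t[0] == "security-level" and nameif:
            cfg["seclevel"][nameif] = int(t[1])
        elif t[0] == "access-group":       # access-group ACL in interface IFC
            cfg["bound"][t[4]] = t[1]
        elif t[0] == "access-list" and t[2] != "remark":
            name, ace = parse_ace(" ".join(t))
            cfg["acls"].setdefault(name, []).append(ace)
    return cfg

def lint(cfg):  # ACEs whose protocol is a bare number that is really a well-known TCP port
    return [f"{name}: '{a.text}' matches IP protocol {a.proto}, not TCP port {a.proto}"
            for name, aces in cfg["acls"].items() for a in aces
            if a.proto in WELL_KNOWN_TCP_PORTS]

def evaluate(cfg, in_ifc, out_ifc, proto, src, dst, dport=None, sport=None):
    """Permit/deny for a new connection entering in_ifc and leaving via out_ifc."""
    acl = cfg["bound"].get(in_ifc)
    if acl is None:                        # no inbound ACL: the security-level default applies
        return "permit" if cfg["seclevel"][in_ifc] > cfg["seclevel"][out_ifc] else "deny"
    s, d, p = ipaddress.ip_address(src), ipaddress.ip_address(dst), PROTO_NUM[proto]
    for a in cfg["acls"].get(acl, []):     # first matching ACE decides
        if (a.proto in (None, p) and s in a.src and d in a.dst
                and a.sport in (None, sport) and a.dport in (None, dport)):
            return a.action
    return "deny"                          # implicit deny at the end of every ACL

# Constructed from the poster's config; `outside` for Ethernet0/3 is an assumption.
INTERFACES = """interface Ethernet0/0
 nameif servers
 security-level 100
interface Ethernet0/1
 nameif banks
 security-level 30
interface Ethernet0/3
 nameif outside
 security-level 0
"""
ORIGINAL = INTERFACES + """access-list server-access extended permit 22 host 172.31.1.16 host 172.31.1.10
access-list 1 extended permit icmp any any
access-list 1 extended permit 22 any any
access-group 1 in interface servers
access-group server-access in interface banks
"""
CORRECTED = INTERFACES + """access-list BANK_ACCESS extended permit tcp any host 172.31.1.10 eq 22
access-list BANK_ACCESS extended permit icmp any host 172.31.1.10
access-group BANK_ACCESS in interface banks
"""

def demo():  # 150.150.1.1 is an assumed host behind `outside`
    orig, fixed = parse_config(ORIGINAL), parse_config(CORRECTED)
    return {
        "lint_original": lint(orig),
        "orig_bank_ssh": evaluate(orig, "banks", "servers", "tcp", "172.31.1.16", "172.31.1.10", 22),
        "orig_server_https_out": evaluate(orig, "servers", "outside", "tcp", "10.0.0.2", "150.150.1.1", 443),
        "fixed_bank_ssh": evaluate(fixed, "banks", "servers", "tcp", "172.31.1.16", "172.31.1.10", 22),
        "fixed_server_https_out": evaluate(fixed, "servers", "outside", "tcp", "10.0.0.2", "150.150.1.1", 443),
        "fixed_bank_web_out": evaluate(fixed, "banks", "outside", "tcp", "172.31.1.16", "150.150.1.1", 80),
    }
```

Calling `demo()` returns the two lint findings for the original config (both protocol-22 ACEs) and the decisions that match the diagnosis above: bank-to-server SSH is denied under the original ACLs and permitted under BANK_ACCESS; server-originated HTTPS toward `outside` is denied while ACL 1 is bound to `servers` and permitted once no ACL is bound there; and bank-to-outside HTTP is denied under BANK_ACCESS, which is the caveat raised at the end of the answer. Point `parse_config` at a real `show running-config` dump to check other boxes the same way.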

Author Comment

by:oamal2001
ID: 20390364
Hi,
Thanks, I will rearrange the configuration today. The programmer is now asking me to allow specific servers in the banks zone to access the database server in the servers zone on a specified port, for example:
1- server 172.16.1.1 to access 10.0.0.2 on port 8001
2- server 172.16.15.1 to access 10.0.0.2 on port 8002
Of course all are accessing through a Cisco 3845 router. Can I use the same procedure you recommended before?

Thanks,
 

Author Comment

by:oamal2001
ID: 20390397
Sorry

I forgot to ask:
Do I need to remove the NAT?
global (banks) 1 172.31.1.100-172.31.1.175
nat (servers) 1 10.0.0.0 255.255.255.0 tcp 1 0
And is it possible to do a second NAT for the same server, for example 10.0.0.2--172.31.1.10--10.100.100.2?
And do you think it will improve security?

Thanks,
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20390917
"2) the correct (though unneeded) statement would have been "access-list 1 permit tcp host 10.0.0.2 eq ssh any,"
No, it is not the correct statement of my ACL; it can be easily understood that I just missed the interface :) so the correction is the following:

no access-group 1 in interface servers
access-group 1 in interface banks


No, you shouldn't delete your global command and NAT.
Would you please explain what you mean by "And is it possible to do a second NAT for the same server, for example 10.0.0.2--172.31.1.10--10.100.100.2"?

Regards
 

Author Comment

by:oamal2001
ID: 20390950
Thanks all
OK,
I mean, if I did static NAT for server 10.0.0.2 to 172.31.1.10, which I already made on the ASA, and then I did a NAT for 172.31.1.10 on the router that connects the banks interface, in case I want to give a different IP address for the server for each bank, do you think it will work?

Thanks,
 
LVL 29

Accepted Solution

by: Alan Huseyin Kayahan (earned 2000 total points)
ID: 20391046
Yes, it will work. You can do one-to-one NAT:

10.100.100.2------------
10.100.100.3------------                          
10.100.100.4------------
10.100.100.5------------          172.21.1.10-------------10.0.0.2
10.100.100.6------------
10.100.100.7------------
10.100.100.8------------
 
     You can achieve same in ASA also
172.21.1.10
172.21.1.11
172.21.1.12
172.21.1.13-------------     10.0.0.2
172.21.1.14
172.21.1.15
172.21.1.16
       
NATing decreases the success rate of reconnaissance attacks. But that doesn't mean you should apply NAT a thousand times. The more address translations, the more possibility of packet loss.
In your ASA config, I would recommend you to set an embryonic limit in your statics instead of 0, for preventing SYN flood attacks, and a connection limit.

static (servers,banks) 172.31.1.10 10.0.0.2 netmask 255.255.255.255 1 8
1 = max connections (you may have to increase the values as more banks have to reach this destination)
8 = embryonic TCP connection limit (which means the 3-way handshake is not completed, which is usually a sign of a SYN flood attack)

Regards
