• Status: Solved

Cisco ASA firewall?

Hi guys,

I have 2 offices in different locations. Each office has a Cisco ASA5520 and a Catalyst 3560. I also have an AT&T circuit which is connected between the 2 offices.

Let's call them location A and location B.

Location A has ASA5520_A and SW_A:
   Int E0 of ASA5520_A has ip 192.168.1.2
   Int E1 of ASA5520_A has ip 172.16.1.1
   Int FE0 of SW_A has ip 172.16.1.2

Location B has ASA5520_B and SW_B:
   Int E0 of ASA5520_B has ip 192.168.1.3
   Int E1 of ASA5520_B has ip 172.17.1.1
   Int FE0 of SW_B has ip 172.17.1.2

I'd like to have all computers in subnet 172.16.1.0/24 (location A) able to see all computers in subnet 172.17.1.0/24 (location B), but not vice versa. Should I do the routing part first, then the access list? Or what should I do? Thanks.
Asked:
tinhnho
2 Solutions
 
decoleurCommented:
to what ends?

I ask this because part of communication is the response, so you could open A to B and block B to A and never have it work because B cannot reply to A. In any situation the routing has to be there first; otherwise A would not know how to get to B and B would not know how to respond to A.

you could set up an ACL on each side to only allow established connections from B to A.

so on A you could put an ACL on the outside interface going in:
permit ip Bnet Anet established
permit icmp Bnet Anet echo-reply
deny ip Bnet Anet

on B you could put something on the outside like:
permit ip Anet Bnet any
permit icmp Anet Bnet any

hope this helps,

-t
0
 
devangshroffCommented:
A connection works only when there is bidirectional communication, i.e. TCP handshaking.
It will not work one way.
0
 
decoleurCommented:
That is why you use the keyword established at the end of the communication between B and A. It provides for communication that originates from A to B but not in the other direction.
0
 
ricks_vCommented:
OK, you've got 2 offices in different locations, which means you need a LAN-to-LAN VPN / IPsec connection.
Correct me if I'm wrong, but I would assume E0 of both ASAs is connected to the internet (ADSL modem, for example); I guess they should be 192.168.1.1.

so you should have on both ASAs: ip route 0.0.0.0 0.0.0.0 192.168.1.1 1 (which means pass all unknown traffic to the ADSL modem)

OK, if everything is set as above, we can start configuring the L2L or IPsec tunnel by dropping in this command:
sysopt connection permit-vpn (this basically bypasses NAT and ACL for IPsec traffic, and is the simplest way to avoid complicated config with NAT / ACL)

then you can start your VPN wizard from here; try googling "vpn wizard", or even maybe a manual config if you are familiar with it.

the general idea will be (ASA location A will mention the internet address of location B and ASA location B will mention the internet address of location A), plus the further config required, such as allowing 172.16.x.x and 172.17.x.x to pass over the tunnel, i.e. to be encrypted and decrypted.

0
 
ricks_vCommented:
my bad, didn't read your question properly. please ignore my last post :P

it does not matter which one you do first. and if you're wondering...
Yes, it is possible to create an ACL for 1-way access.

if they are already connected to each other, I would start with the ACL.
it will look like this:
ASA location A:
outside outgoing: allow source 172.16.x.x dest 172.17.x.x
inside incoming: allow source 172.16.x.x dest 172.17.x.x
ASA location B:
outside incoming: allow source 172.16.x.x dest 172.17.x.x
inside outgoing: allow source 172.16.x.x dest 172.17.x.x

routing should not be an issue; just create a route for all traffic (0.0.0.0) to the AT&T circuit, or just for 172.16.x.x or 172.17.x.x at both ends.
0
 
decoleurCommented:
there are many ways to skin a cat, some just leave you with more meat.

as a personal preference I prefer not to create ACLs on the inside interface, because unless there is a business case for it I do not want to actively be restricting outbound connections, just incoming.

I am not sure that ricks_v's solution will work, and it will require 4 ACLs to be maintained, because traffic is being allowed from 172.16.x.x to 172.17.x.x but no replies are being allowed. Also the two ACLs on each firewall are contradictory.
ASA location A:
outside outgoing: allow source 172.16.x.x dest 172.17.x.x
means allow traffic going out of the network that originates from 172.16 going to 172.17
inside incoming: allow source 172.16.x.x dest 172.17.x.x
means allow traffic coming into the network that originates from 172.16 going to 172.17

you really only want to restrict the traffic on one interface, and when you are using extended access-lists that interface should be as close to the source as possible.

my solution will work and only requires additions to the two outside inbound ACLs.

there is no right way, but test both and determine which will be the easiest for you to maintain.

for A -> B but not B -> A, where A is 172.16.1.0/24 and B is 172.16.2.0/24,
here is what the commands will look like using ricks_v's IP address scheme.
solution 1:
site A
access-list OUT_in permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0 established
access-list OUT_in deny ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-group OUT_in in interface outside
site B
access-list OUT_in permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-group OUT_in in interface outside
This will only allow traffic to Site A from Site B that originated with a request from Site A.

hope this clears things up a bit,

-t
0
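The disagreement in this thread is about return traffic: a filter that only checks "source in A, destination in B" blocks the SYN-ACK coming back from B, so no TCP handshake ever completes, whereas a filter that remembers which flows were opened from A can let the reverse packets of exactly those flows through while still refusing anything B initiates. The following Python model is an added example, not code from the thread or from Cisco; it is a generic simulation of that distinction, not a reimplementation of how the ASA or the `established` keyword works internally. Host addresses, ports and the packet/flag layout are constructed for the example; the two subnets are the ones from the question.

```python
import ipaddress
from dataclasses import dataclass

# Constructed to match the subnets in the question; no real hosts are involved.
NET_A = ipaddress.ip_network("172.16.1.0/24")  # site A, allowed to initiate
NET_B = ipaddress.ip_network("172.17.1.0/24")  # site B, may only answer


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # tcp: {"SYN"}, {"SYN","ACK"}, {"ACK"}; icmp: {"echo"}, {"echo-reply"}

    def is_new(self) -> bool:
        """First packet of a flow: a bare SYN, or an ICMP echo request."""
        if self.proto == "tcp":
            return "SYN" in self.flags and "ACK" not in self.flags
        return "echo" in self.flags


def policy_allows_new(pkt: Packet) -> bool:
    """The asker's rule: only site A may open flows toward site B."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return src in NET_A and dst in NET_B


def stateless_one_way(pkt: Packet) -> str:
    """A filter that checks addresses only and knows nothing about replies."""
    return "permit" if policy_allows_new(pkt) else "deny"


class StatefulFilter:
    """Remembers flows opened under the policy and permits the reverse
    direction for those flows only; anything else initiated from B is denied."""

    def __init__(self) -> None:
        self.flows: set[tuple] = set()

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> tuple:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def handle(self, pkt: Packet) -> str:
        if self._key(pkt) in self.flows or self._reverse(pkt) in self.flows:
            return "permit (established)"
        if pkt.is_new() and policy_allows_new(pkt):
            self.flows.add(self._key(pkt))
            return "permit (new)"
        return "deny"


def tcp_handshake(client: str, server: str, verdict) -> list:
    """Push the three handshake packets through `verdict` in order. As with
    real hosts, the next packet is only sent if the previous one got through."""
    syn = Packet(client, server, "tcp", 40000, 443, frozenset({"SYN"}))
    synack = Packet(server, client, "tcp", 443, 40000, frozenset({"SYN", "ACK"}))
    ack = Packet(client, server, "tcp", 40000, 443, frozenset({"ACK"}))
    results = []
    for pkt in (syn, synack, ack):
        results.append(verdict(pkt))
        if not results[-1].startswith("permit"):
            break
    return results


def ping(src: str, dst: str, verdict) -> list:
    """Echo request followed by the echo reply, if the request was permitted."""
    results = [verdict(Packet(src, dst, "icmp", flags=frozenset({"echo"})))]
    if results[0].startswith("permit"):
        results.append(verdict(Packet(dst, src, "icmp", flags=frozenset({"echo-reply"}))))
    return results


if __name__ == "__main__":
    a_host, b_host = "172.16.1.10", "172.17.1.20"
    print("stateless A->B:", tcp_handshake(a_host, b_host, stateless_one_way))
    print("stateful  A->B:", tcp_handshake(a_host, b_host, StatefulFilter().handle))
    print("stateful  B->A:", tcp_handshake(b_host, a_host, StatefulFilter().handle))
    print("stateful ping A->B:", ping(a_host, b_host, StatefulFilter().handle))
```

Running it shows the stateless filter passing the SYN and then dropping the SYN-ACK (so the handshake never completes, which is devangshroff's objection), while the stateful filter completes the A-to-B handshake and the A-to-B ping but drops a SYN or echo request that originates at B. Whether you express the reverse-traffic allowance with an ACL keyword or rely on the firewall's connection table, the property you need to verify on the real box is the same one this model checks: a flow opened from B must fail even though replies to flows opened from A succeed.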
 
ricks_vCommented:
looking at decoleur's ACLs,
traffic from both LANs will not be able to talk to each other.
All traffic can get to the ASA, but will be blocked on the inside interface (where the LAN sits).

in this case, the ASA has 4 ACLs on the interfaces: outside incoming, outside outgoing, inside incoming, inside outgoing.
To allow LAN-to-LAN communication, you will need an ACL on the inside interface too.

Let us know how it goes..

0
 
decoleurCommented:
ricks_v, what is the basis on which you assert that traffic will be blocked on the inside interface?

My understanding is that on the ASA the interface labeled inside has a security level of 100 and the interface labeled outside has a security level of 0. All traffic is allowed from the higher security level to the lower unless specifically configured otherwise. This makes an ACL to allow traffic from the inside out unnecessary.

Is there something else that I am not taking into consideration?

I understand that this is a little off topic but I think this is a pretty important fundamental concept.

-t
0
 
ricks_vCommented:
yes, that's the basic understanding; I understand all traffic from the higher security level (inside) will automatically be allowed to go to the lower security level (outside).

I think you misunderstood the concept of "inside interface outgoing"

inside outgoing/outbound means traffic is actually going towards the LAN.

 LAN (incoming)--->      (inside interface) <--------ASA-----> (outside interface)              <--(Incoming)
 LAN <--(outgoing)      (inside interface) <--------ASA-----> (outside interface )            -->(outgoing)

I am absolutely sure about the ACL rule mentioned above.

anyway, good luck with getting this running..
0
 
tinhnhoAuthor Commented:
Thanks guys for the hints.
Hi Ricks_v

The map below is my current setup at my offices. Both offices have an internet connection and they work just fine with the internet. We just had the AT&T circuit installed in the last couple of weeks. The offices don't see each other yet. Here are the steps I will take:

1. Add routing to ASA5520_A (location A). I'm thinking of using OSPF here. Any suggestion for other routing protocols?
2. Apply the ACL on ASA5520_A.

Thanks.
cisco-asa-map.bmp
0
 
decoleurCommented:
EIGRP is very easy to set up and run if you own both sides.
0
 
devangshroffCommented:
you need to coordinate with the ISP; ask them what protocol they are using, as the ISP needs to relay your network.

EIGRP will be good option
0
