Solved

ASA 5510, Policy Maps, Class Maps, and Access-Lists!

Posted on 2009-02-16
Last Modified: 2012-05-06
I'd like to fine tune my company's ASA5510 a bit, but I am not very familiar with policy maps, class maps, or ACLs. I've attached my configuration below. The IP addresses have been massaged a bit, but I should be able to follow any instructions after decrypting the comments. I'd like to accomplish the following things:

1) I've limited the number of connections per client to 24 to combat torrents, but I only want that limit to occur on half of my subnet, 192.168.50.4 - .255, and not on the rest of it from 192.168.51.0 - .255, with a network of 192.168.50.0/23. The idea is that I'll assign problem users the earlier IP addresses, with non-offenders in the upper ranges. If I can see the concept, I'll manipulate it to suit my actual circumstances.

2) If I have a user, or users, that needs a particular port, 8181 for example, how do I forward that through the firewall if port 8181 is needed for communication with a patch server?

3) Please look over the config and offer any suggestions for improvements. We do have problems with email attachments at times, of which I have heard rumors that some type of ICMP might be at fault.
hostname xxxx-xxxx
enable password xxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxx encrypted
names
!
interface Ethernet0/0
 description Outside Interface to Public Network, Gateway = 34.74.67.254
 nameif Public
 security-level 0
 ip address 34.74.67.1 255.255.255.252
!
interface Ethernet0/1
 description Inside Interface to Private Network
 nameif Private
 security-level 50
 ip address 192.168.50.1 255.255.254.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
ftp mode passive
clock timezone AST 3
dns domain-lookup Public
dns domain-lookup Private
dns server-group DefaultDNS
 name-server xxx.xxx.xxx.xxx
 name-server xxx.xxx.xxx.xxx
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable
access-list www_traffic extended permit tcp any any eq www
pager lines 24
logging enable
logging asdm-buffer-size 512
logging asdm informational
mtu Public 1500
mtu Private 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
global (Public) 1 interface
nat (Private) 1 192.168.50.0 255.255.254.0
access-group 100 in interface Public
route Public 0.0.0.0 0.0.0.0 34.74.67.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
url-server (Private) vendor websense host 192.168.50.2 timeout 30 protocol TCP version 4 connections 30
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server community xxxxxxxxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
dhcpd ping_timeout 750
!
dhcpd address 192.168.51.0-192.168.51.254 Private
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface Private
dhcpd enable Private
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map CONNS
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class CONNS
  set connection per-client-max 24
  set connection timeout tcp 0:15:00 dcd
!
service-policy global_policy global

Question by:eskirvin
Accepted Solution

by:
Alan Huseyin Kayahan earned 2000 total points
ID: 23657687
Hello eskirvin,

class-map CONNS
 match any

With the above statement, you make the traffic matching on which you are going to take action under the policy-map. Your action under the policy-map for the CONNS class is to limit per-client-max connections to 24. But your traffic matches "any" traffic!
So you have to define an ACL that traffic matching occurs on, like the following

access-list limit_conn permit ip 192.168.50.0 255.255.255.0 any
    then,

class-map CONNS
 no match any
 match access-list limit_conn

Please explain issue #2 (forwarding) in detail

Regards

Author Comment

by:eskirvin
ID: 23657811
Detail for number 2 is as follows:

One of our senior level managers plays WoW, but since putting the firewall in place, he doesn't download patches as fast anymore. When I find out which port, or ports, is needed, I want to be able to forward it through the firewall for better performance. He is playing this on our morale network during his offtime which is fine. We are located in Kuwait in the middle of the desert, so morale activities are pretty important.
Author Comment

by:eskirvin
ID: 23657827
For your explanation of number 1, first, thank you very much :-) Second, is there a way to exclude single ip addresses from the match or should it be done for a range as per your explanation?
Assisted Solution

by:Alan Huseyin Kayahan
Alan Huseyin Kayahan earned 2000 total points
ID: 23658204
static (Private,Public) tcp interface 8181 yourmanagersiphere 8181
access-list 100 permit tcp any interface Public eq 8181

Above is for your manager. And below for exclusion

access-list limit_conn deny ip host excludedhostiphere any
access-list limit_conn permit ip 192.168.50.0 255.255.255.0 any

The deny statement for exclusion must take place before the permit statement
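To show why the deny entry has to come first, here is an added Python model of ASA first-match ACL evaluation feeding the CONNS class-map; it is not code from this thread, and the excluded host 192.168.50.10 and destination 203.0.113.5 are constructed values standing in for the placeholders above.

```python
"""Model of how an ASA class-map that matches an access-list decides which
clients receive 'set connection per-client-max 24'.  Added example, not from
the thread.  The ACL entries are the ones proposed above; 'excludedhostiphere'
is replaced by the constructed host 192.168.50.10."""
import ipaddress

# Constructed ACL in ASA order: first matching entry wins, implicit deny at the end.
LIMIT_CONN_ACL = [
    ("deny",   "host 192.168.50.10",          "any"),
    ("permit", "192.168.50.0 255.255.255.0",  "any"),
]

def parse_addr(spec: str) -> ipaddress.IPv4Network:
    """Translate ASA address syntax ('any', 'host A.B.C.D', 'NET MASK') to a network."""
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.IPv4Network(spec.split()[1] + "/32")
    net, mask = spec.split()
    return ipaddress.IPv4Network(f"{net}/{mask}")

def acl_matches(acl, src: str, dst: str) -> bool:
    """First-match evaluation: a matching deny, or the implicit deny at the end,
    means the flow is NOT classified into the class-map (so no limit is applied)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_spec, dst_spec in acl:
        if s in parse_addr(src_spec) and d in parse_addr(dst_spec):
            return action == "permit"
    return False

def per_client_max(acl, src: str, dst: str = "203.0.113.5"):
    """Return 24 if the flow falls into class CONNS, else None (unlimited)."""
    return 24 if acl_matches(acl, src, dst) else None

if __name__ == "__main__":
    # Correct order: excluded host and the upper /24 are unlimited, rest of 192.168.50.0/24 capped.
    for host in ("192.168.50.10", "192.168.50.20", "192.168.51.20"):
        print(host, "->", per_client_max(LIMIT_CONN_ACL, host))
    # Wrong order (permit before deny): the deny is never reached, so the
    # supposedly excluded host is still limited.
    print("permit-first:", per_client_max(list(reversed(LIMIT_CONN_ACL)), "192.168.50.10"))
```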
Author Comment

by:eskirvin
ID: 23658370
Very nice! After making my post, I thought about it and did just as you said with the deny statement. For the port forwarding, what does that mean for security? If you look at the config, is there anything else you would suggest? Thank you very much for your help thus far, it is very much appreciated.
Assisted Solution

by:Alan Huseyin Kayahan
Alan Huseyin Kayahan earned 2000 total points
ID: 23658638
"For the port forwarding, what does that mean for security? "
Now a service, or an application on your manager's computer is open to the internet. That means a hacker or a bot configured by a hacker on the internet can scan your firewall's ports, can see that 8181 is bound to an application or service that is currently listening. It is open to penetration. And if this application, say the WoW Update manager, contains a vulnerability, the hacker exploits it, and gains access to your manager's computer. That risk will exist only when that specific service or application on the manager's computer is running and in listening state for port 8181. Chances are pretty low, but just in case, keep that application up-to-date, apply its patches.
Config looks fine, but there are some extra lines such as

access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable

ASA is a stateful device that can inspect the traffic, know the originator/initiator of the traffic, and automatically allow the return traffic of it. Do the following modification

no access-list 100 extended permit icmp any any echo-reply
no access-list 100 extended permit icmp any any time-exceeded
no access-list 100 extended permit icmp any any unreachable

policy-map global_policy
    class inspection_default
         inspect icmp

Regards
Author Closing Comment

by:eskirvin
ID: 31547298
Thank you very much for your help. I appreciate you taking the time to explain your answers and provide such thorough solutions.