
ASA 5510, Policy Maps, Class Maps, and Access-Lists!

eskirvin asked
Last Modified: 2012-05-06
I'd like to fine tune my company's ASA5510 a bit, but I am not very familiar with policy maps, class maps, or ACLs. I've attached my configuration below. The IP addresses have been massaged a bit, but I should be able to follow any instructions after decrypting the comments. I'd like to accomplish the following things:

1) I've limited the numbers of connections per client to 24 to combat torrents, but I only want that limit to occur on half of my subnet, 192.168.50.4 - .255, and not on the rest of it from 192.168.51.0 - .255, with a network of 192.168.50.0/23. The idea is that I'll assign problem users the earlier IP addresses, with non-offenders in the upper ranges. If I can see the concept, I'll manipulate it to suit my actual circumstances.

2) If I have a user, or users, that needs a particular port, 8181 for example, how do I forward that through the firewall if port 8181 is needed for communication with a patch server?

3) Please look over the config and offer any suggestions for improvements. We do have problems with email attachments at times, of which I have heard rumors that some type of ICMP might be at fault.
hostname xxxx-xxxx
enable password xxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxx encrypted
names
!
interface Ethernet0/0
 description Outside Interface to Public Network, Gateway = 34.74.67.254
 nameif Public
 security-level 0
 ip address 34.74.67.1 255.255.255.252
!
interface Ethernet0/1
 description Inside Interface to Private Network
 nameif Private
 security-level 50
 ip address 192.168.50.1 255.255.254.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
ftp mode passive
clock timezone AST 3
dns domain-lookup Public
dns domain-lookup Private
dns server-group DefaultDNS
 name-server xxx.xxx.xxx.xxx
 name-server xxx.xxx.xxx.xxx
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable
access-list www_traffic extended permit tcp any any eq www
pager lines 24
logging enable
logging asdm-buffer-size 512
logging asdm informational
mtu Public 1500
mtu Private 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
global (Public) 1 interface
nat (Private) 1 192.168.50.0 255.255.254.0
access-group 100 in interface Public
route Public 0.0.0.0 0.0.0.0 34.74.67.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
url-server (Private) vendor websense host 192.168.50.2 timeout 30 protocol TCP version 4 connections 30
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server community xxxxxxxxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
dhcpd ping_timeout 750
!
dhcpd address 192.168.51.0-192.168.51.254 Private
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface Private
dhcpd enable Private
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map CONNS
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class CONNS
  set connection per-client-max 24
  set connection timeout tcp 0:15:00 dcd
!
service-policy global_policy global



CERTIFIED EXPERT
Top Expert 2007
Commented:
Hello eskirvin,

class-map CONNS
 match any

With the above statement, you make the traffic matching on which you are going to take action under the policy-map. Your action under the policy-map for the CONNS class is to limit per-client-max connections to 24. But your traffic matches "any" traffic!
So you have to define an ACL that traffic matching occurs on, like the following:

access-list limit_conn extended permit ip 192.168.50.0 255.255.255.0 any

then,

class-map CONNS
 no match any
 match access-list limit_conn

Please explain issue #2 (forwarding) in detail

Regards

Author

Commented:
Detail for number 2 is as follows:

One of our senior level managers plays WoW, but since putting the firewall in place, he doesn't download patches as fast anymore. When I find out which port, or ports, is needed, I want to be able to forward it through the firewall for better performance. He is playing this on our morale network during his offtime which is fine. We are located in Kuwait in the middle of the desert, so morale activities are pretty important.

Author

Commented:
For your explanation of number 1, first, thank you very much :-) Second, is there a way to exclude single ip addresses from the match or should it be done for a range as per your explanation?
CERTIFIED EXPERT
Top Expert 2007
Commented:
static (Private,Public) tcp interface 8181 yourmanagersiphere 8181
access-list 100 extended permit tcp any interface Public eq 8181

Above is for your manager. And below for exclusion:

access-list limit_conn extended deny ip host excludedhostiphere any
access-list limit_conn extended permit ip 192.168.50.0 255.255.255.0 any

The deny statement for exclusion must take place before the permit statement.
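The two answers on question 1 rely on ASA's first-match evaluation of the limit_conn ACL: the class-map selects traffic that hits a permit entry, and a deny placed in front of the permit carves a host out of the class. The following Python script is an added example, not code from this thread; it parses only the subset of ASA ACL syntax used above and uses constructed addresses (192.168.50.9 as the excluded host) to show which sources would receive the per-client limit, and what happens if the deny is listed after the permit.

```python
"""
Added example (not from the original thread): a small first-match evaluator
for ASA-style extended ACL entries, used to check how the 'limit_conn' ACL
selects traffic for the CONNS class-map.

Only the subset of the ASA syntax used in the thread is parsed:
  access-list NAME [extended] {permit|deny} ip SRC any
where SRC is 'host A.B.C.D', 'NET MASK', or 'any'.
The host and network values below are constructed placeholders.
"""
import ipaddress


def _parse_src(tokens):
    """Return an ip_network for the source field and the tokens that follow it."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA access-lists use a subnet mask here, not an IOS wildcard mask
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(lines):
    """Parse ACE lines into (name, action, src_network) tuples, in config order."""
    aces = []
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        name = tokens[1]
        rest = tokens[2:]
        if rest[0] == "extended":      # keyword is optional when typed in
            rest = rest[1:]
        action, proto = rest[0], rest[1]
        if proto != "ip":
            raise ValueError(f"unsupported protocol in this example: {proto}")
        src, _ = _parse_src(rest[2:])
        aces.append((name, action, src))
    return aces


def matches_class(aces, acl_name, src_ip):
    """
    First-match evaluation: the first ACE whose source contains src_ip decides.
    For 'match access-list' in a class-map only a 'permit' hit selects the
    traffic; a 'deny' hit, or no hit at all (implicit deny), leaves it out.
    """
    ip = ipaddress.ip_address(src_ip)
    for name, action, src in aces:
        if name == acl_name and ip in src:
            return action == "permit"
    return False


# Constructed ACL in the order the answer recommends: deny before permit.
LIMIT_CONN_OK = [
    "access-list limit_conn extended deny ip host 192.168.50.9 any",
    "access-list limit_conn extended permit ip 192.168.50.0 255.255.255.0 any",
]
# Same entries with the order reversed: the deny can never be reached.
LIMIT_CONN_WRONG_ORDER = list(reversed(LIMIT_CONN_OK))


def limited(acl_lines, src_ip):
    """True if src_ip would fall into class CONNS and get the per-client limit."""
    return matches_class(parse_acl(acl_lines), "limit_conn", src_ip)


if __name__ == "__main__":
    for ip in ("192.168.50.9", "192.168.50.77", "192.168.51.20"):
        print(ip, "limited:", limited(LIMIT_CONN_OK, ip),
              "| with deny after permit:", limited(LIMIT_CONN_WRONG_ORDER, ip))
```

Running it shows the excluded host and the whole 192.168.51.0/24 half of the /23 stay unlimited while 192.168.50.77 is limited; with the entries swapped the excluded host is limited anyway, which is the ordering point made in the answer.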

Author

Commented:
Very nice! After making my post, I thought about it and did just as you said with the deny statement. For the port forwarding, what does that mean for security? If you look at the config, is there anything else you would suggest? Thank you very much for your help thus far, it is very much appreciated.
CERTIFIED EXPERT
Top Expert 2007
Commented:
"For the port forwarding, what does that mean for security?"

Now a service, or an application, on your manager's computer is open to the internet. That means a hacker, or a bot configured by a hacker on the internet, can scan your firewall's ports and can see that 8181 is bound to an application or service that is currently listening. It is open to penetration. And if this application, say the WoW update manager, contains a vulnerability, the hacker exploits it and gains access to your manager's computer. That risk will exist only when that specific service or application on the manager's computer is running and in a listening state for port 8181. Chances are pretty low, but just in case, keep that application up-to-date and apply its patches.

Config looks fine, but there are some extra lines such as

access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable

ASA is a stateful device that can inspect the traffic, know the originator/initiator of the traffic, and automatically allow the return traffic for it. Do the following modification:

no access-list 100 extended permit icmp any any echo-reply
no access-list 100 extended permit icmp any any time-exceeded
no access-list 100 extended permit icmp any any unreachable

policy-map global_policy
 class inspection_default
  inspect icmp

Regards
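To make the stateful point above concrete, here is an added Python example (not code from this thread, and not a reproduction of the ASA inspection engine) that models what ICMP inspection tracks: an outbound echo request opens a session, a matching echo reply or an ICMP error quoting that request is admitted, and anything unsolicited is dropped with no explicit ACE. The 2-second idle timeout comes from the `timeout conn ... icmp 0:00:02` line in the posted config; the addresses, identifiers and timestamps are constructed.

```python
"""
Added example (not from the original thread): a simplified model of stateful
ICMP inspection, showing why static 'permit icmp any any echo-reply /
time-exceeded / unreachable' entries are unnecessary once 'inspect icmp'
tracks the sessions. Illustration only, not the ASA's implementation.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

ICMP_IDLE_TIMEOUT = 2.0          # seconds, from 'timeout conn ... icmp 0:00:02'
ECHO_REPLY, UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11


@dataclass
class Icmp:
    src: str
    dst: str
    type: int
    ident: int = 0                                   # echo identifier
    inner: Optional[Tuple[str, str, int]] = None     # (orig src, orig dst, ident)
                                                     # quoted inside ICMP errors


class IcmpInspector:
    """Keeps a table of outbound echo requests and admits only their return traffic."""

    def __init__(self):
        self.sessions = {}   # (inside_ip, outside_ip, ident) -> last-seen time

    def _expire(self, now):
        self.sessions = {k: t for k, t in self.sessions.items()
                         if now - t <= ICMP_IDLE_TIMEOUT}

    def outbound(self, pkt, now):
        """Private -> Public: echo requests create state; all outbound traffic passes."""
        self._expire(now)
        if pkt.type == ECHO_REQUEST:
            self.sessions[(pkt.src, pkt.dst, pkt.ident)] = now
        return True

    def inbound(self, pkt, now):
        """Public -> Private: admitted only if it belongs to a live session."""
        self._expire(now)
        if pkt.type == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.ident)      # reply mirrors the request
        elif pkt.type in (UNREACHABLE, TIME_EXCEEDED) and pkt.inner:
            key = pkt.inner                          # error quotes the original packet
        else:
            return False
        if key not in self.sessions:
            return False                             # unsolicited: dropped
        if pkt.type == ECHO_REPLY:
            del self.sessions[key]                   # one request, one reply
        return True


def demo():
    """Constructed exchange: a host on the Private side pings a Public host."""
    fw = IcmpInspector()
    inside, outside, router = "192.168.50.77", "203.0.113.10", "198.51.100.1"
    results = {}
    fw.outbound(Icmp(inside, outside, ECHO_REQUEST, ident=0x1234), now=0.0)
    results["reply_to_our_ping"] = fw.inbound(
        Icmp(outside, inside, ECHO_REPLY, ident=0x1234), now=0.5)
    results["unsolicited_reply"] = fw.inbound(
        Icmp(outside, inside, ECHO_REPLY, ident=0x9999), now=0.6)
    fw.outbound(Icmp(inside, outside, ECHO_REQUEST, ident=0x1235), now=1.0)
    results["ttl_expired_on_path"] = fw.inbound(
        Icmp(router, inside, TIME_EXCEEDED, inner=(inside, outside, 0x1235)), now=1.2)
    results["reply_after_idle_timeout"] = fw.inbound(
        Icmp(outside, inside, ECHO_REPLY, ident=0x1235), now=4.0)
    return results


if __name__ == "__main__":
    for name, admitted in demo().items():
        print(f"{name:26s} {'admitted' if admitted else 'dropped'}")
```

The time-exceeded case is why the original `permit icmp any any time-exceeded` entry existed: the error comes from an intermediate router, not the host that was pinged, so only a tracker that reads the quoted original packet can admit it without a blanket permit.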

Author

Commented:
Thank you very much for your help. I appreciate you taking the time to explain your answers and provide such thorough solutions.