Solved

Cisco ASA 5510 Firewall Rules

Posted on 2009-04-06
Last Modified: 2013-11-22
I have a Cisco 5510 firewall and need some advice on configuration. I have plenty of protection for outside coming in, but only the two implicit default rules for inside going out.  I played around with blocking IP addresses from accessing the internet and succeeded, but obviously the implicit rules go away and I need to create an allow any any in order for it to work. Is the allow any any the SAME as the implicit allow any to any lesser secured network?  I would love to block a whole chunk of IPs from accessing the outside world, but I don't want to create security holes in the process.  Also, what are some ideas for other rules for my users going to the outside world? It seems like having these two default rules still won't protect a user from establishing a communication to an unwanted source.  One last question: there is an option for direction for each of the inside and outside rule sets; could I have an example in which you would utilize this?
Question by:dennisjameshoward
6 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24076761
The "permit ip any any" is the same as the implicit permit any.  They both provide the same functionality.

>Also, what are some ideas for other rules for my users going to the outside world? It seems like having these two default rules still won't protect a user from establishing a communication to an unwanted source.

I prefer to whitelist certain ports that users are allowed to access.  This should help against P2P and other applications that are undesired.  Adding a proxy server with content filtering is a nice addition to protect users from visiting malicious sites but this is in addition to the Firewall itself.

>One last question: there is an option for direction for each of the inside and outside rule sets; could I have an example in which you would utilize this?

You could apply an access-list outbound on the inside interface if you had a number of DMZ's on the Firewall and wanted to add a second level of protection from DMZ to inside.

For example:

If you allowed your DMZ hosts HTTP access to "any" destination, this would allow HTTP to the inside hosts as well from the DMZ.  You can make sure you put a deny to the inside subnets prior to the HTTP any rule in the DMZ access-list or you can use the outbound list on the inside to negate "misconfigurations".
 
LVL 10

Expert Comment

by:atlas_shuddered
ID: 24079282
Jfred - I'd like to add a couple of things, sorry if it steps on your answer.

dennis -
In regards to the in and out rules, in your example, the traffic from DMZ to Inside would be denied implicitly if the security level on the Inside is higher than that of the DMZ.  In that case, an inbound rule would have to be set on the Inside interface to allow the traffic in.  The reasoning for in and outbound rules you list I agree with, but the use is more intentional, conditioned on the security level of the interfaces interacting.  Each ruleset (inside/outside/dmz and in/out) is applied independently without regard to any previous rules the traffic may have encountered.  The caveat: any any rules work best with traffic moving from a higher interface to a lower and are best left out of the mix when moving from lower to higher.

Beyond this, when looking at your rulesets approach them from the perspective of using inbound rules to deny traffic being unnecessarily processed.  In other words, identify the objects/ports/protocols that you want to allow and then kill everything else with deny any any log.  This way, what has to go can and what isn't going is killed prior to being processed.  The logging will help you with troubleshooting.  Regarding the interface out rules, use these as your filters/leak guards and traffic controls in response to any any or broad allow statements on other, higher security levelled interfaces.

Beyond this, utilizing the proxy can be a good idea, however, it may be worthwhile to consider licensing the content filtering abilities on the ASA itself.  Another item of interest I have seen recently is OpenDNS, a free DNS service which you can sub in for your outside/ISP resolvers.  You may want to check this out as well and see if it will work for you.

Hope it helps

Cheers
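The following ASA configuration fragment is an added illustration of the points made by JFrederick29 and atlas_shuddered above; it is not taken from either comment or from the asker's firewall. The interface names, security levels and subnets (inside 192.168.1.0/24, DMZ 172.16.10.0/24, a blocked block at 192.168.1.64/26, and a DNS resolver at 192.0.2.53) are assumed for the example.

```cisco
! Assumed interface layout (placeholder values, not the asker's config)
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/2
 nameif dmz
 security-level 50

! Inbound ACL on "inside": once applied, the implicit permit to lower-security
! interfaces is gone, so everything users may do must be listed explicitly.
! Order matters: the ASA stops at the first matching line.
access-list inside_access_in remark Block one chunk of hosts (192.168.1.64-127) from leaving at all
access-list inside_access_in extended deny ip 192.168.1.64 255.255.255.192 any log
access-list inside_access_in remark Whitelist of ports the remaining users may use (JFrederick29's approach)
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 host 192.0.2.53 eq domain
access-list inside_access_in remark Explicit final deny with logging (atlas_shuddered's approach);
access-list inside_access_in remark the ASA already denies implicitly, "log" makes the drops visible
access-list inside_access_in extended deny ip any any log
access-group inside_access_in in interface inside

! Inbound ACL on "dmz": the deny to the inside subnet must precede the
! "permit tcp ... any eq www" line, otherwise "any" includes inside hosts.
access-list dmz_access_in extended deny ip 172.16.10.0 255.255.255.0 192.168.1.0 255.255.255.0 log
access-list dmz_access_in extended permit tcp 172.16.10.0 255.255.255.0 any eq www
access-list dmz_access_in extended deny ip any any log
access-group dmz_access_in in interface dmz

! Outbound ACL on "inside" (the "direction" option): traffic leaving the ASA
! towards inside hosts is checked again here, so a future mistake in
! dmz_access_in cannot reach inside hosts. This is the second-level guard.
access-list inside_access_out extended deny ip 172.16.10.0 255.255.255.0 any log
access-list inside_access_out extended permit ip any any
access-group inside_access_out out interface inside
```

After applying the lists, `show access-list` prints a per-line hit count, which is the counter the asker later notices on the explicit permit ip any any line.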
 

Author Comment

by:dennisjameshoward
ID: 24086604
So basically if I were to deny one IP address and allow any any, this will be EXACTLY the same as the implicit allow to any lesser network, BUT with this one blocked IP?
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24086663
Yes.  Correct.
 

Author Comment

by:dennisjameshoward
ID: 24086854
Thanks, it made me nervous because, testing this, I saw tons of hits for the allow any any rule, and before with the implicit rule I saw none.  The hits must not show for the default, but they ARE really there.
 
LVL 43

Accepted Solution

by:JFrederick29 (earned 500 total points)
ID: 24086947
Correct again.  You will see hits on the explicit permit ip any any rule but they aren't visible for the implicit permit rule.  Functionally they are the same.
