Solved

Configuration advice on ASA 5510

Posted on 2010-11-19
11
334 Views
Last Modified: 2012-05-10
Hi There,

I have purchased an ASA 5510 and am currently configuring the device in a lab environment. I have a few questions please.

1) When the outside interface is configured as level 0 , what ports are blocked ?

2) I have a student VLAN set up and I need to restrict them as much as I can, including access to P2P applications. Is it good practice for the student VLAN to have it at security level 0?

3) I have set up a few access lists for the student VLAN and wanted to know if you can group them in the form of an object. Below are the access lists.

4) Is it best to apply "ip access-group 105 in" for the student VLAN? I have attached the network diagram that I'm working on.

#################################################
access-list 105 permit udp any any range bootps bootpc
access-list 105 permit ip 10.10.50.0 0.0.0.255 host 10.10.30.2
access-list 105 permit ip 10.10.50.0 0.0.0.255 host 10.10.30.9
access-list 105 permit ip 10.10.50.0 0.0.0.255 host 10.10.30.4
access-list 105 permit ip host 10.10.50.2 any
access-list 105 permit ip host 10.10.50.5 any
access-list 105 deny tcp any any eq www log
access-list 105 deny tcp any any eq 3389
access-list 105 deny tcp any any eq 110
access-list 105 deny tcp any any eq 25
access-list 105 deny tcp any any eq telnet
access-list 105 deny tcp any any eq 5050
access-list 105 deny tcp any any eq 5190
access-list 105 deny tcp any any eq 1214
access-list 105 deny udp  any any eq 1214
access-list 105 deny tcp any any eq 4661
access-list 105 deny tcp any any eq 4672
access-list 105 deny udp any any eq 4661
access-list 105 deny udp any any eq 4662
access-list 105 deny tcp any any eq 6257
access-list 105 deny tcp any any eq 6699
access-list 105 deny udp any any eq 6257
access-list 105 deny udp any any eq 6699
access-list 105 deny udp any any eq 6346
access-list 105 deny udp any any eq 6347
access-list 105 deny udp any any eq 6348
access-list 105 deny tcp any any eq 6346
access-list 105 deny tcp any any eq 6347
access-list 105 deny tcp any any eq 6348
#################################################



Many Thanks

Network.pdf
Question by:MCP200
11 Comments
 
LVL 17

Expert Comment

by:Kvistofta
ID: 34178805
1) By default all traffic is blocked from a higher security level to a lower. So inbound from a security 0 interface everything is blocked until you apply an access-list. Then that access-list controls what is allowed and not.

2) The most common solution is to have security 0 on the internet interface, which is normally the least secure interface. But the digit is not that important, since nowadays everybody applies access lists on all interfaces and then the security level doesn't control what is allowed and not any more.

3) You can delete all denies because there is always an implicit (invisible) deny any any at the end of all access lists. If it isn't allowed it is denied.

best regards
Kvistofta
0
 

Author Comment

by:MCP200
ID: 34178945
Thanks for the prompt reply,

In relation to your response with regards to Q3,
I understand by default there is an implicit (invisible) deny any any at the end of all access lists, but what if you're trying to block a certain subnet from inside to another subnet in the network? Surely the above ACL will be needed?

Many Thanks



0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 34179271
Yes. Let me re-phrase myself. If your ACL consists of first a bunch of permits, and then a bunch of denies, your denies are unnecessary.

Let's say that you have a DMZ with an inbound ACL. If you wanna just permit that DMZ to go out to a specific host on either another "inside" interface or on the internet, you would simply do:

permit tcp any host 1.2.3.4 eq 80

Everything else except www traffic to 1.2.3.4 will be denied by the implicit deny. If you instead want to allow the DMZ to www to the internet but not to your internal host you need to do like this:

deny tcp any <your internal net> eq 80
permit tcp any any eq 80

ACLs like these need to be built with the most specific/granular statements in the beginning, and the broader catch-all statements at the end.

Let's say that your DMZ needs to be able to browse to one single host on the inside but not the rest of that inside network. Still it needs to be allowed to browse to the internet:

permit tcp any <inside web-server> eq 80
deny tcp any <inside network> eq 80
permit tcp any any eq 80
(and an implicit deny ip any any)

Another way to put it: as soon as you deny anything (except the implicit deny) anywhere in your ACL, the ordering is highly important. If you only specify permit statements, the ordering is irrelevant, because a packet will either be permitted by one of the permits or it will hit the implicit deny.

Does it make sense or am I just confusing you?

/Kvistofta
0
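As an added illustration of the first-match rule and the implicit deny described in this answer (example code written for this page, not from the thread or from Cisco): a small evaluator that walks an ACL in the thread's own notation line by line and returns the first matching entry. The DMZ example uses constructed addresses in place of the placeholders, and only destination ports are modelled (an assumption of this example).

```python
import ipaddress

# Named ports used in the thread's access-list 105 (assumed IOS/ASA keyword values).
PORT_NAMES = {"www": 80, "telnet": 23, "bootps": 67, "bootpc": 68, "smtp": 25}

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _match_addr(t, i, ip):
    """Match one address term at t[i]: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'
    (the wildcard-mask notation the thread uses). Returns (matched, next index)."""
    if t[i] == "any":
        return True, i + 1
    if t[i] == "host":
        return ip == ipaddress.ip_address(t[i + 1]), i + 2
    net, wild = (int(ipaddress.ip_address(x)) for x in t[i:i + 2])
    return (int(ip) | wild) == (net | wild), i + 2   # compare only the bits the wildcard does not mask

def _match_port(t, i, port):
    """Match an optional destination-port term ('eq N' / 'range A B'); none means any port."""
    if i >= len(t) or t[i] not in ("eq", "range"):
        return True
    if t[i] == "eq":
        return port == _port(t[i + 1])
    return _port(t[i + 1]) <= port <= _port(t[i + 2])

def evaluate(acl, proto, src, dst, dport):
    """First-match evaluation with the implicit 'deny ip any any' at the end.
    Returns (action, matching line). Destination ports only (assumption); trailing 'log' is ignored."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        t = line.split()
        if t[0] == "access-list":        # strip the 'access-list 105' prefix when present
            t = t[2:]
        action, aproto = t[0], t[1]
        if aproto != "ip" and aproto != proto:
            continue
        ok_src, i = _match_addr(t, 2, src)
        ok_dst, i = _match_addr(t, i, dst)
        if ok_src and ok_dst and _match_port(t, i, dport):
            return action, line
    return "deny", "implicit deny ip any any"

# The thread's RDP example, and the same two lines with the order swapped.
RDP_ACL = ["access-list 105 deny tcp 10.10.50.0 0.0.0.255 any eq 3389",
           "access-list 105 permit tcp any any eq 3389"]
RDP_ACL_SWAPPED = RDP_ACL[::-1]
# The three-line DMZ example above, with constructed addresses standing in for the placeholders.
DMZ_ACL = ["permit tcp any host 10.10.30.9 eq 80",
           "deny tcp any 10.10.30.0 0.0.0.255 eq 80",
           "permit tcp any any eq 80"]
```

With the permit placed first in RDP_ACL_SWAPPED the deny line can never match, which is the ordering point made above.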
 

Author Comment

by:MCP200
ID: 34179327
Kvistofta thanks for the reply,

I think I understand what you mean. For example,

if I want to deny RDP from the student VLAN I would do this:

access-list 105 deny tcp 10.10.50.0 0.0.0.255 any eq 3389
access-list 105 permit tcp any any eq 3389

would you apply it inbound or outbound?

Sorry, I'm rusty when it comes to ACLs.

Thanks
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 34179340
Yes, you are right.

Whether you apply them inbound or outbound doesn't really matter. But for simplicity I try to always apply ACLs inbound on each interface. I think it is the most common way to do it.

/Kvistofta
0
 

Author Comment

by:MCP200
ID: 34179379
Kvistofta,

So this means for every deny statement it must end with a permit statement?

For example


access-list 105 deny tcp 10.10.50.0 0.0.0.255 any eq 5050
access-list 105 permit tcp any any eq 5050

access-list 105 deny tcp 10.10.50.0 0.0.0.255 any eq 21
access-list 105 permit tcp any any eq 21


Do you have any recommendation in terms of port blocking for the student network to the internet?


I'll set up some ACLs in the lab and see how I go.



Much appreciated


0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 34179437
Not necessary. Your example above can be rearranged like this:

object-group service ALLOWED-PORTS-tcp tcp
 port-object eq 80
 port-object eq 443
!

access-list 105 deny tcp 10.10.50.0 0.0.0.255 any eq 5050
access-list 105 deny tcp 10.10.50.0 0.0.0.255 any eq 21
access-list 105 permit tcp any any object-group ALLOWED-PORTS-tcp

When you say "must", I would rather say "it is most common to". Remember, most specific on top, general lines at the end. If any two ACL lines don't have anything in common (source, destination, protocol), their order in relation to each other doesn't matter.

Regarding port blocking for students to the internet, you need to first get a legal policy for usage. Which ports to block is not a technical question but a political decision. In my part of the world (Sweden) students expect any internet connection to be totally unfiltered. But I know that others here would say that you must for example block outgoing SMTP. I try to stay out of political/ethical questions and stick to the technologies. :-)

/Kvistofta
0
 

Author Comment

by:MCP200
ID: 34181567
Hi Kvistofta,


I tested the below ACL in my test lab and I applied the ACL inbound.
I was still able to RDP to another PC in the 10.10.50.0 network. Does it mean it won't block RDP from the same source subnet and only to other destinations?


access-list 105 deny tcp 10.10.50.0 0.0.0.255 any eq 3389
access-list 105 permit tcp any any eq 3389


Thanks Mate
0
 
LVL 17

Accepted Solution

by:
Kvistofta earned 500 total points
ID: 34182162
Traffic between two hosts in the same subnet goes directly from host to host without touching any router (in your case the firewall). This is one of the fundamentals of TCP/IP, and if you need to protect traffic between hosts there are numerous solutions for that, but all of them require some kind of topology change in your network.

/Kvistofta
0
 

Author Comment

by:MCP200
ID: 34182356
Thanks mate,

Kvistofta, one more thing: if you're setting up site to site between two sites using ASAs, does it require special configuration to allow the remote site to access the HQ site?

In 1841 series routers, to be able to ping devices on different subnets, I had to specify "zone-member security in-zone" to be able to ping devices from the other site. Does the same thing apply with the ASA?

Also, can I post questions directly to you?

Many Thanks

0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 34182379
This is a completely different question. Close this and open a new one and you will get help.

/Kvistofta
0
