Solved

Configuration advice on ASA 5510

Posted on 2010-11-19
11
341 Views
Last Modified: 2012-05-10
Hi There,

I have purchased an ASA 5510 and am currently configuring the device in a lab environment. I have a few questions, please.

1) When the outside interface is configured as level 0, what ports are blocked?

2) I have a student vlan set up and I need to restrict them as much as I can, including access to p2p applications. Is it good practice for the student vlan to have it at security level 0?

3) I have set up a few access lists for the student vlan and wanted to know if you can group them in the form of an object. Below are the access lists.

4) Is it best to apply ip access-group 105 in for the student vlan? I have attached the network diagram that I'm working on.

#################################################
access-list 105 permit udp any any range bootps bootpc
access-list 105 permit ip 10.10.50.0 0.0.0.255 host 10.10.30.2
access-list 105 permit ip 10.10.50.0 0.0.0.255 host 10.10.30.9
access-list 105 permit ip 10.10.50.0 0.0.0.255 host 10.10.30.4
access-list 105 permit ip host 10.10.50.2 any
access-list 105 permit ip host 10.10.50.5 any
access-list 105 deny tcp any any eq www log
access-list 105 deny tcp any any eq 3389
access-list 105 deny tcp any any eq 110
access-list 105 deny tcp any any eq 25
access-list 105 deny tcp any any eq telnet
access-list 105 deny tcp any any eq 5050
access-list 105 deny tcp any any eq 5190
access-list 105 deny tcp any any eq 1214
access-list 105 deny udp any any eq 1214
access-list 105 deny tcp any any eq 4661
access-list 105 deny tcp any any eq 4672
access-list 105 deny udp any any eq 4661
access-list 105 deny udp any any eq 4662
access-list 105 deny tcp any any eq 6257
access-list 105 deny tcp any any eq 6699
access-list 105 deny udp any any eq 6257
access-list 105 deny udp any any eq 6699
access-list 105 deny udp any any eq 6346
access-list 105 deny udp any any eq 6347
access-list 105 deny udp any any eq 6348
access-list 105 deny tcp any any eq 6346
access-list 105 deny tcp any any eq 6347
access-list 105 deny tcp any any eq 6348
#################################################



Many Thanks

Network.pdf
0
Comment
Question by:MCP200
11 Comments
 
LVL 17

Expert Comment

by:Kvistofta
ID: 34178805
1) By default all traffic is blocked from a lower security level to a higher one. So inbound from a security 0 interface everything is blocked until you apply an access-list. Then that access-list controls what is allowed and what is not.

2) The most common solution is to have security 0 on the internet interface, which is normally the least secure interface. But the digit is not that important, since nowadays everybody applies access lists on all interfaces and then the security level doesn't control what is allowed any more.

3) You can delete all the denies because there is always an implicit (invisible) deny any any at the end of every access list. If it isn't allowed, it is denied.

best regards
Kvistofta
0
 

Author Comment

by:MCP200
ID: 34178945
Thanks for the prompt reply,

In relation to your response with regards to Q3,
I understand that by default there is an implicit (invisible) deny any any at the end of every access list, but what if you're trying to block a certain subnet from inside to another subnet in the network? Surely the above acl will be needed?

Many Thanks



0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 34179271
Yes. Let me re-phrase myself. If your acl consists of first a bunch of permits, and then a bunch of denies, your denies are unnecessary.

Let's say that you have a dmz with an inbound acl. If you want to just permit that dmz to go out to a specific host on either another "inside" interface or on the internet, you would simply do:

permit tcp any host 1.2.3.4 eq 80

Everything else except www traffic to 1.2.3.4 will be denied by the implicit deny. If you instead want to allow the dmz to browse the internet but not your internal host, you need to do it like this:

deny tcp any <your internal net> eq 80
permit tcp any any eq 80

ACLs like these need to be built with the most specific/granular statements at the beginning, and the broader catch-all statements at the end.

Let's say that your dmz needs to be able to browse to one single host on the inside but not the rest of that inside network. It still needs to be allowed to browse the internet:

permit tcp any <inside web-server> eq 80
deny tcp any <inside network> eq 80
permit tcp any any eq 80
(and an implicit deny ip any any)

Another way to put it: as soon as you deny anything (except the implicit deny) anywhere in your acl, the ordering is highly important. If you only specify permit statements, the ordering is irrelevant, because a packet will either be permitted by one of the permits or it will hit the implicit deny.

Does it make sense or am I just confusing you?

/Kvistofta
0

 

Author Comment

by:MCP200
ID: 34179327
Kvistofta thanks for the reply,

I think I understand what you mean. For example:

If I want to deny rdp from the student vlan I would do this

access-list 105 deny tcp 10.10.50.0 0.0.0.255 any eq 3389
access-list 105 permit tcp any any eq 3389

would you apply it inbound or outbound?

Sorry, I'm rusty when it comes to ACLs.

Thanks
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 34179340
Yes, you are right.

Whether you apply them inbound or outbound doesn't really matter. But for simplicity I try to always apply ACLs inbound on each interface. I think it is the most common way to do it.

/Kvistofta
0
 

Author Comment

by:MCP200
ID: 34179379
Kvistofta,

So this means that for every deny statement, it must end with a permit statement?

For example


access-list 105 deny tcp 10.10.50.0 0.0.0.255 any eq 5050
access-list 105 permit tcp any any eq 5050

access-list 105 deny tcp 10.10.50.0 0.0.0.255 any eq 21
access-list 105 permit tcp any any eq 21


Do you have any recommendation in terms of port blocking for the student network to the internet?

I'll set up some acls in the lab and see how I go.



Much appreciated


0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 34179437
Not necessary. Your example above can be rearranged like this:

object-group service ALLOWED-PORTS-tcp tcp
 port-object eq 80
 port-object eq 443
!

access-list 105 deny tcp 10.10.50.0 0.0.0.255 any eq 5050
access-list 105 deny tcp 10.10.50.0 0.0.0.255 any eq 21
access-list 105 permit tcp any any object-group ALLOWED-PORTS-tcp

When you say "must", I would rather say "it is most common to". Remember, most specific on top, general lines at the end. If any two acl lines don't have anything in common (source, destination, protocol), their order in relation to each other doesn't matter.

Regarding port blocking for students to the internet, you need to first get a legal policy for usage. Which ports to block is not a technical question but a political decision. In my part of the world (Sweden) students expect any internet connection to be totally unfiltered. But I know that others here would say that you must, for example, block outgoing SMTP. I try to stay out of political/ethical questions and stick to the technologies. :-)

/Kvistofta
0
 

Author Comment

by:MCP200
ID: 34181567
Hi Kvistofta,


I tested the below acl in my test lab and I applied the acl inbound.
I was still able to rdp to another pc in the 10.10.50.0 network. Does it mean it won't block rdp within the same source subnet and only to other destinations?


access-list 105 deny tcp 10.10.50.0 0.0.0.255 any eq 3389
access-list 105 permit tcp any any eq 3389


Thanks Mate
0
 
LVL 17

Accepted Solution

by:
Kvistofta earned 500 total points
ID: 34182162
Traffic between two hosts in the same subnet goes directly from host to host without touching any router (in your case the firewall). This is one of the fundamentals of tcp/ip, and if you need to protect traffic between hosts there are numerous solutions for that, but all of them require some kind of topology change in your network.

/Kvistofta
0
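The following is an added illustration, not part of the thread and not Cisco code, of the two points Kvistofta makes above: that an access list is evaluated top-down with first match wins and an implicit "deny ip any any" at the end (so ordering matters once explicit denies appear), and that same-subnet traffic never transits the firewall, so no interface ACL can see it. It reuses the 10.10.50.0/24 student subnet and the two-line RDP ACL from the lab test; the individual host addresses are constructed, and "x.x.x.x 0.0.0.255" is read as an IOS-style wildcard mask, exactly as it was typed in the thread.

```python
"""Added illustration (not from the thread): first-match ACL evaluation plus the
same-subnet forwarding check. Host addresses are constructed sample values."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")
STUDENT_NET = ipaddress.IPv4Network("10.10.50.0/24")   # student vlan from the thread


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """'10.10.50.0 0.0.0.255' -> 10.10.50.0/24 (an IOS wildcard is the inverted netmask)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp" or "udp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-list entry, covering the subset of syntax used in the thread."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None means any destination port

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.IPv4Address(p.src) not in self.src:
            return False
        if ipaddress.IPv4Address(p.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == p.dport


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    return wildcard_to_network(tok[i], tok[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N {permit|deny} proto <src> <dst> [eq port]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line}")
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Ace(tok[2], tok[3], src, dst, dport)


def parse_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(line) for line in lines]


def evaluate(acl: List[Ace], p: Packet) -> str:
    """Top-down, first match wins; a packet matching nothing hits the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


def transits_firewall(p: Packet, subnet: ipaddress.IPv4Network) -> bool:
    """A host only hands a packet to its gateway when the destination is off its own
    subnet; with both ends inside `subnet` the frame goes host-to-host."""
    src_in = ipaddress.IPv4Address(p.src) in subnet
    dst_in = ipaddress.IPv4Address(p.dst) in subnet
    return not (src_in and dst_in)


def decide(acl: List[Ace], p: Packet, subnet: ipaddress.IPv4Network) -> str:
    """What actually happens to the packet: 'permit', 'deny' or 'not inspected'."""
    if not transits_firewall(p, subnet):
        return "not inspected"
    return evaluate(acl, p)


# The two-line ACL from the lab test above, and the same two lines swapped.
STUDENT_RDP_ACL = parse_acl([
    "access-list 105 deny tcp 10.10.50.0 0.0.0.255 any eq 3389",
    "access-list 105 permit tcp any any eq 3389",
])
SWAPPED_ACL = list(reversed(STUDENT_RDP_ACL))

if __name__ == "__main__":
    student_to_server = Packet("10.10.50.20", "10.10.30.2", "tcp", 3389)   # constructed
    other_to_server = Packet("10.10.40.20", "10.10.30.2", "tcp", 3389)     # constructed
    student_to_student = Packet("10.10.50.20", "10.10.50.7", "tcp", 3389)  # constructed
    for name, acl in (("as written", STUDENT_RDP_ACL), ("swapped", SWAPPED_ACL)):
        for p in (student_to_server, other_to_server, student_to_student):
            print(f"{name:10} {p.src} -> {p.dst}:{p.dport}  {decide(acl, p, STUDENT_NET)}")
```

Running it shows the three outcomes the thread discusses: the student host is denied RDP to the server while a host on another subnet is permitted, swapping the two lines lets the student through because the broad permit now matches first, and the student-to-student RDP that "still worked" in the lab is reported as not inspected, since the firewall never sees it.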
 

Author Comment

by:MCP200
ID: 34182356
Thanks mate,

Kvistofta, one more thing: if you're setting up site-to-site between two sites using ASAs, does it require special configuration to allow the remote site to access the HQ site?

On 1841 series routers, to be able to ping devices on different subnets I had to specify "zone-member security in-zone" to be able to ping devices from the other site. Does the same thing apply with the ASA?

Also, can I post questions directly to you?

Many Thanks

0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 34182379
This is a completely different question. Close this and open a new one and you will get help.

/Kvistofta
0
