ACL help with Cisco ASA 8.4

steno1122
Hi Experts,
I’m having a big issue with ACLs on a Cisco ASA running 8.4.  In a nutshell, the ACLs currently in place are causing a huge security hole.  I’m not sure how to fix it.

We need ACLs that allow all of our DMZ servers to be able to access the Internet via ports 80 and 443.  We also have a group of FTP servers that need to connect outbound.  We added the ACLs below, which accomplish the task.  What I just discovered is that while the DMZ servers can get to the Internet via ports 80 and 443, they can also get to any server on the internal network that has ports 80 and 443 open!!  

access-list DMZ_access_in extended permit tcp object-group DMZ_Servers any eq https
access-list DMZ_access_in extended permit tcp object-group DMZ_Servers any eq www
access-list DMZ_access_in extended permit tcp object-group FTP_Servers any range ftp-data ftp

I’ve worked a lot with versions 6 and 7 of the operating systems for the PIX and ASA but I’m new to the 8.4 world.  In older versions the ACLs above would work perfectly.  Since the inside interface is at a higher security level, traffic from the DMZ couldn’t access the internal network unless specific ACLs and static entries were made.  By using an “any” in an ACL it would automatically send traffic outbound to the lower security interface.  In the 8.4 world it seems “any” means in any direction, both to the Internet and the internal network.  Obviously this is a huge problem and my attempts thus far to fix it haven’t worked.

I’ve tried the ACL below but it doesn’t work.  The DMZ servers can’t access anything on the Internet via port 80

access-list DMZ_access_in extended permit tcp object-group DMZ_Servers interface outside eq www

Could someone tell me what I am doing wrong?  I just want the traffic to go out, not in.  The security level of the inside interface is obviously 100. The DMZ is set for 50.  I have no idea why this traffic is able to access the internal network.  HELP!

Thanks for any assistance.


Robert Sutton Jr, Senior Network Manager

Commented:
Can you post a sanitized copy of your current running config?

And with the latter of your ACLs above, I'm assuming you're missing the following:

access-group DMZ_access_in in interface outside
Top Expert 2011

Commented:
Where did you apply these access-lists?

Communication from DMZ (security level 50) to Outside (security level 0) is allowed by default (from a higher level to a lower one) and you don't need to configure access-lists to enable Internet access. All you need is NAT, and that's it.

If you applied these access-lists to your DMZ interface, then it would allow communication from DMZ to Inside (security level 100), from lower level security interface to higher. By default such traffic is blocked, but you have access-lists to permit it.

Author

Commented:
Hi Warlock,
Thanks for the quick reply.  The following access-group entries are in the config

access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
access-group outside_access_in in interface outside

Everything is working except for the big security hole caused by the ACL.  I ran the Packet Tracer tool and it is specifically using the ACLs mentioned in my first post to access the internal network.

I would prefer to post snippets of the config instead of the whole thing.  The config is huge and it would take me quite a while to sanitize it.  Also, I know there are co-workers that use Experts-Exchange and I'd rather they don't see the config on-line or know of this problem just yet.  We have been running the 8.4 version for about a month.  While I'm not the only one in charge of the firewalls I could certainly see losing my job over this (and maybe I should).  Regardless of what happens, I need to get this fixed ASAP.  If there are specific areas of the config you would like to see then let me know and I'll post them.

Thanks!

Author

Commented:
fqasimzade,,

We use ACLs to control outbound traffic.  We only want the servers to access the internet via ports 80 and 443.  All other outbound traffic is blocked.

As I previously mentioned, I'm used to the older PIX/ASA versions where the ACLs in my initial post worked perfectly.

Is there a way to restrict outbound traffic in 8.4 without using ACLs?

Thanks!

Top Expert 2011

Commented:
Well, your access-list applied to DMZ interface does permit communication to Inside hosts and it has nothing to do with permitting DMZ hosts to the outside world.

Author

Commented:
fqasimzade,

So are you are saying the fix is the same as what Warlock mentioned and change the access-group from

access-group DMZ_access_in in interface DMZ
to
access-group DMZ_access_in in interface outside

Will the dozens of ACLs that are currently in place to allow traffic from the DMZ to specific hosts/ports in the internal network be unaffected by this change?

Robert Sutton Jr, Senior Network Manager

Commented:
Ok, then please post the DMZ interface segment, all associated DMZ ACLs, and the access-group entries.
It would help us help you better if you could post the entire config in a text file back here, since we truly cannot understand what your inside net looks like or the ACLs associated with it, and the NATing that attributes it. Do you have static NATs in place for your DMZ (i.e. (DMZ,Outside))?
Top Expert 2011

Commented:
No, no, look, if you need to allow traffic from DMZ to Inside hosts, you write an access-list to permit a host from DMZ to Inside and apply it to your DMZ interface. You have to do it because your DMZ interface security level is lower than Inside. For example, if you need to allow traffic from Inside to DMZ, you need to do nothing because traffic from a higher level interface to a lower level one is allowed by default.

If you remove these lines:

access-list DMZ_access_in extended permit tcp object-group DMZ_Servers any eq https
access-list DMZ_access_in extended permit tcp object-group DMZ_Servers any eq www
access-list DMZ_access_in extended permit tcp object-group FTP_Servers any range ftp-data ftp


and check, you would still have access to the Internet (in case you don't have deny any any in DMZ_access_in) and no access to Inside.

Author

Commented:
fqasimzade,
I understand that removing the entries will allow the servers to access the Internet, but we need to restrict what the servers can access outbound.  The servers can only access http and https outbound, that's it.  Removing the ACLs would resolve the inbound security issue but it won't restrict outbound communication, which is a requirement.  This was super simple in versions prior to 8.3.  I don't know why it is more difficult now.

Warlock,
I'll see what I can do to give you sanitized version of the DMZ interface segment.
Top Expert 2011

Commented:
Oh, I see now. You can configure access lists to deny inbound communication as well: either add deny statements to the existing dmz-access-in access-list, or add deny statements to inside-access-in.

Author

Commented:
fqasimzade,
Sorry to be a pain, but could you give me an example of using deny statements with the ACLs in my initial post?  

The ASA should implicitly deny any traffic that isn't specifically permitted via an ACL.  I would assume there should be a way to use the same ACLs but not allow the traffic back to the internal network.  Again, all of my knowledge is prior to 8.3.  I've been reading Cisco's 8.4 guide but it isn't much help.
Top Expert 2011
Commented:
Well, it would be something like this:

access-list DMZ_access_in extended deny tcp object-group DMZ_Servers 192.168.1.0 255.255.255.0 eq www

where 192.168.1.0 is your inside network.
Also make sure this line comes before your permit statements. If you want to deny all traffic, not just www, edit the line accordingly.
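As an added example that is not part of the thread, here is one way to lay out DMZ_access_in on 8.4 so the permits with `any` still give the DMZ servers Internet access while the inside networks are excluded. The inside subnets 192.168.1.0/24 and 10.10.0.0/16, the object-group name INSIDE_NETS, the "existing" per-host rule to 192.168.1.50, the DMZ host 10.50.0.10, the inside host 192.168.1.20 and the Internet host 203.0.113.10 are all assumptions; DMZ_Servers and FTP_Servers are the object-groups from the original post. Two ASA facts drive the layout: an ACL is evaluated top-down and processing stops at the first matching entry, so the deny toward the inside networks must sit above any permit whose destination is `any`; and 8.3 and later no longer require a NAT translation for traffic from a lower to a higher security interface, so nothing other than the ACL stops an `any` destination from matching inside hosts. Any per-host permits from the DMZ to specific inside servers that must keep working stay above the deny. The `interface outside` rule tried in the question does not help because the `interface` keyword in an ACE matches the firewall's own interface address, not traffic leaving through that interface.

```cisco
! Added example, not from the thread. Addresses and INSIDE_NETS are assumptions.
object-group network INSIDE_NETS
 network-object 192.168.1.0 255.255.255.0
 network-object 10.10.0.0 255.255.0.0
!
! 1) Specific DMZ -> inside exceptions first (assumed example of the existing
!    per-host rules; keep whatever rules of this kind are already in place).
access-list DMZ_access_in extended permit tcp object-group DMZ_Servers host 192.168.1.50 eq 1433
!
! 2) Then block everything else from the DMZ toward the inside networks.
!    This must come BEFORE the "any" permits, because the first match wins.
!    Use "line N" to insert above entries that already exist, e.g.
!    access-list DMZ_access_in line 2 extended deny ip object-group DMZ_Servers object-group INSIDE_NETS
access-list DMZ_access_in extended deny ip object-group DMZ_Servers object-group INSIDE_NETS log
access-list DMZ_access_in extended deny ip object-group FTP_Servers object-group INSIDE_NETS log
!
! 3) Now the outbound permits from the original post. "any" still includes the
!    inside subnets, but those packets were already denied in step 2.
access-list DMZ_access_in extended permit tcp object-group DMZ_Servers any eq https
access-list DMZ_access_in extended permit tcp object-group DMZ_Servers any eq www
access-list DMZ_access_in extended permit tcp object-group FTP_Servers any range ftp-data ftp
!
! 4) Explicit catch-all so the outbound restriction is visible in hit counts.
access-list DMZ_access_in extended deny ip any any log
!
! Bind inbound on the DMZ interface, exactly as the thread already does.
access-group DMZ_access_in in interface DMZ
!
! Verification (assumed addresses): the first trace must end in DROP at the
! ACL phase, the second must end in ALLOW.
packet-tracer input DMZ tcp 10.50.0.10 40000 192.168.1.20 80
packet-tracer input DMZ tcp 10.50.0.10 40000 203.0.113.10 80
show access-list DMZ_access_in
```

ACL names on the ASA are case-sensitive, so the deny entries have to be added to DMZ_access_in with the same spelling as the existing entries, or they end up in a separate, unbound list. After adding the lines, `show access-list DMZ_access_in` prints the entries in evaluation order with hit counts, which is the quickest way to confirm the deny sits above the `any` permits and is actually being hit.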
