Solved

ACL help with Cisco ASA 8.4

Posted on 2011-09-02
Last Modified: 2012-05-12
Hi Experts,
I’m having a big issue with ACLs on a Cisco ASA running 8.4.  In a nutshell, the ACLs currently in place are causing a huge security hole.  I’m not sure how to fix it.

We need ACLs that allow all of our DMZ servers to be able to access the Internet via ports 80 and 443.  We also have a group of FTP servers that need to connect outbound.  We added the ACLs below, which accomplish the task.  What I just discovered is that while the DMZ servers can get to the Internet via ports 80 and 443, they can also get to any server on the internal network that has ports 80 and 443 open!!

access-list DMZ_access_in extended permit tcp object-group DMZ_Servers any eq https
access-list DMZ_access_in extended permit tcp object-group DMZ_Servers any eq www
access-list DMZ_access_in extended permit tcp object-group FTP_Servers any range ftp-data ftp

I’ve worked a lot with versions 6 and 7 of the operating systems for the PIX and ASA, but I’m new to the 8.4 world.  In older versions the ACLs above would work perfectly.  Since the inside interface is at a higher security level, traffic from the DMZ couldn’t access the internal network unless specific ACLs and static entries were made.  By using an “any” in an ACL it would automatically send traffic outbound to the lower security interface.  In the 8.4 world it seems “any” means in any direction, both to the Internet and the internal network.  Obviously this is a huge problem, and my attempts thus far to fix it haven’t worked.

I’ve tried the ACL below, but it doesn’t work.  The DMZ servers can’t access anything on the Internet via port 80.

access-list DMZ_access_in extended permit tcp object-group DMZ_Servers interface outside eq www

Could someone tell me what I am doing wrong?  I just want the traffic to go out, not in.  The security level of the inside interface is obviously 100. The DMZ is set for 50.  I have no idea why this traffic is able to access the internal network.  HELP!

Thanks for any assistance.


Question by:steno1122

12 Comments
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 36472891
Can you post a sanitized copy of your current running config?

And with the latter of your ACLs above, I'm assuming you're missing the following:

access-group DMZ_access_in in interface outside
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36472914
Where did you apply these access-lists?

Communication from DMZ (security level 50) to Outside (security level 0) is allowed by default (from a higher level to lower), and you don't need to configure access-lists to enable Internet access. All you need is NAT, and that's it.

If you applied these access-lists to your DMZ interface, then it would allow communication from DMZ to Inside (security level 100), from lower level security interface to higher. By default such traffic is blocked, but you have access-lists to permit it.
 

Author Comment

by:steno1122
ID: 36472942
Hi Warlock,
Thanks for the quick reply.  The following access-group entries are in the config:

access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
access-group outside_access_in in interface outside

Everything is working except for the big security hole caused by the ACL.  I ran the Packet Tracer tool and it is specifically using the ACLs mentioned in my first post to access the internal network.

I would prefer to post snippets of the config instead of the whole thing.  The config is huge and it would take me quite a while to sanitize it.  Also, I know there are co-workers that use Experts-Exchange and I'd rather they don't see the config on-line or know of this problem just yet.  We have been running the 8.4 version for about a month.  While I'm not the only one in charge of the firewalls I could certainly see losing my job over this (and maybe I should).  Regardless of what happens, I need to get this fixed ASAP.  If there are specific areas of the config you would like to see then let me know and I'll post them.

Thanks!
 

Author Comment

by:steno1122
ID: 36472961
fgasimzade,

We use ACLs to control outbound traffic.  We only want the servers to access the internet via ports 80 and 443.  All other outbound traffic is blocked.

As I previously mentioned, I'm used to the older PIX/ASA versions, where the ACLs in my initial post worked perfectly.

Is there a way to restrict outbound traffic in 8.4 without using ACLs?

Thanks!

 
LVL 18

Expert Comment

by:fgasimzade
ID: 36472978
Well, your access-list applied to the DMZ interface does permit communication to Inside hosts, and it has nothing to do with permitting DMZ hosts to the outside world.
 

Author Comment

by:steno1122
ID: 36473023
fgasimzade,

So are you saying the fix is the same as what Warlock mentioned, and to change the access-group from

access-group DMZ_access_in in interface DMZ
to
access-group DMZ_access_in in interface outside

Will the dozens of ACLs that are currently in place to allow traffic from the DMZ to specific hosts/ports in the internal network be unaffected by this change?

 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 36473051
Ok, then please post the DMZ interface segment, all associated DMZ ACLs, and the access-group entries.
It would help us help you better if you could post the entire config in a text file back here, since we truly cannot understand what your inside net looks like or the ACLs associated with it, and the NATing that attributes to it. Do you have static NATs in place for your DMZ (i.e. (DMZ,Outside))?
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36473061
No, no, look: if you need to allow traffic from DMZ to Inside hosts, you write an access-list to permit a host from DMZ to Inside and apply it to your DMZ interface. You have to do it because your DMZ interface security level is lower than Inside. For example, if you need to allow traffic from Inside to DMZ, you need to do nothing, because traffic from a higher level interface to a lower level is allowed by default.

If you remove these lines:

access-list DMZ_access_in extended permit tcp object-group DMZ_Servers any eq https
access-list DMZ_access_in extended permit tcp object-group DMZ_Servers any eq www
access-list DMZ_access_in extended permit tcp object-group FTP_Servers any range ftp-data ftp
and check, you would still have access to the Internet (in case you don't have deny any any in DMZ_access_in) and no access to Inside.
 

Author Comment

by:steno1122
ID: 36473114
fgasimzade,
I understand that removing the entries will allow the servers to access the Internet, but we need to restrict what the servers can access outbound.  The servers can only access http and https outbound, that's it.  Removing the ACLs would resolve the inbound security issue, but it won't restrict outbound communication, which is a requirement.  This was super simple in versions prior to 8.3.  I don't know why it is more difficult now.

Warlock,
I'll see what I can do to give you sanitized version of the DMZ interface segment.
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36473138
Oh, I see now. You can configure access lists to deny inbound communication as well: you can either add deny statements to the existing DMZ_access_in access-list or add deny statements to inside_access_in.
 

Author Comment

by:steno1122
ID: 36473187
fgasimzade,
Sorry to be a pain, but could you give me an example of using deny statements with the ACLs in my initial post?

The ASA should implicitly deny any traffic that isn't specifically permitted via an ACL.  I would assume there should be a way to use the same ACLs but not allow the traffic back to the internal network.  Again, all of my knowledge is prior to 8.3.  I've been reading Cisco's 8.4 guide but it isn't much help.
 
LVL 18

Accepted Solution

by:
fgasimzade earned 500 total points
ID: 36473411
Well, it would be something like this:

access-list DMZ_access_in extended deny tcp object-group DMZ_Servers 192.168.1.0 255.255.255.0 eq www

where 192.168.1.0 is your inside network. Also make sure this line comes before your permit statements. If you want to deny all traffic, not just www, edit the line accordingly.
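To make the accepted answer concrete, here is a small model of how an ASA evaluates an inbound interface ACL, written for this thread rather than taken from any of the posters or from Cisco: ACEs are matched top-down, the first match wins, anything unmatched hits the implicit deny, and once an ACL is bound to an interface it replaces the security-level default for traffic entering that interface, whichever interface the packet leaves by. That is why "any" in DMZ_access_in reaches the inside hosts, why removing the ACL (fgasimzade's earlier comment) restores the level-based behaviour, and why the deny line must sit above the permits. The DMZ_Servers membership, the 192.168.1.0/24 inside prefix from the answer, the security levels, the destination addresses and the flows are constructed assumptions; the model ignores NAT, source ports and object-group services.

```python
"""Model of ASA inbound-ACL evaluation, added for this thread (not the posters'
or Cisco's code). First matching ACE wins, implicit deny at the end, and an ACL
bound to an interface replaces the security-level default for traffic entering it.
Addressing, object-group members and flows below are constructed assumptions."""
import ipaddress
import re

OBJECT_GROUPS = {  # constructed membership
    "DMZ_Servers": [ipaddress.ip_network("172.16.10.0/24")],
    "FTP_Servers": [ipaddress.ip_network("172.16.10.50/32")],
}
SECURITY_LEVEL = {"inside": 100, "DMZ": 50, "outside": 0}
CONNECTED = {  # destination prefix -> egress interface; anything else is outside
    "inside": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ": ipaddress.ip_network("172.16.10.0/24"),
}
PORT_NAMES = {"www": 80, "https": 443, "ftp-data": 20, "ftp": 21}
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+tcp\s+(.*)$")


def port_num(tok):
    return PORT_NAMES.get(tok) or int(tok)


def parse_addr(tok, i):
    """Parse one ASA address term at tok[i]; return (networks, next index)."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "object-group":
        return OBJECT_GROUPS[tok[i + 1]], i + 2
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1] + "/32")], i + 2
    # dotted address followed by dotted netmask, e.g. 192.168.1.0 255.255.255.0
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)], i + 2


def parse_ports(tok, i):
    """Optional destination port term: eq X, range A B, or nothing (all ports)."""
    if i < len(tok) and tok[i] == "eq":
        p = port_num(tok[i + 1])
        return (p, p)
    if i < len(tok) and tok[i] == "range":
        return (port_num(tok[i + 1]), port_num(tok[i + 2]))
    return (0, 65535)


def parse_acl(text):
    """ACEs in configuration order as (action, src_nets, dst_nets, (lo, hi))."""
    aces = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported line: {line}")
        tok = m.group(3).split()
        srcs, i = parse_addr(tok, 0)
        dsts, i = parse_addr(tok, i)
        aces.append((m.group(2), srcs, dsts, parse_ports(tok, i)))
    return aces


def egress_interface(dst):
    for name, net in CONNECTED.items():
        if dst in net:
            return name
    return "outside"


def acl_decision(aces, src, dst, dport):
    """Top-down, first match wins; an unmatched packet hits the implicit deny."""
    for action, srcs, dsts, (lo, hi) in aces:
        if any(src in n for n in srcs) and any(dst in n for n in dsts) and lo <= dport <= hi:
            return action
    return "deny"


def permitted(ingress, aces, src, dst, dport):
    """aces is None when no ACL is bound inbound on the ingress interface: the
    security-level rule then applies (higher to lower allowed, lower to higher denied).
    With an ACL bound, the ACL alone decides, regardless of the egress interface."""
    if aces is not None:
        return acl_decision(aces, src, dst, dport) == "permit"
    return SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress_interface(dst)]


# The three ACEs from the question, unchanged.
ORIGINAL_ACL = """
access-list DMZ_access_in extended permit tcp object-group DMZ_Servers any eq https
access-list DMZ_access_in extended permit tcp object-group DMZ_Servers any eq www
access-list DMZ_access_in extended permit tcp object-group FTP_Servers any range ftp-data ftp
"""
# Accepted answer, widened to all TCP ports as it suggests, placed before the permits.
INSIDE_DENY = "access-list DMZ_access_in extended deny tcp object-group DMZ_Servers 192.168.1.0 255.255.255.0\n"
FIXED_ACL = INSIDE_DENY + ORIGINAL_ACL
DENY_LAST_ACL = ORIGINAL_ACL + INSIDE_DENY  # same deny, but after the permits


def evaluate(acl_text):
    """Three constructed flows from one DMZ server; returns {flow: permitted?}."""
    aces = parse_acl(acl_text) if acl_text is not None else None
    src = ipaddress.ip_address("172.16.10.10")
    flows = {
        "web_out": (ipaddress.ip_address("203.0.113.10"), 443),   # Internet host
        "inside_web": (ipaddress.ip_address("192.168.1.20"), 80),  # inside host
        "inside_ssh": (ipaddress.ip_address("192.168.1.20"), 22),
    }
    return {name: permitted("DMZ", aces, src, dst, port) for name, (dst, port) in flows.items()}


if __name__ == "__main__":
    for label, acl in [("original", ORIGINAL_ACL), ("deny first", FIXED_ACL),
                       ("deny last", DENY_LAST_ACL), ("no ACL bound", None)]:
        print(f"{label:>13}: {evaluate(acl)}")
```

The original ACL and the deny-last variant both permit the inside web flow, the deny-first ACL blocks it while leaving Internet web access intact, and with no ACL bound the security levels alone give the same result fgasimzade described. On the real firewall the equivalent check is the packet-tracer command the asker already used, one run per flow (for example `packet-tracer input DMZ tcp 172.16.10.10 1025 192.168.1.20 80`, with the addresses being this example's constructed ones), before and after inserting the deny line.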

Question has a verified solution.