Solved

ACL help with Cisco ASA 8.4

Posted on 2011-09-02
995 Views
Last Modified: 2012-05-12
Hi Experts,
I’m having a big issue with ACLs on a Cisco ASA running 8.4.  In a nutshell, the ACLs currently in place are causing a huge security hole.  I’m not sure how to fix it.

We need ACLs that allow all of our DMZ servers to be able to access the Internet via ports 80 and 443.  We also have a group of FTP servers that need to connect outbound.  We added the ACLs below, which accomplish the task.  What I just discovered is that while the DMZ servers can get to the Internet via ports 80 and 443, they can also get to any server on the internal network that has ports 80 and 443 open!!

access-list DMZ_access_in extended permit tcp object-group DMZ_Servers any eq https
access-list DMZ_access_in extended permit tcp object-group DMZ_Servers any eq www
access-list DMZ_access_in extended permit tcp object-group FTP_Servers any range ftp-data ftp

I’ve worked a lot with versions 6 and 7 of the operating systems for the PIX and ASA, but I’m new to the 8.4 world.  In older versions the ACLs above would work perfectly.  Since the inside interface is at a higher security level, traffic from the DMZ couldn’t access the internal network unless specific ACLs and static entries were made.  By using an “any” in an ACL it would automatically send traffic outbound to the lower security interface.  In the 8.4 world it seems “any” means in any direction, both to the Internet and the internal network.  Obviously this is a huge problem, and my attempts thus far to fix it haven’t worked.

I’ve tried the ACL below but it doesn’t work.  The DMZ servers can’t access anything on the Internet via port 80.

access-list DMZ_access_in extended permit tcp object-group DMZ_Servers interface outside eq www

Could someone tell me what I am doing wrong?  I just want the traffic to go out, not in.  The security level of the inside interface is obviously 100. The DMZ is set for 50.  I have no idea why this traffic is able to access the internal network.  HELP!

Thanks for any assistance.


Question by:steno1122
LVL 15

Expert Comment

by:The_Warlock
ID: 36472891
Can you post a sanitized copy of your current running config?

And with the latter of your ACLs above, I'm assuming you're missing the following:

access-group DMZ_access_in in interface outside
LVL 18

Expert Comment

by:fgasimzade
ID: 36472914
Where did you apply these access-lists?

Communication from DMZ (security level 50) to Outside (security level 0) is allowed by default (from a higher level to lower) and you don't need to configure access-lists to enable Internet access. All you need is NAT, and that's it.

If you applied these access-lists to your DMZ interface, then it would allow communication from DMZ to Inside (security level 100), from lower level security interface to higher. By default such traffic is blocked, but you have access-lists to permit it.

Author Comment

by:steno1122
ID: 36472942
Hi Warlock,
Thanks for the quick reply.  The following access-group entries are in the config:

access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
access-group outside_access_in in interface outside

Everything is working except for the big security hole caused by the ACL.  I ran the Packet Tracer tool and it is specifically using the ACLs mentioned in my first post to access the internal network.

I would prefer to post snippets of the config instead of the whole thing.  The config is huge and it would take me quite a while to sanitize it.  Also, I know there are co-workers that use Experts-Exchange and I'd rather they don't see the config on-line or know of this problem just yet.  We have been running the 8.4 version for about a month.  While I'm not the only one in charge of the firewalls I could certainly see losing my job over this (and maybe I should).  Regardless of what happens, I need to get this fixed ASAP.  If there are specific areas of the config you would like to see then let me know and I'll post them.

Thanks!

Author Comment

by:steno1122
ID: 36472961
fgasimzade,

We use ACLs to control outbound traffic.  We only want the servers to access the Internet via ports 80 and 443.  All other outbound traffic is blocked.

As I previously mentioned, I'm used to the older PIX/ASA versions where the ACLs in my initial post worked perfectly.

Is there a way to restrict outbound traffic in 8.4 without using ACLs?

Thanks!

LVL 18

Expert Comment

by:fgasimzade
ID: 36472978
Well, your access-list applied to DMZ interface does permit communication to Inside hosts and it has nothing to do with permitting DMZ hosts to the outside world.

Author Comment

by:steno1122
ID: 36473023
fgasimzade,

So are you are saying the fix is the same as what Warlock mentioned and change the access-group from

access-group DMZ_access_in in interface DMZ
to
access-group DMZ_access_in in interface outside

Will the dozens of ACLs that are currently in place to allow traffic from the DMZ to specific hosts/ports in the internal network be unaffected by this change?

LVL 15

Expert Comment

by:The_Warlock
ID: 36473051
Ok, then please post the DMZ interface segment, all associated DMZ ACLs, and the access-group entries.
It would help us help you better if you could post the entire config in a text file back here, since we truly cannot understand what your inside net looks like or the ACLs associated with it, and the NAT that goes with it. Do you have static NATs in place for your DMZ (i.e. (DMZ,Outside))?
LVL 18

Expert Comment

by:fgasimzade
ID: 36473061
No, no, look, if you need to allow traffic from DMZ to Inside hosts, you write an access-list to permit a host from DMZ to Inside and apply it to your DMZ interface. You have to do it because your DMZ interface security level is lower than Inside. For example, if you need to allow traffic from Inside to DMZ, you need to do nothing because traffic from a higher level interface to a lower level is allowed by default.

If you remove these lines:

access-list DMZ_access_in extended permit tcp object-group DMZ_Servers any eq https
access-list DMZ_access_in extended permit tcp object-group DMZ_Servers any eq www
access-list DMZ_access_in extended permit tcp object-group FTP_Servers any range ftp-data ftp
and check, you would still have access to the Internet (in case you don't have deny any any in DMZ_access_in) and no access to Inside.

Author Comment

by:steno1122
ID: 36473114
fgasimzade,
I understand that removing the entries will allow the servers to access the Internet, but we need to restrict what the servers can access outbound.  The servers can only access http and https outbound, that's it.  Removing the ACLs would resolve the inbound security issue, but it won't restrict outbound communication, which is a requirement.  This was super simple in versions prior to 8.3.  I don't know why it is more difficult now.

Warlock,
I'll see what I can do to give you sanitized version of the DMZ interface segment.
LVL 18

Expert Comment

by:fgasimzade
ID: 36473138
Oh, I see now. You can configure access lists to deny inbound communication as well: you can either add deny statements to the existing DMZ_access_in access-list, or add deny statements to inside_access_in.

Author Comment

by:steno1122
ID: 36473187
fgasimzade,
Sorry to be a pain, but could you give me an example of using deny statements with the ACLs in my initial post?

The ASA should implicitly deny any traffic that isn't specifically permitted via an ACL.  I would assume there should be a way to use the same ACLs but not allow the traffic back to the internal network.  Again, all of my knowledge is prior to 8.3.  I've been reading Cisco's 8.4 guide but it isn't much help.
LVL 18

Accepted Solution

by:fgasimzade (earned 500 total points)
ID: 36473411
Well, it would be something like this:

access-list DMZ_access_in extended deny tcp object-group DMZ_Servers 192.168.1.0 255.255.255.0 eq www

where 192.168.1.0 is your inside network. Also make sure this line comes before your permit statements. If you want to deny all traffic, not just www, edit the line accordingly.
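The following is an added example, not configuration posted in the thread, showing what the accepted answer describes carried through for the whole DMZ_access_in list, with packet-tracer checks for both directions. It assumes the internal networks are 192.168.1.0/24 and 10.0.0.0/8, that 172.16.1.10 is a member of DMZ_Servers, that 192.168.1.20 is an internal web server, and that the existing specific DMZ-to-inside permits occupy lines 1-9 of the list; every one of those values is an assumption to be replaced with your own. Three points drive the layout. ASA ACLs are first-match, so a deny appended after the "any" permits would never be reached, and the deny must also sit below the specific DMZ-to-inside permits that are meant to keep working. Using "interface outside" as a destination, as tried in the question, matches only the outside interface's own address, not everything reachable through that interface, which is why it broke Internet access. And the reason the old lists behaved differently is that 8.3 removed the nat-control model: a flow from DMZ to inside no longer needs a matching static or nat 0 translation to be forwarded, so the interface ACL is the only thing deciding whether it passes.

```cisco
! Added example, not configuration from the thread. Addresses, object names
! other than DMZ_Servers/FTP_Servers/DMZ_access_in, and line numbers are
! assumptions; replace them with your own.
!
! Group the internal networks so one deny entry covers all of them.
object-group network INSIDE_NETS
 network-object 192.168.1.0 255.255.255.0
 network-object 10.0.0.0 255.0.0.0
!
! Look at the current order of the list: the specific DMZ->inside permits
! that must keep working have to stay above the deny inserted next.
show access-list DMZ_access_in
!
! Insert the denies directly above the first "any" permit (assumed to be
! line 10). First match wins, so these must precede the permits below.
access-list DMZ_access_in line 10 extended deny ip object-group DMZ_Servers object-group INSIDE_NETS log
access-list DMZ_access_in line 11 extended deny ip object-group FTP_Servers object-group INSIDE_NETS log
!
! Already in the running config; shown only so the final order is visible.
! With the denies above them, "any" now only reaches destinations outside
! INSIDE_NETS.
access-list DMZ_access_in extended permit tcp object-group DMZ_Servers any eq https
access-list DMZ_access_in extended permit tcp object-group DMZ_Servers any eq www
access-list DMZ_access_in extended permit tcp object-group FTP_Servers any range ftp-data ftp
!
! Explicit final deny so blocked attempts are logged instead of vanishing
! into the implicit deny.
access-list DMZ_access_in extended deny ip any any log
!
! Unchanged: the list stays bound inbound on the DMZ interface.
access-group DMZ_access_in in interface DMZ
!
! Verify: a DMZ server to an inside web server must now be dropped by the
! ACL phase (result: drop, ACL-DROP) ...
packet-tracer input DMZ tcp 172.16.1.10 40000 192.168.1.20 80
! ... and the same server to an Internet host must still be allowed
! (result: allow, egress interface outside).
packet-tracer input DMZ tcp 172.16.1.10 40000 198.51.100.10 443
```

If the inside network list changes later, only INSIDE_NETS needs editing; the ACL entries stay as they are. Running the two packet-tracer checks after any future edit to DMZ_access_in is the quickest way to confirm the deny is still above the "any" permits.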