Solved

ASA command help

Posted on 2013-05-13
336 Views
Last Modified: 2013-05-16
Hello,

So, a client's manager visited a sec con, and has now seen the light - he wants to block all traffic out of anywhere that's destined for them, and only allow US traffic. They've got ASA 5520s.

A little rusty in my ASA commands and logic, so asking the dumb questions...

Created the USA IP blocks list at www.countryipblocks.net (Yes, I realize that I have to keep checking and updating that list) and am planning on implementing the proper ACLs on the ASA. Thought I'd run it by the experts before I accidentally shoot myself in the foot.

So, I create an object group with the ~44k IPs from the list above.

object-group network USA-IPs
network-object ….1

network-object ….43531
exit

Then, I apply this ACL to only permit traffic from the USA-IPs group and deny the rest.

access-list OutsideACL permit ip object-group USA-IPs any
access-list OutsideACL deny ip any any

So far so good? Ok. Then:
1. Should I do anything else?
2. Did I break anything?
3. What happens to the close to 400 ACLs already in place? They don't reference anything out of the USA-IPs list.

Any help and/or guidance (in doing the right thing) will be appreciated.

Thanks.
0
Question by:netcmh
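Turning a country block export into the object-group described above is the tedious part of this plan, and an unaggregated list also matters for the box itself: the ASA expands each member of a referenced object-group into its own internal ACE (visible in `show access-list`), so 44k entries multiplied across every ACE that references the group adds up. The following is an added example, not code from the post or from Cisco, that parses such an export, collapses overlapping and adjacent prefixes, and renders the object-group in ASA syntax. The export format (one prefix per line, CIDR or "network mask", `#` comments), the SAMPLE_EXPORT contents (RFC 5737 documentation ranges) and the group name are assumptions; the real countryipblocks.net file format may differ.

```python
"""Build a Cisco ASA network object-group from a country IP block export.

Added example, not from the thread. The export format is assumed to be one
prefix per line, either CIDR ("192.0.2.0/24") or "network mask" form, with
optional '#' comments. SAMPLE_EXPORT is constructed from RFC 5737
documentation ranges and stands in for the ~44k-line USA list.
"""
import ipaddress


# Constructed stand-in for a countryipblocks.net export (not real data).
SAMPLE_EXPORT = """\
# comments and blank lines are ignored
192.0.2.0/24
192.0.2.0/25            # already covered by the /24 above
198.51.100.0/25         # these two halves merge into one /24
198.51.100.128/25
203.0.113.7/32
203.0.113.8 255.255.255.252
"""


def parse_line(line):
    """Return an IPv4Network for one export line, or None for blanks/comments."""
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    if "/" not in text:
        # "network mask" form -> CIDR; ip_network accepts a dotted mask after '/'
        network, mask = text.split()
        text = f"{network}/{mask}"
    return ipaddress.ip_network(text, strict=False)


def load_prefixes(export_text):
    """Parse an export and collapse it: drops duplicates and prefixes covered by
    a larger one, and merges adjacent aligned prefixes into a single entry.
    Fewer entries means fewer expanded ACEs on the ASA."""
    nets = [n for n in map(parse_line, export_text.splitlines()) if n is not None]
    return list(ipaddress.collapse_addresses(nets))


def network_object(net):
    """Render one prefix in ASA network-object syntax (host form for a /32)."""
    if net.prefixlen == net.max_prefixlen:
        return f" network-object host {net.network_address}"
    return f" network-object {net.network_address} {net.netmask}"


def render_object_group(name, nets):
    """Render the full object-group block ready to paste into config mode."""
    return "\n".join([f"object-group network {name}"] + [network_object(n) for n in nets])


def render_config(group_name, export_text):
    """Export text in, pasteable ASA configuration out."""
    return render_object_group(group_name, load_prefixes(export_text))


if __name__ == "__main__":
    print(render_config("USA-IPs", SAMPLE_EXPORT))
```

On the sample, six export lines collapse to four network-objects. Re-running the script on next month's export and diffing the output against the group as shown by `show running-config object-group` gives the add and remove lines for the update, which the ASA then propagates to every ACL that references the group.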
13 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39161123
It doesn't affect them. Each ACL can be used in a different way, e.g. NAT, VPN, QoS, etc. However, in most of the other cases it should be even more restrictive in nature. So I would audit the other ACLs to see how they are used, and if so I would create the necessary rules at the beginning of the ACL you need to modify.
0
 
LVL 20

Author Comment

by:netcmh
ID: 39161175
Meaning?

I'm sorry, but I'm not very well versed in managing an ASA... yet. :)
0
 
LVL 25

Accepted Solution

by:Cyclops3590 (earned 500 total points)
ID: 39161278
np.  keep asking if I'm still unclear.  will try another way to make it clearer.

Each ACL, access control list, is just a list of ACEs, access control entries. An ACE is just a statement that is used to see if a packet matches the defined statement or not. In your case you are looking at the source IP address and seeing if it matches anything in the US IPs object group you created. In the ACE, you also define some action (permit or deny). So you identify the traffic you want to match and determine the action to apply to that packet. An ACL will start at the top of the list and work its way down. Once a match is found it uses that action. If no match is found and it went through the entire ACL, then it will use the deny action (aka the implicit deny rule that is at the bottom of every ACL created).

Now comes the tricky part. An ACL just identifies traffic and determines the action. What that action actually means depends on how it is used. So if you apply an ACL to an interface, permit and deny mean whether a packet is allowed to go through the interface or not. If applied to NAT (network address translation), it means the packet information can get translated (permit) or not (deny). For QoS (quality of service) it means quality of service is applied to the packet (permit) or it isn't (deny). So where an ACL is applied determines the meaning of the actions permit and deny.

This is why I say it depends on how the other ACLs are used. As to what I meant by more restrictive, I just mean that fewer packets are expected to match an ACE with a permit action and more are meant to match the implicit deny rule/action. So you'd need to look at each ACL and see if the ACEs are written in a way to "permit" traffic for whatever purpose it's used for. If they are, then you may need to add some lines in the ACL to make it more restrictive to adhere to your need to block any non-US traffic.

hope this explains it better.
0
 
LVL 20

Author Comment

by:netcmh
ID: 39162770
So, let me see if I got this right.

I have these configured on one of the test boxes:

access-list OutsideIn extended permit tcp any host <SERVER> eq ssh
access-list OutsideIn extended permit tcp any host <SERVER> eq www
access-list OutsideIn extended permit tcp any host <SERVER> eq ftp
access-list OutsideIn extended permit tcp any host <SERVER> eq https
access-list OutsideIn extended permit tcp any host <SERVER> eq smtp
access-list OutsideIn extended permit tcp any host ServicePubIP eq https
access-list OutsideIn extended permit tcp object-group BServers host <SERVER> eq 3101
access-list OutsideIn extended permit tcp any host <ASA_EXT_IP> eq https
access-list OutsideIn extended permit icmp any host <SERVER>
access-list OutsideIn extended permit udp host ContractorIP host <SERVER> eq isakmp
access-list OutsideIn extended permit esp host ContractorIP host <SERVER>
access-list OutsideIn extended permit tcp host 108.X.X.X host <SERVER> eq ssh
access-list OutsideIn extended permit ip host 159.X.X.1 host <SERVER>
access-list OutsideIn extended permit ip host 169.X.X.1 host <SERVER>
access-list OutsideIn extended permit ip host 159.X.X.2 host <SERVER>
access-list OutsideIn extended permit ip host 159.X.X.3 host <SERVER>
access-list OutsideIn extended permit ip host 169.X.X.2 host <SERVER>
access-list OutsideIn extended permit ip host 169.X.X.3 host <SERVER>
access-list OutsideIn extended deny ip any any

So, all I do is this?

no access-list OutsideIn extended deny ip any any
access-list OutsideIn permit ip object-group USA-IPs any
access-list OutsideIn deny ip any any

& then, apply it to the interface?

access-group OutsideIn in interface outside

Your expert guidance is appreciated.

Thanks
0
 
LVL 25

Assisted Solution

by:Cyclops3590
Cyclops3590 earned 500 total points
ID: 39163296
Not quite. If you do that, you'll still have higher-up ACEs that will be processed first that match the source of "any" to certain services. You need to redo those with the "object-group USA-IPs" source. This should be used for any ACE that has an any for the source.

Also, unless you want to perform accounting for the deny ip any any ACE, you can actually leave it off. By default, if no ACE is matched, the packet being analyzed will automatically match the implicit deny rule and be denied.
0
 
LVL 20

Author Comment

by:netcmh
ID: 39164377
Thank you for both those points. I'm beginning to grasp the idea.

So, to recap, during an outage/maintenance window:

no access-list OutsideIn extended permit tcp any host <SERVER> eq ssh
no access-list OutsideIn extended permit tcp any host <SERVER> eq www
no access-list OutsideIn extended permit tcp any host <SERVER> eq ftp
no access-list OutsideIn extended permit tcp any host <SERVER> eq https
no access-list OutsideIn extended permit tcp any host <SERVER> eq smtp
no access-list OutsideIn extended permit tcp any host ServicePubIP eq https
no access-list OutsideIn extended permit tcp object-group BServers host <SERVER> eq 3101
no access-list OutsideIn extended permit tcp any host <ASA_EXT_IP> eq https
no access-list OutsideIn extended permit icmp any host <SERVER>
no access-list OutsideIn extended permit udp host ContractorIP host <SERVER> eq isakmp
no access-list OutsideIn extended permit esp host ContractorIP host <SERVER>
no access-list OutsideIn extended permit tcp host 108.X.X.X host <SERVER> eq ssh
no access-list OutsideIn extended permit ip host 159.X.X.1 host <SERVER>
no access-list OutsideIn extended permit ip host 169.X.X.1 host <SERVER>
no access-list OutsideIn extended permit ip host 159.X.X.2 host <SERVER>
no access-list OutsideIn extended permit ip host 159.X.X.3 host <SERVER>
no access-list OutsideIn extended permit ip host 169.X.X.2 host <SERVER>
no access-list OutsideIn extended permit ip host 169.X.X.3 host <SERVER>
no access-list OutsideIn extended deny ip any any

access-list OutsideIn extended permit tcp object-group USA-IPs host <SERVER> eq ssh
access-list OutsideIn extended permit tcp object-group USA-IPs host <SERVER> eq www
access-list OutsideIn extended permit tcp object-group USA-IPs host <SERVER> eq ftp
access-list OutsideIn extended permit tcp object-group USA-IPs host <SERVER> eq https
access-list OutsideIn extended permit tcp object-group USA-IPs host <SERVER> eq smtp
access-list OutsideIn extended permit tcp object-group USA-IPs host ServicePubIP eq https
access-list OutsideIn extended permit tcp object-group BServers host <SERVER> eq 3101
access-list OutsideIn extended permit tcp object-group USA-IPs host <ASA_EXT_IP> eq https
access-list OutsideIn extended permit icmp object-group USA-IPs host <SERVER>
access-list OutsideIn extended permit udp host ContractorIP host <SERVER> eq isakmp
access-list OutsideIn extended permit esp host ContractorIP host <SERVER>
access-list OutsideIn extended permit tcp host 108.X.X.X host <SERVER> eq ssh
access-list OutsideIn extended permit ip host 159.X.X.1 host <SERVER>
access-list OutsideIn extended permit ip host 169.X.X.1 host <SERVER>
access-list OutsideIn extended permit ip host 159.X.X.2 host <SERVER>
access-list OutsideIn extended permit ip host 159.X.X.3 host <SERVER>
access-list OutsideIn extended permit ip host 169.X.X.2 host <SERVER>
access-list OutsideIn extended permit ip host 169.X.X.3 host <SERVER>

access-group OutsideIn in interface outside

?

Thanks again for the granular amount of support you're providing me. I understand that you have a full time gig and I appreciate that you're still willing to take the time in guiding me.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39164404
No problem, glad to help out. It always makes it better when the person you're helping out ACTUALLY wants to learn something too. :)

Everything looks good now. Also, just FYI, when you add to or subtract from an object group it will automatically update the ACLs that use the changed object group.
0
 
LVL 20

Author Comment

by:netcmh
ID: 39164457
Cool. So, my monthly countryipblocks.net checks will require me to add to the network object group and it automatically updates the traffic ACLs. Nice!

Thanks again Cyclops3590.
0
 
LVL 20

Author Comment

by:netcmh
ID: 39166302
Cyclops3590: Sorry about this, but what about doing the opposite? Instead of allowing only from the US, what would need to change to deny traffic originating from 4 or 5 attacking countries?

Thanks
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39166327
Roughly the same thing, but easier. Create a network object group similar to what you did for the US IPs and then create a single ACE at the top of the ACL that denies from that object group. After that there is no need to reference that object group.

example

access-list OutsideIn extended deny ip object-group BAD_COUNTRIES any
access-list OutsideIn extended permit .....
access-list OutsideIn extended permit ...
......

Since the first ACE says to deny all IP packets with a source that matches anything defined in the BAD_COUNTRIES object group, it would just stop evaluating the ACL at that point if a match was found.
0
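The top-down, first-match behaviour explained in the accepted answer, the reason the appended USA-IPs rule in the earlier reply does not work, and the deny-first shortcut in the comment just above can all be checked with a small simulator. The following is an added example, not code from the thread or from Cisco: it parses the ACE forms used in this thread (any, host, object-group, network mask, optional `eq` port) and evaluates three constructed ACL orderings against SSH from a foreign and a US source. SERVER and the object-group contents are made-up RFC 5737/2544 addresses; the ACL names and ports are the ones used in the thread.

```python
"""First-match ACL evaluation, as a Cisco ASA applies it to an interface.

Added example, not from the thread. It models only what the thread's ACEs use
(action, protocol, source, destination, optional destination port) and runs
the three orderings the thread discusses against a constructed packet set.
SERVER and the object-group contents are made up (RFC 5737/2544 ranges).
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
SERVER = "198.18.0.10"
PORTS = {"ssh": 22, "ftp": 21, "smtp": 25, "www": 80, "https": 443}

# Constructed object groups standing in for the real country lists.
GROUPS = {
    "USA-IPs": ["192.0.2.0/24", "198.51.100.0/24"],
    "BAD_COUNTRIES": ["203.0.113.0/24"],
}


def parse_addr(toks, i):
    """Parse one address spec starting at toks[i]; return (networks, next index)."""
    tok = toks[i]
    if tok == "any":
        return [ANY], i + 1
    if tok == "host":
        return [ipaddress.ip_network(toks[i + 1])], i + 2
    if tok == "object-group":
        return [ipaddress.ip_network(p) for p in GROUPS[toks[i + 1]]], i + 2
    # plain "network mask" form
    return [ipaddress.ip_network(f"{tok}/{toks[i + 1]}", strict=False)], i + 2


def parse_ace(line):
    """access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]"""
    toks = line.split()
    i = 3 if toks[2] == "extended" else 2
    action, proto = toks[i], toks[i + 1]
    src, i = parse_addr(toks, i + 2)
    dst, i = parse_addr(toks, i)
    dport = None
    if i < len(toks) and toks[i] == "eq":
        port = toks[i + 1]
        dport = PORTS[port] if port in PORTS else int(port)
    return action, proto, src, dst, dport


def ace_matches(ace, proto, src_ip, dst_ip, dport):
    """An 'ip' ACE matches every protocol; a port-less ACE matches every port."""
    _, ace_proto, src, dst, ace_port = ace
    if ace_proto != "ip" and ace_proto != proto:
        return False
    if not any(src_ip in n for n in src) or not any(dst_ip in n for n in dst):
        return False
    return ace_port is None or ace_port == dport


def evaluate(acl, proto, src, dst, dport=None):
    """Walk the ACL top-down; return (action, matched line). A miss on every ACE
    is the implicit deny, reported with None as the matched line."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, proto, src_ip, dst_ip, dport):
            return ace[0], line
    return "deny", None


# 1. The first proposal in the thread: USA-IPs rule appended below an existing any-source ACE.
APPENDED = [
    f"access-list OutsideIn extended permit tcp any host {SERVER} eq ssh",
    "access-list OutsideIn extended permit ip object-group USA-IPs any",
]
# 2. The accepted fix: the any-source ACE itself rewritten to use the object-group.
REWRITTEN = [
    f"access-list OutsideIn extended permit tcp object-group USA-IPs host {SERVER} eq ssh",
]
# 3. The deny-list variant: one deny ACE at the top, the existing ACEs untouched.
DENY_FIRST = [
    "access-list OutsideIn extended deny ip object-group BAD_COUNTRIES any",
    f"access-list OutsideIn extended permit tcp any host {SERVER} eq ssh",
]


def outcomes():
    """SSH to SERVER from a foreign (203.0.113.5) and a US (192.0.2.9) source."""
    foreign, us = "203.0.113.5", "192.0.2.9"
    return {
        "appended/foreign": evaluate(APPENDED, "tcp", foreign, SERVER, 22)[0],    # permit: ACE 1 wins
        "appended/us": evaluate(APPENDED, "tcp", us, SERVER, 22)[0],
        "rewritten/foreign": evaluate(REWRITTEN, "tcp", foreign, SERVER, 22)[0],  # deny: implicit
        "rewritten/us": evaluate(REWRITTEN, "tcp", us, SERVER, 22)[0],
        "deny-first/foreign": evaluate(DENY_FIRST, "tcp", foreign, SERVER, 22)[0],
        "deny-first/us": evaluate(DENY_FIRST, "tcp", us, SERVER, 22)[0],
    }


if __name__ == "__main__":
    for case, verdict in outcomes().items():
        print(f"{case:20} {verdict}")
```

The `appended/foreign` case is the trap: the existing `permit tcp any host <SERVER> eq ssh` matches before the USA-IPs line is ever reached, so non-US SSH is still permitted. In `rewritten/foreign` no ACE matches and the verdict comes from the implicit deny (reported here with `None` as the matched line), which is why an explicit `deny ip any any` at the end only adds a hit counter. For the deny-first variant, remember that on an ASA a new ACE is appended to the end of the list unless you give it a position, e.g. `access-list OutsideIn line 1 extended deny ip object-group BAD_COUNTRIES any`.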
 
LVL 20

Author Comment

by:netcmh
ID: 39166362
Much simpler. Thank you again. No more questions.

The BAD_COUNTRIES IP blocks are a third of the size of the US IP blocks :)

For posterity, I would also suggest adding the BOGON networks. These are the networks that are not yet assigned by ARIN so you should never get any legitimate traffic from them -- at least, until they're assigned. Keep checking monthly.
0
 
LVL 20

Author Comment

by:netcmh
ID: 39171616
Have it running. No impact on CPU or memory. Configured it with a hit counter to see it in action.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39171673
Cool. Good to know. That is a better way to do it anyway as it stops the bad traffic faster instead of waiting for all ACEs to not match and then finally match the implicit rule. So if anything it should be less CPU taken up now.
0
