Cisco ASA 5500 – Deny a Single IP Address External Access

KB ID 0000743 

Problem

This was asked on Experts Exchange today; the poster specifically asked for an ASDM solution, so here goes. I will also show the equivalent CLI commands.

Solution

Block an IP via ASDM

1. Connect to the ASDM > Configuration > Firewall > Add ‘Network Object’.

Note: You could create a Network Object Group, then add a Network Object to that group. This is handy if there are liable to be more IP addresses you want to block in the future. In that case you would then simply add the new Network Objects to the existing group.

2. Give the host a name, set its type to ‘Host’ > Enter the IP > The description is not mandatory.

3. Locate the rules that are applied to the inside interface (incoming), select the first one.

Note: I refer to these as ‘Outbound’ rules; they apply to traffic flowing IN through the INSIDE interface.

4. Add a new access rule > Set to Deny > Select the source as the host (or group) you have just created > OK.

5. Make sure your new rule is at the TOP > Click Apply.

6. Warning: Below your ‘deny’ rule you need to ‘allow’ the traffic that should be allowed, or all other traffic will get blocked.

7. Save the changes to memory > File > Save Running Configuration to Flash.

 

Block an IP via Command

Note: This assumes you do NOT already have an outbound ACL applied (issue a show run access-group command to find out). If you do, it will show access-group {name} in interface inside; simply replace the word outbound below with the name of yours, and DON’T issue the command that starts access-group.

[box]

User Access Verification

Password:
Type help or ‘?’ for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure terminal
PetesASA(config)# access-list outbound line 1 extended deny ip host 10.254.254.113 any
PetesASA(config)# access-list outbound line 2 extended permit ip any any
PetesASA(config)# access-group outbound in interface inside
PetesASA(config)# write mem
Building configuration…
Cryptochecksum: b984ffbc dd77cdbf f2cd8d86 0b8f3f96

3965 bytes copied in 1.490 secs (3965 bytes/sec)
[OK]

[/box]

 

Related Articles, References, Credits, or External Links

NA

 

Cisco ASA 5500 Allowing Tracert

KB ID 0000753

Problem

I’d always assumed that, as Tracert uses ICMP, simply adding ICMP inspection on the ASA would let Tracert commands work. A client of mine is having some comms problems and wanted to test comms from his remote DR site; he had enabled time-exceeded and unreachable on the ASA (for inbound traffic) and that had worked. I checked the default inspection map and found inspect ICMP was there?

As it turns out Tracert does NOT NEED ICMP inspection, though there are a few tweaks you need to do to make it run correctly.

Solution

1. From a Windows client if I try and Tracert to an external IP address, this is what I would see.

2. My first task is to get the ASA itself to reply to me. Unlike most network devices, the ASA does not decrease the ‘hop count’ (TTL) as traffic passes through it, so Tracert never sees it as a hop. To rectify this we need to make a small change to the global inspection policy, like so;

[box]

Sent username "pix"
Type help or '?' for a list of available commands.
Petes-ASA>
Petes-ASA> enable
Password: *******
Petes-ASA# configure terminal
Petes-ASA(config)# policy-map global_policy
Petes-ASA(config-pmap)# class class-default
Petes-ASA(config-pmap-c)# set connection decrement-ttl
Petes-ASA(config-pmap-c)# exit
Petes-ASA(config-pmap)# exit
Petes-ASA(config)#

[/box]

3. Now when we re-run our Tracert we see the ASA responds, but nothing else does. To rectify that we need to allow IN some ICMP traffic (the time-exceeded and unreachable replies that Tracert relies on).

4. Before you can add an ACL you need to see if you already have one. We are applying an ACL to the outside interface for traffic going in (I call this inbound for obvious reasons). To see if you already have an ACL applied, issue the following command;

[box]

Petes-ASA# show run access-group
 access-group inbound in interface outside
 access-group outbound in interface inside

[/box]

Note: In the example above we have an ACL called inbound that we MUST use. (If you applied a new one, the old one would be ‘un-applied’ and all its access list entries would stop taking effect.) If yours has a different name (e.g. outside_access_in), then use that instead of the ACL name I’m using here. If you DON’T have an access-group entry for inbound traffic, then we will do that at the end!

5. At this point you should know if you have an ACL; mine’s called inbound, so I need to add two lines to it like so;

[box]

Petes-ASA(config)# access-list inbound extended permit icmp any any time-exceeded
Petes-ASA(config)# access-list inbound extended permit icmp any any unreachable

[/box]

Then: Only carry out the following command if you DO NOT HAVE an ACL applied for incoming traffic.

[box]

Petes-ASA(config)# access-group inbound in interface outside

[/box]

6. Try your Tracert again.

7. Don’t forget to save the changes on the ASA.

[box]

 

Petes-ASA(config)# write mem
Building configuration…
Cryptochecksum: b984ffbc dd77cdbf f2cd8d86 0b8f3f96

3965 bytes copied in 1.490 secs (3965 bytes/sec)
[OK]

[/box]

Related Articles, References, Credits, or External Links

Cisco Firewalls and PING

Configure Your Firewall for SNMP

KB ID 0001034 

Problem

Had a requirement to let SNMP traffic through a firewall this week. I have a client that has both SolarWinds and SCOM, and they need to monitor the external Citrix ADC load balancers. For SNMP we simply need UDP ports 161 and 162 (see below), but SolarWinds maintains ‘ping’ connectivity to the monitored assets, so ICMP also needs to be open.

Inbound Ports

Outbound Ports

Solution

As my ‘weapon of choice’ is a Cisco ASA, here’s how to set it up.

1. Connect to the firewall and proceed to global configuration mode.

[box]

User Access Verification

Password:*******
Type help or ‘?’ for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)#

[/box]

2. Assuming my inside interface is called ‘inside’, allow the traffic outbound, then apply that ACL to the firewall with an access-group command.

Cisco ASA – ‘access-group’ Warning

[box]

Petes-ASA(config)# access-list outbound permit udp host 192.168.1.100 host 172.16.1.10 eq 161
Petes-ASA(config)# access-list outbound permit icmp host 192.168.1.100 host 172.16.1.10
Petes-ASA(config)# access-group outbound in interface inside

[/box]

3. Assuming my outside interface is called ‘outside’, allow the traffic inbound, then apply that ACL to the firewall with an access-group command.

Cisco ASA – ‘access-group’ Warning

[box]

Petes-ASA(config)# access-list inbound permit udp host 172.16.1.10 host 192.168.1.100 eq 161
Petes-ASA(config)# access-list inbound permit icmp host 172.16.1.10 host 192.168.1.100
Petes-ASA(config)# access-group inbound in interface outside

[/box]

Note: Simply allowing ICMP will not permit ‘ping’; see the following article:

Cisco Firewalls and PING

4. Save the changes.

[box]

Petes-ASA(config)# write memory
Building configuration…
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

[/box]

Also

You may want to open UDP 514 (syslog) from the device to the monitoring server, (assuming you have configured syslog on the monitored device). If the monitored device cannot communicate make sure it’s not using DNS to resolve the monitoring server (if so you may need to open UDP 53 to a DNS server).

Related Articles, References, Credits, or External Links

NA

 

Cisco ASA – ‘access-group’ Warning

KB ID 0001035

Problem

I’ve been writing Cisco ASA walkthroughs for years, and littered all over PeteNetLive you will see me warning readers every time I use access-group commands. So I’ve finally got round to putting this article up so I can reference it in future.

What is an Access-Group command?

You use an access-group command to apply an access-list to an interface in a particular direction (in or out). I always apply access-groups in the in direction on an interface, to avoid confusion.

Example

[box]

Create an access list first

access-list outbound permit tcp host 192.168.1.1 any eq www

Then nothing will happen unless you apply that ACL to an interface with an access-group command.

access-group outbound in interface inside

[/box]

Solution

So Why The Access-Group Warning?

Reason 1

When I post articles and direct you to allow traffic through a firewall, I make the assumption that you do not have any ACLs already applied with access-group commands. If you did, and followed my tutorials blindly, then you would overwrite your access-groups and any existing ACLs would stop working! (The ACLs would still be there; you would need to reapply them though.)

Reason 2

By default traffic will flow through the ASA from interfaces that have a higher (more secure) security level to interfaces with a lower security level. That’s why you can get out through a new firewall without adding any rules. However, every ACL has an implicit deny on the end of it. So if you have a mail server and allow out SMTP, for example, as soon as you apply the ACL with your access-group command you STOP ALL OTHER OUTBOUND COMMUNICATION until that is allowed also.

So How Can You Make Sure I’m Not About to Break Anything?

Easy, your firewall will tell you if you have any access-groups already in use, with a ‘show run access-group’ command. Below you can see there are three, and which interface each is applied to.

[box]

User Access Verification

Password: ********
Type help or ‘?’ for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# show run access-group
access-group inside-in in interface outside
access-group outside-in in interface inside
access-group DMZ-in in interface DMZ
PetesASA#

[/box]

I’ve deliberately shown a naming convention I don’t usually use, I typically have an ACL called outbound for outgoing traffic, and inbound for incoming traffic. If your firewall has different named ACLs applied with access-group commands USE YOUR ACL NAME, NOT THE ONES IN MY ARTICLES!

I’ve followed Your Article and It Works But Everything Else Has Stopped Working!

OK, remember Reason 2 above: you need to allow the traffic out again. The simplest way to do that is with a permit ip any any command, which is what you had originally*. (I prefer to only allow out the traffic that needs to go out, but I’m a firewall nut!)

*Note: To avoid emails from the pedants, you actually had all protocols open, not just IP.

[box]

Assuming the last commands you issued looked something a little like..

access-list outbound permit tcp host 192.168.1.1 any eq www
access-group outbound in interface inside

Now that works, but everything else does not: you have fallen foul of the ‘implicit deny’, so allow out the traffic you want to allow out, i.e.

access-list outbound permit ip any any

 

[/box]
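To make the ordering and implicit-deny points concrete (the deny-host rule from the first article only works when it sits ABOVE the permit, an applied ACL that only permits one thing blocks everything else, and the Tracert ACL only lets the named ICMP types in), here is a small first-match evaluator for ASA-style ACLs. This is an added example written for this page, not Cisco code or the author’s own; it reads the access-list / access-group line formats shown in these articles and assumes only the ‘any’ and ‘host X’ address forms with numeric ports, and the sample config it parses is constructed.

```python
import re

# Constructed sample in the style of the articles' CLI output (not a real config).
SAMPLE_CONFIG = """\
access-list outbound extended deny ip host 10.254.254.113 any
access-list outbound extended permit ip any any
access-list shadowed extended permit ip any any
access-list shadowed extended deny ip host 10.254.254.113 any
access-list narrow extended permit tcp host 192.168.1.1 any eq 80
access-list inbound extended permit icmp any any time-exceeded
access-list inbound extended permit icmp any any unreachable
access-group outbound in interface inside
access-group inbound in interface outside
"""

# Only the 'any' / 'host X' address forms used in these articles are understood.
ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)(?: (?:eq )?(?P<qual>\S+))?$"
)
GROUP_RE = re.compile(r"access-group (?P<acl>\S+) (?P<dir>in|out) interface (?P<intf>\S+)$")

def parse_config(text):
    """Return ({acl: [ACEs in order]}, {(interface, direction): acl}).
    An existing groups entry is what a new access-group on that interface would replace."""
    acls, groups = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            acls.setdefault(m["acl"], []).append(m.groupdict())
        elif m := GROUP_RE.match(line):
            groups[(m["intf"], m["dir"])] = m["acl"]
    return acls, groups

def _addr_ok(field, value):
    return field == "any" or field == f"host {value}"

def evaluate(aces, proto, src, dst, qual=None):
    """Walk the ACL top-down; the first matching ACE wins -> (action, line number).
    qual is the destination port for tcp/udp, or the ICMP type name for icmp.
    Falling off the end is the ASA's implicit deny, reported with line None."""
    for n, ace in enumerate(aces, 1):
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["qual"] is not None and ace["qual"] != str(qual):
            continue
        if _addr_ok(ace["src"], src) and _addr_ok(ace["dst"], dst):
            return ace["action"], n
    return "deny", None
```

Run the evaluator over the ‘shadowed’ ACL to see why the deny must be at the top: the permit ip any any on line 1 matches first and the blocked host is never denied.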

 

Related Articles, References, Credits, or External Links

NA