Cisco ASA – Global Access Lists

KB ID 0001019

Problem

I’ve been working for a client that has a large firewall deployment, and they have twelve switches in their six DMZs. I wanted to take a backup of these switches (and all the other network devices).

While I was bemoaning the number of ACLs I would need to allow TFTP in from (note: that’s UDP port 69 if you are interested), my colleague said “Why not use a global ACL?” On the rare occasions I’m in the ASDM I’ve seen the ‘global’ rule but never really paid it much attention. (Note: You need an OS of 8.3 or newer!)

Don’t panic! I’m not going to use the ASDM (if you want to use it, you can pretty much work out how to do it from the picture above).

What is a Global ACL?

This is an access list that allows traffic inbound on all interfaces. There are a couple of caveats:

  • Interface-specific ACLs take precedence over the global ACL (with the exception of the implicit deny at the end of the ACL).
  • With the above in mind, if there is a deny on an interface ACL, traffic will be blocked for that interface.
  • If you have manually added a ‘deny ip any any’ to the end of an interface ACL (e.g. for logging purposes), then traffic allowed in the global ACL will fail for that interface.

So the firewall processes each interface’s ACL, and just before the implicit deny it checks the global ACL; if the global ACL allows the traffic, it is passed.
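To make that precedence rule concrete, here is a small Python model of the ASA’s inbound evaluation order (an added example written for this article, not ASA code); the ACEs, the interface name and the sample TFTP packet are constructed, and the model shows why a manual ‘deny ip any any’ on the interface ACL shadows the global ACL while the implicit deny does not.

```python
from ipaddress import ip_address, ip_network

# Constructed model: an ACE is (action, proto, src_net, dst_net, dst_port),
# where proto "ip" matches any protocol and port None matches any port.
def ace(action, proto, src="0.0.0.0/0", dst="0.0.0.0/0", port=None):
    return (action, proto, ip_network(src), ip_network(dst), port)

def _matches(entry, pkt):
    _, proto, src, dst, port = entry
    return (proto in (pkt["proto"], "ip")
            and ip_address(pkt["src"]) in src
            and ip_address(pkt["dst"]) in dst
            and (port is None or port == pkt["dport"]))

def first_match(acl, pkt):
    """Return the action of the first matching ACE, or None if nothing matches."""
    for entry in acl:
        if _matches(entry, pkt):
            return entry[0]
    return None

def asa_decision(interface_acl, global_acl, pkt):
    """ASA 8.3+ inbound order: interface ACL, then the global ACL, then the
    implicit deny. Returns (verdict, which ACL produced it)."""
    verdict = first_match(interface_acl, pkt)
    if verdict is not None:
        return verdict, "interface"
    verdict = first_match(global_acl, pkt)
    if verdict is not None:
        return verdict, "global"
    return "deny", "implicit"

# Constructed policy based on the article's TFTP case (UDP/69 allowed globally).
GLOBAL_ACL = [ace("permit", "udp", port=69)]
DMZ1_ACL_OK = [ace("permit", "tcp", "10.1.1.0/24", "192.168.10.0/24", 443)]
# The same interface ACL with a manual catch-all deny appended "for logging".
DMZ1_ACL_EXPLICIT_DENY = DMZ1_ACL_OK + [ace("deny", "ip")]

# Constructed packet: a DMZ switch backing up to the TFTP server in the LAN.
TFTP_PKT = {"proto": "udp", "src": "10.1.1.5", "dst": "192.168.10.10", "dport": 69}

if __name__ == "__main__":
    print(asa_decision(DMZ1_ACL_OK, GLOBAL_ACL, TFTP_PKT))             # ('permit', 'global')
    print(asa_decision(DMZ1_ACL_EXPLICIT_DENY, GLOBAL_ACL, TFTP_PKT))  # ('deny', 'interface')
```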

Solution

OK, I want to allow all my DMZ devices to communicate with the TFTP server on my management server in the LAN.

1. Log into the firewall and create an ACL as you would normally.

[box]

PetesASA> enable
Password: *********
PetesASA# configure terminal
PetesASA(config)# access-list ACL-Global extended permit udp any any eq 69

[/box]

2. Then instead of applying the ACL directionally to an interface, apply it globally.

[box]

PetesASA(config)# access-group ACL-Global global

[/box]

That’s it! Let’s test it by trying to back up a DMZ switch.

[box]

DMZ1-SW-1#copy running-config tftp
Address or name of remote host []? 192.168.10.10
Destination filename [DMZ-SW-1-confg]? DMZ-SW-1-Backup
!!
1130 bytes copied in 12.244 secs (92 bytes/sec)

[/box]

Related Articles, References, Credits, or External Links

NA

Cisco ASA – Policy NAT

KB ID 0001042

Problem

I’ve been working on a large firewall deployment for a client; each of their DMZs has both a production and a management network. Nothing particularly strange about that, but each DMZ has its own firewalled management network, and it’s routable from the LAN.

So if I’m an admin and I want to talk to a Linux appliance in their DMZ via its management interface, my traffic leaves the LAN through the management firewall, but the appliance sees my source IP as being on the LAN and routes the traffic back to me via the client’s production firewall.

Now the simplest way to fix it would be to put a static route on the appliance to route my traffic back via the management firewall, which is fine, BUT what if that appliance is the proxy server? Now I can administer it, but I can’t get on the Internet!

Note: I’m NOT performing NAT anywhere in this scenario!

Solution

Well, I could simply PAT the network my laptop is on, let’s say it’s 172.16.1.0/16, to the DMZ interface of the management firewall.

[box]

object network Admin_PCs
 subnet 172.16.0.0 255.255.0.0
 nat (inside,dmz) dynamic interface

[/box]

The problem with that is it will translate all traffic from my laptop’s subnet going into this DMZ, and I might not want to do that.

Solution Pre ASA 8.3

We used to have a really simple way of solving this problem, ‘policy based NAT’: you specify a set of conditions with an ACL, and anything that matches that ACL is tied to a specific NAT rule.

[box]

access-list POLICY-NAT permit ip host 172.16.1.10 11.11.11.0 255.255.255.0
!
static (inside,outside) interface access-list POLICY-NAT

[/box]

Solution Post 8.3

To do the same now, the syntax is a little different. To demonstrate, I have built a small lab in GNS3. If I want the internal host to talk to the DMZ host, I want the traffic, when it gets there, to ‘appear’ to have come from 192.168.131.1.

If I ‘ping’ the DMZ router from the Host router and Wireshark the traffic when it gets there, I see it’s coming from its actual IP address.

To NAT this traffic, use the following commands:

[box]

For a Single IP

object network obj-Host
 host 11.11.11.10
!
object network obj-DMZ
 host 192.168.131.10
!
nat (inside,DMZ) source static obj-Host interface destination static obj-DMZ obj-DMZ

For the Entire Subnet

object network obj-Host-LAN
 subnet 11.11.11.0 255.255.255.0
!
object network obj-DMZ-LAN
 host 192.168.131.10
!
nat (inside,DMZ) source dynamic obj-Host-LAN interface destination static obj-DMZ-LAN obj-DMZ-LAN

[/box]

Now repeat the process and ping the DMZ host.

Now when I capture the traffic, the source IP has changed accordingly.
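As an added example (not from the article or the ASA itself), this Python model contrasts the two approaches: the object NAT from the first box, which translates every packet leaving towards the DMZ, and the twice NAT above, which only fires when the destination also matches. The 192.168.131.1 DMZ interface address and the 11.11.11.0/24 and 192.168.131.10 values are the article’s; the packets and the 192.168.131.20 host are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed: the management firewall's DMZ interface address (article: 192.168.131.1).
DMZ_IFACE_IP = "192.168.131.1"

def object_nat(real_net, pkt):
    """Model of 'nat (inside,dmz) dynamic interface' on a network object:
    any source inside real_net going inside->dmz is PATed to the DMZ
    interface address, whatever the destination."""
    if pkt["egress"] == "dmz" and ip_address(pkt["src"]) in ip_network(real_net):
        return dict(pkt, src=DMZ_IFACE_IP)
    return pkt

def twice_nat(real_src_net, dest_host, pkt):
    """Model of 'nat (inside,DMZ) source dynamic <src> interface destination
    static <dst> <dst>': the source is translated only when BOTH the source
    network and the destination host match; everything else is untouched."""
    if (pkt["egress"] == "dmz"
            and ip_address(pkt["src"]) in ip_network(real_src_net)
            and pkt["dst"] == dest_host):
        return dict(pkt, src=DMZ_IFACE_IP)
    return pkt

# Constructed packets from the internal host: one to the managed appliance,
# one to a different host in the same DMZ.
TO_APPLIANCE = {"src": "11.11.11.10", "dst": "192.168.131.10", "egress": "dmz"}
TO_OTHER_DMZ = {"src": "11.11.11.10", "dst": "192.168.131.20", "egress": "dmz"}

def compare(pkt):
    """Return (source after object NAT, source after twice NAT) for one packet."""
    return (object_nat("11.11.11.0/24", pkt)["src"],
            twice_nat("11.11.11.0/24", "192.168.131.10", pkt)["src"])

if __name__ == "__main__":
    print(compare(TO_APPLIANCE))  # ('192.168.131.1', '192.168.131.1')
    print(compare(TO_OTHER_DMZ))  # ('192.168.131.1', '11.11.11.10')
```

The second line is the point of the article: only the twice NAT leaves traffic to other DMZ hosts with its real source address.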

Related Articles, References, Credits, or External Links

NA