Notable Replies

  1. Telnet is working fine, and I actually found 2 ways to allow ping in the ASA.
    The first one is:

    class-map global_policy
    class-map icmp-class
     match default-inspection-traffic
    class-map icmp
     match any
    class-map inspection_default
    !
    !
    policy-map icmp_policy
     class icmp
      inspect icmp 
    !
    service-policy icmp_policy global
    

    And the second one is creating an access list like this:

    access-list ICMP extended permit icmp any any
    access-group ICMP interface global
    

    Both do the same job.

  2. Hi Donald,

    In this example, I only used the routers so that I would have some devices to ping with/to. I also could have used computers but routers are easier since you can access them through the CLI and you don’t have to worry about firewalls blocking ICMP traffic.

    Sometimes, it can be useful to have a router in front of the ASA. As a firewall, the ASA does a great job at packet filtering / VPNs but it’s a poor router. If you want to use specific features (like policy based routing) then using a router in front of the ASA works very well. If you don’t need any router specific features, you might as well connect the ASA directly to your ISP.

    Rene

  3. Hi Rene,

    To allow the DMZ traffic, would you need to put an ACL on the DMZ interface allowing DMZ traffic, or on the Inside interface allowing the DMZ source to come in? Or do you need to put ACLs on both interfaces?

    If the DMZ is, say, the 172.16.1.0/24 range and Inside is the 192.168.1.0/24 range, would you put an ACL on the DMZ interface allowing 172.16.1.0/24 access to 192.168.1.0/24 and then put the same ACL on the inside as well?

  4. Hi, quick question regarding the service policy placement on the ASA, not including global because that’s pretty self-explanatory. I created just a simple topology where the ASA was in the middle and had 2 routers, one on either side. The outside interface had a security level of 0 and inside 100, and the outside interface is also blocking all traffic coming in. I implemented NAT on the ASA as well to change the inside network IPs to the outside interface.

    My policy map inspects ICMP and I applied it to a service policy that was placed on the inside interface. I tested it and everything worked as it should: NAT worked and allowed the traffic back into the inside network, and the outside router could not ping the outside ASA interface IP or any inside network addresses. So everything is fine there. The same was done for the outside interface and the same behaviour was present.

    My main question is then: how does the traffic get back through when the service policy is placed on the inside interface? When the class map matches ICMP, the inspection is applied in the policy map and the service policy is assigned to the inside interface, so the source IP would be the private IP of the host on the inside network. It then goes through NAT, where NAT changes the source IP to the outside IP. When the return traffic comes back, it comes back with a destination address of the ASA outside IP, but the dynamic ACL for the return traffic is for the destination address of the private IP. So how does it get through when there is no ACL for the traffic coming into the outside interface?

    This is different from assigning the service policy on the outside, where the dynamic ACL has the outside IP as the destination, which can then be allowed, and then the NAT binding table can direct traffic along its merry way.

    Does anyone know the answer to this?

  5. Hi, thanks for the post.
    I have done everything and it worked fine; unfortunately my firewall does not allow DNS resolution from the outside interface to the inside.
    Should I apply another ACL, or inspect DNS traffic from outside to inside and vice versa?
    ----------------------------------------------------------------------------------------------------------------------------

    ASA3/SRV-A(config)# packet-tracer input TO-OUT tcp 0.0.0.0 53 6.6.6.6  53
    
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   6.6.6.6         255.255.255.255 inside
    
    Result:
    input-interface: TO-OUT
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (sp-security-failed) Slowpath security checks failed
    
    ASA3/SRV-A(config)# show run
    : Saved
    :
    : Serial Number: 123456789AB
    : Hardware:   ASA5520, 512 MB RAM, CPU Pentium II 1000 MHz
    :
    ASA Version 9.1(5)16 <context>
    !
    hostname SRV-A
    domain-name mod.gov.af
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    !
    interface Ethernet0
     nameif inside
     security-level 100
     ip address 172.16.3.1 255.255.255.0
     hold-time eigrp 100 60
    !
    interface Ethernet2
     nameif TO-OUT
     security-level 0
     ip address 172.16.8.2 255.255.255.0
     hold-time eigrp 100 60
    !
    dns server-group DefaultDNS
     domain-name mod.gov.af
    access-list icmp extended permit icmp any any
    pager lines 24
    mtu inside 1500
    mtu TO-OUT 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    access-group icmp in interface TO-OUT
    !
    router eigrp 100
     eigrp router-id 33.33.33.33
     network 172.16.3.0 255.255.255.0
     network 172.16.5.0 255.255.255.0
     network 172.16.8.0 255.255.255.0
    !
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    user-identity default-domain LOCAL
    no snmp-server location
    no snmp-server contact
    crypto ipsec security-association pmtu-aging infinite
    telnet timeout 5
    ssh stricthostkeycheck
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    no threat-detection statistics tcp-intercept
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
      message-length maximum server auto
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
    !
    service-policy global_policy global
    Cryptochecksum:bc0fd5f01c98ca935e7632181d832257
    : end
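
Added example (my own script, not from the thread or from Cisco): a small Python audit that reads an ASA running-config excerpt and reports which of the two mechanisms from reply 1 is in place for echo replies (an `inspect icmp` inside a policy-map that is actually bound with `service-policy`, or a `permit icmp` ACL bound inbound on the outside interface), and whether that bound ACL permits a given protocol and port inbound, which is the gap reply 5 is asking about for DNS. The config text is constructed from the one posted above (the interface name TO-OUT is taken from it); the parsing is deliberately limited to `extended permit` entries with numeric `eq` ports.

```python
import re

# Constructed excerpt modeled on the running-config posted in reply 5 (not a verbatim copy).
SAMPLE_CONFIG = """\
access-list icmp extended permit icmp any any
access-group icmp in interface TO-OUT
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect icmp
service-policy global_policy global
"""

def applied_inspections(config):
    """Protocols inspected by policy-maps that are actually bound with a service-policy."""
    bound = set(re.findall(r"^service-policy (\S+)", config, re.M))
    inspected, current = set(), None
    for line in config.splitlines():
        if line.startswith("policy-map "):
            current = line.split()[-1]      # last token is the map name
        elif current in bound:
            m = re.match(r"\s+inspect (\S+)", line)
            if m:
                inspected.add(m.group(1))
    return inspected

def inbound_acl_permits(config, interface, protocol, port=None):
    """True if the ACL bound inbound on `interface` (or bound globally) permits `protocol`;
    with `port`, the entry must be protocol-wide or 'eq <port>' (numeric ports only)."""
    m = re.search(rf"^access-group (\S+) (?:in interface {re.escape(interface)}|global)\s*$", config, re.M)
    if not m:
        return False                        # nothing bound: only the implicit rules apply
    for entry in re.findall(rf"^access-list {re.escape(m.group(1))} extended permit (.+)$", config, re.M):
        fields = entry.split()
        if fields[0] not in (protocol, "ip"):
            continue
        if port is None or "eq" not in fields:
            return True                     # protocol-wide permit covers every port
        if fields[fields.index("eq") + 1] == str(port):
            return True
    return False

def icmp_reply_path(config, outside_if):
    """Which of the two mechanisms from reply 1 lets echo replies back in on outside_if."""
    return {"inspect_icmp": "icmp" in applied_inspections(config),
            "acl_permit_icmp": inbound_acl_permits(config, outside_if, "icmp")}
```

Running it against the sample shows both ICMP mechanisms present but no inbound permit for UDP/TCP 53 on TO-OUT, which is the kind of check to do before adding an ACL or an inspection rule.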
