Monday, June 24, 2013

Cisco ASA: Security Level & Access Rule


Concepts related to this LAB:
By default, the ASA automatically assigns a security level of 100 to an interface named "inside" and a security level of 0 to an interface named "outside". The security level of an interface can also be set manually with the command "security-level <level>". Other ASA interfaces that connect to other areas of the network should receive a security level between 1 and 99. Security levels must be unique.
Interfaces with a higher security level are considered more trusted than interfaces with a lower security level. Usually an interface is named "outside" if it faces a public network and "inside" if it faces the local network.
The Cisco ASA uses the security levels to decide whether traffic is an inbound connection or an outbound connection.
It is an inbound connection if the traffic is initiated from a lower security level toward a higher security level. By default an inbound connection is considered insecure, so traffic from a lower-security interface to a higher one cannot pass unless it passes additional explicit inspection and filtering checks (an ACL applied to the ingress interface).
It is an outbound connection if the traffic is initiated from a higher security level toward a lower security level. An outbound connection is considered secure and is automatically inspected (stateful inspection), so the returning traffic does not require any access list.
Note that ICMP is stateless and ICMP inspection is not enabled by default, so a ping from a higher security level interface to a lower security level interface will fail: the echo replies coming back from the lower-security interface are treated as new inbound traffic and are blocked. To permit ICMP in this case, enable ICMP inspection globally or configure an inbound ACL on the lower-security interface.
Interfaces on the ASA can be configured as trunk links. However, an ASA interface cannot auto-negotiate a trunk through the Dynamic Trunking Protocol (DTP) as a Cisco switch does.
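To make the inbound/outbound and stateful-inspection rules above concrete, here is a small model of the ASA's decision for a new flow and for its return traffic. This is an added example written for this post, not Cisco code or output from the lab; the interface names and security levels (inside 100, DMZ 50, outside 0) are the ones used in this LAB, while the class and function names (Asa, new_connection, return_traffic and the scenario helpers) are my own. The model keys its connection table on (ingress interface, egress interface, protocol) rather than the full 5-tuple a real ASA tracks, which is enough to show why the ping fails and why both fixes described later on this page work.

```python
from dataclasses import dataclass, field

# Security levels from the lab: inside 100, DMZ 50, outside 0.
LEVELS = {"inside": 100, "DMZ": 50, "outside": 0}
# Protocols this model tracks statefully out of the box; ICMP is only
# tracked once "inspect icmp" is enabled, as described in the text above.
STATEFUL_BY_DEFAULT = {"tcp", "udp"}


@dataclass
class Asa:
    levels: dict
    acls: dict = field(default_factory=dict)  # ingress interface -> {(proto, kind)} permitted
    inspect_icmp: bool = False
    conn_table: set = field(default_factory=set)

    def _acl_verdict(self, iface, proto, kind):
        # An ACL bound to the ingress interface replaces the security-level default:
        # explicit permit, otherwise the implicit deny at the end of the list.
        if iface not in self.acls:
            return None
        return (proto, kind) in self.acls[iface] or (proto, "any") in self.acls[iface]

    def new_connection(self, src_if, dst_if, proto, kind="any"):
        """First packet of a flow entering src_if and leaving via dst_if."""
        verdict = self._acl_verdict(src_if, proto, kind)
        if verdict is None:
            # No ACL: higher -> lower (outbound) passes, lower -> higher (inbound) is dropped.
            verdict = self.levels[src_if] > self.levels[dst_if]
        if verdict and (proto in STATEFUL_BY_DEFAULT or (proto == "icmp" and self.inspect_icmp)):
            self.conn_table.add((src_if, dst_if, proto))
        return verdict

    def return_traffic(self, src_if, dst_if, proto, kind="any"):
        """Reply for a flow opened src_if -> dst_if, now arriving on dst_if."""
        if (src_if, dst_if, proto) in self.conn_table:
            return True  # matched the connection table, no ACL needed
        # Not tracked: the reply is judged as a brand-new flow in the opposite direction.
        return self.new_connection(dst_if, src_if, proto, kind)


def _ping(asa):
    echo = asa.new_connection("inside", "outside", "icmp", "echo")
    reply = asa.return_traffic("inside", "outside", "icmp", "echo-reply")
    return echo, reply


def ping_without_fix():
    """Echo leaves inside, but the stateless echo-reply is a new inbound flow and is dropped."""
    return _ping(Asa(dict(LEVELS)))


def ping_with_echo_reply_acl():
    """Solution 1: permit echo-reply in an ACL applied inbound on outside and DMZ."""
    acl = {("icmp", "echo-reply")}
    return _ping(Asa(dict(LEVELS), acls={"outside": set(acl), "DMZ": set(acl)}))


def ping_with_icmp_inspection():
    """Solution 2: 'inspect icmp' makes the echo a tracked connection, so the reply matches it."""
    return _ping(Asa(dict(LEVELS), inspect_icmp=True))


def telnet_inside_to_outside():
    """TCP is stateful by default: the outbound session and its return traffic pass without an ACL."""
    asa = Asa(dict(LEVELS))
    return asa.new_connection("inside", "outside", "tcp"), asa.return_traffic("inside", "outside", "tcp")


def telnet_outside_to_inside(with_solution1_acl=False):
    """Inbound telnet stays blocked, with no ACL or with an ACL that only permits echo-reply."""
    acls = {"outside": {("icmp", "echo-reply")}} if with_solution1_acl else {}
    return Asa(dict(LEVELS), acls=acls).new_connection("outside", "inside", "tcp")


if __name__ == "__main__":
    print("ping, no fix:        ", ping_without_fix())            # (True, False)
    print("ping, echo-reply ACL:", ping_with_echo_reply_acl())    # (True, True)
    print("ping, inspect icmp:  ", ping_with_icmp_inspection())   # (True, True)
    print("telnet in -> out:    ", telnet_inside_to_outside())    # (True, True)
    print("telnet out -> in:    ", telnet_outside_to_inside())    # False
```

The model also shows the side effect of Solution 1 worth keeping in mind: once an ACL is bound to the outside interface, everything not listed in it is denied by the implicit deny, so the lab's outside_in list has to carry the telnet/ssh permits as well as the echo-reply line.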


LAB Security Level & Access Rule

Setup:
-       The connection between R1's f0/0 and the ASA's e0/1 is configured in VLAN 101
-       The connection between R2's f0/0 and the ASA's e0/0 is configured in VLAN 102
-       The connection between R4's f0/0 and the ASA's e0/2 is configured in VLAN 104
-       R1's Loopback0 ip address 1.1.1.1/24; f0/0.101 ip address 10.1.101.1/24
-       R2's Loopback0 ip address 2.2.2.2/24; f0/0.102 ip address 10.1.102.1/24
-       R4's Loopback0 ip address 4.4.4.4/24; f0/0.104 ip address 10.1.104.1/24
-       ASA's e0/0.102 ip address 10.1.102.10/24; e0/1.101 ip address 10.1.101.10; e0/2.104 ip address 10.1.104.10/24

Task:
E0/1.101: interface name is inside and ip address is 10.1.101.10/24
E0/0.102: interface name is outside and ip address is 10.1.102.10/24
E0/2.104: interface name is DMZ, ip address is 10.1.104.10 and security-level is 50
R1, R2 & R4 point their default route to the ASA; the ASA points its default route to R2 and adds static routes to the routers' loopback networks
Make sure the ASA is configured to allow ping from inside to the other networks and to allow telnet and ssh from outside & DMZ to inside

On the ASA, permit telnet, ssh and port 80 from 1.1.1.1 to R4's networks; permit 1.1.1.1 with source port range 4000 – 5000 to access host 10.1.102.2 with FTP; permit the inside network to access http, https, pop3 and icmp echo.


R1's Configuration
R1#sh run
Building configuration...
service password-encryption
!
enable password 7 121A0C041104
!
no aaa new-model
no ip icmp rate-limit unreachable
!
ip domain name cisco.com
!
ip ssh authentication-retries 0
ip ssh version 1
!
username cisco password 7 13061E010803
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.101
 encapsulation dot1Q 101
 ip address 10.1.101.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.101.10
!
no ip http server
no ip http secure-server
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 privilege level 15
 logging synchronous
 login local
 transport input telnet ssh
!


R2's Configuration

R2#sh run
hostname R2
!
no aaa new-model
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.102
 encapsulation dot1Q 102
 ip address 10.1.102.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.102.10
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 privilege level 15
 no login
R2#


R4's Configuration
R4#sh run
hostname R4
no aaa new-model
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.104
 encapsulation dot1Q 104
 ip address 10.1.104.4 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.104.10
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 privilege level 15
 no login
R4#


Cisco ASA's Configuration

ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0.102
 vlan 102
 nameif outside
 security-level 0
 ip address 10.1.102.10 255.255.255.0
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.101
 vlan 101
 nameif inside
 security-level 100
 ip address 10.1.101.10 255.255.255.0
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.104
 vlan 104
 nameif DMZ
 security-level 50
 ip address 10.1.104.10 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
object-group network Networkinside
  network-object 10.1.101.0 255.255.255.0
  network-object 1.1.1.0 255.255.255.0

object-group network r1lo
  network-object host 1.1.1.1

object-group network E01-Subnet
  network-object 10.1.101.0 255.255.255.0

object-group network R4
  network-object host 10.1.104.4
  network-object host 4.4.4.4

object-group network F0-R2
  network-object host 10.1.102.2

object-group service Inside-out
  service-object tcp eq www
  service-object tcp eq https
  service-object tcp eq pop3
  service-object icmp echo

object-group service R4-Services tcp
  port-object eq telnet
  port-object eq ssh
  port-object eq www

object-group service Telnet-SSH tcp
  port-object eq telnet
  port-object eq ssh

object-group service FTP
  service-object tcp source range 4000 5000 eq ftp

access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit tcp any object-group Networkinside object-group Telnet-SSH
access-list INSIDE extended permit tcp object-group r1lo object-group R4 object-group R4-Services
access-list INSIDE extended permit object-group FTP object-group r1lo object-group F0-R2
access-list INSIDE extended permit object-group Inside-out object-group E01-Subnet any

pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500

access-group outside_in in interface outside
access-group INSIDE in interface inside
access-group outside_in in interface DMZ

route outside 0.0.0.0 0.0.0.0 10.1.102.2 1
route inside 1.1.1.0 255.255.255.0 10.1.101.1 1
route DMZ 4.4.4.0 255.255.255.0 10.1.104.4 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
telnet timeout 5
ssh timeout 5

---------------------------------------------------------------------------
R1#ping 2.2.2.2 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
If you can't ping 2.2.2.2 from loopback 0, don't worry. By default, the ASA blocks traffic that is initiated from a lower security level to a higher security level, and it does not enable ICMP inspection globally as it does for other protocols such as telnet, http, ssh, etc.
This problem is resolved after I add the following commands:
Solution 1
ciscoasa(config)#access-list outside_in extended permit icmp any any echo-reply
ciscoasa(config)#access-group outside_in in interface outside
ciscoasa(config)#access-group outside_in in interface DMZ

Solution 2
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect icmp

This is the ping result after the problem is resolved.
R1#ping 2.2.2.2 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/40/72 ms

ciscoasa# ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/20/40 ms

ciscoasa# ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/14/30 ms

ciscoasa# ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/22/60 ms

R3# telnet 1.1.1.1
Trying 1.1.1.1 ... Open
User Access Verification
Username: cisco
Password:
R1>
Note that Telnet does not need an ACL to permit the returning traffic from a lower security level to a higher security level, because Telnet inspection is enabled by default. When a user in the inside area telnets to the outside area, the traffic is passed by default because it is initiated from a higher security level. The session is kept in the ASA's connection table (stateful inspection), so the returning traffic is passed when the ASA receives it.

I think the most difficult part of this LAB is how to use as few objects as possible and how few ACEs we can use.
By defining object-group service FTP, we can reduce one object, instead of creating 2 objects for the source port and the destination port.

object-group network F0-R2
  network-object host 10.1.102.2

object-group network r1lo
  network-object host 1.1.1.1

object-group service FTP
 service-object tcp source range 4000 5000 eq ftp

access-list INSIDE extended permit object-group FTP object-group r1lo object-group F0-R2
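The point about folding the source-port range and the destination port into one service object is easiest to check by actually evaluating the lab's access-lists against candidate flows. The block below is an added example written for this post, not Cisco code: it parses the object-groups and the outside_in and INSIDE access-lists copied verbatim from the ASA configuration above (only the syntax forms that appear there are supported) and applies the ASA's first-match rule with the implicit deny at the end. The function names (parse, evaluate, check_lab_flows) and the sample flows are mine; the addresses and ports come from the lab.

```python
import ipaddress

# Object-groups and ACEs copied verbatim from the ASA configuration above.
ASA_CONFIG = """object-group network Networkinside
  network-object 10.1.101.0 255.255.255.0
  network-object 1.1.1.0 255.255.255.0
object-group network r1lo
  network-object host 1.1.1.1
object-group network E01-Subnet
  network-object 10.1.101.0 255.255.255.0
object-group network R4
  network-object host 10.1.104.4
  network-object host 4.4.4.4
object-group network F0-R2
  network-object host 10.1.102.2
object-group service Inside-out
  service-object tcp eq www
  service-object tcp eq https
  service-object tcp eq pop3
  service-object icmp echo
object-group service R4-Services tcp
  port-object eq telnet
  port-object eq ssh
  port-object eq www
object-group service Telnet-SSH tcp
  port-object eq telnet
  port-object eq ssh
object-group service FTP
  service-object tcp source range 4000 5000 eq ftp
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit tcp any object-group Networkinside object-group Telnet-SSH
access-list INSIDE extended permit tcp object-group r1lo object-group R4 object-group R4-Services
access-list INSIDE extended permit object-group FTP object-group r1lo object-group F0-R2
access-list INSIDE extended permit object-group Inside-out object-group E01-Subnet any"""
NAMED_PORTS = {"telnet": 23, "ssh": 22, "www": 80, "https": 443, "pop3": 110, "ftp": 21}
_port = lambda tok: NAMED_PORTS.get(tok) or int(tok)  # ASA port keyword or number

def _service(proto, words):
    # One service entry: protocol, source/destination port ranges and ICMP type.
    e = {"proto": proto, "sport": (0, 65535), "dport": (0, 65535), "icmp": None}
    while words:
        w = words.pop(0)
        if w in ("eq", "range", "source"):
            side = "sport" if w == "source" else "dport"  # "source eq P" / "source range A B"
            w = words.pop(0) if w == "source" else w
            lo = _port(words.pop(0))
            e[side] = (lo, _port(words.pop(0))) if w == "range" else (lo, lo)
        elif proto == "icmp":
            e["icmp"] = w  # echo, echo-reply, ...
    return e

def _addr(words, nets):
    head = words.pop(0)  # any | host A.B.C.D | object-group NAME
    if head == "object-group":
        return nets[words.pop(0)]
    return [ipaddress.ip_network("0.0.0.0/0" if head == "any" else words.pop(0) + "/32")]

def parse(cfg):
    nets, svcs, acls, cur = {}, {}, {}, None
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[0] == "object-group":  # kind, name, optional protocol used by port-objects
            cur = (t[1], t[2], t[3] if len(t) > 3 else None)
            (nets if t[1] == "network" else svcs)[t[2]] = []
        elif t[0] == "network-object":
            nets[cur[1]].append(ipaddress.ip_network(t[2] + "/32" if t[1] == "host" else t[1] + "/" + t[2]))
        elif t[0] in ("port-object", "service-object"):
            proto, words = (cur[2], t[1:]) if t[0] == "port-object" else (t[1], t[2:])
            svcs[cur[1]].append(_service(proto, words))
        elif t[0] == "access-list":
            name, action, words = t[1], t[3], t[4:]
            if words[0] == "object-group":  # a service group in the protocol position
                proto, services, words = None, svcs[words[1]], words[2:]
            else:
                proto, services = words.pop(0), None
            src, dst = _addr(words, nets), _addr(words, nets)
            if services is None:  # trailing port group, "eq PORT" or an ICMP type
                services = svcs[words[1]] if words[:1] == ["object-group"] else [_service(proto, words)]
            acls.setdefault(name, []).append((action, src, dst, services))
    return nets, svcs, acls

def evaluate(acl, proto, src, dst, sport=0, dport=0, icmp=None):
    """First matching ACE decides; no match is the implicit deny at the end of an ASA ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, srcs, dsts, services in acl:
        for e in services if any(s in n for n in srcs) and any(d in n for n in dsts) else ():
            if (e["proto"] == proto and e["icmp"] in (None, icmp) and e["sport"][0] <= sport <= e["sport"][1]
                    and e["dport"][0] <= dport <= e["dport"][1]):
                return action == "permit"
    return False

def check_lab_flows():
    inside, outside = (acls := parse(ASA_CONFIG)[2])["INSIDE"], acls["outside_in"]
    return {  # constructed sample flows against the lab's two access-lists
        "r1lo_ftp_from_sport_4500": evaluate(inside, "tcp", "1.1.1.1", "10.1.102.2", 4500, 21),
        "r1lo_ftp_from_sport_3000": evaluate(inside, "tcp", "1.1.1.1", "10.1.102.2", 3000, 21),
        "r1lo_https_to_r4": evaluate(inside, "tcp", "1.1.1.1", "4.4.4.4", 40000, 443),
        "subnet_echo_to_r2": evaluate(inside, "icmp", "10.1.101.5", "2.2.2.2", icmp="echo"),
        "outside_telnet_to_r1": evaluate(outside, "tcp", "10.1.102.2", "1.1.1.1", 50000, 23),
        "outside_http_to_r1": evaluate(outside, "tcp", "10.1.102.2", "1.1.1.1", 50000, 80),
    }
```

Running check_lab_flows() shows the FTP ACE permitting 1.1.1.1 only when its source port is inside 4000-5000, and it also surfaces a detail of the object design that is easy to miss on the page: 1.1.1.1 is a member of r1lo but not of E01-Subnet, so the loopback gets telnet/ssh/www to R4 but not the http/https/pop3/echo services that the rest of the inside subnet gets.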

Rewriter: Vigorous.nguyen
References:
CCNP Security Firewall 642-617 Official Cert Guide
CCIE Security Vol 1, www.micronicstraining.com
