Tuesday, July 20, 2010

CCNA Security 25

Recall that I mentioned that the ASA does Content Filtering. ACLs contain ACEs; an ACE is an Access Control Entry, also called an access rule on the ASA. ACLs are always checked before a translation is performed, so make sure that we always use the global outside address when we create ACEs.
By default, traffic from a lower-security to a higher-security interface is denied. In some cases we might want HTTP traffic to come in to a web server in the DMZ. To allow this, we first create a static translation so that the DMZ server is reachable from OUTSIDE. From there, we create an ACL that permits HTTP traffic from OUTSIDE to the outside global address.

Suppose that our OUTSIDE interface has an IP of and we wish to perform SPAT for a web server in the DMZ with the IP of, we can first type:
static (DMZ,OUTSIDE) interface

Now we create an ACL and apply it to an access-group like this:
access-list PERMITHTTP extended permit tcp any host eq 80
access-list PERMITHTTP extended permit tcp any host eq 443
access-group PERMITHTTP in interface OUTSIDE

By default, there is no outbound ACL applied on any interface, so all traffic going out of an interface is permitted.

ASDM has a feature that lets you visually analyze access-lists: it draws a topology diagram showing the direction and the action of each ACL. It can be enabled under Configuration - Firewall - Access Rules by clicking Diagram in the top panel.

By default, the ICMP inspection engine is disabled. Cisco recommends enabling it if you wish to permit ICMP traffic. ICMP can be allowed either by enabling ICMP inspection (so that replies to pings sent from the inside are allowed back in), or by applying an access-group to the outside interface that permits the ICMP protocol inbound.

The reason why we cannot ping outwards is not that ping is disabled by default, but that ping INSPECTION is disabled. This does not mean that ping cannot go from a higher to a lower security interface. In fact, the ping gets out freely! However, since it is not inspected, a return path is not put in the state table and therefore the return packet is blocked (or rather, the return traffic is not explicitly permitted).

This inspection engine is the same one used to statefully inspect everything else. To add ICMP to it, we add inspect icmp to the default global policy:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global

Now we have enabled a 1-way stateful ping. Test to see that a host from a higher security level interface can ping one from a lower security interface, but not the other way round.
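The two rules above (the inbound ACL being matched against the global address before the static translation is undone, and an echo-reply only getting back in when ICMP inspection recorded the outbound request) are easy to get wrong, so here is a small model of them in Python. This is an added example, not Cisco code or a reproduction of the ASA's packet path: it follows the pre-8.3 ordering the post describes (from ASA 8.3 onward, ACLs reference real rather than translated addresses), ignores outbound NAT, and uses constructed sample addresses from documentation ranges.

```python
"""Toy model of two ASA behaviours from the post (an added example, not
Cisco code): (1) the inbound ACL on OUTSIDE is evaluated against the
global address before the static translation is undone, the pre-8.3 ASA
order the post describes; (2) an ICMP echo-reply is only admitted when
ICMP inspection recorded the outbound echo-request.  All addresses are
constructed sample values; outbound NAT is ignored."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp" or "icmp"
    src: str
    dst: str
    dport: int = 0       # TCP destination port
    icmp_type: int = 8   # 8 = echo-request, 0 = echo-reply
    icmp_id: int = 0     # ICMP identifier used to pair request and reply


@dataclass
class Asa:
    # static (DMZ,OUTSIDE) <global> <real>, stored as {global: real}
    statics: dict = field(default_factory=dict)
    # access-group ... in interface OUTSIDE, as (proto, dst, dport); dport 0 = any
    outside_acl: list = field(default_factory=list)
    inspect_icmp: bool = False
    icmp_state: set = field(default_factory=set)  # (src, dst, id) of expected replies

    def outbound_inside(self, pkt):
        """Higher-to-lower security: permitted by default.  With ICMP
        inspection on, the expected echo-reply is written to the state table."""
        if pkt.proto == "icmp" and pkt.icmp_type == 8 and self.inspect_icmp:
            self.icmp_state.add((pkt.dst, pkt.src, pkt.icmp_id))
        return "permit"

    def inbound_outside(self, pkt):
        """Lower-to-higher security: state table, then ACL, then untranslate."""
        if pkt.proto == "icmp" and pkt.icmp_type == 0:
            if (pkt.src, pkt.dst, pkt.icmp_id) in self.icmp_state:
                return "permit (matched ICMP state)"
        # The ACL sees the packet before NAT, so pkt.dst is the global address.
        for proto, dst, dport in self.outside_acl:
            if proto == pkt.proto and dst == pkt.dst and dport in (0, pkt.dport):
                real = self.statics.get(pkt.dst)
                if real is None:
                    return "deny (no static translation for global address)"
                return "permit -> untranslated to " + real
        return "deny (implicit deny)"


def demo_acl_uses_global_address():
    """Same inbound HTTP packet; ACE written with the global vs the real address."""
    pkt = Packet("tcp", "198.51.100.7", "203.0.113.10", dport=80)
    right = Asa(statics={"203.0.113.10": "172.16.1.10"},
                outside_acl=[("tcp", "203.0.113.10", 80)])   # global address: matches
    wrong = Asa(statics={"203.0.113.10": "172.16.1.10"},
                outside_acl=[("tcp", "172.16.1.10", 80)])    # real DMZ address: never matches
    return right.inbound_outside(pkt), wrong.inbound_outside(pkt)


def demo_ping_return_path(inspect_icmp):
    """Outbound ping from INSIDE and its reply, with inspection on or off."""
    asa = Asa(inspect_icmp=inspect_icmp)
    request = Packet("icmp", "10.0.0.5", "198.51.100.7", icmp_type=8, icmp_id=42)
    reply = Packet("icmp", "198.51.100.7", "10.0.0.5", icmp_type=0, icmp_id=42)
    return asa.outbound_inside(request), asa.inbound_outside(reply)


if __name__ == "__main__":
    print(demo_acl_uses_global_address())
    print("inspect icmp off:", demo_ping_return_path(False))
    print("inspect icmp on: ", demo_ping_return_path(True))
```

Running it shows the ACE written with the DMZ server's real address never matches (the packet is dropped by the implicit deny), and that with inspection off the echo-request leaves but its reply is dropped, exactly the symptom described above.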

When traffic is denied by an access-rule, you can enable logging to a syslog server. Suppose we have a logging server inside at To do this, we'll enable logging through:
logging enable
logging host INSIDE
logging trap informational

Next, we'll define an access-list that denies ICMP, for example, and tell it to log matching entries. To do this, we'll type:
access-list alert-interval 5
access-list DENYICMP extended deny icmp any any log interval 5
access-group DENYICMP in interface OUTSIDE

This will set it to log informational traps to The denied hits on the access-list are grouped into traffic flows, and a flow that keeps matching is logged once every 5 seconds. Since there is only one log per flow, you may have to ping from different devices to see the behavior.
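Because the ASA summarises each flow into one message per log interval, anything that consumes these syslogs has to add up the hit counts rather than count lines. The Python below is an added example (not Cisco code or anything from the post) that parses the %ASA-6-106100 messages an ACE with the log keyword produces, totals denied packets per flow and flags noisy sources; the sample log lines are constructed, with addresses from documentation ranges, and the alert threshold is an arbitrary assumption.

```python
"""Parser for the %ASA-6-106100 syslog messages that the "log" keyword on
an ACE produces (an added example, not Cisco code).  The ASA emits one
message per flow on the first hit and then one summary per log interval
carrying a hit-cnt, so a monitoring script must sum hit-cnt per flow rather
than count lines.  The sample lines below are constructed; the addresses
are documentation ranges, not real hosts."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
%ASA-6-106100: access-list DENYICMP denied icmp OUTSIDE/198.51.100.7(0) -> INSIDE/10.0.0.5(0) hit-cnt 1 first hit [0x2a3b4c5d, 0x0]
%ASA-6-106100: access-list DENYICMP denied icmp OUTSIDE/198.51.100.7(0) -> INSIDE/10.0.0.5(0) hit-cnt 5 5-second interval [0x2a3b4c5d, 0x0]
%ASA-6-106100: access-list DENYICMP denied icmp OUTSIDE/198.51.100.9(0) -> INSIDE/10.0.0.5(0) hit-cnt 1 first hit [0x2a3b4c5e, 0x0]
%ASA-6-106100: access-list PERMITHTTP permitted tcp OUTSIDE/198.51.100.20(51514) -> DMZ/172.16.1.10(80) hit-cnt 1 first hit [0x7788aabb, 0x0]
%ASA-6-302013: Built inbound TCP connection 12 for OUTSIDE:198.51.100.20/51514 (198.51.100.20/51514) to DMZ:172.16.1.10/80 (203.0.113.10/80)
"""

# Field layout of message 106100: access-list <acl> <action> <proto>
# <if>/<src>(<sport>) -> <if>/<dst>(<dport>) hit-cnt <n> (first hit | <n>-second interval)
LINE_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<src_if>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+) (?P<when>first hit|\d+-second interval)"
)


def parse_106100(text):
    """Return one dict per 106100 line; other message IDs are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["hits"] = int(rec["hits"])
            records.append(rec)
    return records


def denied_hits_by_flow(records):
    """Total denied packets per (acl, proto, src, dst) flow, summing hit-cnt."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "denied":
            totals[(r["acl"], r["proto"], r["src"], r["dst"])] += r["hits"]
    return dict(totals)


def noisy_sources(records, threshold):
    """Sources whose denied hits across all flows reach the threshold,
    sorted by count descending; a simple input for alerting."""
    per_src = defaultdict(int)
    for flow, hits in denied_hits_by_flow(records).items():
        per_src[flow[2]] += hits
    return sorted(((s, h) for s, h in per_src.items() if h >= threshold),
                  key=lambda item: -item[1])


if __name__ == "__main__":
    recs = parse_106100(SAMPLE_LOG)
    for flow, hits in denied_hits_by_flow(recs).items():
        print(flow, hits)
    print("noisy:", noisy_sources(recs, 5))
```

On the sample input the first source shows two log lines but six denied packets (1 on the first hit plus 5 in the following interval), which is the distinction the interval-based logging makes important.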

Note that similar settings can be applied on IOS routers.

As previously mentioned, the ASA can do Content Filtering. From the ASDM, we can configure it at Configuration - Firewall - Filter Rules. We can add Java, ActiveX, HTTP, HTTPS and FTP rules, and for each rule we can specify the source and destination IPs and the service (HTTP, for example) it applies to.

As an example, we want to filter Java and ActiveX over HTTP from anywhere (the four zeros mean any local address and mask, any foreign address and mask). To do this, we'll type:
filter java 80 0 0 0 0
filter activex 80 0 0 0 0

Within Content Filtering we can also do URL filtering, at Configuration - Firewall - URL Filtering Servers. Two filtering server types are supported: Websense and Secure Computing SmartFilter. A URL filtering server must be defined before URL filtering will work. Once we have a URL filtering server set up, which in this case is Websense at, we'll type:
filter url http 0 0 0 0
url-server (DMZ) vendor websense host

A demo version of Websense can be obtained here.
