Controlling Thru Traffic Using An ACL: Khawar Butt

- Default traffic is allowed from high to low security interfaces, but blocked from low to high unless explicitly allowed. Traffic between same security interfaces is blocked by default.
- The document discusses configuring ACLs on a firewall to control traffic flowing through it from lower to higher security interfaces. It provides the commands for creating and applying ACLs to interfaces.
- As an example, ACLs are shown that permit SSH/Telnet from a host to an inside network and ICMP/Telnet from a network to a DMZ host. Same-security traffic is allowed between two DMZ interfaces.
Controlling Thru Traffic using an ACL
KHAWAR BUTT
CCIE # 12353 [R/S, SECURITY, SP, DC, VOICE, STORAGE & CCDE]
Overview
 Default Traffic Flow
 Firewall ACLs
 Configuration Commands
 Lab Configuration
Default Traffic Flow
 High Security Level to Low Security Level
 By default, all traffic is allowed to flow from a High Security Interface towards a Low Security Interface as long as the routing information is in place.
 Although all traffic is allowed to flow from High Security Level to Low Security Level, only TCP and UDP traffic is inspected.
 Inspection creates a return entry in the Connection Table on the Firewall. This allows the return traffic to come back. This is known as Stateful Inspection. The name of the Interface is not case-sensitive.

 Low Security Level to High Security Level
 By default, all traffic is blocked from coming in from a Low Security Interface towards a High Security Interface.
 If you want this traffic to work, you would need to create an explicit policy on the Low Interface to allow this traffic.
 This is done by creating an ACL.
 When a packet hits a low security interface going towards a high security interface, the firewall checks the connection table first. If there is no entry in the connection table, it checks the ACL for a Permit. If there is no Permit in the ACL, it falls back to the default behavior (which, for low to high, is to drop the packet).
Default Traffic Flow Contd.
 Same Security Level Interfaces
 By default, any traffic going from an interface to another interface with the same security level is blocked.
 Even an explicit ACL will not help in allowing this traffic.
 A typical example of this type of setup is when you have 2 partner networks connecting into your network but you don’t want them to traverse to each other thru your firewall.
 You have an option to disable the firewall between 2 interfaces with the same security level by using the “same-security-traffic permit inter-interface” command.
 If you use the above command, it allows all traffic between 2 interfaces with the same security level.
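The packet-processing order described on the two Default Traffic Flow slides (connection table, then ACL, then the security-level default) is easy to state and easy to get wrong when reasoning about a policy. The following is an added example, not code from the slides or from Cisco: a small Python model of that order. Interface names, security levels, the addresses and the use of a plain set of (protocol, source, destination, port) tuples as a stand-in for an access-list are all assumptions made for the example; the firewall's behaviour follows the slides, including that only TCP and UDP create connection-table entries and that same-security traffic is dropped until same-security-traffic permit inter-interface is enabled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Per the slides, only TCP and UDP are stateful-inspected and create return entries.
INSPECTED = {"tcp", "udp"}


@dataclass(frozen=True)
class Flow:
    """One direction of a flow. For ICMP the 'dport' field carries the ICMP type (assumption)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        # The return traffic the connection table has to let back in.
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Firewall:
    levels: Dict[str, int]                                   # interface name -> security level
    acl_permits: Set[Tuple[str, str, str, int]] = field(default_factory=set)  # stand-in for an ACL
    same_security_permit: bool = False                       # same-security-traffic permit inter-interface
    conn_table: Set[Flow] = field(default_factory=set)
    log: List[Tuple[str, Flow]] = field(default_factory=list)

    def level(self, ifname: str) -> int:
        return self.levels[ifname.lower()]                   # interface names are not case-sensitive

    def process(self, ingress: str, egress: str, flow: Flow) -> str:
        """Return 'permit' or 'deny', checking in the order the slides give."""
        # 1. Connection table: return traffic of an inspected flow needs no ACL entry.
        if flow in self.conn_table:
            return self._permit(flow, "connection table")
        # 2. Explicit ACL permit on the ingress interface.
        if (flow.proto, flow.src, flow.dst, flow.dport) in self.acl_permits:
            return self._permit(flow, "acl")
        # 3. Default behaviour by security level.
        hi, lo = self.level(ingress), self.level(egress)
        if hi > lo:
            return self._permit(flow, "default high->low")
        if hi == lo and self.same_security_permit:
            return self._permit(flow, "same-security-traffic permit inter-interface")
        return "deny"          # low->high and same-level traffic are dropped by default

    def _permit(self, flow: Flow, reason: str) -> str:
        if flow.proto in INSPECTED:
            self.conn_table.add(flow.reverse())              # stateful inspection: allow the reply back
        self.log.append((reason, flow))
        return "permit"


def demo() -> Dict[str, str]:
    """Walk through the cases on the slides with constructed addresses; returns each decision."""
    fw = Firewall(levels={"outside": 0, "inside": 100, "dmz-3": 50, "dmz-4": 50})
    fw.acl_permits.add(("tcp", "192.1.20.2", "10.11.11.1", 23))   # assumed ACL: telnet from R2 only
    r = {}
    out = Flow("tcp", "10.11.11.1", 40000, "192.1.20.2", 23)
    r["inside_to_outside"] = fw.process("Inside", "Outside", out)          # high->low: default permit
    r["return_tcp"] = fw.process("Outside", "Inside", out.reverse())       # found in connection table
    r["unsolicited_ssh"] = fw.process("Outside", "Inside", Flow("tcp", "192.1.20.2", 50000, "10.11.11.1", 22))
    r["acl_telnet"] = fw.process("Outside", "Inside", Flow("tcp", "192.1.20.2", 50001, "10.11.11.1", 23))
    dmz = Flow("tcp", "192.168.3.3", 50002, "192.168.4.4", 23)
    r["dmz_before"] = fw.process("DMZ-3", "DMZ-4", dmz)                   # same level: dropped
    fw.same_security_permit = True
    r["dmz_after"] = fw.process("DMZ-3", "DMZ-4", dmz)                    # now allowed
    # ICMP echo (type 8) out is permitted high->low, but ICMP is not inspected, so the
    # echo-reply (type 0) finds no connection-table entry and hits the default deny.
    r["ping_out"] = fw.process("Inside", "Outside", Flow("icmp", "10.11.11.1", 0, "192.1.20.2", 8))
    r["ping_reply"] = fw.process("Outside", "Inside", Flow("icmp", "192.1.20.2", 0, "10.11.11.1", 0))
    return r


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:20s} {decision}")
```

The ping case is the one worth noticing: under the slides' model the outbound echo is allowed, but because ICMP is not inspected the reply has no connection-table entry and is only allowed if an ACL on the Outside interface permits it.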
ASA Firewall ACL
 Firewall ACLs only control traffic going “THRU” the firewall. They do not affect traffic destined to the Firewall Interfaces themselves.
 Firewall ACLs are Extended ACLs by default.
 They are Named extended ACLs.
 The ACLs on the Routers use an inverse (wildcard) mask for matching [ 0 = match ; 1 = ignore ]
 The ACLs on the Firewalls use a normal (subnet) mask for matching [ 1 = match ; 0 = ignore ]
Configuration Commands
 The Syntax for Creating the ACLs on the ASA is:
Access-list [NAME] [Action] [Protocol] [Source IP] [Dest. IP] [Port/Type]
- Name – Name/Identifier for the ACL
- Action – Permit / Deny
- Protocol – TCP / UDP / ICMP / ESP / GRE / OSPF / EIGRP etc.
- Source / Dest. IP – Source / Destination Host or Network Address.
- Port / Type – Application Port (80, 23, 25) or ICMP Packet Type (Echo, Echo-reply)
 The Syntax for Applying the ACLs on the ASA is:
Access-group [ACL Name] [Direction] Interface [Interface Name]
- ACL Name – Name of the ACL to be applied
- Direction – Inbound or Outbound from the perspective of the Interface
- Interface Name – Name of the Interface where the ACL is being Applied
Firewall ACL Examples:
Router ACL
Access-list 101 permit tcp 192.1.20.0 0.0.0.255 any eq 23
Access-list 101 permit icmp any 192.1.10.0 0.0.0.255 echo
!
Interface E 0/0
ip access-group 101 in

Firewall ACL
Access-list OUTSIDE permit tcp 192.1.20.0 255.255.255.0 any eq 23
Access-list OUTSIDE permit icmp any 192.1.10.0 255.255.255.0 echo
!
Access-group OUTSIDE in interface Outside
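The router and firewall examples above differ only in the mask convention (wildcard 0 = match versus subnet mask 1 = match), and the two masks are bitwise complements of each other. The following is an added example, not code from the slides or from Cisco: a Python translator that rewrites the slide's Router ACL into ASA syntax by flipping the masks, plus a matcher that applies a mask under either convention so the consequence of mixing them up is visible. The ACL name OUTSIDE for the output and the test addresses are assumptions; the two router ACEs are the ones on the slide.

```python
import ipaddress
from typing import List, Tuple

# The two router ACEs from the slide's "Router ACL" example.
ROUTER_ACL = [
    "access-list 101 permit tcp 192.1.20.0 0.0.0.255 any eq 23",
    "access-list 101 permit icmp any 192.1.10.0 0.0.0.255 echo",
]

ALL_ONES = 0xFFFFFFFF


def wildcard_to_netmask(wildcard: str) -> str:
    """Router wildcard (0 = match, 1 = ignore) -> ASA mask (1 = match, 0 = ignore)."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES))


def netmask_to_wildcard(netmask: str) -> str:
    """The complement is its own inverse, so the same operation goes the other way."""
    return wildcard_to_netmask(netmask)


def address_matches(ip: str, base: str, mask: str, one_means_match: bool) -> bool:
    """Compare ip against base under the platform's mask convention.

    one_means_match=True  -> ASA/subnet-mask semantics (1 bits are compared)
    one_means_match=False -> router/wildcard semantics (0 bits are compared)
    """
    m = int(ipaddress.IPv4Address(mask))
    if not one_means_match:
        m ^= ALL_ONES                     # turn the wildcard into the set of compared bits
    return (int(ipaddress.IPv4Address(ip)) & m) == (int(ipaddress.IPv4Address(base)) & m)


def _translate_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec (any | host X | net wildcard) from a router ACE; return ASA text."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {wildcard_to_netmask(tokens[i + 1])}", i + 2


def translate_router_ace(line: str, acl_name: str) -> str:
    """access-list <num> <action> <proto> <src> <dst> [qualifiers] -> ASA named extended ACE."""
    t = line.split()
    if len(t) < 6 or t[0].lower() != "access-list":
        raise ValueError(f"not a router extended ACE: {line!r}")
    action, proto = t[2], t[3]
    src, i = _translate_addr(t, 4)
    dst, i = _translate_addr(t, i)
    rest = " ".join(t[i:])                # eq 23 / echo / nothing
    return f"access-list {acl_name} {action} {proto} {src} {dst} {rest}".rstrip()


def translate_router_acl(lines: List[str], acl_name: str = "OUTSIDE") -> List[str]:
    return [translate_router_ace(line, acl_name) for line in lines]


if __name__ == "__main__":
    for ace in translate_router_acl(ROUTER_ACL):
        print(ace)
    # A wildcard pasted into an ASA ACE is read as a subnet mask and matches the wrong hosts.
    print(address_matches("192.1.20.7", "192.1.20.0", "0.0.0.255", one_means_match=True))   # False
    print(address_matches("10.99.99.0", "192.1.20.0", "0.0.0.255", one_means_match=True))   # True
```

The last two lines show why the distinction matters: 0.0.0.255 read as a subnet mask compares only the last octet, so a rule written that way on the ASA would stop matching the intended /24 and instead match any address ending in .0, a silent policy error that no syntax check catches.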
Lab Configuration
Topology (recovered from the slide diagram):
• Outside: 192.1.20.0/24, R2 E0/0 (.2) to ASA G0/0 (.10). Networks shown beside R2: 10.2.2.0/24, 199.1.1.0/24, 200.1.1.0/24.
• DMZ-4: 192.168.4.0/24, R4 E0/0 (.4) to ASA G0/3 (.10). Network shown beside R4: 10.4.4.0/24.
• DMZ-3: 192.168.3.0/24, R3 E0/0 (.3) to ASA G0/2 (.10). Network shown beside R3: 10.3.3.0/24.
• Inside: 10.11.11.0/24, R1 E0/0 (.1) to ASA G0/1 (.10). R1 also has E0/1 (.1); networks shown beside R1: 10.1.1.0/24, 10.20.20.0/24, 10.10.10.0/24.
Lab Configuration
 This lab builds on the Previous Lab (BGP)
 Allow the following traffic thru the Firewall:
• R2 (192.1.20.2) should be able to Telnet, SSH & Ping the 10.11.11.0/24 network.
• The 199.1.1.0/24 network should be able to access R3 (192.168.3.3) for Telnet and ICMP.
• R3 and R4 should have full access to each other without using an ACL.
 Apply the ACL on the appropriate Interfaces.

Lab Configuration
ASA – OUTSIDE ACL
Access-list OUTSIDE permit tcp host 192.1.20.2 10.11.11.0 255.255.255.0 eq 22
Access-list OUTSIDE permit tcp host 192.1.20.2 10.11.11.0 255.255.255.0 eq 23
Access-list OUTSIDE permit icmp host 192.1.20.2 10.11.11.0 255.255.255.0 echo
Access-list OUTSIDE permit tcp 199.1.1.0 255.255.255.0 host 192.168.3.3 eq 23
Access-list OUTSIDE permit icmp 199.1.1.0 255.255.255.0 host 192.168.3.3 echo
!
Access-group OUTSIDE in Interface Outside
ASA – DMZ-3 to DMZ-4 Access
Same-security-traffic permit inter-interface
Verifications:

• Verify the Access by using Ping and Telnet from Outside to the appropriate devices on
the DMZ and Inside.
• Also verify access between R3 & R4.
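The verification step above is done by hand with ping and telnet from the routers. Before touching the lab, it is worth checking offline that the OUTSIDE ACL permits exactly the flows the requirements list and nothing else. The following is an added example, not code from the slides or from Cisco: a Python parser for the ASA ACE syntax used on these slides (host, network mask, any, eq port, ICMP type), a first-match evaluator with the implicit deny at the end, and a policy check that compares the lab's ACL against the requirements. The ACL text is the lab's; the flows in EXPECTED are constructed from the requirements, with 199.1.1.5 as an assumed host in the 199.1.1.0/24 network and 10.11.11.1 (R1's Inside address) as the Inside target.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# The OUTSIDE ACL from the lab slide, in the order written. ASA evaluates top-down,
# first match wins, and anything unmatched hits the implicit deny.
OUTSIDE_ACL = """
access-list OUTSIDE permit tcp host 192.1.20.2 10.11.11.0 255.255.255.0 eq 22
access-list OUTSIDE permit tcp host 192.1.20.2 10.11.11.0 255.255.255.0 eq 23
access-list OUTSIDE permit icmp host 192.1.20.2 10.11.11.0 255.255.255.0 echo
access-list OUTSIDE permit tcp 199.1.1.0 255.255.255.0 host 192.168.3.3 eq 23
access-list OUTSIDE permit icmp 199.1.1.0 255.255.255.0 host 192.168.3.3 echo
"""

PORT_NAMES = {"ssh": 22, "telnet": 23, "smtp": 25, "www": 80}   # the names the slides mention


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    qualifier: Optional[Union[int, str]]   # TCP/UDP port, ICMP type name, or None for "any"


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one ASA address spec: any | host X | network mask (a normal mask, 1 = match)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(f"{t[i + 1]}/32"), i + 2
    return ipaddress.IPv4Network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0].lower() != "access-list":
            raise ValueError(f"not an ASA ACE: {line!r}")
        action, proto = t[2].lower(), t[3].lower()
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        qual: Optional[Union[int, str]] = None
        if proto in ("tcp", "udp") and i + 1 < len(t) and t[i] == "eq":
            qual = int(PORT_NAMES.get(t[i + 1], t[i + 1]))
        elif proto == "icmp" and i < len(t):
            qual = t[i]                                   # e.g. echo, echo-reply
        aces.append(Ace(action, proto, src, dst, qual))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             qualifier: Optional[Union[int, str]] = None) -> Tuple[str, Optional[int]]:
    """First-match evaluation; returns (action, index of matching ACE) or ('deny', None)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for idx, ace in enumerate(aces):
        if ace.proto not in (proto, "ip"):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.qualifier is not None and ace.qualifier != qualifier:
            continue
        return ace.action, idx
    return "deny", None                                   # implicit deny at the end of every ACL


# (description, proto, src, dst, qualifier, expected action), constructed from the lab requirements.
EXPECTED = [
    ("R2 telnet to Inside",        "tcp",  "192.1.20.2", "10.11.11.1",  23,     "permit"),
    ("R2 ssh to Inside",           "tcp",  "192.1.20.2", "10.11.11.1",  22,     "permit"),
    ("R2 ping Inside",             "icmp", "192.1.20.2", "10.11.11.1",  "echo", "permit"),
    ("199.1.1.0/24 telnet to R3",  "tcp",  "199.1.1.5",  "192.168.3.3", 23,     "permit"),
    ("199.1.1.0/24 ping R3",       "icmp", "199.1.1.5",  "192.168.3.3", "echo", "permit"),
    # Flows the requirements do not grant must fall through to the implicit deny.
    ("199.1.1.0/24 ssh to Inside", "tcp",  "199.1.1.5",  "10.11.11.1",  22,     "deny"),
    ("R2 http to Inside",          "tcp",  "192.1.20.2", "10.11.11.1",  80,     "deny"),
    ("R2 telnet to R3",            "tcp",  "192.1.20.2", "192.168.3.3", 23,     "deny"),
]


def check_policy(aces: List[Ace], expected=EXPECTED) -> List[Tuple[str, str, str]]:
    """Return (description, wanted, got) for each mismatch; an empty list means the ACL matches intent."""
    failures = []
    for desc, proto, src, dst, qual, want in expected:
        got, _ = evaluate(aces, proto, src, dst, qual)
        if got != want:
            failures.append((desc, want, got))
    return failures


if __name__ == "__main__":
    acl = parse_acl(OUTSIDE_ACL)
    for f in check_policy(acl) or [("all expected flows behave as required", "", "")]:
        print(f)
```

Because the check also lists flows that must be denied, it catches over-permissive edits (for example widening host 192.1.20.2 to the whole 192.1.20.0/24) as well as missing permits, which is the part a manual ping-and-telnet verification tends to skip.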
Whiteboard