Routers and firewalls perform an important security function because access control lists (ACL) are typically configured on them. ACLs are ordered sets of rules that control the traffic that is permitted or denied to use a path through a router. These rules can operate at Layer 3, making these decisions on the basis of IP addresses, or at Layer 4,when only certain types of traffic are allowed. When this is done, the ACL typically references a port number of the service or application that is allowed or denied.
Access lists operate as a series of if/then statements: If a given condition is met, then a given action is taken. If the condition isn’t met, nothing happens, and the next statement is evaluated. Once the lists are built, they can be applied to either inbound or outbound traffic on any interface. Applying an access list causes the router/firewall to analyze every packet crossing that interface in the specified direction and to take the appropriate action.
Several categories of firewalls are available on the market today, and they vary in both price and functionality:
* Packet filtering firewalls simply check the characteristics of each packet against the firewall rules without any additional intelligence. Packet filtering firewall capabilities are typically found in routers and other network devices and are very rudimentary firewalls.
* Stateful inspection firewalls go beyond packet filters and maintain information about the state of each connection passing through the firewall. These are the most basic firewalls sold as stand-alone products.
* Next-generation firewalls (NGFWs) incorporate even more information into their decision-making process, including contextual information about users, applications, and business processes. They are the current state-of-the-art in network firewall protection and are quite expensive compared to stateful inspection devices.
* Web application firewalls (WAFs) are specialized firewalls designed to protect against web application attacks, such as SQL injection and cross-site scripting.
I've initially allowed ICMP or ping from "any" IP address on the Cisco ASA firewall "outside" interface towards the "inside" IP address of 192.168.1.0/24. The network traffic from higher security level (100) towards a lower security level (0) is allowed by default if there are no ACL applied on the "inside" interface.
ciscoasa# show run access-list
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 echo
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 time-exceeded
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 unreachable
ciscoasa# show run access-group
access-group OUTSIDE-IN in interface outside
ciscoasa# show nameif
Interface Name Security
GigabitEthernet0 outside 0
GigabitEthernet1 inside 100
R1#ping 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/257/628 ms
R1#ping 192.168.1.50
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/392/620 ms
R1#telnet 192.168.1.50 80
Trying 192.168.1.50, 80 ...
% Connection timed out; remote host not responding
R1#telnet 192.168.1.50 3389
Trying 192.168.1.50, 3389 ...
% Connection timed out; remote host not responding
I need to configure the Cisco ASA firewall to allow network traffic from R1 (200.1.1.1) towards 192.168.1.50 using TCP port 80 (HTTP) and TCP port 3389 (RDP).
ciscoasa# configure terminal
ciscoasa(config)# access-list ?
configure mode commands/options:
WORD < 241 char Access list identifier
alert-interval Specify the alert interval for generating syslog message
106001 which alerts that the system has reached a deny flow
maximum. If not specified, the default value is 300 sec
deny-flow-max Specify the maximum number of concurrent deny flows that can
be created. If not specified, the default value is 4096
ciscoasa(config)# access-list OUTSIDE-IN ?
configure mode commands/options:
deny Specify packets to reject
extended Configure access policy for IP traffic through the system
line Use this to specify line number at which ACE should be entered
permit Specify packets to forward
remark Specify a comment (remark) for the access-list after this keyword
rename rename an existing access-list
standard Use this to configure policy having destination host or network
only
webtype Use this to configure WebVPN related policy
ciscoasa(config)# access-list OUTSIDE-IN extended ?
configure mode commands/options:
deny Specify packets to reject
permit Specify packets to forward
ciscoasa(config)# access-list OUTSIDE-IN extended permit ?
configure mode commands/options:
<0-255> Enter protocol number (0 - 255)
ah
eigrp
esp
gre
icmp
icmp6
igmp
igrp
ip
ipinip
ipsec
nos
object Specify a service object after this keyword
object-group Specify a service or protocol object-group after this keyword
ospf
pcp
pim
pptp
snp
tcp
udp
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp ?
configure mode commands/options:
A.B.C.D Source IP address
any Abbreviation for source address and mask of 0.0.0.0
0.0.0.0
host Use this keyword to configure source host
interface Use interface address as source address
object Keyword to enter source object name
object-group Network object-group for source address
object-group-user User object-group for source address
user User for source address [<domain_nickname>\]<user_name>
user-group User-group for source address
[<domain_nickname>\\]<user_group_name>
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp host ?
configure mode commands/options:
A.B.C.D Source host IP address
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp host 200.1.1.1 ?
configure mode commands/options:
A.B.C.D Destination IP address
any Abbreviation for destination address and mask of 0.0.0.0
0.0.0.0
eq Port equal to operator
gt Port greater than operator
host Use this keyword to configure destination host
interface Use interface address as destination address
lt Port less than operator
neq Port not equal to operator
object Keyword to enter destination object name
object-group Optional service object-group name for source port or network
object-group for destination address
range Port range operator
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp host 200.1.1.1 host 192.168.1.50 ?
configure mode commands/options:
eq Port equal to operator
gt Port greater than operator
inactive Keyword for disabling an ACL element
log Keyword for enabling log option on this ACL element
lt Port less than operator
neq Port not equal to operator
object-group Optional service object-group for destination port
range Port range operator
time-range Keyword for attaching time-range option to this ACL element
<cr>
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp host 200.1.1.1 host 192.168.1.50 eq ?
configure mode commands/options:
<1-65535> Enter port number (1 - 65535)
aol
bgp
chargen
cifs
citrix-ica
cmd
ctiqbe
daytime
discard
domain
echo
exec
finger
ftp
ftp-data
gopher
h323
hostname
http
https
ident
imap4
irc
kerberos
klogin
kshell
ldap
ldaps
login
lotusnotes
lpd
netbios-ssn
nfs
nntp
pcanywhere-data
pim-auto-rp
pop2
pop3
pptp
rsh
rtsp
sip
smtp
sqlnet
ssh
sunrpc
tacacs
talk
telnet
uucp
whois
www
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp host 200.1.1.1 host 192.168.1.50 eq 80
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp host 200.1.1.1 host 192.168.1.50 eq 3389
ciscoasa(config)# show run access-list
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 echo
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 time-exceeded
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 unreachable
access-list OUTSIDE-IN extended permit tcp host 200.1.1.1 host 192.168.1.50 eq www
access-list OUTSIDE-IN extended permit tcp host 200.1.1.1 host 192.168.1.50 eq 3389
R1#telnet 192.168.1.50 80
Trying 192.168.1.50, 80 ... Open
^ZHTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 19 Mar 2018 06:07:54 GMT
Connection: close
Content-Length: 326
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Verb</h2>
<hr><p>HTTP Error 400. The request verb is invalid.</p>
</BODY></HTML>
[Connection to 192.168.1.50 closed by foreign host]
R1#telnet 192.168.1.50 3389
Trying 192.168.1.50, 3389 ... Open
You can issue a show access-list command on the Cisco ASA firewall to verify the ACL network traffic hit count.
ciscoasa# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list OUTSIDE-IN; 6 elements; name hash: 0x9ccc1a31
access-list OUTSIDE-IN line 1 extended permit icmp any 192.168.1.0 255.255.255.0 echo (hitcnt=10) 0xa036473d
access-list OUTSIDE-IN line 2 extended permit icmp any 192.168.1.0 255.255.255.0 time-exceeded (hitcnt=0) 0x1b7b2c90
access-list OUTSIDE-IN line 3 extended permit icmp any 192.168.1.0 255.255.255.0 unreachable (hitcnt=0) 0x6ded0a34
access-list OUTSIDE-IN line 4 extended permit tcp host 200.1.1.1 host 192.168.1.50 eq www (hitcnt=1) 0x0f6be67a
access-list OUTSIDE-IN line 5 extended permit tcp host 200.1.1.1 host 192.168.1.50 eq 3389 (hitcnt=2) 0x3c3ca9ab
Access lists operate as a series of if/then statements: If a given condition is met, then a given action is taken. If the condition isn’t met, nothing happens, and the next statement is evaluated. Once the lists are built, they can be applied to either inbound or outbound traffic on any interface. Applying an access list causes the router/firewall to analyze every packet crossing that interface in the specified direction and to take the appropriate action.
Several categories of firewalls are available on the market today, and they vary in both price and functionality:
* Packet filtering firewalls simply check the characteristics of each packet against the firewall rules without any additional intelligence. Packet filtering firewall capabilities are typically found in routers and other network devices and are very rudimentary firewalls.
* Stateful inspection firewalls go beyond packet filters and maintain information about the state of each connection passing through the firewall. These are the most basic firewalls sold as stand-alone products.
* Next-generation firewalls (NGFWs) incorporate even more information into their decision-making process, including contextual information about users, applications, and business processes. They are the current state-of-the-art in network firewall protection and are quite expensive compared to stateful inspection devices.
* Web application firewalls (WAFs) are specialized firewalls designed to protect against web application attacks, such as SQL injection and cross-site scripting.
I've initially allowed ICMP or ping from "any" IP address on the Cisco ASA firewall "outside" interface towards the "inside" IP address of 192.168.1.0/24. The network traffic from higher security level (100) towards a lower security level (0) is allowed by default if there are no ACL applied on the "inside" interface.
ciscoasa# show run access-list
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 echo
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 time-exceeded
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 unreachable
ciscoasa# show run access-group
access-group OUTSIDE-IN in interface outside
ciscoasa# show nameif
Interface Name Security
GigabitEthernet0 outside 0
GigabitEthernet1 inside 100
R1#ping 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/257/628 ms
R1#ping 192.168.1.50
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.50, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/392/620 ms
R1#telnet 192.168.1.50 80
Trying 192.168.1.50, 80 ...
% Connection timed out; remote host not responding
R1#telnet 192.168.1.50 3389
Trying 192.168.1.50, 3389 ...
% Connection timed out; remote host not responding
I need to configure the Cisco ASA firewall to allow network traffic from R1 (200.1.1.1) towards 192.168.1.50 using TCP port 80 (HTTP) and TCP port 3389 (RDP).
ciscoasa# configure terminal
ciscoasa(config)# access-list ?
configure mode commands/options:
WORD < 241 char Access list identifier
alert-interval Specify the alert interval for generating syslog message
106001 which alerts that the system has reached a deny flow
maximum. If not specified, the default value is 300 sec
deny-flow-max Specify the maximum number of concurrent deny flows that can
be created. If not specified, the default value is 4096
ciscoasa(config)# access-list OUTSIDE-IN ?
configure mode commands/options:
deny Specify packets to reject
extended Configure access policy for IP traffic through the system
line Use this to specify line number at which ACE should be entered
permit Specify packets to forward
remark Specify a comment (remark) for the access-list after this keyword
rename rename an existing access-list
standard Use this to configure policy having destination host or network
only
webtype Use this to configure WebVPN related policy
ciscoasa(config)# access-list OUTSIDE-IN extended ?
configure mode commands/options:
deny Specify packets to reject
permit Specify packets to forward
ciscoasa(config)# access-list OUTSIDE-IN extended permit ?
configure mode commands/options:
<0-255> Enter protocol number (0 - 255)
ah
eigrp
esp
gre
icmp
icmp6
igmp
igrp
ip
ipinip
ipsec
nos
object Specify a service object after this keyword
object-group Specify a service or protocol object-group after this keyword
ospf
pcp
pim
pptp
snp
tcp
udp
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp ?
configure mode commands/options:
A.B.C.D Source IP address
any Abbreviation for source address and mask of 0.0.0.0
0.0.0.0
host Use this keyword to configure source host
interface Use interface address as source address
object Keyword to enter source object name
object-group Network object-group for source address
object-group-user User object-group for source address
user User for source address [<domain_nickname>\]<user_name>
user-group User-group for source address
[<domain_nickname>\\]<user_group_name>
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp host ?
configure mode commands/options:
A.B.C.D Source host IP address
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp host 200.1.1.1 ?
configure mode commands/options:
A.B.C.D Destination IP address
any Abbreviation for destination address and mask of 0.0.0.0
0.0.0.0
eq Port equal to operator
gt Port greater than operator
host Use this keyword to configure destination host
interface Use interface address as destination address
lt Port less than operator
neq Port not equal to operator
object Keyword to enter destination object name
object-group Optional service object-group name for source port or network
object-group for destination address
range Port range operator
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp host 200.1.1.1 host 192.168.1.50 ?
configure mode commands/options:
eq Port equal to operator
gt Port greater than operator
inactive Keyword for disabling an ACL element
log Keyword for enabling log option on this ACL element
lt Port less than operator
neq Port not equal to operator
object-group Optional service object-group for destination port
range Port range operator
time-range Keyword for attaching time-range option to this ACL element
<cr>
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp host 200.1.1.1 host 192.168.1.50 eq ?
configure mode commands/options:
<1-65535> Enter port number (1 - 65535)
aol
bgp
chargen
cifs
citrix-ica
cmd
ctiqbe
daytime
discard
domain
echo
exec
finger
ftp
ftp-data
gopher
h323
hostname
http
https
ident
imap4
irc
kerberos
klogin
kshell
ldap
ldaps
login
lotusnotes
lpd
netbios-ssn
nfs
nntp
pcanywhere-data
pim-auto-rp
pop2
pop3
pptp
rsh
rtsp
sip
smtp
sqlnet
ssh
sunrpc
tacacs
talk
telnet
uucp
whois
www
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp host 200.1.1.1 host 192.168.1.50 eq 80
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp host 200.1.1.1 host 192.168.1.50 eq 3389
ciscoasa(config)# show run access-list
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 echo
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 time-exceeded
access-list OUTSIDE-IN extended permit icmp any 192.168.1.0 255.255.255.0 unreachable
access-list OUTSIDE-IN extended permit tcp host 200.1.1.1 host 192.168.1.50 eq www
access-list OUTSIDE-IN extended permit tcp host 200.1.1.1 host 192.168.1.50 eq 3389
R1#telnet 192.168.1.50 80
Trying 192.168.1.50, 80 ... Open
^ZHTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 19 Mar 2018 06:07:54 GMT
Connection: close
Content-Length: 326
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Verb</h2>
<hr><p>HTTP Error 400. The request verb is invalid.</p>
</BODY></HTML>
[Connection to 192.168.1.50 closed by foreign host]
R1#telnet 192.168.1.50 3389
Trying 192.168.1.50, 3389 ... Open
You can issue a show access-list command on the Cisco ASA firewall to verify the ACL network traffic hit count.
ciscoasa# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list OUTSIDE-IN; 6 elements; name hash: 0x9ccc1a31
access-list OUTSIDE-IN line 1 extended permit icmp any 192.168.1.0 255.255.255.0 echo (hitcnt=10) 0xa036473d
access-list OUTSIDE-IN line 2 extended permit icmp any 192.168.1.0 255.255.255.0 time-exceeded (hitcnt=0) 0x1b7b2c90
access-list OUTSIDE-IN line 3 extended permit icmp any 192.168.1.0 255.255.255.0 unreachable (hitcnt=0) 0x6ded0a34
access-list OUTSIDE-IN line 4 extended permit tcp host 200.1.1.1 host 192.168.1.50 eq www (hitcnt=1) 0x0f6be67a
access-list OUTSIDE-IN line 5 extended permit tcp host 200.1.1.1 host 192.168.1.50 eq 3389 (hitcnt=2) 0x3c3ca9ab
