Teddzy

@netcomng.com

ASA behind a router

Hi experts,

Just wondering if anyone has experienced the same as I am doing currently.

I have an ASA that I put behind a router; the ASA doesn't NAT, but traffic passes via it to get to the LAN. It has a default route pointing to the LAN interface of the router for the internet connection. So it's more like it's just sitting by and watching the traffic as well as inspecting it.

The funny thing is that I have some ACLs that I have created on the ASA to permit some special traffic, but funny enough I am not getting hit counts on the ACLs. See below some examples:

access-list ***OUTSIDE***_access_in; 12 elements; name hash: 0x19c65742
access-list ***OUTSIDE***_access_in line 1 extended permit object-group DM_INLINE_PROTOCOL_1 any any 0x15a9feec
  access-list ***OUTSIDE***_access_in line 1 extended permit ip any any (hitcnt=13100758) 0x08f835d0
  access-list ***OUTSIDE***_access_in line 1 extended permit esp any any (hitcnt=0) 0xa667c7c2
access-list ***OUTSIDE***_access_in line 2 extended permit udp any any eq isakmp (hitcnt=0) 0xd5fa0626
access-list ***OUTSIDE***_access_in line 3 extended permit udp any any (hitcnt=0) 0x02eb084b
access-list ***OUTSIDE***_access_in line 4 extended permit ah any any (hitcnt=0) 0xbbdad6c7
access-list ***OUTSIDE***_access_in line 5 extended permit icmp any any traceroute (hitcnt=0) 0x78c75d57
access-list ***OUTSIDE***_access_in line 6 extended permit tcp any object-group SMB any 0x2ec4a14f
  access-list ***OUTSIDE***_access_in line 6 extended permit tcp any eq 445 any (hitcnt=0) 0x5c9f51d2
access-list ***OUTSIDE***_access_in line 7 extended permit tcp any any eq citrix-ica (hitcnt=0) 0x89b2e0b6
access-list ***OUTSIDE***_access_in line 8 extended permit icmp any any echo-reply (hitcnt=0) 0xe3a73d39
access-list ***OUTSIDE***_access_in line 9 extended permit icmp any any unreachable (hitcnt=0) 0x5b986655
access-list ***OUTSIDE***_access_in line 10 extended permit icmp any any time-exceeded (hitcnt=0) 0x863aac3e
access-list ***OUTSIDE***_access_in line 11 extended permit icmp any any echo (hitcnt=0) 0xd1d2929d
access-list ***OUTSIDE***_access_in line 12 extended permit tcp any any eq 1433 (hitcnt=0) 0xe15f040d
 ..
 

But yet some of the services are working perfectly without me getting hit counts on them, and some are not. For example, I have s2s VPN configured on the router, then on the ASA I opened ports for the VPN as seen, and that is working flawlessly. I am having issues with the last ACL opening port 1433; anyone on the VPN can't seem to get via it.

So please, anyone with ideas why that's not working? Also I wouldn't mind an FAQ on configuring an ASA behind a router.

Cheers
Ted


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:4

I would say it's most likely because of this rule:

access-list ***OUTSIDE***_access_in line 1 extended permit ip any any
 

Any IP packets coming in are hitting this rule and being permitted through first strike off the bat, which ends ACL processing for that packet, and thus you'll never reach any of the rules lower in the list unless it happens to be a non-IP packet.

If you only want certain ports/IPs open, then you need to remove that rule, or move it lower in the list if you want to record packet counts.

If you remove it, then any ports/IPs you haven't explicitly allowed through will be blocked, and this may "break things."

If you move it lower in the list, likely you won't notice any difference, but you will start to see hits being counted against your other rules.

ACLs are processed in order, top to bottom, so you need to order them properly to get the desired outcome. :-)
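As an added illustration of the shadowing TomS_ describes (example code, not from the thread or from Cisco): a small Python checker that parses `show access-list` output and reports every entry that an earlier, broader entry fully covers, so a zero hit count can be told apart from traffic that simply never arrived. The sample lines are constructed in the shape of Ted's output, with the hit counts made up.

```python
import re
# Constructed sample in the shape of ASA "show access-list" output (hit counts made up).
SAMPLE = """\
access-list OUTSIDE_access_in line 1 extended permit ip any any (hitcnt=13100758) 0x08f835d0
access-list OUTSIDE_access_in line 2 extended permit udp any any eq isakmp (hitcnt=0) 0xd5fa0626
access-list OUTSIDE_access_in line 11 extended permit icmp any any echo (hitcnt=0) 0xd1d2929d
access-list OUTSIDE_access_in line 12 extended permit tcp any any eq 1433 (hitcnt=0) 0xe15f040d
"""
ENTRY = re.compile(r"access-list (\S+) line (\d+) extended (permit|deny) (\S+) (.*?) \(hitcnt=(\d+)\)")

def _take_addr(toks):  # any/any4/any6, "host A.B.C.D", or "network mask"
    if toks[0].startswith("any"):
        return "any", toks[1:]
    if toks[0] == "host":
        return toks[1], toks[2:]
    return toks[0] + "/" + toks[1], toks[2:]

def _take_port(toks):  # optional "eq PORT" or "range LO HI"; "any" when absent
    if toks and toks[0] == "eq":
        return toks[1], toks[2:]
    if toks and toks[0] == "range":
        return toks[1] + "-" + toks[2], toks[3:]
    return "any", toks

def parse_entry(line):
    """Parse one expanded ACE line; None for the ACL header or object-group summary lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    acl, lineno, action, proto, rest, hits = m.groups()
    toks = rest.split()
    src, toks = _take_addr(toks)
    sport, toks = _take_port(toks)
    dst, toks = _take_addr(toks)
    dport, toks = _take_port(toks)
    if toks:  # leftover token, e.g. an ICMP type such as "echo" or "traceroute"
        dport = toks[0]
    return dict(acl=acl, line=int(lineno), action=action, proto=proto,
                src=src, sport=sport, dst=dst, dport=dport, hits=int(hits))

def covers(a, b):
    """True when every packet matching ACE b would already have matched the earlier ACE a."""
    proto_ok = a["proto"] == "ip" or a["proto"] == b["proto"]
    return proto_ok and all(a[k] in ("any", b[k]) for k in ("src", "sport", "dst", "dport"))

def shadowed_lines(text):
    """Return [(shadowed_line, shadowing_line)] for every ACE an earlier ACE fully covers."""
    entries = [e for e in map(parse_entry, text.splitlines()) if e]
    return [(b["line"], a["line"]) for i, b in enumerate(entries)
            for a in entries[:i] if covers(a, b)]
```

Run `shadowed_lines(SAMPLE)` on the sample to see lines 2, 11 and 12 all reported as shadowed by line 1; feed it real `show access-list` output to audit an ACL before reordering it.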

HELLFIRE

join:2009-11-25
kudos:7

reply to Teddzy
Try this FAQ entry.

Regards



Teddzy

@netcomng.com

@Toms: Thanks for the insight into the problem; I guessed as much, that's where it lies. I wanted to sound out the opinion of another pro in the game. I appreciate it. But I'm asking because that permit ip any any is associated with an IPS module installed on the ASA, passing traffic to the IPS module for inspection. I guess this is where it gets a bit complicated. One thing I think I'll do is to know the exact traffic I need to pass to the IPS module to inspect.

@Hell, bro you are a life saver..... oh! Tom you are too hehehe! The link is just what I needed to go via! Thanks a lot bro!

Guys thanks!!!

Ted


HELLFIRE

join:2009-11-25
kudos:7

reply to Teddzy
Better if you can post your full config, minus passwords and other sensitive info, for review.

If you're trying to send data to the IPS, IIRC you don't do it via an ACL but a policy map.
You may want to check Cisco for config guides on how to do this, or supply the config and
we can take a look.

Regards



OVERKILL

join:2010-04-05
Peterborough, ON

said by HELLFIRE:

Better if you can post your full config, minus passwords and other sensitive info, for review.

If you're trying to send data to the IPS, IIRC you don't do it via an ACL but a policy map.
You may want to check Cisco for config guides on how to do this, or supply the config and
we can take a look.

Regards

Yup

Though I must say that setting it up via ASDM is pretty bloody easy if he wants to go that route to configure his transparent setup.

aryoba
Premium,MVM
join:2002-08-22
kudos:3

For some people that have always been working using the CLI, using a GUI confuses them a lot, not to mention slows down the work.

Here is why. First, the PIX GUI used to be unreliable. With today's ASA GUI (which is much more reliable), you cannot really see every piece of configuration on the same display, since you have to go through several menus to get an idea of how or why the ASA was configured that way.

Second, to make changes on the ASA GUI you again may have to go through several menus (depending on what you are doing), not to mention the wait time for the ASA to save configuration changes. With the CLI and proper planning, you can simply copy and paste your changes plus save the work, which may only take 1 minute.

On the other hand, auditors and some security people love the GUI since it shows nice colors and displays (which was one of the reasons Checkpoint was popular then). Also you have write access through the GUI even though you don't have write access through the CLI.

I myself enjoy using the GUI for IDS/IPS management since it makes for simple work in reviewing Signature Definitions and rules. Other than that I tend to use the CLI as often as possible.



OVERKILL

join:2010-04-05
Peterborough, ON

said by aryoba:

For some people that have always been working using the CLI, using a GUI confuses them a lot, not to mention slows down the work.

Here is why. First, the PIX GUI used to be unreliable. With today's ASA GUI (which is much more reliable), you cannot really see every piece of configuration on the same display, since you have to go through several menus to get an idea of how or why the ASA was configured that way.

Second, to make changes on the ASA GUI you again may have to go through several menus (depending on what you are doing), not to mention the wait time for the ASA to save configuration changes. With the CLI and proper planning, you can simply copy and paste your changes plus save the work, which may only take 1 minute.

On the other hand, auditors and some security people love the GUI since it shows nice colors and displays (which was one of the reasons Checkpoint was popular then). Also you have write access through the GUI even though you don't have write access through the CLI.

I myself enjoy using the GUI for IDS/IPS management since it makes for simple work in reviewing Signature Definitions and rules. Other than that I tend to use the CLI as often as possible.

Good points

I use the CLI for IOS-based devices, but I never used PIX (GUI or CLI), so when I got my first ASA, I tried ASDM and found it worked quite well. Certainly a massive improvement over SDM and CCP for IOS, which are almost useless.

So I find myself using ASDM on the ASAs unless I need to use the CLI for something.

Same with Juniper: I've never used their gear in the past, so when I got my SSG, I figured I'd try the GUI and found it quite workable. So I haven't bothered to learn the ScreenOS CLI, and with it becoming obsolete, I likely won't bother going forward either.

aryoba
Premium,MVM
join:2002-08-22
kudos:3

Be careful with the Juniper GUI, since it may suffer the same problem as the old PIX GUI, which was unreliable. One of my coworkers used the GUI to make changes on some SRX firewall. The change was about inserting/adding/moving a permit rule. From the GUI perspective, the rule was in place. However, when the traffic flow test was conducted, no traffic was flowing. When I had him log in using the CLI, he found out that the change was not in place.

I myself never used the Juniper GUI (either SRX, SSG, or even the old Netscreen). I always used the JUNOS or ScreenOS CLI. So this Juniper GUI unreliability thing is kind of surprising.



OVERKILL

join:2010-04-05
Peterborough, ON

said by aryoba:

Be careful with the Juniper GUI, since it may suffer the same problem as the old PIX GUI, which was unreliable. One of my coworkers used the GUI to make changes on some SRX firewall. The change was about inserting/adding/moving a permit rule. From the GUI perspective, the rule was in place. However, when the traffic flow test was conducted, no traffic was flowing. When I had him log in using the CLI, he found out that the change was not in place.

I myself never used the Juniper GUI (either SRX, SSG, or even the old Netscreen). I always used the JUNOS or ScreenOS CLI. So this Juniper GUI unreliability thing is kind of surprising.

Well, touch wood, I've had no issues with it so far, LOL


Teddzy

@metrong.com

Hi guys,

Wow, am I so happy to get the feedback from you all. Well, to quickly answer your question about IPS traffic passing: for now I just have the base config on the ASA. What I did was to put in the permit ip any any to send traffic to the IPS with the following command.
 policy-map global_policy
        class MR-IPS-TRAFFIC
      class-map MR-IPS-TRAFFIC
      access-list IPSTRAFFIC extended permit ip any any
 ..
 

That's what I was using to pass traffic through to the IPS; I would greatly appreciate your gesture on how to get the traffic to the IPS.

Still on the ASA issue, I mean super thanks to Aryoba for compiling the FAQs.

But I have a little twist to the ASA behind a router doing VPN. See attached the topology I have working for me. Currently I have s2s VPN configured on the 2811 to a vendor hosting some service we make use of; now I have been asked to configure VPN on the 2911 to make it the primary link to the same vendor while the 2811 is the redundant link. The problem is that the 2911 doesn't have a security license on it. It's just the base IOS 15 on it.

I have gone via the FAQs, seeing that I could use the option whereby the router doesn't do NAT but the ASA does. But in my case the 2911 does the NAT; I pretty much guess I could tweak things.

But i just want to hear from you all what's your take on this. I'll oblige you further info if you are not clear about the diagram.

Thanks.

HELLFIRE

join:2009-11-25
kudos:7

reply to Teddzy
Which version of ASA code are you running? You may want to look at here for a guide,
but off the top of my head, you're missing the section of commands that actually tell
the ASA to send the matched traffic to the ips, namely

 ips inline | promiscuous ...
 

Try that and let us know how it goes.

Regards


Teddzy

@metrong.com

Hey Hell,

Thanks for that, I actually omitted that when I sent you the earlier config; I do have it inline anyway.

 ips inline fail-open
 

As for my ASA, I'm using Adaptive Security Appliance Software Version 8.2(1).

I'm looking at upgrading it real soon to 8.3 or 4, but I have to study the differences in it, just so I don't get fried and grilled using it :D ;) :p.

Good enough, I have some 5505s that I'll try it out with first, then progress to the 5510.

Thanks for taking time out to reply.

Cheers
Teddy

HELLFIRE

join:2009-11-25
kudos:7

reply to Teddzy
Just to double-check, can you post the full config, minus any passwords or sensitive info?

As far as I know, a class-map / policy-map config is all you need to tell the ASA to send
traffic to the IPS sensor.

Regards


aryoba
Premium,MVM
join:2002-08-22
kudos:3

reply to Teddzy

said by Teddzy:

Still on the ASA issue, I mean super thanks to Aryoba for compiling the FAQs.

You are welcome

said by Teddzy:

But I have a little twist to the ASA behind a router doing VPN. See attached the topology I have working for me. Currently I have s2s VPN configured on the 2811 to a vendor hosting some service we make use of; now I have been asked to configure VPN on the 2911 to make it the primary link to the same vendor while the 2811 is the redundant link. The problem is that the 2911 doesn't have a security license on it. It's just the base IOS 15 on it.

I have gone via the FAQs, seeing that I could use the option whereby the router doesn't do NAT but the ASA does. But in my case the 2911 does the NAT; I pretty much guess I could tweak things.

But i just want to hear from you all what's your take on this. I'll oblige you further info if you are not clear about the diagram.

Thanks.

It is a common setup to have a firewall such as the ASA do the IPSec VPN termination while the router sitting behind the ASA does the GRE tunnel and/or internal routing. The following FAQ shows some choices and illustrations.

»Cisco Forum FAQ »Private Routing over VPN: NAT/PAT, GRE, IPSec Sample Configurations

It is also a common setup to only have NAT once, which takes place at the Internet-facing equipment (in this case, your ASA). If for some reason the router sitting behind the firewall has to do NAT, then there will be a double-NAT situation.

Note that a double-NAT situation still works with any application including IPSec VPN; however, make sure that you are aware that the ASA can only see the networks behind the router by their NAT-ed IP addresses instead of their "real" IP addresses. Another consideration is to watch the NAT table timeout on both the ASA and the router, which should match in order to avoid disconnections or potential slowness.

aryoba
Premium,MVM
join:2002-08-22
kudos:3

reply to Teddzy

said by Teddzy:

But I have a little twist to the ASA behind a router doing VPN. See attached the topology I have working for me. Currently I have s2s VPN configured on the 2811 to a vendor hosting some service we make use of; now I have been asked to configure VPN on the 2911 to make it the primary link to the same vendor while the 2811 is the redundant link. The problem is that the 2911 doesn't have a security license on it. It's just the base IOS 15 on it.

I can see that the network design will be messy (if it works at all) when you try to have the ASA terminating IPSec VPN, unless you have a dedicated BGP AS with your own public IP addresses announced via eBGP to both ISPs. When you have, let's say, cable Internet on one ISP and T1 or DSL on another ISP, most likely the network design will not be stable.

If I had a choice to design the network, I would have some Layer-3 switch decide routing between ISP 1 and 2. This Layer-3 switch sits behind the ASA. The 2811 router will connect directly to the Layer-3 switch while the 2911 router keeps the existing connection. The 2811 keeps its existing NAT and IPSec functionality while the ASA terminates the IPSec VPN going through the 2911 and ISP 1 only. This statement assumes that the 2811 router has sufficient firewall functionality, which the 2811 security license should warrant.


Teddzy

@41.75.84.x

Hello Aryoba,

Thanks for your reply, I have noted your design, which makes sense enough. I will definitely put that into big consideration. The 2811, I should say, has enough security features. I might as well set it up for a Zone-Based Firewall and allow everything we need to come through.

Thanks for the suggestion. Phew, thanks a lot.

Teddy

