Cisco CCIE Security 350-701: ASA ACLs – Object Groups Part 1

  1. ASA ACLs – Overview

Now the next thing we’ll talk about is access control lists. At this point I expect you to have some basic understanding of the ACL topic, which is generally covered in CCNA Routing and Switching. So I’ll quickly walk through an overview of ACLs, and then we’ll see what the differences are between the ACLs on the ASA and the ACLs on the routers, and what the similarities are. An ACL is a set of rules which will allow or deny the traffic moving through the router. If any traffic is moving through the router, I can write an ACL to either permit that particular traffic or deny it. But the condition is that the traffic must be moving through the router.

That’s the condition. So in simple words we can also say that it controls the flow of traffic between the interfaces, from one network to another network. As a basic example, let’s say I want to deny some traffic: the users sitting on the 1.x network should not be able to access my HTTP server (the 2.1 host in the diagram). So we define some rules; each entry is referred to as an access control entry, and these entries are grouped together and referred to as an access control list. Now when the traffic starts, the packet, with its source address, destination address, protocol, port numbers and everything else inside the header, goes to the router, and the router is going to forward it to the firewall.

Let’s say you assume this is my LAN and this is my Internet, or maybe you assume this is my DMZ network where you are hosting some servers, and you want to restrict the users sitting in my LAN so that they cannot access the HTTP server. So what we’ll do is go to the ASA or the router and define the rules, and once the traffic hits that interface (maybe I’m applying the ACL inbound here, or you can apply it in the outbound direction), it’s going to check the ACL entries, and based on the entries it will either allow or deny. So in general, for any traffic hitting the interface, if there is an ACL configured, the ACL will decide what traffic is allowed and what traffic is not allowed. And by default it works in sequence order: it will try to match the first statement.

If the first statement does not match, it tries to match the second statement. If the second statement does not match, it tries to match the third statement, and so on. If no statement matches, and I don’t say permit any, we call it the implicit deny: if nothing matches, the traffic is automatically dropped. In the same way you can add other rules, like denying the users of the 3.x network trying to access something like an FTP server from the outside network, or whatever it is. You can assume this interface is my LAN, this is my DMZ where I’m hosting some servers, and this is my outside network, where the user is coming from the Internet. Now the rest of the traffic, if it does not match the above two statements, will be automatically permitted because of the permit any statement.

So it will try to match the first statement. If it does not match, it tries the second statement. If that does not match, it tries the third statement, and as per the third statement, any traffic is permitted. So basically I expect you to know these concepts already from CCNA Routing and Switching, and I also expect you to know the configuration and verification on the Cisco IOS routers, because 90% or more of it is still the same. Concept-wise there is not much difference; the only difference is that the way you configure it on the ASA is going to be different. Now, the similarities between the ACLs on the ASA firewall and on the IOS routers: they are almost the same on both. The ACLs are made up of one or more access control entries.

Each line is referred to as an ACE (access control entry), and they are grouped together and referred to as an access control list. And of course it works in sequence order from top to bottom. It tries to match the first statement; if the traffic matches the first statement, it exits the ACL and does not go on to check the other statements. If nothing matches, the traffic is denied at the end. We can also add remarks for each and every ACL, like telling that this ACL is doing so and so, some kind of description. In both cases we can normally apply one ACL per interface per direction, and both kinds of ACLs can be enabled or disabled based on time ranges.

So we can also define a time range where we say that the FTP traffic should be denied only during office hours, from 09:00 a.m. to 05:00 p.m., maybe only on the weekdays, Monday to Friday, something like that. We can associate the ACEs with the time ranges and restrict or allow the traffic in a specific time range. Now the differences: if you look at the differences, there are just a very few. In the routers, if you want to match a specific network, let’s say I want to match the 192.168.1.0 network, whether you deny or permit it, we write a wildcard mask. The wildcard mask tells which portion it has to match and which portion it should ignore.

But in the case of ASA firewalls, we write a subnet mask, not a wildcard mask. So on ASA firewalls we don’t use wildcard masks anywhere, not in the ACLs, nowhere; we use the subnet mask instead of the wildcard mask. That is one difference. And on the ASA we can use only named ACLs, we cannot use numbered ACLs, whereas on routers we can use both numbered and named ACLs. Here it is just named ACLs, and even if you write some number it will treat it as a name: if you just write 1234, it will simply think of it as a name when defining the ACLs. And on routers, by default, there are no security policies, which means that on a router, by default, any traffic coming in on one interface will be automatically allowed out on the other interface unless you deny the traffic by using some kind of ACL.

Which means the traffic between the interfaces is allowed by default, because the router does routing, not actually security. If you want to add some security, we can configure some ACLs. But the ASA by default has security policies, because every interface is configured with a security level, and based on the levels the traffic is allowed or denied. By default, traffic from a higher to a lower security level is allowed, and traffic from a lower to a higher level is denied. So this means that if you want to permit some traffic from 0 to 100, or maybe from 0 to 50, you need to write an ACL to specifically allow the traffic which is denied by default.

And let’s say by default the traffic from 100 to 0 is permitted; if you want to deny some specific traffic, then we can write an ACL. So in simple terms there are default security policies on the ASA firewalls based on the security level numbers configured on the interfaces. Based on that, the traffic is by default either permitted or denied. If you want to add some additional rules, we use ACLs. Now one thing we need to understand: once we apply an ACL on a specific interface, the traffic flowing in on that interface and going through the firewall will be controlled by the ACL, no longer by the default security policies.

As I already discussed, verifying this from 100 to 0: if you try to initiate a telnet connection from 100 to 0, by default it’s allowed. So it works from router one to router two. But if you try to telnet from router two to router one, the telnet is not going to work, because by default traffic from 0 to 100 is not allowed. This is the verification from router two to router one. So by default traffic from higher to lower is permitted, lower to higher is denied, and the traffic is automatically inspected. Which means that if you are allowing the traffic from 100 to 0, the ASA will automatically keep a state table for the return traffic.

  2. ASA ACLs – Basic Example

Now in this video we’ll see a basic example of how to configure an ACL on the ASA firewalls. Here I have a basic setup where the routers are pre-configured with some default routes, and on the ASA firewall nothing else is configured. So let me just quickly verify the basic setup. I have this configuration done in GNS3 here, and on the ASA, if I say show interface ip brief, you can verify the basic interface configuration. I’m using the G1 and G2 interfaces, connecting to router one and router two. And also if I say show ip route, I have a default static route configured. So what I’ll do is configure some routes on the ASA as well.

So I’ll set up some routing on my ASA, where I’ll say route inside: I’m going to write a static route for the 10.1.x network, which is on the router one LAN, that is the loopback of router one. The next hop is 10.0.10.1. And I’m going to write another route, route outside, for the 2.2.2.x network, simply because we’ll try to initiate some traffic between router one and router two, so we need to make sure that the ASA is able to route the traffic. Because what I’m trying to do here depends on the default security levels: we have 0 configured on the outside interface and 100 on the inside, and by default traffic from outside to inside is not allowed, based on those default security levels.

But what I want is to allow some users on the router to telnet. In my case, I’m going to write a rule saying that if the telnet connection is coming from this host, that is 10.0.0.22, and it is going to this address, 10.0.10.1, it should be permitted. As I said, I’m going to verify with telnet traffic, and I’m going to apply the ACL on the interface. So let me quickly configure this on the ASA firewall. Access list configuration is very similar to the routers: we start with access-list and give some name for the access list, so I’ll simply say out_in, some name, and then we need to tell whether it is a standard or extended ACL.

Generally, if you don’t define it, the default is extended. I’m going to say permit, because by default the traffic from outside to inside is denied and I want to allow the user. I could say any source, any destination, if you want to allow anyone to access telnet, but I’m going to specifically write down that the protocol is TCP, coming from host 10.0.0.22, which is router two, going to 10.0.10.1, which is router one, and eq telnet. That’s it. By default all the remaining traffic is denied, so we don’t need to specifically mention the deny. Then we need to apply it. To apply, we don’t go to the interface; we use the access-group command. In this scenario I want to apply the ACL inbound on the outside interface.

So the direction is inbound, on the outside interface. We say access-group, then the name of the ACL, then the direction, in or out, and then the interface name: in on interface outside. Once you configure this, we’ll go to router two and verify. I’ll initiate a telnet connection from router two to router one; as per the ACL it should be allowed, as you can see. But if I try the same thing with some other source address, I’m going to say 2.2.2.2: there is a loopback 0 interface on router two, so I’m trying to initiate the connection with the source address 2.2.2.2.

It’s not going to work, and the reason is that the ACL only allows traffic from this source to this destination; if I initiate from another source it’s not allowed by default. So if you want to allow 2.2.2.2 as well, we need to write another access-list statement. To verify, we can use the show access-list command, and then I can say access-list out_in extended permit tcp host 2.2.2.2 host 10.0.10.1 eq telnet. This ACL is already applied, so I don’t need to apply it again. Now if I initiate the traffic from the loopback, it’s going to work. So it’s all about how you write the ACLs. This is how we configure the ACL.

Likewise, if you want to deny some specific traffic from inside to outside, we can write some deny statements, like some users should not be able to access some kind of server. Let’s say I want to deny the 10.x network accessing a specific server on the Internet (the 5.1 host in the diagram) eq http; you write all the deny statements, and the rest of the traffic you want to allow. So we need to specifically say permit ip any any, because any traffic going from the LAN to the Internet is allowed by default. So we write some deny statements and then say that the rest of the traffic should be permitted.
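The configuration below is an added example, not the course’s own lab config; it puts together the differences listed in the overview (named ACLs, subnet masks instead of wildcard masks, access-group instead of a per-interface command) and both directions of the basic example. The 10.1.1.0/24 loopback network, the 2.2.2.0/24 route next hop, the interface names and the 5.1.1.1 server address are assumptions.

```cisco
! Added example (not the course's own configuration). Assumed addresses:
! R1 loopback network 10.1.1.0/24 behind inside (next hop 10.0.10.1),
! R2 at 10.0.0.22 on outside, R2 loopback 2.2.2.2 reached via 10.0.0.22.
!
! --- routes so the ASA can forward between R1 and R2 ---
route inside 10.1.1.0 255.255.255.0 10.0.10.1
route outside 2.2.2.0 255.255.255.0 10.0.0.22
!
! --- outside (level 0) to inside (level 100) is denied by default, so the
! ACL lists only what is allowed; everything else hits the implicit deny ---
! Note the subnet-mask style ("host x" or "net mask"), never a wildcard.
access-list out_in remark Allow R2 and its loopback to telnet to R1 only
access-list out_in extended permit tcp host 10.0.0.22 host 10.0.10.1 eq telnet
access-list out_in extended permit tcp host 2.2.2.2 host 10.0.10.1 eq telnet
!
! Binding is done with access-group, not under the interface.
access-group out_in in interface outside
!
! --- inside (100) to outside (0) is allowed by default, but once an ACL is
! bound the ACL decides, so the closing "permit ip any any" must be explicit ---
! (www = TCP 80, the "eq http" from the lecture)
access-list in_out extended deny tcp 10.0.10.0 255.255.255.0 host 5.1.1.1 eq www
access-list in_out extended permit ip any any
access-group in_out in interface inside
!
! --- IOS equivalent of the inside ACL, for contrast: wildcard mask and an
! ip access-group under the interface (shown commented, ASA will not accept it) ---
! ip access-list extended in_out
!  deny   tcp 10.0.10.0 0.0.0.255 host 5.1.1.1 eq www
!  permit ip any any
! interface GigabitEthernet0/0
!  ip access-group in_out in
!
! --- verification: hit counts per ACE and the current bindings ---
show access-list out_in
show access-list in_out
show running-config access-group
```

The hitcnt column in show access-list is the quickest way to confirm that the 2.2.2.2 telnet test is matching the second ACE rather than falling through to the implicit deny.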

  3. Traffic Between Same Security Levels

The next thing we’ll see is the default security policy if the traffic is moving between the same security levels. In the previous sections we have seen that any traffic coming from higher to lower is permitted by default unless you write an ACL to deny it, and that traffic from lower to higher is not allowed by default. But what if I have two DMZ zones, where I’m going to place some servers, and I configure the same security level, 50 and 50? What will be the default security policy for the traffic moving between the same levels? The default is not allowed. So by default, interfaces with the same security level cannot communicate with each other, and packets cannot enter and exit on the same interface.

That’s the default security policy between same-level interfaces. But sometimes you may want to allow the traffic between these same levels. Maybe you have some kind of VPN traffic, or maybe you have two DMZs and you want to allow these two DMZs to talk to each other; you don’t want to use higher and lower numbers, you still want them to use the same numbers and communicate with each other. Then we need to enable a command on the ASA: same-security-traffic permit inter-interface. This command ensures that the traffic between the same levels is allowed; by default it’s not allowed.

So to allow it, we need to configure this. You may think: what if I write ACLs to allow the traffic between the same levels? Can I use ACLs to permit specific traffic between same-level interfaces? The ACL is not going to help you, and I have documented one example here: I’m creating an ACL to permit all the traffic between these two interfaces and applying it inbound on the interface. It’s not going to work; if you try to telnet, it’s not going to work. The only way you can allow users on the same levels to talk to each other is this configuration, not ACLs.
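The two-DMZ case from this section as an added example (not the course’s lab config); the interface names, the 172.16.x addresses and the dmz1_in ACL are assumptions. It shows the global command that actually unlocks same-level traffic and how an ACL then narrows it.

```cisco
! Added example (not the course's own configuration); interface names
! and addresses are assumed.
interface GigabitEthernet0/2
 nameif dmz1
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif dmz2
 security-level 50
 ip address 172.16.2.1 255.255.255.0
!
! Without this line dmz1 <-> dmz2 traffic is dropped even if an ACL permitting
! it is bound to either interface (the failed telnet test in the lecture).
same-security-traffic permit inter-interface
!
! Second default restriction from the lecture: packets may not enter and
! leave on the same interface. Only enable this if hairpinning is needed.
same-security-traffic permit intra-interface
!
! With inter-interface enabled, an ACL can still restrict what crosses the
! two DMZs: only web traffic, everything else between them denied, and the
! explicit permit at the end keeps dmz1's other (lower-level) traffic working.
access-list dmz1_in extended permit tcp 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0 eq www
access-list dmz1_in extended deny ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list dmz1_in extended permit ip any any
access-group dmz1_in in interface dmz1
!
! --- verification ---
show running-config same-security-traffic
show access-list dmz1_in
```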
