0:00:15 its Access Control Lists, or ACLs, how the object groups
0:00:20 can be used for
0:00:23 management of the access list
0:00:26 and how this is going to be used as an exception
0:00:28 the access list is used as an exception to the Modular Policy Framework inspection
0:00:36 Now, by default, as we talked about before
0:00:38 the ASA is going to allow traffic from a higher security level
0:00:42 to a lower security level
0:00:45 where the inside interface is at security level 100
0:00:48 the outside level is at security level 0
0:00:51 so we can go from inside to out
0:00:54 then we would go from outside to in
0:00:57 which is lower to higher
0:00:59 only if a state already exists
0:01:02 from the Modular Policy Framework inspection
0:01:06 Now, the potential problem with this
0:01:08 is that not all types of traffic
0:01:10 can actually be inspected by the Modular Policy Framework
0:01:15 and this is due to limitations of the different applications that the inspection engine supports
0:01:21 now in general
0:01:23 the potential issue with stateful firewalls
0:01:27 is that when traffic is moving from the inside network to the outside network
0:01:33 the firewall is usually going to expect the return traffic
0:01:37 to be an exact mirror image
0:01:40 of the traffic that is leaving the network
0:01:43 now the way we could think of this
0:01:46 is how a normal standard
0:01:48 TCP application works
0:01:51 So, let's say for example that we have
0:01:52 some sort of stateful firewall
0:01:55 in the transit path from a TCP client
0:02:00 that is trying to send traffic to a TCP server
0:02:05 and let's assume that this is running the web service
0:02:08 So the web service is going to run on regular port 80
0:02:12 Now the client, we'll say, has an IP address of A
0:02:16 the server has an IP address of B
0:02:21 for the first portion of the 3-way handshake
0:02:25 the traffic is going to go from the client to the server
0:02:29 as it enters the firewall inside interface
0:02:33 and leaves on the firewall outside interface
0:02:37 specifically this packet
0:02:40 has an IP
0:02:43 source address of A
0:02:46 it has a destination of B
0:02:50 it has a source port
0:02:54 that is a random number
0:02:57 and it has a destination port
0:02:59 that is port 80, which is the well known port
0:03:03 now specifically, in a handshake, this is a TCP SYN
0:03:09 Now, based on this packet, going from the inside to the outside
0:03:13 the firewall is going to make some assumptions about what the return traffic should look like
0:03:19 it's going to assume that if this is a standard TCP application
0:03:23 that what used to be the source address
0:03:27 is now changed to the destination address
0:03:31 what used to be the source port is now changed to the destination port
0:03:38 what used to be the destination address is now the source address
0:03:41 what used to be the destination port is now the source port
0:03:46 so this is what it's looking for
0:03:49 in the second step of the handshake, this would be our
0:03:52 TCP SYN and the acknowledgement
0:03:57 then from that point on
0:03:59 all the traffic going from the inside out is going to be similar to the first step
0:04:04 except instead of SYN it's going to be PUSH
0:04:07 and depending on the actual data transfer between the client and the server
0:04:12 but the firewall is going to know what the traffic flow should look like
0:04:15 because it knows the source port
0:04:17 the destination port, the source address, the destination address
0:04:21 and it's going to know the TCP sequence numbers
0:04:23 based on the negotiation that's going through that
0:04:28 now where the firewall runs into trouble
0:04:31 is where the outbound traffic flow
0:04:34 is not the same as the inbound traffic flow
0:04:38 and this happens in non standard applications
0:04:42 which would be things like IP telephony
0:04:45 or FTP transfers
0:04:48 that are using either active or passive FTP
0:04:53 or things like a simple traceroute
0:04:56 now let's take FTP
0:04:58 as an example case
0:05:01 now if you look at what is the difference between
0:05:04 FTP active versus passive
0:05:07 there are actually two different ways
0:05:10 that the protocol can work
0:05:12 and what it controls is what other particular port numbers are going to be used
0:05:17 and who is originating the session, whether it's coming from the client or whether it's coming from the server
0:05:23 now in this case we are looking at what is known as an active FTP session
0:05:28 So this is the default mode of the protocol
0:05:31 FTP actually uses two different port numbers
0:05:34 it uses TCP 21
0:05:37 and it uses TCP 20
0:05:40 I know most people, when they think about FTP, they just think about TCP 21
0:05:45 because that's the address that you connect to the server on
0:05:48 but that address is used as the command channel
0:05:52 it is not used as the data channel
0:05:55 where the command channel is the one where we're sending the actual commands
0:05:58 like list, get, put, delete, etc
0:06:03 where the data channel, that's where the actual transfer happens
0:06:06 now you can see from the diagram here, when the connection is actually drawn out
0:06:11 the first thing that happens is the client
0:06:14 sends the request to the server
0:06:16 now they are assuming here that the client is using the source port, a random port of 1026
0:06:22 goes to the server, the destination is 21
0:06:26 now if there was a firewall in the middle here
0:06:29 the firewall would assume that now this
0:06:32 transmission is going to swap
0:06:33 that the source port, excuse me, the source address is the number
0:06:37 the source port becomes 21
0:06:41 the destination port is 1026, the destination address is the client
0:06:46 Hey, that's fine, that's what happens in step 2
0:06:49 So the client is telling the server, I want to receive some file
0:06:53 So it's sending like the
0:06:55 the FTP retrieve
0:06:59 now when the server actually gets this command
0:07:02 it does not send the actual
0:07:04 file over the same communication
0:07:07 it opens up a new channel
0:07:10 that is from port 20
0:07:14 going to a random high port on the client
0:07:18 the client then replies
0:07:20 where the client's traffic is going to port 20
0:07:23 it's coming from this new random port
0:07:26 now this is where the firewall logic
0:07:28 falls apart, in step 3 and step 4 here
0:07:32 that the firewall was expecting
0:07:34 traffic to be going between the client and server
0:07:38 where the client is using destination port 21
0:07:40 and the server is using source port 21
0:07:44 but now we have the second area, the data channel, is open using a different port number
0:07:48 the firewall didn't expect this
0:07:50 Hey, this is why when you look at the ASA specific implementation
0:07:55 and we look at the show run policy-map
0:07:59 it needs to have a specific application level inspection for FTP
0:08:06 because it actually needs to look at the commands
0:08:09 to figure out what are the port numbers that the server and client actually negotiated
0:08:13 for this individual transmission
0:08:16 if we are going to support both active FTP and passive FTP
0:08:21 if we look at the next diagram they have on this page
0:08:25 for the passive FTP
0:08:29 when the data channel is open
0:08:32 it's the client that is originating it in step no. 3
0:08:36 in the previous case with the active FTP it was the server originating the traffic from port 20
0:08:42 that's not what happens here with the passive
0:08:45 Hey, this would be the FTP command PASV, P for passive
0:08:51 and it tells them specifically what port
0:08:53 that the connection is going to be used on
0:08:57 so in order to understand this
0:09:00 the firewall needs to have application level awareness
0:09:03 of what are the FTP commands
0:09:06 and what do they actually do
0:09:08 now we will get into more details of the Modular Policy Framework
0:09:12 we will look at specifically how this application inspection works
0:09:16 and how we can do things like
0:09:17 prevent people from deleting files from an FTP server
0:09:21 or maybe I don't want them to issue the CD command to change directory
0:09:26 basically any arbitrary command
0:09:29 that is part of the FTP application
0:09:31 we can match that and perform an action
0:09:34 because the ASA has a built in inspection engine for that individual application
0:09:40 now the problem then
0:09:43 is what happens when we have a non standard application
0:09:47 that the firewall does not have an inspection engine for
0:09:50 and this is generally where we need an access list
0:09:54 the access list is going to be used as a manual exception
0:09:59 for traffic that cannot be inspected for some reason
0:10:02 and we will see this later, especially when we get into VPNs
0:10:06 there are cases where the firewall cannot actively inspect
0:10:10 different types of tunnels
0:10:12 and we need to manually allow this traffic through just based on access list logic
0:10:19 now the access list itself is going to be very similar to how IOS implements it
0:10:24 where we can match traffic based on the source address
0:10:27 the destination address
0:10:29 the IP protocol number
0:10:31 so for example, is it TCP, is it UDP, is it ESP, is it OSPF, is it EIGRP, etc
0:10:40 the TCP and UDP ports
0:10:42 would be things like is it port 23 for telnet
0:10:45 is it port 25 for sendmail
0:10:48 is it the range of 1024 to 65535
0:10:55 hey, the same type of logic we can do on IOS, we can do on the ASA
0:10:59 we can also match the ICMP type codes
0:11:02 which would be things like ICMP echo
0:11:05 echo reply, unreachable, time exceeded
0:11:09 mask reply, mask request, etc
0:11:13 another nice feature is that we can match time ranges
0:11:17 if we are trying to do some time of day based security
0:11:20 or possibly any time of day based Quality of Service
0:11:24 that maybe during my normal work hours there are going to be different applications that I am filtering
0:11:29 that are different than after 5 o'clock during the week, that will allow the people to do whatever they want
0:11:35 where with the time range we could specify
0:11:38 if it is this day of the week or it's this time of the day
0:11:41 then the access list entry or the ACE
0:11:46 if the access list entry is going to be active or not
0:11:49 then that controls whether it's actually used in the access list or it's skipped over in the access list
0:11:56 and also just like in IOS
0:11:59 the ASA's access lists are also going to end in an implicit deny
0:12:04 So regardless of whether we actually say deny at the end
0:12:08 it's always going to deny everything that is not being matched
0:12:13 Now, typically for a firewall, this would be the logic that you do want
0:12:17 you do want to be able to drop the traffic that you have not explicitly said it's okay to allow through
0:12:24 where a lot of times on the router you would do the opposite logic
0:12:27 you might deny the stuff that you don't want and then permit everything else
0:12:32 but typically the firewall's logic is that it should fail closed
0:12:36 meaning that it is more restrictive of traffic
0:12:40 than it is open to traffic flows being allowed through
0:12:45 so this has the same logic as the
0:12:47 the inspection engine has, it gets all the way down to the bottom
0:12:50 if an inspection has not happened
0:12:53 then the traffic is not going to be allowed back through from the
0:12:56 the lower security interface
0:12:59 to the higher security interface, which is like our outside to inside
0:13:06 now likewise just like in IOS
0:13:09 access lists on the ASA can be both standard and extended
0:13:13 where the standard ACLs are matching just on the source IP address
0:13:18 the extended access list can match on any of the other parameters
0:13:21 so things like the source, destination, the port number, the TCP
0:13:26 TCP ports, UDP ports, the ICMP type codes, etc
0:13:31 Now one thing that is different
0:13:33 is that there is no change in the naming convention
0:13:37 between a standard access list and an extended access list in the ASA
0:13:43 so if I say access list 1 permit
0:13:47 I have the freedom to do it either as a standard list or as an extended list
0:13:52 where in the case of IOS, there are specific numbers that are dedicated to standard ACLs
0:13:58 specific numbers that are dedicated to extended ACLs
0:14:01 then when we configure a named access list
0:14:04 we need to specify whether this is standard or extended
0:14:08 in the case of the ASA it's automatically going to know
0:14:11 if you are not matching based on the IP protocol number
0:14:18 the list is automatically standard
0:14:21 now the IP protocol number
0:14:23 is when you are saying access list, the name, permit
0:14:27 then the keyword after that
0:14:29 so if I say permit TCP, I am saying look for the protocol number that is TCP
0:14:35 if I say permit OSPF, I am saying look for protocol number 89
0:14:39 that's in the IP header, if I say permit GRE, I am saying look for protocol number 47
0:14:46 now again these numbers you don't necessarily need to memorize
0:14:50 because you will have access to a reference for them in the documentation
0:14:55 or again if you go to the ASA configuration
0:15:00 so we go to products, security
0:15:05 firewall, appliance, 5500
0:15:09 configuration guides
0:15:12 8.0
0:15:15 then under reference
0:15:17 addresses, protocols and ports
0:15:21 so I want the protocols and applications
0:15:23 so these numbers here
0:15:26 these values, if we look at like
0:15:28 51, 88, 50, etc
0:15:31 this value is the IP protocol number
0:15:34 that is in the IP header
0:15:37 So it tells the network layer
0:15:40 right, to the transport layer, tells the transport layer what is the next protocol that is going to come
0:15:45 So, if it's protocol number one
0:15:48 then we know it's some sort of ICMP packet
0:15:53 Now you may see on
0:15:56 the router or the ASA that some of these keywords
0:15:59 are going to be built in
0:16:01 to the context sensitive help
0:16:03 so for example if we were to go to global configure
0:16:06 on the ASA and say access list 1
0:16:10 permit ? [question mark]
0:16:14 we have the option to match
0:16:16 the protocol names
0:16:20 but it doesn't necessarily tell us what the actual numbers are
0:16:25 now we will see as we are going into some advanced examples later
0:16:28 I will show you some different
0:16:29 tricks that you can use to figure out what's the actual
0:16:33 traffic flow that's going between the interfaces
0:16:36 but one quick way you can do this
0:16:39 if you need to know what is a specific
0:16:41 protocol number
0:16:43 is when you go to the router's command line
0:16:46 and configure an extended access list
0:16:50 so I will say access list 100 permit ?
0:16:54 just like the
0:16:57 just like the ASA, it doesn't tell you what the number is here
0:17:00 but if I were to say permit 1 any any
0:17:04 permit 2 any any
0:17:07 all the way down the line
0:17:09 So I could potentially, let's say, I would edit this in a notepad
0:17:13 and just enter all numbers, 1 through 55
0:17:17 if we now look at the
0:17:20 show access list
0:17:22 or in this case do show access list
0:17:24 we can see the line number
0:17:27 corresponds now to the protocol number
0:17:30 where protocol number 1 is ICMP
0:17:34 protocol number 2 is IGMP
0:17:37 that's for multicast, the Internet Group Management Protocol
0:17:41 protocol 4 is for an IP in IP tunnel
0:17:45 number 6 is TCP
0:17:48 these are the ones that don't have the well known keywords
0:17:51 these are allocated
0:17:53 but they are just non standard protocols that you won't usually use all of the time
0:17:59 so if you want to see the full list of them
0:18:02 it's going to be located on the IANA website
0:18:06 If we say IP protocol numbers
0:18:10 IANA, the Internet Assigned Numbers Authority, they are the ones in charge of actually doing these allocations
0:18:16 and there will be separate ones for IPv4 and IPv6
0:18:21 So like protocol number 3 is gateway to gateway
0:18:26 which is some legacy protocol
0:18:28 okay, TCP is number 6, that's going to be important
0:18:32 EGP
0:18:33 the Exterior Gateway Protocol
0:18:35 this is the precursor to BGP
0:18:38 So a lot of these... these
0:18:40 the small numbers, a lot of these legacy protocols are not used anymore
0:18:50 we can see GRE as protocol number 47
0:18:53 So this is what you are actually matching when you use the access list syntax that says permit
0:18:59 and then the keyword: permit GRE any any, permit TCP any any, etc
0:19:03 but the key point here is that the ASA is automatically going to know
0:19:07 that if you use the protocol number in the match
0:19:11 you are automatically creating an extended ACL
0:19:15 you are not creating a standard ACL
0:19:18 because only extended ACLs can match the protocol numbers
0:19:22 standard ACL, the only thing you could do is match the address, the source address
0:19:27 Now one of the caveats of this
0:19:30 is that you cannot mix the two in the same list
0:19:33 so in general
0:19:35 there are not many applications on the ASA where you would want to use a standard Access List
0:19:41 for anything that is traffic filtering related
0:19:45 you should in general use an extended list
0:19:48 because with the extended list
0:19:50 if you want to match on source addresses, that's fine
0:19:53 the only thing you need to do is say 'any' as the destination
0:19:58 but if you start your ACL using a standard list
0:20:01 you cannot change it to extended
0:20:05 so the extended ACL can match anything the standard can plus more
0:20:11 now the other potential issue with this
0:20:13 is that unlike IOS
0:20:16 we do not use wildcard masks, we use subnet masks
0:20:22 so in the case of IOS
0:20:25 If I wanted to match traffic from a particular sect
0:20:28 let's say on router 1 we look at the show ip route connected
0:20:33 if I wanted to match traffic that is coming from
0:20:37 hosts on my fast ethernet 0/0
0:20:40 my access list
0:20:42 say access list 101
0:20:45 would say permit ip 200.0.111.0
0:20:50 0.0.0.255 going anywhere
0:20:55 so with the match
0:20:58 I am saying with the 0s, I need to check exactly
0:21:02 these three octets, the first one, the second one
0:21:07 and the third one, these three matches, they have to be exact
0:21:12 the fourth octet, the 255
0:21:14 means to ignore what is matched there
0:21:19 the problem is when you do this on the ASA
0:21:22 the logic would be the opposite
0:21:24 if I were to take the same exact syntax
0:21:27 and put it on the ASA
0:21:32 it says that's not the correct match
0:21:35 because the subnet mask here
0:21:38 is used instead of the wildcard mask
0:21:42 and again the same is true with the routing protocols, when we are doing OSPF or EIGRP
0:21:48 instead of using a wildcard mask to mask the address
0:21:51 we need to use a subnet mask
0:21:54 Now, if you make the mistake, you are going to know, because if you look at the
0:21:58 the show run access-list
0:22:01 you will be able to quickly see, if I were to say
0:22:06 let's say 0.0.0.0
0:22:09 so I wanted to do an exact match
0:22:11 you will see sometimes the syntax or the parser is going to spit back this error
0:22:16 what this says, access-list 101 permit 0.0.0.0 0.0.0.0 any
0:22:27 permit ip
0:22:33 then we show run access-list
0:22:37 you can see this is the any any logic
0:22:40 this is the opposite of what the IOS is
0:22:43 if you were to say this on IOS, this would say host
0:22:46 0.0.0.0
0:22:51 so just be aware of that, watch out for that, the
0:22:54 the wildcard mask is used for IOS
0:22:56 and the subnet mask is used for
0:22:59 the, for the ASA
0:23:05 now the next feature that we have in the ASA
0:23:08 is what's known as object grouping or an object group
0:23:11 and this is used to simplify the management of access lists
0:23:15 by grouping
0:23:16 portions of the logic that are similar
0:23:19 together in a more modular configuration
0:23:23 so for example, we could create an object group that says
0:23:25 I am going to match all of the addresses that are my public web servers or my public servers
0:23:31 so if I want to add new servers
0:23:34 the only thing I will need to do is put a new entry in the object group
0:23:39 which then in turn is going to replicate down to all of the access lists that are referencing the object group
0:23:45 so it's going to allow for more modular changes
0:23:48 because a change to the object group is going to affect all the access control entries
0:23:53 that are referencing that group
0:23:57 now it's a pretty simple principle
0:24:00 when you actually see it in action
0:24:03 and there are four different ways that we can group the objects together
0:24:07 we can group them by protocol
0:24:10 which would be things like TCP, UDP, ESP
0:24:13 again this is the IP protocol number
0:24:17 we can match them by network addresses
0:24:20 which would be their IP address, their subnet address, etc
0:24:24 we could match the service
0:24:27 which is going to be the TCP or UDP port numbers
0:24:30 and we can match the ICMP type code
0:24:33 which would be like the echo, echo reply
0:24:36 time exceeded, etc
0:24:40 now the place that you would want to use this
0:24:43 is typically where you do have multiple hosts
0:24:47 that you are trying to allow multiple services to
0:24:51 and it's going to make
0:24:54 applying changes to the access list much easier
0:24:58 when you group it together in a modular fashion
0:25:00 so for example here I have a bunch of ACL statements
0:25:04 that are saying, I am matching two different servers
0:25:07 okay, two different servers are 100, err..
0:25:11 10.0.0.100
0:25:14 and 10.0.0.101
0:25:17 I am trying to allow access to these different servers
0:25:20 and want the traffic to come from two
0:25:23 possible hosts, from 200.0.0.1
0:25:26 and 200.0.0.2
0:25:28 I want them to be able to hit both servers
0:25:31 with separate protocols: with web browsing
0:25:34 with SSL and with sendmail with SMTP
0:25:38 now the problem is
0:25:40 let's say I want another host to be authorized
0:25:43 to reach this destination, let's say 200.0.0.3
0:25:47 means now I have to add an additional 6th access list entry
0:25:52 I will have to say permit 200.0.0.2
0:25:54 going to 10.0.0.100 at 80, at 443, at 25
0:25:59 and then again the same for the 101
0:26:02 likewise if I add in a new server
0:26:04 say add .102
0:26:06 means I have to rewrite the entire list to then account for that additional number
0:26:12 so the object groups are going to break this up
0:26:15 into the repetitive groupings
0:26:17 where in this case, I have 3 different groupings that are repeated
0:26:21 the sources of where the traffic is coming from
0:26:26 the destinations of where the traffic is going to
0:26:29 and the particular port numbers
0:26:31 that the servers are being accessible by
0:26:34 So I am going to split this into three different groupings
0:26:37 First one is going to say what is the source of traffic
0:26:41 these are my outside hosts 200.0.0.1 and 200.0.0.2
0:26:47 I then have the inside servers I am trying to allow them to reach, the 10.0.0.100 and 10.0.0.101
0:26:54 and the particular port numbers that they are going to use
0:26:58 now what's nice about the modularity of this configuration
0:27:02 is that the very last statement
0:27:04 access list 2 extended permit TCP object group
0:27:07 outside trusted hosts, means the source IP address
0:27:12 object group public inside servers
0:27:14 means the destination IP address
0:27:17 object-group PUBLIC_INSIDE_SERVER_PORTS means the destination port now
0:27:23 So the configuration of the actual access list
0:27:26 only has one configuration line, the very last line
0:27:30 when you look at the show access list
0:27:33 each of the access control entries or the ACEs, the A-C-Es
0:27:38 are going to expand
0:27:39 to all combinations of the outside trusted hosts
0:27:43 the public inside servers and the public inside server ports
0:27:48 so let's look at the actual syntax applied here
0:27:54 let's go to ASA2
0:27:58 and we'll configure these groupings
0:28:01 so I have the object groupings for the sources
0:28:04 the object groupings for the destinations and for the ports
0:28:08 now the access list entry is only configured once
0:28:13 if we look at the show run access-list
0:28:15 we will see it's just that one entry
0:28:19 however if we look at the show access-list
0:28:23 you will see that for list number 2
0:28:26 the object group is automatically expanded
0:28:29 to take into account all the possible actions, all the possible variations
0:28:34 of those three object groups as though added together
0:28:39 so what this now means
0:28:40 is that if I have a new sender
0:28:42 that I want to add to the list
0:28:45 a new destination or a new port number
0:28:48 the only thing I need to do
0:28:49 is to change the object group
0:28:54 if I say, let's say I want a new port number
0:28:58 for these particular hosts
0:29:01 maybe though, they are allowed to
0:29:05 they are allowed to use
0:29:09 or object is equal to
0:29:16 pop3 and it's equal to imap
0:29:21 so now not only are they using send mail, they are also using get mail
0:29:25 if we look at the show run object-group
0:29:30 the only thing that's changed in my configuration is these two additional changes
0:29:35
|
but when we look at the result of this in the show access list
|
|
0:29:41
|
those additional ports of the pop3 and the imap
|
|
0:29:46
|
they are account for, for every combination of sources and destinations
|
|
0:29:51
|
so from the 201 to the 10100, from 201 to 10101
|
|
0:29:56
|
202, 10100, 202,10101
|
|
0:30:03
|
Now one thing it does not do though
|
|
0:30:05
|
is increase the limitation of number of
|
|
0:30:07
|
total access list entries you can have on the interface
|
|
0:30:12
|
which is going to be a limitation of the individual platform
|
|
0:30:16
|
so if you are doing this in production and you literally have
|
|
0:30:18
|
thousands and thousands of lines in the access list
|
|
0:30:21
|
then you got to need to look at the hardware release note and figure out
|
|
0:30:24
|
how many total entries can I actually have
|
|
0:30:28
|
but assuming that your access list are not just out of control or manageable
|
|
0:30:32
|
than lot of a time the acess list
|
|
0:30:34
|
of groupings with the object groups is going to
|
|
0:30:37
|
help us out as kind of a shortcut
|
|
0:30:41
|
Now there are some minor exceptions for when you cannot use this
|
|
0:30:46
|
and one case of the top of my head would be for
|
|
0:30:52
|
a proxy ACL for IPSec
|
|
0:31:02
|
where a proxy access list
|
|
0:31:04
|
in a LAN-to-LAN VPN config or a remote access VPN config
|
|
0:31:09
|
is going to be used to say what type of traffic is going to be directed towards the tunnel
|
|
0:31:15
|
so for whatever ?? limitation the object groups are not supported for that particular application
|
|
0:31:21
|
in general its only going to be used for what we are doing here
|
|
0:31:24
|
like if I were say
|
|
0:31:27
|
access list 2 in interface outside
|
|
0:31:33
|
or access group 2
|
|
0:31:35
|
in interface outside
|
|
0:31:38
|
so now it means that
|
|
0:31:41
|
these outside hosts are able to access these
|
|
0:31:44
|
particular inside ??
|
|
0:31:49
|
so for any other application if you are doing like
|
|
0:31:52
|
route filtering or pretty much any other time you are trying to match an access list
|
|
0:31:56
|
you should not use the object grouping
|
|
0:31:59
|
because you can't guarantee it a 100% support
|
|
0:32:03
|
okay, what I meant by the proxy ACL is the crypto access list, so when you say
|
|
0:32:09
|
match address under the crypto map
|
|
0:32:12
|
thats what the, thats called the proxy ACL
|
|
0:32:18
|
now as a side note here
|
|
0:32:21
|
for our
|
|
0:32:24
|
access list within the scope of the lab exam
|
|
0:32:28
|
now in the lab exam, they are most likely not going to be very explicit
|
|
0:32:33
|
as to what they want you to do, or not do
|
|
0:32:36
|
in order to accomplish a particular goal
|
|
0:32:39
|
so lets say for example we have a question
|
|
0:32:42
|
that says I want you to telnet into router1
|
|
0:32:46
|
use the user name brian with password cisco
|
|
0:32:49
|
and when the user logs in
|
|
0:32:51
|
talk the radius server to give them privilege level 15
|
|
0:32:54
|
and I want to do a counting to figure out when they start the process and when they stop the exact process
|
|
0:33:01
|
now what I not going to tell you in the particular question
|
|
0:33:05
|
is to say make sure to go to ASA2
|
|
0:33:09
|
and configure an access list entry
|
|
0:33:11
|
so that it allows traffic to go from router1 to the ACS server
|
|
0:33:15
|
then make sure that, that traffic is allowed to go back
|
|
0:33:19
|
so we will see in the lab exam
|
|
0:33:21
|
a lot of the requirements are going to be very implicit
|
|
0:33:25
|
that if the radius server is on the inside of ASA
|
|
0:33:30
|
and you are trying to configure an AAA client on the outside
|
|
0:33:34
|
then the only way to do it is to allow it with an access list entry
|
|
0:33:38
|
because we cannot do an inspection from the outside in
|
|
0:33:42
|
we can only do inside out because we are going from higher security to lower security
|
|
0:33:49
|
so what I would recommend to do within the scope of the lab exam
|
|
0:33:52
|
is that you need to draw a diagram
|
|
0:33:55
|
and draw out a visualization of what the network flows are going to look like
|
|
0:34:01
|
so on any device that is doing any type of firewall filtering
|
|
0:34:05
|
whether its going to be the ASAs
|
|
0:34:07
|
obviously they are doing firewall filtering
|
|
0:34:09
|
or whether maybe the routers are doing
|
|
0:34:11
|
zone based policy firewall CBAC
|
|
0:34:14
|
or maybe even like reflexive lists, so dynamic ACLs
|
|
0:34:18
|
we want to make sure that you want to visualize
|
|
0:34:21
|
exactly where you need to allow the applications
|
|
0:34:24
|
maybe we are getting network time
|
|
0:34:26
|
from the ACS server
|
|
0:34:29
|
so if I want everyone on my network to be able to synchronize time
|
|
0:34:32
|
with ACS
|
|
0:34:35
|
means that in on the outside interface
|
|
0:34:38
|
I would need to do what
|
|
0:34:43
|
if this is my NTP server
|
|
0:34:49
|
I would need to say
|
|
0:34:51
|
I need UDP
|
|
0:34:54
|
port 123
|
|
0:34:57
|
to go to whatever that host is
|
|
0:35:00
|
now there is a comment here about static NAT
|
|
0:35:04
|
that could also be a possibility
|
|
0:35:07
|
but the Network Address Translation is independent
|
|
0:35:11
|
of the traffic filtering process
|
|
0:35:14
|
so let's say if the ?? ASA2 is doing network translation
|
|
0:35:18
|
because this 10 network we know that is not publicly routable
|
|
0:35:20
|
let's say it was translated to 200.0.122.100
|
|
0:35:27
|
Now what this then means
|
|
0:35:30
|
is that when the access list is applied
|
|
0:35:33
|
in on the outside interface
|
|
0:35:37
|
what address do I need to match
|
|
0:35:39
|
do I need to match my inside
|
|
0:35:44
|
local address
|
|
0:35:47
|
or do I need to match my inside
|
|
0:35:51
|
global address
|
|
0:35:57
|
now it really depends
|
|
0:35:59
|
it depends on what is the order I am trying to apply
|
|
0:36:02
|
the ACL in and the order that I am trying to apply the NAT processing
|
|
0:36:06
|
in the case of the static NAT translation, when we are going outside to in
|
|
0:36:13
|
on outside to in translation is going to hit the ACL process first
|
|
0:36:18
|
before it goes through the NAT translation
|
|
0:36:21
|
so this means that I will need to say that the traffic is going through
|
|
0:36:25
|
200.0.122.100 at UDP 123
|
|
0:36:31
|
not going to the 10.0.0.100 which is the actual real inside address
|
|
0:36:38
|
now this is going to be different though if I was doing this
|
|
0:36:40
|
in on the DMZ
|
|
0:36:43
|
If it came in on the DMZ
|
|
0:36:46
|
I would be matching the inside local address
|
|
0:36:49
|
not the inside global address
|
|
0:36:51
|
so we will talk about that more tomorrow when we get to NAT on ASA
|
|
0:36:55
|
and then again we will get to NAT on the IOS
|
|
0:36:58
|
it can be fairly complex when you get into this
|
|
0:37:01
|
there is also a document I would recommend to look into
|
|
0:37:05
|
which is the NAT order of operations
|
|
0:37:10
|
now this is specifically
|
|
0:37:13
|
for the IOS
|
|
0:37:14
|
I believe there is one for the ASA, I have to double check
|
|
0:37:18
|
tonight for that
|
|
0:37:20
|
but this tells you the difference, whether you are going from the inside network out
|
|
0:37:24
|
or the outside network in
|
|
0:37:27
|
you see that there is a different order of operations for things like
|
|
0:37:30
|
when we are checking the access list
|
|
0:37:33
|
does it happen before
|
|
0:37:34
|
the NAT process, or does it happen after the NAT process
|
|
0:37:38
|
really depends on the direction of the traffic flow
|
|
0:37:43
|
but what you can't do
|
|
0:37:46
|
to try to get around this
|
|
0:37:48
|
because you don't want to memorise that whole list, its not feasible to figure out
|
|
0:37:52
|
off the top of your head, what this order of this list is going to be
|
|
0:37:55
|
what you could simply do instead
|
|
0:37:58
|
is to use logging
|
|
0:38:01
|
on the access-list entries of the ASA or the routers
|
|
0:38:05
|
to figure out what is actually being dropped
|
|
0:38:09
|
so at the end of the ACL
|
|
0:38:11
|
what I would recommend to do is to say deny ip any any log
|
|
0:38:17
|
then if you are logging traffic to the buffer
|
|
0:38:20
|
you can periodically look at the show log output
|
|
0:38:23
|
and see actually what is getting denied on that interface
|
|
0:38:29
|
so we will see when we get into more details with the zone based policy firewall
|
|
0:38:34
|
of the routers
|
|
0:38:35
|
you can end up in this order of operations problem again when you are trying to apply an ACL on the interface
|
|
0:38:42
|
versus matching it inside of a class map and doing the pass action
|
|
0:38:48
|
with the zone based firewall
|
|
0:38:50
|
so in order to
|
|
0:38:52
|
to avoid those type of operations
|
|
0:38:55
|
usually the easiest thing to do is
|
|
0:38:57
|
on your class default
|
|
0:38:59
|
which is normally dropping traffic anyways
|
|
0:39:02
|
say, drop log
|
|
0:39:04
|
so you can see what is being dropped
|
|
0:39:07
|
so then if we forget
|
|
0:39:10
|
that in this specific scenario I was supposed to match the inside global address
|
|
0:39:16
|
not the inside local
|
|
0:39:17
|
the access-list log is quickly going to tell me that
|
|
0:39:20
|
that the entry is dropped as it is going to the 200 address
|
|
0:39:23
|
not as it is going to the 100 address
|
|
0:39:29
|
now one key point about this
|
|
0:39:32
|
is that this last portion of access-list logging, this is only for lab purposes
|
|
0:39:37
|
now you would not want to do this in production because why
|
|
0:39:44
|
what happens on an access control if you do the log statement at the end of it
|
|
0:39:51
|
it causes it to be process switched
|
|
0:39:54
|
and that's the reason you can see the log messages
|
|
0:39:57
|
so if you wanted to disable ?? for a particular protocol
|
|
0:40:02
|
you can do that by logging the particular protocol with an ACL
|
|
0:40:07
|
So even if you don't want to deny the traffic, you could just say permit and log
|
|
0:40:11
|
and it ?? it down to the process switching process
|
|
0:40:15
|
what if you were doing zone based policy firewall in production
|
|
0:40:18
|
and ended in deny log
|
|
0:40:21
|
it means that all of the denied traffic is going to be process switched
|
|
0:40:25
|
and it's very likely that your CPU is going to be
|
|
0:40:27
|
ah, too high of utilization
|