
ACL: Object-network, Object-group, Object-service


The INSIDE (Gi0/1) interface of the ASA has a security level of 100, and the OUTSIDE interface has a security level of 0. By default the ASA does not block traffic that exits via an interface with a lower security level than the one it entered on, e.g. INSIDE -> OUTSIDE, and it does block traffic by default in the other direction, e.g. OUTSIDE -> INSIDE.

To allow traffic through the ASA via Gi0/0, we will need to “punch a hole” in the firewall by configuring an access-list to specify the allowable traffic and apply it to Gi0/0.

Create a network object named INTERNAL which contains 192.168.137.0/24. INTERNAL is just the name we give to the VLAN 137 network.
ASA# conf t
ASA(config)# object network INTERNAL
ASA(config-network-object)# subnet 192.168.137.0 255.255.255.0
ASA(config-network-object)# end
Network objects in the ASA OS are similar to defined constants in a programming language. You can change the object’s network assignment and the device will automatically use the new network value wherever the object is used in the configuration.

Configure a network object group named BRANCH which contains 172.16.137.0/24 172.17.137.0/24.
ASA#conf t
ASA(config)#object-group network BRANCH
ASA(config-network-object-group)#network-object 172.16.137.0 255.255.255.0
ASA(config-network-object-group)#network-object 172.17.137.0 255.255.255.0
ASA(config-network-object-group)# end
Show object-group network
ASAv# sh object-group network
object-group network BRANCH
network-object 172.16.137.0 255.255.255.0
network-object 172.17.137.0 255.255.255.0
The ASA OS permits you to configure object-groups (similar to arrays in a programming language) which contain one or more networks, protocols, services, etc. This can be convenient when you want to add a network that gets used multiple places in the configuration since you’d just need to add it to the object-group. The elements can be either specified networks or network objects.

Create a service object-group named VPN_SERVICES for HTTPS, WWW, and SSH destination traffic.


ASAv(config)# object-group service VPN_SERVICES
ASAv(config-service-object-group)# service-object tcp destination eq https
ASAv(config-service-object-group)# service-object tcp destination eq www
ASAv(config-service-object-group)# service-object tcp destination eq ssh
ASAv(config-service-object-group)# end
Configure an extended access list named VPN_ACCESS that allows IP traffic from the BRANCH object-group to the INTERNAL network and apply it to inbound traffic from the OUTSIDE interface (Gi0/0). Note that because we are allowing traffic coming from outside, the access-list has to be applied to the OUTSIDE interface, which connects to the GATEWAY; the INSIDE interface connects to the CORE router. If you don't name the interface you apply the access-list directly to the physical interface; we name it to make it easier to remember.
ASA# conf t
ASA(config)# access-list VPN_ACCESS_BRANCH_TO_HQ extended permit ip object-group BRANCH object INTERNAL
ASA(config)# access-group VPN_ACCESS_BRANCH_TO_HQ in interface OUTSIDE
ASA(config)# end
The first operand, object-group BRANCH, is the source address and contains the IP networks on the BRANCH side; the second operand, object INTERNAL, is the destination. So we are allowing the branch to reach HQ.
ASAv# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list VPN_ACCESS_BRANCH_TO_HQ; 2 elements; name hash: 0xf30cb549
access-list VPN_ACCESS line 1 extended permit ip object-group BRANCH object INTERNAL (hitcnt=0) 0xf5f8b407
access-list VPN_ACCESS_BRANCH_TO_HQ line 1 extended permit ip 172.16.137.0 255.255.255.0 192.168.137.0 255.255.255.0 (hitcnt=0) 0x4d2e058d
access-list VPN_ACCESS line 1 extended permit ip 172.17.137.0 255.255.255.0 192.168.137.0 255.255.255.0 (hitcnt=0) 0x29aa1e44
Modify the VPN_ACCESS_BRANCH_TO_HQ list to allow only the traffic in the VPN_SERVICES object-group, so that BRANCH to HQ is limited to HTTPS, WWW and SSH. Inserting the new entry as line 1 pushes the original permit ip entry down to line 2 rather than replacing it: the show output below still lists it, with hit counts, and until that line 2 entry is removed all IP traffic from BRANCH to INTERNAL is still permitted.
ASAv(config)# access-list VPN_ACCESS_BRANCH_TO_HQ line 1 extended permit object-group VPN_SERVICES object-group BRANCH object INTERNAL
ASAv(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list VPN_ACCESS; 8 elements; name hash: 0xf30cb549
access-list VPN_ACCESS line 1 extended permit object-group VPN_SERVICES object-group BRANCH object INTERNAL (hitcnt=0) 0x6df72889
access-list VPN_ACCESS line 1 extended permit tcp 172.16.137.0 255.255.255.0 192.168.137.0 255.255.255.0 eq https (hitcnt=0) 0xfddb3a14
access-list VPN_ACCESS line 1 extended permit tcp 172.17.137.0 255.255.255.0 192.168.137.0 255.255.255.0 eq https (hitcnt=0) 0xac37c0f5
access-list VPN_ACCESS line 1 extended permit tcp 172.16.137.0 255.255.255.0 192.168.137.0 255.255.255.0 eq www (hitcnt=0) 0x97aa9f87
access-list VPN_ACCESS line 1 extended permit tcp 172.17.137.0 255.255.255.0 192.168.137.0 255.255.255.0 eq www (hitcnt=0) 0x3cb184a9
access-list VPN_ACCESS line 1 extended permit tcp 172.16.137.0 255.255.255.0 192.168.137.0 255.255.255.0 eq ssh (hitcnt=0) 0x254a2655
access-list VPN_ACCESS line 1 extended permit tcp 172.17.137.0 255.255.255.0 192.168.137.0 255.255.255.0 eq ssh (hitcnt=0) 0x5de4a624
access-list VPN_ACCESS line 2 extended permit ip object-group BRANCH object INTERNAL (hitcnt=22) 0xf5f8b407
access-list VPN_ACCESS line 2 extended permit ip 172.16.137.0 255.255.255.0 192.168.137.0 255.255.255.0 (hitcnt=12) 0x4d2e058d
access-list VPN_ACCESS line 2 extended permit ip 172.17.137.0 255.255.255.0 192.168.137.0 255.255.255.0 (hitcnt=10) 0x29aa1e44
Create a network object group named NO_GUESTS which contains the 192.168.99.0/24 and 10.137.137.0/24 networks along with the BRANCH object-group.
ASA# conf t
ASA(config)# object-group network NO_GUESTS
ASA(config-network-object-group)# network-object 192.168.99.0 255.255.255.0
ASA(config-network-object-group)# network-object 10.137.137.0 255.255.255.0
ASA(config-network-object-group)# group-object BRANCH
ASA(config-network-object-group)# end
Notice how we were able to re-use the BRANCH group. If we later had to add or change the branch office networks, we could just do that in the BRANCH group, and the NO_GUESTS group and the VPN_ACCESS access-list would automatically adjust.

Create an extended access-list named GUEST_RESTRICTION which denies all IP traffic from 192.168.42.0/24 to the NO_GUESTS networks, and permits traffic from and to all other IPv4 networks. Apply GUEST_RESTRICTION to inbound traffic to the INSIDE interface (Gi0/1).
ASAv# conf t
ASAv(config)# access-list GUEST_RESTRICTION extended deny ip 192.168.42.0 255.255.255.0 object-group NO_GUESTS
ASAv(config)# access-list GUEST_RESTRICTION extended permit ip any4 any4
ASAv(config)# access-group GUEST_RESTRICTION in interface INSIDE
ASAv(config)# end
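To make the object-group behaviour seen in the show output above concrete, here is an added Python model (example code written for this post, not anything from Cisco or the ASA) of how the ASA expands object and object-group operands into individual entries and then evaluates an access-list first-match, top to bottom, with the implicit deny at the end. The object definitions, service group and the two access-lists are constructed to mirror the post's configuration; the expansion order (service, then source, then destination) is chosen to reproduce the order in which "show access-list" prints the entries, giving the same 8 elements for the modified VPN_ACCESS list. It also shows the two points worth checking: that the leftover permit ip entry on line 2 still lets any protocol through from BRANCH to INTERNAL until it is removed, and that the nested group-object BRANCH inside NO_GUESTS is honoured by the GUEST_RESTRICTION deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Object definitions, constructed to mirror the post's configuration.
OBJECTS = {"INTERNAL": ["192.168.137.0/24"]}
GROUPS = {
    "BRANCH": {"networks": ["172.16.137.0/24", "172.17.137.0/24"], "groups": []},
    "NO_GUESTS": {"networks": ["192.168.99.0/24", "10.137.137.0/24"],
                  "groups": ["BRANCH"]},          # the group-object BRANCH entry
}
SERVICE_GROUPS = {"VPN_SERVICES": [("tcp", 443), ("tcp", 80), ("tcp", 22)]}

ANY4 = ipaddress.ip_network("0.0.0.0/0")


def expand_network(ref):
    """Resolve an address operand ('object X', 'object-group X', 'any4',
    or a literal 'net mask') to the list of networks the ASA expands it into."""
    if ref == "any4":
        return [ANY4]
    kind, _, name = ref.partition(" ")
    if kind == "object":
        return [ipaddress.ip_network(n) for n in OBJECTS[name]]
    if kind == "object-group":
        grp = GROUPS[name]
        nets = [ipaddress.ip_network(n) for n in grp["networks"]]
        for sub in grp["groups"]:                 # nested group-object entries
            nets += expand_network(f"object-group {sub}")
        return nets
    return [ipaddress.ip_network(f"{kind}/{name}")]   # 'net mask' literal


def expand_service(ref):
    """'ip' matches every protocol; 'object-group X' lists (proto, port) pairs."""
    if ref == "ip":
        return [("ip", None)]
    _, _, name = ref.partition(" ")
    return list(SERVICE_GROUPS[name])


@dataclass
class ACE:
    action: str
    proto: str
    port: Optional[int]
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    line: int          # the ACL line the entry was expanded from


def expand_acl(entries):
    """entries: (action, service_ref, src_ref, dst_ref) tuples in ACL line order.
    Loop order (service, source, destination) matches 'show access-list' output."""
    aces = []
    for line, (action, svc, src, dst) in enumerate(entries, 1):
        for proto, port in expand_service(svc):
            for s in expand_network(src):
                for d in expand_network(dst):
                    aces.append(ACE(action, proto, port, s, d, line))
    return aces


def evaluate(aces, src_ip, dst_ip, proto="tcp", dport=None):
    """First matching entry wins; an interface ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for a in aces:
        proto_ok = a.proto == "ip" or (a.proto == proto and a.port == dport)
        if proto_ok and s in a.src and d in a.dst:
            return a.action, a.line
    return "deny", None


def permit_ip_lines(aces):
    """ACL lines that still permit all IP between specific networks; a
    service-restricted line inserted above them does not close that opening."""
    return sorted({a.line for a in aces
                   if a.action == "permit" and a.proto == "ip" and a.src != ANY4})


# The post's access-lists as (action, service, source, destination) tuples.
VPN_ACCESS_AFTER = [      # after the 'line 1' insert; the old permit ip is now line 2
    ("permit", "object-group VPN_SERVICES", "object-group BRANCH", "object INTERNAL"),
    ("permit", "ip", "object-group BRANCH", "object INTERNAL"),
]
GUEST_RESTRICTION = [
    ("deny", "ip", "192.168.42.0 255.255.255.0", "object-group NO_GUESTS"),
    ("permit", "ip", "any4", "any4"),
]

if __name__ == "__main__":
    vpn = expand_acl(VPN_ACCESS_AFTER)
    print(len(vpn), "elements")                                          # 8 elements
    print(evaluate(vpn, "172.16.137.10", "192.168.137.5", "tcp", 3389))  # ('permit', 2)
    print(permit_ip_lines(vpn))                                          # [2]
    guest = expand_acl(GUEST_RESTRICTION)
    print(evaluate(guest, "192.168.42.7", "172.17.137.9"))               # ('deny', 1)
    print(evaluate(guest, "192.168.42.7", "203.0.113.1"))                # ('permit', 2)
```

Running the script shows that a branch host reaching INTERNAL on TCP 3389 is still permitted by line 2 of the modified VPN_ACCESS list, and that dropping that line (expand_acl(VPN_ACCESS_AFTER[:1])) is what actually restricts the branch to the three VPN_SERVICES ports.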


