
CISCO ASA Firewall Commands Cheat Sheet [Part 4]


By: Motasem

May 24, 2016


CCNP Security Firewall


This sheet, like its previous parts, assumes you have the required knowledge of CCNA, CCNA Security and CCNP, and it should be handy if you are already enrolled in the CCNP Security pathway. Let's begin…

Examine real-time connections by looking at the connection table

    show conn

    show conn detail

    clear conn address ip_addr

Note 1: The connection table shows the details of every connection initiated by hosts on the internal network towards the outside world.

Note 1.2: Every session established from an internal host to a public host is recorded in the connection table. The return traffic for that session does not need to be permitted by an ACL on the incoming interface; the ASA matches it against the table and forwards it back to the internal host.

Note 1.3: The third command clears all connections initiated by the specified IP address.
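To make Notes 1.2 and 1.3 concrete, here is a small model of a stateful connection table. It is an added example, not code from the cheat sheet or from Cisco: the `Flow` and `StatefulFirewall` classes, the `browse_only_policy` standing in for an INSIDE access list, and every address and port are constructed. It shows an outbound session being recorded, its reply passing on state alone with no OUTSIDE ACL entry, an unsolicited inbound packet being rejected, and what `clear conn address` removes.

```python
# Added example (not from the cheat sheet): a toy model of the ASA connection
# table. It shows why return traffic for a session needs no ACL entry on the
# incoming interface and what "clear conn address" removes.
# All addresses, ports and the policy below are constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reverse(self):
        """The return direction of this flow (how a reply is looked up in the table)."""
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


class StatefulFirewall:
    def __init__(self, inside_acl):
        # inside_acl: callable(Flow) -> bool, stands in for the INSIDE access list.
        self.inside_acl = inside_acl
        self.conn_table = set()  # what "show conn" would display

    def packet_from_inside(self, flow):
        # A packet of a known connection is forwarded on state alone; a new
        # session must pass the interface ACL and is then recorded in the table.
        if flow in self.conn_table:
            return True
        if self.inside_acl(flow):
            self.conn_table.add(flow)
            return True
        return False

    def packet_from_outside(self, flow):
        # Replies are matched against the table, so no OUTSIDE ACL entry is
        # needed for them. Anything else from outside is rejected by this toy
        # (a real ASA would consult the OUTSIDE access list next).
        return flow.reverse() in self.conn_table

    def show_conn(self):
        """Table entries in a fixed, readable order."""
        return sorted((f.proto, f.src_ip, f.src_port, f.dst_ip, f.dst_port)
                      for f in self.conn_table)

    def clear_conn_address(self, ip):
        """'clear conn address ip_addr': drop every connection involving ip; returns the count removed."""
        before = len(self.conn_table)
        self.conn_table = {f for f in self.conn_table if ip not in (f.src_ip, f.dst_ip)}
        return before - len(self.conn_table)


def browse_only_policy(flow):
    """Constructed INSIDE policy: hosts in 10.0.10.0/24 may open TCP/80 anywhere."""
    return flow.proto == "tcp" and flow.dst_port == 80 and flow.src_ip.startswith("10.0.10.")


def demo():
    fw = StatefulFirewall(browse_only_policy)
    web = Flow("10.0.10.5", 51000, "203.0.113.10", 80)
    return {
        "outbound http": fw.packet_from_inside(web),            # permitted by ACL, recorded
        "reply to it": fw.packet_from_outside(web.reverse()),   # allowed by state only
        "unsolicited inbound": fw.packet_from_outside(Flow("203.0.113.99", 40000, "10.0.10.5", 80)),
        "outbound telnet": fw.packet_from_inside(Flow("10.0.10.5", 51001, "203.0.113.10", 23)),
        "conn entries": len(fw.show_conn()),
        "cleared for 10.0.10.5": fw.clear_conn_address("10.0.10.5"),
        "conn entries after clear": len(fw.show_conn()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints one line per decision; the reply is accepted although the policy never mentions inbound traffic, and the unsolicited packet to the same host and port is not.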

 

Configuring real-scenario access lists for a small network

- Allowing internal clients to communicate with and browse the internet

access-list INSIDE line 1 extended permit tcp src_ip subnet_mask any eq http

access-list INSIDE line 2 extended permit tcp src_ip subnet_mask any eq smtp

access-list INSIDE line 3 extended permit tcp src_ip subnet_mask any eq ftp

access-list INSIDE line 4 extended permit tcp src_ip subnet_mask any eq ssh

(The ASA has no sftp port keyword; SFTP runs over SSH on TCP/22, so the ssh keyword is used for the SFTP entries.)

- Allowing incoming connections to the web server on the DMZ

access-list OUTSIDE line 1 extended permit tcp any host web_srv_addr eq http

- Allowing connections to the SMTP, FTP and SFTP servers in both the "in" (OUTSIDE) and "out" (DMZ) directions

access-list OUTSIDE line 2 extended permit tcp any host smtp_srv_ip eq smtp

access-list OUTSIDE line 3 extended permit tcp any host ftp_srv_ip eq ftp

access-list OUTSIDE line 4 extended permit tcp any host sftp_srv_ip eq ssh

access-list DMZ line 1 extended permit tcp host smtp_srv_ip any eq smtp

access-list DMZ line 2 extended permit tcp host ftp_srv_ip any eq ftp

access-list DMZ line 3 extended permit tcp host sftp_srv_ip any eq ssh

access-list DMZ line 4 extended permit tcp host http_srv_ip any eq http

- Logging denied packets by adding an explicit deny at the end of the access list (lines 1 to 4 of OUTSIDE are already taken by the permits above, so the deny goes after them)

access-list OUTSIDE line 5 remark explicit deny all to change the log message to 106100

access-list OUTSIDE line 6 extended deny ip any any log 4 interval 300

- Allowing packets between interfaces with the same security level

same-security-traffic permit inter-interface

- Applying the access lists to their interfaces

access-group INSIDE in interface inside

access-group OUTSIDE in interface outside

access-group DMZ in interface DMZ

Note 2: The last two access-list commands in the OUTSIDE list (the remark and the explicit deny ip any any log) make denied packets appear on the syslog server as message 106100.

Note 2.1: Any access-list entry above can be disabled by appending the keyword inactive to the end of the command.

Configuring time ranges to attach to access lists

    time-range temporary-FTP-access-workhours    (for employees)

    periodic weekdays 09:00 to 18:00

    time-range ftp-hosting

    absolute start 00:00 1 May 2015 end 00:00 1 May 2016

Note 3: Every access-list entry that should be time-limited needs a time range attached to it. The time range must first be named and set to the related period.

 

Applying time ranges to existing access lists (the time-range keyword is part of the access-list command itself)

access-list OUTSIDE line 3 extended permit tcp any host ftp_srv_ip eq ftp time-range temporary-FTP-access-workhours

access-list INSIDE line 5 extended permit tcp src_ip subnet_mask host ftp_srv eq ftp time-range temporary-FTP-access-workhours

Note 4: The time range that limits access to the FTP server outside working hours was applied to the access-list entries that permit connections to the FTP server from outside and from the internal clients. Remote and local users are therefore only given access during working hours.

 

Verifying the access-list configuration

    show access-list OUTSIDE

    show access-list INSIDE

    show access-list DMZ

Configuring network object groups and service object groups for an enterprise access-list implementation

    name 10.0.10.0 Internal-clients
    name 10.0.30.0 DMZ-servers
    name 10.0.40.0 LA-Internal-clients
    name 10.0.50.0 LA-DMZ-servers

    object-group network US-Offices
        network-object 10.0.10.0 255.255.255.0
        network-object 10.0.30.0 255.255.255.0
        network-object 10.0.40.0 255.255.255.0
        network-object 10.0.50.0 255.255.255.0

    object-group network internal-clients-offices
        network-object 10.0.10.0 255.255.255.0
        network-object 10.0.40.0 255.255.255.0

    object-group network DMZ-offices
        network-object 10.0.30.0 255.255.255.0
        network-object 10.0.50.0 255.255.255.0

    object-group service Allowed-services-ext-clients-DMZ tcp
        description external services allowed for inside clients and DMZ servers
        port-object eq ftp
        port-object eq ssh
        port-object eq http
        port-object eq smtp
        port-object eq pop3

access-list INSIDE line 1 extended permit tcp object-group US-Offices any object-group Allowed-services-ext-clients-DMZ

access-list DMZ line 1 extended permit tcp object-group US-Offices any object-group Allowed-services-ext-clients-DMZ

access-list INSIDE line 2 extended permit tcp object-group internal-clients-offices object-group DMZ-offices eq ftp time-range temporary-FTP-access-workhours

access-list DMZ line 2 extended permit tcp object-group DMZ-offices object-group internal-clients-offices

access-list OUTSIDE line 1 extended permit tcp any object-group DMZ-offices object-group Allowed-services-ext-clients-DMZ

Note 6: These ACLs provide full connectivity to the DMZ servers and the internal clients, using object groups for both networks and services.
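The access-list sections above (first-match ordering, the explicit deny with log, the inactive keyword, time ranges and object groups) can be tried out without a firewall. The following is an added example, not code from the cheat sheet or from Cisco: a small first-match evaluator for ASA-style extended entries. The `Ace`, `TimeRange`, `group` and `evaluate` names are constructed, as are the networks, ports and the five-line policy; the port numbers are the standard ones for the keywords, and the syslog IDs 106100 (entry with the log keyword) and 106023 (deny without it, and the implicit deny) are the ones the ASA uses.

```python
# Added example (not from the cheat sheet): a first-match evaluator for
# ASA-style extended access lists, modelling network object groups, a
# service object group, a time range, the "inactive" keyword and the logged
# explicit deny at the end. Networks, ports and the policy are constructed.
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

ANY = ipaddress.ip_network("0.0.0.0/0")
# TCP port keywords as the ASA resolves them; SFTP rides on SSH/22.
PORTS = {"ftp": 21, "ssh": 22, "smtp": 25, "http": 80, "pop3": 110}


def group(*cidrs):
    """Stand-in for 'object-group network': a list of networks."""
    return [ipaddress.ip_network(c) for c in cidrs]


@dataclass
class TimeRange:
    """Stand-in for 'time-range X' with 'periodic weekdays HH:MM to HH:MM'."""
    start: time
    end: time

    def active(self, now):
        return now.weekday() < 5 and self.start <= now.time() <= self.end


@dataclass
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "tcp" or "ip" ("ip" matches every protocol)
    src: list               # networks; a host is a /32, 'any' is ANY
    dst: list
    dports: set = None      # destination ports ('eq X' or a service group); None = any port
    time_range: TimeRange = None
    inactive: bool = False
    log: bool = False       # the 'log' keyword

    def matches(self, pkt, now):
        if self.inactive or (self.time_range and not self.time_range.active(now)):
            return False
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not any(pkt["src"] in n for n in self.src) or not any(pkt["dst"] in n for n in self.dst):
            return False
        return self.dports is None or pkt["dport"] in self.dports


def packet(src, dst, dport, proto="tcp"):
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dport": dport, "proto": proto}


def evaluate(acl, pkt, now):
    """First match wins. Returns (action, matched line or None, syslog id or None).
    An ACE carrying 'log' emits 106100; a deny without it, and the implicit
    deny at the end of every list, emit 106023."""
    for line, ace in enumerate(acl, 1):
        if ace.matches(pkt, now):
            if ace.log:
                return ace.action, line, 106100
            return ace.action, line, (106023 if ace.action == "deny" else None)
    return "deny", None, 106023


# Constructed INSIDE policy in the spirit of the sheet's object-group section.
INTERNAL_CLIENTS = group("10.0.10.0/24", "10.0.40.0/24")   # internal-clients-offices
DMZ_SERVERS = group("10.0.30.0/24", "10.0.50.0/24")        # DMZ-offices
WORKHOURS = TimeRange(time(9, 0), time(18, 0))             # temporary-FTP-access-workhours
ALLOWED_SERVICES = {PORTS[p] for p in ("ftp", "ssh", "http", "smtp", "pop3")}

INSIDE = [
    # line 1: FTP from clients to the DMZ, only during work hours
    Ace("permit", "tcp", INTERNAL_CLIENTS, DMZ_SERVERS, {PORTS["ftp"]}, time_range=WORKHOURS),
    # line 2: outside work hours the same traffic falls through to this logged deny
    Ace("deny", "tcp", INTERNAL_CLIENTS, DMZ_SERVERS, {PORTS["ftp"]}, log=True),
    # line 3: an old telnet rule kept in the config but switched off with 'inactive'
    Ace("permit", "tcp", INTERNAL_CLIENTS, [ANY], {23}, inactive=True),
    # line 4: general outbound services for all offices (network and service groups)
    Ace("permit", "tcp", INTERNAL_CLIENTS + DMZ_SERVERS, [ANY], ALLOWED_SERVICES),
    # line 5: explicit deny with log, so drops show up as 106100 rather than 106023
    Ace("deny", "ip", [ANY], [ANY], log=True),
]

if __name__ == "__main__":
    tuesday_10am = datetime(2016, 5, 24, 10, 0)
    tuesday_8pm = datetime(2016, 5, 24, 20, 0)
    ftp_to_dmz = packet("10.0.10.5", "10.0.30.21", PORTS["ftp"])
    print(evaluate(INSIDE, ftp_to_dmz, tuesday_10am))   # ('permit', 1, None)
    print(evaluate(INSIDE, ftp_to_dmz, tuesday_8pm))    # ('deny', 2, 106100)
    print(evaluate(INSIDE, packet("10.0.10.5", "198.51.100.7", 23), tuesday_10am))  # ('deny', 5, 106100)
```

Ordering is what the example is really about: the time-limited permit only has an effect because the broader line 4 comes after it and a deny for the same traffic sits directly below it. Had line 4 been placed first, FTP to the DMZ would have matched there at any hour and the time range would never have been consulted. Dropping the final explicit deny and evaluating the list again shows the implicit deny returning 106023 instead of 106100.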

 

Configuring protection against spoofed IP packets towards the ASA

    ip verify reverse-path interface outside

Note 7: This command enables the unicast reverse path forwarding feature on the specified interface. For every incoming packet the ASA first checks whether it belongs to a connection already in the connection table; if it does not, the ASA takes the source IP address and determines, based on its routing table, whether that address is reachable.

Note 7.1: Do not enable this feature on the outside interface when a default route exists in your network architecture, to avoid the processing overhead.
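The check Note 7 describes, as an added example rather than code from the cheat sheet or from Cisco: a toy reverse-path verification over a constructed routing table. The `RoutingTable`, `rpf_check` and `summary` names, the prefixes, interface names and source addresses are all constructed. The rule modelled is the one unicast reverse path forwarding applies: a packet of a known connection is not re-checked, otherwise the route back to its source address must leave through the interface the packet arrived on. The `summary` function evaluates the same three sources with and without a default route pointing out the outside interface, which is the situation Note 7.1 refers to.

```python
# Added example (not from the cheat sheet): a toy unicast reverse path
# forwarding check in the spirit of "ip verify reverse-path interface X".
# A packet of an existing connection is not re-checked; otherwise the route
# back to its source address must point out the interface it arrived on.
# Routes, addresses and interface names are constructed for the example.
import ipaddress


class RoutingTable:
    def __init__(self, routes):
        # routes: (prefix, egress interface) pairs; the longest prefix wins.
        self.routes = sorted(((ipaddress.ip_network(p), iface) for p, iface in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def egress_for(self, ip):
        """Interface the ASA would use to reach ip, or None when no route matches."""
        ip = ipaddress.ip_address(ip)
        for prefix, iface in self.routes:
            if ip in prefix:
                return iface
        return None


def rpf_check(table, src_ip, ingress, conn_table=frozenset()):
    """True if a packet from src_ip arriving on ingress passes reverse-path verification."""
    if (src_ip, ingress) in conn_table:          # known connection: accepted on state
        return True
    return table.egress_for(src_ip) == ingress   # else the return route must use ingress


# Constructed topology: two internal networks plus one directly connected outside block.
STATIC_ROUTES = [("10.0.10.0/24", "inside"), ("10.0.30.0/24", "dmz"), ("203.0.113.0/24", "outside")]
NO_DEFAULT = RoutingTable(STATIC_ROUTES)
WITH_DEFAULT = RoutingTable(STATIC_ROUTES + [("0.0.0.0/0", "outside")])


def summary():
    """Decisions for three sources arriving on the outside interface: (without, with) a default route."""
    sources = ["10.0.10.5", "203.0.113.10", "198.51.100.7"]   # spoofed internal, local, unknown
    return {src: (rpf_check(NO_DEFAULT, src, "outside"), rpf_check(WITH_DEFAULT, src, "outside"))
            for src in sources}


if __name__ == "__main__":
    for src, (without, with_default) in summary().items():
        print(f"{src:>14}: no default route -> {without}, default route -> {with_default}")
```

Two things stand out in the output. A packet arriving on the outside interface with an internal source address fails in both tables, because the more specific internal route always wins over the default, so that is the spoofing the feature catches. With the default route present, every source that has no more specific route passes the check, so each such packet costs a routing lookup without being filtered.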

Blocking packets from a specific IP address using the "shun" feature

    shun malicious_ip_addr

Thanks! Please post your comments below.
