SEC0166 - ASA FirePower Object and Access Control (Part 1)

The video takes you through the heart of Cisco ASA FirePower and FireSight system configuration, which is the Access Control Policy. We will go through the basic components of Access Control rules, including Security Zone, Network Object, Port Object, and Geolocation, as well as leveraging the user identity obtained in the previous video to build rules based on our requirement scenarios.

Part 1 of this video goes through the various types of Object and the Access Control Policy configuration.
 
Topic:
  • Access Control Policy, Rules, and Category
  • Objects
    • Security Zone
    • Network, Network Group
    • Port, Port Group
    • Geolocation
  • Connection Logging

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

10 comments

Would the port based rules not make the classic ACLs on the underlying ASA somewhat redundant?

What would be best practice? Not use the ASA rules (permit any any) and do all filtering on the Firepower?

You are correct that you can accomplish L3/L4 filtering on the ASA, but that config would only be local to the ASA, as opposed to configuring it on Firesight, where it will be applied to all the ASAs. But keep in mind that filtering at Firepower will cause it to see more traffic and have an impact on performance.

I'm new to Cisco FireSight/FirePower and struggling to gain access to an internal webserver over the internet. I've followed the procedures in the 2 Object & Access Control videos but am not getting it to work. I have first configured the ASA Service Policy Rule so that on the ASA FirePower Inspection tab "Enable ASA FirePower for this traffic flow" is enabled. Is it correct that once this is enabled on the ASA device I don't need to configure NAT on the ASA? Then, I've created a FirePower access control policy defining zone, network and port sources and destinations.

This is a small network and so has only one ASA/FirePower device with no need to install FireSight. All configuration is performed through ASDM. I am also unsure of where to go to troubleshoot this issue as I need to see where incoming packets are being dropped.

I appreciate any assistance you can offer to get this working.

Fantastic videos by the way!

ASA Firepower only does traffic inspection and has nothing to do with NAT. Inbound traffic still gets processed by the inbound ACL and NAT on the ASA before it is sent to Firepower. We would suggest removing Firepower from the traffic path and making sure your NAT, ACL, routing etc. are working correctly first and that you can access your public server from outside. Once done, you can start putting traffic through Firepower. Start with an Access Control Policy that permits everything and make sure you can see the traffic stats. You can then start fine-tuning the policy, including the IPS policy etc., afterwards.

Thanks for the reply which makes perfect sense. That said, having followed your advice I'm still no further forward. Can't help but think I'm missing something simple given the desired end result (forward TCP port 443 to internal web server) is pretty much routine. I'm hoping that you can get a better idea of my configuration and more importantly, where I'm going wrong from the config output:
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.22.191 255.255.255.0
!---------------
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Web_SRVR_Ext
host 192.168.4.7
object network Web_SRVR_Int
host 192.168.22.2
object service HTTPS
service tcp destination eq 4433
access-list outside_access_in_1 extended permit tcp any interface outside
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Web_SRVR_Int Web_SRVR_Int destination static Web_SRVR_Ext Web_SRVR_Ext no-proxy-arp
!
object network obj_any
nat (any,outside) dynamic interface
access-group outside_access_in_1 in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.22.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:4da3792beb913206d738bd1b782af866
: end

What's the outside interface IP supposed to be? Is it 192.168.4.7 or something else?

Correct! It is 192.168.4.7, a private IP. The topology is: LAN -> Inside_ASA -> Outside_ASA (private IP) -> Inside_ISP Router (private IP) -> Outside_ISP Router (public IP).

On another note, the ASA outside interface IP is set by DHCP. I really would prefer to set this manually, but whenever I do I can no longer get traffic to flow through to the ISP router as I cannot configure the ASA outside interface to see the ISP router as the next hop/default gateway.

Questions.
1. If you are trying to port forward TCP80/443 from the public IP on the router to the internal server, why are you not doing NAT on the router? Possibly the ISP owns the router?
2. Why do you need the router and not connect the ASA directly to the internet?
3. Do you get a block of public IPs from the ISP other than what's on the outside interface of the router?

Normally to have an ASA behind a router, the subnet in between should be public and not private IP. You can then do either 1-to-1 NAT or static PAT on the ASA.

Answers.
1. I have configured NAT on the ISP router and tested that this works correctly by removing the ASA from the configuration.
2. Support is non-existent from the ISP for setting up non-ISP equipment to connect to their internet service; hence, I cannot connect directly using the ASA.
3. No, I have been assigned only a single static public IP address, assigned to the outside interface of the ISP router.

Questions.
1. Am I facing an issue of double-NATing???
2. Would my configuration work if I had a static public IP address on the outside interface of the ASA?
3. If I can assign a public IP address to the ASA outside interface, this will be assigned statically according to the ISP setup. I see nowhere on the outside interface to configure the default gateway.
4. Given NATing is already taking place on the ISP router, I've tried testing access to the https resource from the outside interface (192.168.4.x), configured with a private address, using a host on the same subnet (192.168.4.0), thinking that all that would be needed is an Access Rule to the internal https resource. This didn't work. Is it that the outside interface MUST have a public address?

Ok, now that we know what your setup looks like, assuming you have no access to the ISP router to set up static routes etc., you can't just route traffic through the ASA, so you probably have two options.
1. Configure a static 1-to-1 NAT using an IP from 192.168.4.x that is not the ASA outside IP.
2. Configure static PAT (port-forwarding) to TCP80/443 of the ASA outside IP.
Either way it is mapped to the server inside IP. Given the NAT is configured properly, you should have no problem with double NATing, although it is not ideal.
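The two options above written out as ASA 8.3+ CLI, added here as an example and not taken from the thread or from labminutes.com. It reuses the poster's object names and inside server 192.168.22.2; the mapped address 192.168.4.8 for option 1 and the source 203.0.113.10 in the packet-tracer line are constructed placeholders.

```cisco
! Option 2: static PAT (port-forward) of TCP/443 on the ASA outside interface IP
! to the inside server. Using "interface" as the mapped address works even when
! the outside address is learned via DHCP, as in the posted config.
object network Web_SRVR_Int
 host 192.168.22.2
 nat (inside,outside) static interface service tcp 443 443
!
! Option 1 (alternative, shown commented out; configure one option, not both):
! 1-to-1 static NAT to a spare address on the outside subnet. 192.168.4.8 is a
! placeholder for any unused 192.168.4.x address other than the ASA outside IP;
! the ISP router's port-forward must then target that address instead.
! object network Web_SRVR_Ext
!  host 192.168.4.8
! object network Web_SRVR_Int
!  nat (inside,outside) static Web_SRVR_Ext
!
! Inbound ACL: on ASA 8.3 and later the ACL matches the real (inside) address,
! not the mapped one, so permit only TCP/443 to the server object rather than
! all TCP to "interface outside".
access-list outside_access_in_1 extended permit tcp any object Web_SRVR_Int eq 443
access-group outside_access_in_1 in interface outside
!
! Verification commands (run from exec mode, not part of the config). The
! packet-tracer destination is the mapped outside address (192.168.4.7 here).
! show nat detail
! show xlate
! packet-tracer input outside tcp 203.0.113.10 12345 192.168.4.7 443
```

If packet-tracer shows a drop, the phase in which it fails (ACL, NAT, or route lookup) tells you which of the three the earlier reply asked you to verify first.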