
08 May, 2015

Permit/deny Traffic between Security levels


! Check Security Level
ASA# show nameif
Interface                Name                     Security
GigabitEthernet0         ouside                     0
GigabitEthernet1         inside                   100
GigabitEthernet2         dmz                       50

ASA# show ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0         ouside                 192.168.0.254   255.255.255.0   manual
GigabitEthernet1         inside                 10.0.0.254      255.255.255.0   manual
GigabitEthernet2         dmz                    20.0.0.254      255.255.255.0   manual


! Check Telnet access from inside to outside and from inside to DMZ.
R1#tel 192.168.0.3
Trying 192.168.0.3 ... Open          !  (Permitted)
R3>exit

R1#tel 20.0.0.2
Trying 20.0.0.2 ... Open             !  (Permitted)
R2>exit

! ASA Logs
ASA(config)# logging on
%ASA-6-302013: Built outbound TCP connection 105 for ouside:192.168.0.3/23 (192.168.0.3/23) to inside:10.0.0.1/49351 (10.0.0.1/49351)
%ASA-6-302014: Teardown TCP connection 105 for ouside:192.168.0.3/23 to inside:10.0.0.1/49351 duration 0:00:15 bytes 77 TCP FINs
%ASA-6-302013: Built outbound TCP connection 106 for dmz:20.0.0.2/23 (20.0.0.2/23) to inside:10.0.0.1/56955 (10.0.0.1/56955)
%ASA-6-302014: Teardown TCP connection 106 for dmz:20.0.0.2/23 to inside:10.0.0.1/56955 duration 0:00:03 bytes 71 TCP FINs

! To deny traffic from inside to DMZ (which the security levels permit by default), configure an access-list and apply it inbound on the inside interface
ASA(config)# access-list INSIDE_IN deny ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0
ASA(config)# access-list INSIDE_IN permit ip any any
ASA(config)# access-group INSIDE_IN in interface inside

! Check Telnet access again from inside to outside and from inside to DMZ.
R1#tel 192.168.0.3
Trying 192.168.0.3 ... Open          !  (Permitted)
R3>exit

R1#tel 20.0.0.2
Trying 20.0.0.2 ...                  !  (Dropped)
% Connection refused by remote host

! ASA Logs
%ASA-6-302013: Built outbound TCP connection 107 for ouside:192.168.0.3/23 (192.168.0.3/23) to inside:10.0.0.1/62840 (10.0.0.1/62840)  ! (Permitted traffic from inside to outside)
%ASA-6-302014: Teardown TCP connection 107 for ouside:192.168.0.3/23 to inside:10.0.0.1/62840 duration 0:00:05 bytes 71 TCP FINs       ! (Permitted traffic from inside to outside)
%ASA-4-106023: Deny tcp src inside:10.0.0.1/34138 dst dmz:20.0.0.2/23 by access-group "INSIDE_IN" [0x71cd432c, 0x0]                    ! (Denied traffic from inside to dmz)

! Check the same flow with the packet-tracer command (here an ICMP echo from 10.0.0.1 to 20.0.0.2; the ACL denies all IP between the subnets, so it is dropped as well)
ASA(config)# packet-tracer input inside icmp 10.0.0.1 8 0 20.0.0.2
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   20.0.0.0        255.255.255.0   dmz
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP  
Config:
access-group INSIDE_IN in interface inside
access-list INSIDE_IN extended deny ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0      <---- Access-list INSIDE_IN 
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop                                                                              <---- DROP
Drop-reason: (acl-drop) Flow is denied by configured rule                                 <---- Reason
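As an added example (not part of the original post), the following Python turns the three ASA syslog message types quoted above (302013 build, 302014 teardown, 106023 ACL deny) into structured records and counts the denied flows per access-group, which is the check a defender would run over a log feed to see which ACL is dropping what. The sample lines are constructed from the post; `default_interface_policy` models the ASA implicit security-level rule the post demonstrates before the ACL is applied.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: the syslog lines quoted in the post. "ouside" is the
# interface name exactly as configured in the lab.
SAMPLE_LOGS = [
    "%ASA-6-302013: Built outbound TCP connection 105 for ouside:192.168.0.3/23 (192.168.0.3/23) to inside:10.0.0.1/49351 (10.0.0.1/49351)",
    "%ASA-6-302014: Teardown TCP connection 105 for ouside:192.168.0.3/23 to inside:10.0.0.1/49351 duration 0:00:15 bytes 77 TCP FINs",
    "%ASA-6-302013: Built outbound TCP connection 106 for dmz:20.0.0.2/23 (20.0.0.2/23) to inside:10.0.0.1/56955 (10.0.0.1/56955)",
    "%ASA-6-302014: Teardown TCP connection 106 for dmz:20.0.0.2/23 to inside:10.0.0.1/56955 duration 0:00:03 bytes 71 TCP FINs",
    '%ASA-4-106023: Deny tcp src inside:10.0.0.1/34138 dst dmz:20.0.0.2/23 by access-group "INSIDE_IN" [0x71cd432c, 0x0]',
]

# "<interface>:<ip>/<port>" with a prefix so each endpoint gets its own group names
ENDPOINT = r"(?P<{p}_if>[\w-]+):(?P<{p}_ip>[\d.]+)/(?P<{p}_port>\d+)"
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (?P<direction>inbound|outbound) (?P<proto>\w+) connection (?P<conn_id>\d+) for "
    + ENDPOINT.format(p="a") + r" \([\d.]+/\d+\) to " + ENDPOINT.format(p="b") + r" \([\d.]+/\d+\)")
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown (?P<proto>\w+) connection (?P<conn_id>\d+) for "
    + ENDPOINT.format(p="a") + r" to " + ENDPOINT.format(p="b")
    + r" duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+)")
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src " + ENDPOINT.format(p="src")
    + r" dst " + ENDPOINT.format(p="dst") + r' by access-group "(?P<acl>[^"]+)"')


def parse_asa_line(line: str) -> Optional[dict]:
    """Return a dict with a 'kind' field for the three message types, None for anything else.
    search() rather than match() so a syslog timestamp/hostname prefix does not break parsing."""
    for kind, rx in (("built", BUILT_RE), ("teardown", TEARDOWN_RE), ("deny", DENY_RE)):
        m = rx.search(line)
        if m:
            rec = {"kind": kind}
            rec.update(m.groupdict())
            for key in ("conn_id", "bytes", "a_port", "b_port", "src_port", "dst_port"):
                if key in rec:
                    rec[key] = int(rec[key])
            rec["proto"] = rec["proto"].lower()
            return rec
    return None


def summarize(lines: List[str]) -> Dict[str, Counter]:
    """Count message kinds and denied flows keyed by (acl, src_if, dst_if, proto, dst_port)."""
    kinds, denies = Counter(), Counter()
    for line in lines:
        rec = parse_asa_line(line)
        if rec is None:
            continue
        kinds[rec["kind"]] += 1
        if rec["kind"] == "deny":
            denies[(rec["acl"], rec["src_if"], rec["dst_if"], rec["proto"], rec["dst_port"])] += 1
    return {"kinds": kinds, "denies": denies}


def default_interface_policy(src_level: int, dst_level: int) -> str:
    """ASA implicit rule when no ACL is applied inbound on the ingress interface: higher to lower
    security is permitted; lower to higher (and equal, without 'same-security-traffic permit')
    is denied. Once 'access-group ... in interface' is applied, the ACL decides instead."""
    return "permit" if src_level > dst_level else "deny"


if __name__ == "__main__":
    for acl_key, count in summarize(SAMPLE_LOGS)["denies"].items():
        print(acl_key, count)
```

The deny counter keyed on the access-group name is the useful bit: a sudden rise in drops for `INSIDE_IN` after a change tells you the new ACE is catching more than the inside-to-DMZ flow it was written for.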

04 August, 2014

Unicast Reverse Path Forwarding (uRPF)

Dynamic Spoof Prevention Based on the Routing Table:

Attack Scenario

uRPF Modes:
- Strict  (rx)
- Loose   (any)

Options:
- Allow self ping 
- Allow default route
- ACL
! Configure a loopback interface on R2 with a spoofed (fake) source address
R2(config)#in lo 0
R2(config-if)#ip address 23.1.0.3 255.255.255.255

! Create an access-list that denies (and logs) every packet that fails the uRPF check
R1(config)#access-list 123 deny ip any any log-input
* Note : log-input also records the ingress interface and source MAC address of each denied packet

! Configure uRPF on Fas 0/0 in strict mode with allow-default, handing failing packets to ACL 123
R1(config)#in fas 0/0
R1(config-if)#ip verify unicast source reachable-via rx allow-default 123

* Note :
rx  = Strict 
any = Loose 

! Ping from the spoofed loopback source to test uRPF
R2#ping 10.1.0.26 source lo 0 repeat 10

! R1 generates log messages for the denied packets
*Aug  4 19:06:17.491: %SEC-6-IPACCESSLOGDP: list 123 denied icmp 23.1.0.3 (FastEthernet0/0 ca00.0a5c.001c) -> 10.1.0.26 (0/0), 1 packet
*Aug  4 19:11:52.119: %SEC-6-IPACCESSLOGDP: list 123 denied icmp 23.1.0.3 (FastEthernet0/0 ca00.0a5c.001c) -> 10.1.0.26 (0/0), 9 packets

R1#show ip interface fastEthernet 0/0 | begin IP verify
  IP verify source reachable-via RX, allow default, ACL 123
  10 verification drops
  0 suppressed verification drops
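As an added example (not part of the original post), here is a small Python model of the uRPF decision shown above: strict (`rx`) versus loose (`any`) mode, the `allow-default` and `allow-self-ping` options, and the ACL that decides what happens to packets that fail the check, with the two counters from `show ip interface` tracked the way IOS reports them. The routing table for R1 is a constructed assumption (R1's only default route leaves via Serial0/0, so nothing on R1 says 23.1.0.0/8 sits behind FastEthernet0/0); the interface names and addresses are the post's.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str


@dataclass
class UrpfInterface:
    """Mirrors: ip verify unicast source reachable-via {rx|any} [allow-default] [allow-self-ping] [acl]"""
    name: str
    mode: str                         # "rx" = strict, "any" = loose
    allow_default: bool = False       # let the 0.0.0.0/0 route satisfy the check
    allow_self_ping: bool = False     # accept the router's own address as source on this interface
    acl_action: Optional[str] = None  # None: no ACL; "permit": forward failing packets; "deny": drop (and log)
    verification_drops: int = 0       # "verification drops" in show ip interface
    suppressed_drops: int = 0         # "suppressed verification drops": failed uRPF but ACL permitted


def urpf_check(table: List[Route], iface: UrpfInterface, src_ip: str,
               local_ips: Tuple[str, ...] = ()) -> Tuple[str, str]:
    """Decide permit/drop for a packet with source src_ip arriving on iface and update its counters."""
    src = ipaddress.IPv4Address(src_ip)
    if str(src) in local_ips:
        # The source claims to be this router itself; only allow-self-ping accepts that.
        passed = iface.allow_self_ping
    else:
        candidates = [r for r in table if src in r.prefix
                      and (iface.allow_default or r.prefix.prefixlen > 0)]
        if iface.mode == "rx":
            # Strict: the best (longest) route back to the source must point out the ingress interface.
            # Note that with allow-default a default route that exits via this interface does satisfy it.
            best = max((r.prefix.prefixlen for r in candidates), default=-1)
            passed = any(r.out_iface == iface.name for r in candidates if r.prefix.prefixlen == best)
        else:
            # Loose: any route to the source, via any interface, is enough.
            passed = bool(candidates)
    if passed:
        return "permit", "source reachable (%s mode)" % ("strict" if iface.mode == "rx" else "loose")
    if iface.acl_action == "permit":
        iface.suppressed_drops += 1
        return "permit", "uRPF failed, forwarded by ACL permit (suppressed drop)"
    iface.verification_drops += 1
    return "drop", "uRPF failed" + (", logged by ACL deny" if iface.acl_action == "deny" else "")


# Constructed routing table for R1 (assumption: default route via Serial0/0, not via Fa0/0).
R1_TABLE = [
    Route(ipaddress.IPv4Network("10.1.0.0/24"), "FastEthernet0/0"),
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "Serial0/0"),
]
R1_LOCAL = ("10.1.0.26",)


def run_page_scenario() -> Tuple[List[str], int, int]:
    """R1's config from the post: reachable-via rx allow-default 123 (123 = deny ip any any log-input),
    then ten pings from the spoofed source 23.1.0.3 arriving on FastEthernet0/0."""
    fa0 = UrpfInterface("FastEthernet0/0", "rx", allow_default=True, acl_action="deny")
    actions = [urpf_check(R1_TABLE, fa0, "23.1.0.3", R1_LOCAL)[0] for _ in range(10)]
    return actions, fa0.verification_drops, fa0.suppressed_drops


if __name__ == "__main__":
    print(run_page_scenario())
```

The scenario reproduces the post's counters (10 verification drops, 0 suppressed). Changing the mode to `any` with `allow-default` lets the same spoofed packets through, because the default route counts as "a route to the source" in loose mode; that is the trade-off the post's mode list is pointing at.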

Access Control List

The right tool for the right job.

Vocab:
- ACL
- ACE
- VACL
- tACL (Transit)
- iACL (infrastructure)
- rACL (Receive)
! Anti-spoofing entries
R2(config)#access-list 110 deny ip host 55.44.33.195 any
R2(config)#access-list 110 deny ip host 55.44.33.200 any

! Deny special-use address sources
* Note: Refer to RFC 3330 for more special-use addresses (its table is reproduced at the end of this post)

R2(config)#access-list 110 deny ip host 0.0.0.0 any
R2(config)#access-list 110 deny ip 127.0.0.0 0.255.255.255 any
R2(config)#access-list 110 deny ip 192.0.2.0 0.0.0.255 any
R2(config)#access-list 110 deny ip 224.0.0.0 31.255.255.255 any

! --- Filter RFC 1918 space as source
R2(config)#access-list 110 deny ip 10.0.0.0 0.255.255.255 any
R2(config)#access-list 110 deny ip 172.16.0.0 0.15.255.255 any
R2(config)#access-list 110 deny ip 192.168.0.0 0.0.255.255 any

! Deny your own address space as source from entering your network
! Deploy only at the AS edge
R2(config)#access-list 110 deny ip 55.44.33.192 0.0.0.15 any

! Permit BGP
R2(config)#access-list 110 permit tcp host 12.23.34.45 host 55.44.33.195 eq bgp
R2(config)#access-list 110 permit tcp host 12.23.34.45 eq bgp host 55.44.33.195

! Deny access to internal infrastructure addresses (placed after the BGP permits, since the ACL is evaluated first-match)
R2(config)#access-list 110 deny ip any host 55.44.33.195
R2(config)#access-list 110 deny ip any host 55.44.33.200

! Permit transit traffic
R2(config)#access-list 110 permit ip any any

! Verify Configuration

R2(config)#do show access-list 110
Extended IP access list 110
    10 deny ip host 55.44.33.195 any
    20 deny ip host 55.44.33.200 any
    30 deny ip host 0.0.0.0 any
    40 deny ip 127.0.0.0 0.255.255.255 any
    50 deny ip 192.0.2.0 0.0.0.255 any
    60 deny ip 224.0.0.0 31.255.255.255 any
    70 deny ip 10.0.0.0 0.255.255.255 any
    80 deny ip 172.16.0.0 0.15.255.255 any
    90 deny ip 192.168.0.0 0.0.255.255 any
    100 deny ip 55.44.33.192 0.0.0.15 any
    110 permit tcp host 12.23.34.45 host 55.44.33.195 eq bgp
    120 permit tcp host 12.23.34.45 eq bgp host 55.44.33.195
    130 deny ip any host 55.44.33.195
    140 deny ip any host 55.44.33.200
    150 permit ip any any

RFC 3330 : 
   Address Block             Present Use                       Reference
   ---------------------------------------------------------------------
   0.0.0.0/8            "This" Network                 [RFC1700, page 4]
   10.0.0.0/8           Private-Use Networks                   [RFC1918]
   14.0.0.0/8           Public-Data Networks         [RFC1700, page 181]
   24.0.0.0/8           Cable Television Networks                    
   39.0.0.0/8           Reserved but subject to allocation     [RFC1797]
   127.0.0.0/8          Loopback                       [RFC1700, page 5]
   128.0.0.0/16         Reserved but subject to allocation      
   169.254.0.0/16       Link Local                                   
   172.16.0.0/12        Private-Use Networks                   [RFC1918]
   191.255.0.0/16       Reserved but subject to allocation           
   192.0.0.0/24         Reserved but subject to allocation           
   192.0.2.0/24         Test-Net
   192.88.99.0/24       6to4 Relay Anycast                     [RFC3068]
   192.168.0.0/16       Private-Use Networks                   [RFC1918]
   198.18.0.0/15        Net Interconnect Device Benchmark Test [RFC2544]    
   223.255.255.0/24     Reserved but subject to allocation           
   224.0.0.0/4          Multicast                              [RFC3171]
   240.0.0.0/4          Reserved for Future Use        [RFC1700, page 4]

17 July, 2014

How to filter Debug

* We have EIGRP configured and need to debug IP packets

R1#debug ip packet 
IP packet debugging is on

*Mar  1 01:29:03.647: IP: s=10.1.146.1 (local), d=224.0.0.10 (FastEthernet0/0), len 60, sending broad/multicast
*Mar  1 01:29:04.155: IP: s=10.1.146.6 (FastEthernet0/0), d=224.0.0.10, len 60, rcvd 2
*Mar  1 01:29:04.755: IP: s=10.1.1.1 (local), d=224.0.0.10 (Loopback0), len 60, sending broad/multicast
*Mar  1 01:29:04.763: IP: s=10.1.1.1 (Loopback0), d=224.0.0.10, len 60, rcvd 2

* When debugging is on, the output also contains the EIGRP hello packets (multicast to 224.0.0.10), which bury the packets we actually want to see.

! How to filter this debug output with an access-list: deny the EIGRP traffic you do not want to see, permit everything else, and pass the list number to the debug command.

R1#conf terminal 
R1(config)#access-list 100 deny eigrp any any        
R1(config)#access-list 100 permit ip any any 
R1(config)#do un all 
All possible debugging has been turned off
R1(config)#exit     

R1#debug ip packet ?
  <1-199>      Access list
  <1300-2699>  Access list (expanded range)
  detail       Print more debugging detail
  <cr>
  
R1#debug ip packet 100
IP packet debugging is on for access list 100

R1#ping 10.1.2.2 repeat 1
Sending 1, 100-byte ICMP Echos to 10.1.2.2, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 44/44/44 ms

*Mar  1 01:34:01.467: IP: tableid=0, s=10.1.13.1 (local), d=10.1.2.2 (Serial0/0), routed via FIB
*Mar  1 01:34:01.471: IP: s=10.1.13.1 (local), d=10.1.2.2 (Serial0/0), len 100, sending
*Mar  1 01:34:01.503: IP: tableid=0, s=10.1.2.2 (Serial0/0), d=10.1.13.1 (Serial0/0), routed via RIB
*Mar  1 01:34:01.507: IP: s=10.1.2.2 (Serial0/0), d=10.1.13.1 (Serial0/0), len 100, rcvd 3

* Now the debug output shows everything except EIGRP packets.
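Both the infrastructure ACL 110 above and the debug filter ACL 100 in this post are ordinary IOS numbered extended access-lists evaluated first-match with an implicit deny at the end. As an added example (not part of either original post), the following Python parses that `access-list` syntax (wildcard masks, `host`, `any`, `eq <port>`, `log`/`log-input`) and evaluates sample packets against it, reporting the sequence number that matched, the same number `show access-list` prints. The sample configuration is constructed from the two posts; the port-name table is a small assumed subset of the IOS names.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"bgp": 179, "telnet": 23, "ssh": 22, "www": 80, "domain": 53}  # assumed subset of IOS names


@dataclass
class Ace:
    seq: int
    action: str                 # "permit" | "deny"
    proto: str                  # "ip" matches every protocol
    src: Tuple[int, int]        # (address, wildcard) as 32-bit ints
    src_port: Optional[int]
    dst: Tuple[int, int]
    dst_port: Optional[int]
    log: Optional[str]          # None, "log" or "log-input"


def _addr(t: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at t[i]; return the rule and the next index."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))), i + 2


def _port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq <port|name>' operator (the only port operator used in these posts)."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_acls(config_text: str) -> Dict[int, List[Ace]]:
    """Parse numbered extended 'access-list' lines; a leading 'R2(config)#' prompt is tolerated."""
    acls: Dict[int, List[Ace]] = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[-1].strip() if "(config)#" in raw else raw.strip()
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        number, action, proto = int(t[1]), t[2], t[3]
        src, i = _addr(t, 4)
        src_port, i = _port(t, i)
        dst, i = _addr(t, i)
        dst_port, i = _port(t, i)
        log = t[i] if i < len(t) and t[i] in ("log", "log-input") else None
        entries = acls.setdefault(number, [])
        entries.append(Ace(10 * (len(entries) + 1), action, proto, src, src_port, dst, dst_port, log))
    return acls


def _matches(addr: int, rule: Tuple[int, int]) -> bool:
    base, wildcard = rule
    care = ~wildcard & 0xFFFFFFFF          # wildcard bit set = don't care about that bit
    return (addr & care) == (base & care)


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str,
             src_port: Optional[int] = None, dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match evaluation; ("deny", None) is the implicit deny at the end of every IOS ACL."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if not (_matches(s, ace.src) and _matches(d, ace.dst)):
            continue
        if ace.src_port is not None and ace.src_port != src_port:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, ace.seq
    return "deny", None


# Constructed sample: the infrastructure ACL 110 and the debug-filter ACL 100 from the posts.
SAMPLE_CONFIG = """
R2(config)#access-list 110 deny ip host 55.44.33.195 any
R2(config)#access-list 110 deny ip host 55.44.33.200 any
R2(config)#access-list 110 deny ip host 0.0.0.0 any
R2(config)#access-list 110 deny ip 127.0.0.0 0.255.255.255 any
R2(config)#access-list 110 deny ip 192.0.2.0 0.0.0.255 any
R2(config)#access-list 110 deny ip 224.0.0.0 31.255.255.255 any
R2(config)#access-list 110 deny ip 10.0.0.0 0.255.255.255 any
R2(config)#access-list 110 deny ip 172.16.0.0 0.15.255.255 any
R2(config)#access-list 110 deny ip 192.168.0.0 0.0.255.255 any
R2(config)#access-list 110 deny ip 55.44.33.192 0.0.0.15 any
R2(config)#access-list 110 permit tcp host 12.23.34.45 host 55.44.33.195 eq bgp
R2(config)#access-list 110 permit tcp host 12.23.34.45 eq bgp host 55.44.33.195
R2(config)#access-list 110 deny ip any host 55.44.33.195
R2(config)#access-list 110 deny ip any host 55.44.33.200
R2(config)#access-list 110 permit ip any any
R1(config)#access-list 100 deny eigrp any any
R1(config)#access-list 100 permit ip any any
"""
ACLS = parse_acls(SAMPLE_CONFIG)
```

Running the evaluator over a few packets shows why the ordering in ACL 110 matters: the BGP session to 55.44.33.195 is permitted at sequence 110 only because the `deny ip any host 55.44.33.195` entry comes later at 130; swap them and the peering dies. For ACL 100 the EIGRP hellos to 224.0.0.10 hit the deny at 10 and so never appear in `debug ip packet 100`, while everything else falls through to the permit at 20.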