What Services I Need To Allow On ASA To Have Access To Internet


Our goal as a Network Security Engineer is to be able to provide security of communication and restrict access from insecure networks, e.g. the Internet. We use firewalls very commonly to restrict unwanted communication between various private networks and public networks. E.g. if we are hosting a Web Server in our environment, we expect only HTTP or HTTPS traffic for it, so we only permit port 80 and 443 access from the Internet to our private network (specifically to that Web Server) on the firewall. Today we will be discussing the default behavior of a very well-known Cisco firewall, i.e. the ASA, for traffic To the Firewall and Through the Firewall.

Topology

In order to understand and discuss the scenarios for traffic To and Through the Cisco ASA Firewall, let's refer to the topology below for better understanding.

[Figure: topology diagram]

In the above topology, there are two routers connected to the Cisco ASA Firewall with point-to-point connectivity. The ASA is configured as a Routed Firewall with Inside and Outside zones. We know that by default Cisco ASA uses security level 100 for the Inside interface and security level 0 for any interface with a name other than Inside.

To the ASA Firewall

Task-1

What if I ping from R1 to the ASA Firewall Inside interface (11.1.1.1)? Will it ping?

Answer- Yes, it will ping as it is a point-to-point link.

Task-2

What if I ping from R2 to the ASA Firewall Outside interface (12.1.1.1)? Will it ping?

Answer- Yes, it will ping as it is a point-to-point link.

Task-3

Now, let's suppose we have configured telnet on the Cisco ASA Firewall so that R1 and R2 can telnet to the ASA Firewall. What if I telnet from R1 to the ASA Firewall inside interface (11.1.1.1)? Will I be able to telnet from R1?

Answer- Yes, as R1 can reach the ASA Firewall Inside Interface and the ASA is enabled for Telnet.

Task-4

What if I telnet from R2 to the ASA Firewall Outside interface (12.1.1.1)? Will I be able to telnet from R2?

Answer- Interestingly NO. Telnet is clear-text traffic. By default, the ASA only allows telnet to the ASA firewall from the interface with security level 100. The ASA does not allow telnet from any interface other than one with security level 100.

Task-5

Now, let's suppose we have configured SSH on the Cisco ASA Firewall so that R1 and R2 can SSH to the ASA Firewall. What if I SSH from R1 to the ASA Firewall inside interface (11.1.1.1)? Will I be able to SSH from R1?

Answer- Yes, as R1 can reach the ASA Firewall Inside Interface and the ASA is enabled for SSH.

Task-6

What if I SSH from R2 to the ASA Firewall Outside interface (12.1.1.1)? Will I be able to SSH from R2?

Answer- Interestingly YES. Telnet didn't work but SSH works because SSH traffic is secure/encrypted. By default, the ASA Firewall allows SSH traffic from any interface as long as the ASA is configured correctly.

Through the ASA Firewall

Task-1

Now, let's suppose we have configured Telnet on R1 and R2 so that we can telnet to R1 and R2 from one another. What if I telnet from R1 to R2 (12.1.1.10)? Will I be able to telnet from R1?

Answer- Yes, because traffic from a Higher Security Level to a Lower Security Level is allowed in the ASA Firewall by default. Also, the ASA is a Stateful Firewall, so the return traffic from R2 to R1 will also be allowed because of the active connection in the connection table.

Task-2

What if I telnet from R2 to R1 (11.1.1.10)? Will I be able to telnet from R2?

Answer- No, because traffic is not allowed by default from a Lower to a Higher Security level in the ASA Firewall. If we want traffic to be allowed from Lower to Higher Security levels, we need to configure an access list to explicitly permit traffic from Outside to Inside.

Note:- Even if we use SSH, the result will be the same as in the above two tasks. When traffic is supposed to pass through the Firewall, by default the ASA doesn't care whether it is encrypted traffic or plain text.

Task-3

What if I ping from R1 to R2 (12.1.1.10)? Will I be able to ping R2 from R1?

Answer- Interestingly NO. Even though the traffic is from a Higher to a Lower Security Level, ping does not work by default in the ASA Firewall. The reason is that ICMP inspection is not enabled by default in the ASA; it needs to be explicitly enabled, and only then does ping work.

Task-4

Now, let's suppose we enable ICMP inspection in the ASA firewall. What if I ping from R2 to R1 (11.1.1.10)? Will I be able to ping R1 from R2?

Answer- No, even though we enable ICMP inspection in the ASA Firewall, Lower to Higher security level traffic is not allowed by default. An Access-List is required on the Outside Interface of the ASA to permit ICMP traffic.
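The ten Task answers above (To the ASA and Through the ASA) can be checked mechanically against a small model of the ASA's default policy. This is an added example, not from the article and not ASA's own code: the interface names and addresses come from the topology, while representing the access-list as a set of protocol names, the connection table, and placing 11.1.1.0/24 behind inside and 12.1.1.0/24 behind outside are my assumptions.

```python
from dataclasses import dataclass, field

# Added example, not from the article: a model of the ASA default policy the
# tasks above walk through. The ACL as a set of protocol names and the
# connection table are my own simplification, not ASA data structures.
SEC_LEVEL = {"inside": 100, "outside": 0}              # the article's topology
ASA_IFACE_IP = {"11.1.1.1": "inside", "12.1.1.1": "outside"}

def iface_of(ip):
    """Assumption: 11.1.1.0/24 sits behind inside, 12.1.1.0/24 behind outside."""
    return "inside" if ip.startswith("11.1.1.") else "outside"

@dataclass
class Asa:
    telnet_enabled: bool = True       # 'telnet <net> <mask> <iface>' configured
    ssh_enabled: bool = True          # 'ssh <net> <mask> <iface>' configured
    icmp_inspection: bool = False     # 'inspect icmp' is off by default
    acl_outside_in: set = field(default_factory=set)  # protocols permitted outside->inside
    conns: set = field(default_factory=set)           # stateful connection table

    def to_box(self, dst, proto):
        """Traffic addressed to one of the ASA's own interfaces."""
        if proto == "icmp":
            return True               # ping to a directly connected interface works
        if proto == "telnet":         # clear text: only from the security-level-100 interface
            return self.telnet_enabled and SEC_LEVEL[ASA_IFACE_IP[dst]] == 100
        return proto == "ssh" and self.ssh_enabled   # encrypted: any interface

    def through_box(self, src, dst, proto):
        """Traffic transiting the ASA; True if the packet is forwarded."""
        if (dst, src, proto) in self.conns:
            return True               # reply belonging to an existing connection
        src_if, dst_if = iface_of(src), iface_of(dst)
        high_to_low = SEC_LEVEL[src_if] > SEC_LEVEL[dst_if]
        if not (high_to_low or (src_if == "outside" and proto in self.acl_outside_in)):
            return False              # lower->higher needs an explicit access-list
        if proto != "icmp" or self.icmp_inspection:
            self.conns.add((src, dst, proto))  # without inspect icmp no ICMP state is kept
        return True

    def permit(self, src, dst, proto):
        if dst in ASA_IFACE_IP:
            return self.to_box(dst, proto)
        return self.through_box(src, dst, proto)

    def ping(self, src, dst):
        # echo request and echo reply must both be forwarded for ping to succeed
        if dst in ASA_IFACE_IP:
            return self.to_box(dst, "icmp")
        return self.through_box(src, dst, "icmp") and self.through_box(dst, src, "icmp")
```

Each `Asa()` instance starts with an empty connection table, so a fresh instance models the "no prior traffic" case of each task.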

Are you Planning to Deploy Cisco ASA Firewall for your Environment?

If you are planning for a Green-field Deployment, Tech Refresh, Migration from your legacy Firewall or any Firewall to Cisco ASA, or for implementing advanced features in your already deployed ASA Firewall, you can always reach out to us. The team at Zindagi Technologies consists of experts in the field of Network Security, Data Center technologies, Enterprise & Service Provider Networks, Virtualization, Private Cloud, Public Cloud, Data Center Networks (LAN and SAN), Collaboration, Wireless, Surveillance, Openstack, ACI, storage and security technologies with over 20 years of combined industry experience in planning, designing, implementing and optimizing complex Network Security and VPN deployments. We will be glad to help you. You can give us a call at +919773973971 or you can also drop us an e-mail.

Author
Harpreet Singh Batra
Consulting Engineer- Data Center and Network Security

Source: https://zindagitech.com/to-and-through-the-cisco-asa-firewall/
