Deployment Scenarios Using ACLs

Traffic filtering is the core functionality of any network or personal firewall. However, Cisco ASA integrates this core functionality with the novel features to provide a scalable packet identification and filtering mechanism that can be used in almost any environment. Although ACLs can be deployed in many different ways, this section covers the following two design scenarios for ease of understanding:

  • Using ACLs to filter inbound and outbound traffic
  • Enabling content filtering using Websense

Note

These design scenarios are discussed here to reinforce learning and thus they should be used for reference only.

 

Using ACLs to Filter Inbound and Outbound Traffic

SecureMe hosts three web servers, two e-mail servers, and a DNS server at its Chicago office. All of these servers are located on the DMZ network 209.165.201.0/27, as shown in Figure 5-8. SecureMe also provides connectivity to the Internet for its inside trusted users. However, the inside hosts are allowed to access only Web Server1 and DNS server on the DMZ network.

Figure 5-8. SecureMe ASA in Chicago Using ACLs

Table 5-10 lists all the servers and their corresponding IP addresses.

Table 5-10. Server Address Assignments

Server

IP Address

Web Server1

209.165.201.10

Web Server2

209.165.201.11

Web Server3

209.165.201.12

Email Server1

209.165.201.20

Email Server2

209.165.201.21

DNS

209.165.201.30

To achieve these requirements, the administrator has configured an inbound ACL, called outside_in, with two object groups. The first network object group, DMZ_Web_Servers, groups all the HTTP servers. The second network group, DMZ_Email_Servers, groups both e-mail servers. Both network groups are bound to the ACL to allow the HTTP and SMTP traffic only. All other traffic gets denied and logged by the security appliance. This ACL is applied on the outside interface in the inbound direction.

To limit the inside traffic to the DMZ network, the administrator has configured another ACL, called DMZ_out, to allow the trusted hosts on the inside network to access Web Server1 and DNS. The ACL is applied on the DMZ interface in the outbound direction. Example 5-26 shows the relevant configuration of the ASA in Chicago.

Example 5-26. ASA's Full Configuration Using Inbound and Outbound ACLs

Chicago# show running

ASA Version 7.0(1)

! GigabitEthernet0/0 interface set as outside

interface GigabitEthernet0/0

 nameif outside

 security-level 0

 ip address 209.165.200.225 255.255.255.224

! GigabitEthernet0/1 interface set as inside

interface GigabitEthernet0/1

 nameif inside

 security-level 100

 ip address 209.165.202.129 255.255.255.224

! GigabitEthernet0/2 interface set as DMZ

interface GigabitEthernet0/2

 nameif DMZ

 security-level 50

ip address 209.165.201.1 255.255.255.224

! Hostname of the security appliance

hostname Chicago

! Network Object-group to group the web-servers

object-group network DMZ_Web_Servers

 network-object host 209.165.201.10

 network-object host 209.165.201.11

 network-object host 209.165.201.12

! Network Object-group to group the Email-servers

object-group network DMZ_Email_Servers

 network-object host 209.165.201.20

 network-object host 209.165.201.21

! Access-list to filter inbound traffic on the outside interface

access-list outside_in remark ACL to block inbound traffic on the outside interface

access-list outside_in extended permit tcp any object-group DMZ_Web_Servers eq www

access-list outside_in extended permit tcp any object-group DMZ_Email_Servers eq

smtp

access-list outside_in extended deny ip any any log

! Access-list to filter outbound traffic on the DMZ interface

access-list DMZ_out remark ACL to block outbound traffic on the DMZ interface

access-list DMZ_out extended permit tcp 209.165.202.128 255.255.255.224 host

209.165.201.10 eq www

access-list DMZ_out extended permit udp 209.165.202.128 255.255.255.224 host

209.165.201.30 eq domain

! Access-list bound to the outside interface in the inbound direction

access-group outside_in in interface outside

! Access-list bound to the DMZ interface in the outbound direction

access-group DMZ_out out interface DMZ

! Default route is pointed to the outside interface

route outside 0.0.0.0 0.0.0.0 209.165.200.226 1

 

Enabling Content Filtering Using Websense

SecureMe wants to enable content filtering for its users to ensure that they do not access certain sites such as pornographic and gaming sites. The administrator has set up a Websense server to filter out the URLs if the packets are destined for these Internet sites using the HTTP, HTTPS, or FTP protocols. The administrator does not want to overload the filtering server by sending the duplicate request for the same source and destination addresses. SecureMe's policy allows users to go through the security appliance if the filtering server is unavailable. Additionally, if the reply from the content server arrives before the response is received from the filtering server, SecureMe wants the security appliance to buffer the reply rather than drop it.

To meet the company's goals, the administrator has specified a Websense server as a URL-filtering device in the network that is located on the DMZ interface at 209.165.201.50, as illustrated in Figure 5-9. To avoid overloading the filtering server, the maximum simultaneous limit is set to 15, while the server's responses are cached by allocating 100 KB of memory space. The security appliance is set up to buffer replies from the filtering server by using the url-block block command to store up to 128 packets.

Figure 5-9. SecureMe Network Using Content Filtering

Example 5-27 shows the complete configuration for Cisco ASA used in this deployment.

Example 5-27. ASA's Full Configuration Using a URL-Filtering Server

Chicago# show run

ASA Version 7.0(1)

! GigabitEthernet0/0 interface set as outside

interface GigabitEthernet0/0

 nameif outside

 security-level 0

 ip address 209.165.200.225 255.255.255.224

! GigabitEthernet0/1 interface set as inside

interface GigabitEthernet0/1

 nameif inside

 security-level 100

 ip address 209.165.202.130 255.255.255.224

! GigabitEthernet0/2 interface set as DMZ

interface GigabitEthernet0/2

 nameif dmz

 security-level 50

 ip address 209.165.201.1 255.255.255.224

! Hostname of the security appliance

hostname Chicago

! Access-list to filter inbound traffic on the outside interface

access-list outside_in remark ACL to block inbound traffic on the outside interface

access-list outside_in extended deny ip any any log

! Access-list to filter inbound traffic on the inside interface

access-list inside_in remark ACL to block inbound traffic on the inside interface

access-list inside_in extended permit tcp 209.165.202.128 255.255.255.224 any eq www

! Access-list bound to the outside interface in the inbound direction

access-group outside_in in interface outside

! Access-list bound to the inside interface in the inbound direction

access-group inside_in in interface inside

! Default route is pointed to the outside interface

route outside 0.0.0.0 0.0.0.0 209.165.200.226 1

url-server (dmz) vendor websense host 209.165.201.50 timeout 30 protocol TCP version

4 connections 15

url-cache src_dst 100

filter url http 209.165.202.128 255.255.255.128 0.0.0.0 0.0.0.0 allow

filter https 443 209.165.202.128 255.255.255. 128 0.0.0.0 0.0.0.0 allow

filter ftp 21 209.165.202.128 255.255.255. 128 0.0.0.0 0.0.0.0 allow

!

url-block block 100


Part I: Product Overview

Introduction to Network Security

Product History

Hardware Overview

Part II: Firewall Solution

Initial Setup and System Maintenance

Network Access Control

IP Routing

Authentication, Authorization, and Accounting (AAA)

Application Inspection

Security Contexts

Transparent Firewalls

Failover and Redundancy

Quality of Service

Part III: Intrusion Prevention System (IPS) Solution

Intrusion Prevention System Integration

Configuring and Troubleshooting Cisco IPS Software via CLI

Part IV: Virtual Private Network (VPN) Solution

Site-to-Site IPSec VPNs

Remote Access VPN

Public Key Infrastructure (PKI)

Part V: Adaptive Security Device Manager

Introduction to ASDM

Firewall Management Using ASDM

IPS Management Using ASDM

VPN Management Using ASDM

Case Studies



Cisco Asa(c) All-in-one Firewall, IPS, And VPN Adaptive Security Appliance
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
EAN: 2147483647
Year: 2006
Pages: 231

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net