Sunday, July 4, 2021

Configuring Objects in a Cisco ASA Firewall

Here's a link about Cisco ASA Objects. I needed to "harden" our SIP connection to an external SIP gateway in the Internet. So instead of configuring multiple ACL entries, I configured Network and Service Objects on the Cisco ASA Firewall.

ciscoassa# configure terminal
ciscoassa(config)# object-group network SIP-EXTERNAL
ciscoassa(config-network-object-group)# network-object ?

network-object-group mode commands/options:
  Hostname or A.B.C.D                     Enter an IPv4 network address
  Hostname/<0-128> or X:X:X:X::X/<0-128>  Enter an IPv6 prefix
  host                                    Enter this keyword to specify a
                                          single host object
  object                                  Enter this keyword to specify a
                                          network object
ciscoassa(config-network-object-group)# network-object host 208.7.8.1
ciscoassa(config-network-object-group)# network-object host 208.7.8.2

ciscoassa(config)# object-group network SIP-INTERNAL
ciscoassa(config-network-object-group)# network-object host 192.168.1.6
ciscoassa(config-network-object-group)# network-object host 192.168.1.7

ciscoassa(config)# object-group service SIP-PROTOCOLS
ciscoassa(config-service-object-group)# service-object ?

dual-service-object-group mode commands/options:
  <0-255>  Enter protocol number (0 - 255)
  ah      
  eigrp   
  esp     
  gre     
  icmp    
  icmp6   
  igmp    
  igrp    
  ip      
  ipinip  
  ipsec   
  nos     
  object   Enter this keyword to specify a service object
  ospf    
  pcp     
  pim     
  pptp    
  sctp    
  snp     
  tcp     
  tcp-udp  Both TCP & UDP
  udp     
ciscoassa(config-service-object-group)# service-object udp ? 

dual-service-object-group mode commands/options:
  destination  Keyword to specify destination
  source       Keyword to specify source
  <cr>
dual-service-object-group mode commands/options:
  <0-65535>          Enter port number (0 - 65535)
  biff              
  bootpc            
  bootps            
  cifs              
  discard           
  dnsix             
  domain            
  echo              
  http              
  isakmp            
  kerberos          
  mobile-ip         
  nameserver        
  netbios-dgm       
  netbios-ns        
  nfs               
  ntp               
  pcanywhere-status 
  pim-auto-rp       
  radius            
  radius-acct       
  rip               
  secureid-udp      
  sip               
  snmp              
  snmptrap          
  sunrpc            
  syslog            
  tacacs            
  talk              
  tftp              
  time              
  vxlan             
  who               
  www               
  xdmcp                    
ciscoassa(config-service-object-group)# service-object udp destination ?

dual-service-object-group mode commands/options:
  eq     Port equal to operator
  gt     Port greater than  operator
  lt     Port less than operator
  neq    Port not equal to operator
  range  Port range operator
ciscoassa(config-service-object-group)# service-object udp destination eq 5060
ciscoassa(config-service-object-group)# service-object tcp destination eq 5060
ciscoassa(config-service-object-group)# service-object udp destination range 5000 60000

ciscoassa(config)# show object
object-group network SIP-EXTERNAL
 network-object host 208.7.8.1
 network-object host 208.7.8.2
object-group service SIP-PROTOCOLS
 service-object udp destination eq sip
 service-object tcp destination eq sip
 service-object udp destination range 5000 60000
object-group network SIP-INTERNAL
 network-object host 192.168.1.6
 network-object host 192.168.1.7

ciscoassa(config)# access-list SIP-OUTSIDE-IN extended permit ?

configure mode commands/options:
  <0-255>       Enter protocol number (0 - 255)
  ah           
  eigrp        
  esp          
  gre          
  icmp         
  icmp6        
  igmp         
  igrp         
  ip           
  ipinip       
  ipsec        
  nos          
  object        Specify a service object after this keyword
  object-group  Specify a service or protocol object-group after this keyword
  ospf         
  pcp          
  pim          
  pptp         
  sctp         
  snp          
  tcp          
  udp          
ciscoassa(config)# access-list SIP-OUTSIDE-IN extended permit object-group ?

configure mode commands/options:
  WORD  Service or protocol object-group name
ciscoassa(config)# access-list SIP-OUTSIDE-IN extended permit object-group SIP-PROTOCOLS ?                 

configure mode commands/options:
  A.B.C.D                Source IP address
  X:X:X:X::X/<0-128>     Source IPv6 address/prefix
  any                    Abbreviation for source address/mask of
                         0.0.0.0/0.0.0.0 OR source prefix ::/0
  any4                   Abbreviation of source address and mask of 0.0.0.0
                         0.0.0.0
  any6                   Abbreviation for source prefix ::/0
  host                   Use this keyword to configure source host
  interface              Use interface address as source address
  object                 Keyword to enter source object name
  object-group           Network object-group for source address
  object-group-security  Keyword to specify security object-group for source
  object-group-user      Keyword to specify user object-group for source
  security-group         Keyword to specify inline security-group
  user                   Keyword to specify user for source
  user-group             Keyword to specify user-group for source
ciscoassa(config)# access-list SIP-OUTSIDE-IN extended permit object-group SIP-PROTOCOLS object-group SIP-EXTERNAL ?                 

configure mode commands/options:
  A.B.C.D                Destination IP address
  X:X:X:X::X/<0-128>     Destination IPv6 address/prefix
  any                    Abbreviation for destination address/mask of
                         0.0.0.0/0.0.0.0 OR destination prefix ::/0
  any4                   Abbreviation for destination address and mask of
                         0.0.0.0 0.0.0.0
  any6                   Abbreviation for destination prefix ::/0
  host                   Use this keyword to configure destination host
  interface              Use interface address as destination address
  object                 Keyword to enter destination object name
  object-group           Network object-group for destination address
  object-group-security  Keyword to specify security object-group for
                         destination
  security-group         Keyword to specify inline security-group
ciscoassa(config)# access-list SIP-OUTSIDE-IN extended permit object-group SIP-PROTOCOLS object-group SIP-EXTERNAL object-group SIP-INTERNAL   // ONLY A SINGLE ACE

ciscoassa(config)# show run access-list
access-list SIP-OUTSIDE-IN extended permit object-group SIP-PROTOCOLS object-group SIP-EXTERNAL object-group SIP-INTERNAL

ciscoassa(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list SIP-OUTSIDE-IN line 1 extended permit object-group SIP-PROTOCOLS object-group SIP-EXTERNAL object-group SIP-INTERNAL (hitcnt=0) 0xc506ba7b
  access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.1 host 192.168.1.6 eq sip (hitcnt=0) 0xa581f8ec
  access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.1 host 192.168.1.7 eq sip (hitcnt=0) 0xe8109d83
  access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.2 host 192.168.1.6 eq sip (hitcnt=0) 0xcd331db8
  access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.2 host 192.168.1.7 eq sip (hitcnt=0) 0x401975dd
  access-list OUTSIDE_IN line 1 extended permit tcp host 208.7.8.1 host 192.168.1.6 eq sip (hitcnt=0) 0x22d073e8
  access-list OUTSIDE_IN line 1 extended permit tcp host 208.7.8.1 host 192.168.1.7 eq sip (hitcnt=0) 0x08a4966a
  access-list OUTSIDE_IN line 1 extended permit tcp host 208.7.8.2 host 192.168.1.6 eq sip (hitcnt=0) 0x9747ecca
  access-list OUTSIDE_IN line 1 extended permit tcp host 208.7.8.2 host 192.168.1.7 eq sip (hitcnt=0) 0x41479753
  access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.1 host 192.168.1.6 range 5000 60000 (hitcnt=0) 0x98df0f49
  access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.1 host 192.168.1.7 range 5000 60000 (hitcnt=0) 0x3542d660
  access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.2 host 192.168.1.6 range 5000 60000 (hitcnt=0) 0xcbde7f33
  access-list OUTSIDE_IN line 1 extended permit udp host 208.7.8.2 host 192.168.1.7 range 5000 60000 (hitcnt=0) 0x2b5bdc5b
 

No comments:

Post a Comment