TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
Configuring cisco asa and pix firewalls part3
1. Configuring Cisco ASA and PIX Firewalls-Part2
5. Working With Objects
Firewall Builder is based on the concept of objects. There are a variety of different
object types used to define IP objects that can be used as the Source and Destination
in your firewall rules. Two of the most common IP objects used in firewall rules
are Networks and Addresses.
Network Objects
To create the example Network object representing the internal 10.10.10.0/24
network shown in the diagram on the previous page, go to the object tree on the left
side of the screen and double-click the folder labeled Objects to expand it. Right click
on the folder called Networks and select “New Network”. This creates a new
network object. In the lower portion of your screen, called the Editor Panel, you can
modify the properties of this new network object.
Change the object name to something matching the function. In this example we
name it “Internal Network” to represent the network connected to our "inside"
interface. The address is set to 10.10.10.0 and the netmask is 255.255.255.0.
Figure 13. New Network Object
Note
When editing the attributes of an object there is no Apply or Submit button. Once
you edit an attribute, as soon as you move away from the field you were editing
the change immediately takes effect.
Address Objects
To create an object representing a single IP address, similar to the host parameter in
2. a Cisco access list, go to the object tree, right-click on the Addresses folder, and select
"New Address". In the Editor Panel change the name of the new address object to
something that reflects its function, for example “POP3 Server”. Also set the IP
address.
Figure 14. New Address Object
You may have noticed that we did not create any objects for the TCP services like
HTTP and SSH needed for the firewall object rules shown in the example. This is
because Firewall Builder comes with hundreds of predefined objects for commonly
used objects like TCP services.
6. Configuring Policy Rules (Access Lists)
After you have created a firewall object and network objects you can start to
configure the firewall's rules. When you create a firewall object, for
example asa-1 from our previous example, it is opened automatically in the object
tree and its Policy object is opened in the main window for editing. The Policy object
is where access list rules are configured.
To add a new rule to the Policy, click on the green icon at the top left of the main
window. This creates a new rule with default values set to deny all.
Figure 15. Default Rule
Every rule includes the following sections:
Source - this can be one or more IP objects. The default value is Any which is
the same as the "any" parameter in a Cisco access list that matches all IP
addresses.
Destination - this can be one or more IP objects. The default value is Any
which is the same as the "any" parameter in a Cisco access list that matches
all IP addresses.
Service - this can be one or more Service objects. Example services include
3. TCP and UDP protocols like HTTP and DNS. The default value is Any which
matches any IP service and is the same as the "ip" parameter in Cisco access
lists.
Interface - this can be one or more interfaces configured on the firewall
(router) object. The default value is All which means the rule will be applied
as an access list to all configured interfaces.
Direction - options are Inbound, Outbound, and Both. This defines whether
the resulting access-group will be applied to interfaces as "in" or "out". Both
will generate an identical rule for "in" and "out". The default value is Both.
Action - options are Accept and Deny. This matches the Cisco access list
parameters "permit" and "deny". The default value is Deny.
Options - options are Logging On and Logging Off. Setting Logging On matches
the Cisco access list parameter "log". The default value is Logging On.
Configuring a Rule
In the example below, the fields in the rule will be set to the values that match the
first rule from our example scenario (scenario rules shown in figure below). This first
rule controls SSH access to the firewall itself.
Figure 16. Scenario Rules
Setting the Source
To set the Source of a rule, drag-and-drop at least one IP object from the tree to the
Source field of your rule. For example, drag the Network object called Internal
Network that you created earlier to the Source column of the rule as shown below.
Figure 17. Setting the Source
After you drop the network object into the rule the Source field will change from Any
to Internal Network.
Figure 18. After Source is Set
4. Note
You can have more than one IP object in the Source and Destination fields. When
Firewall Builder generates the Cisco command line access lists it will automatically
split the rule into multiple lines if necessary.
Setting the Destination
Setting the Destination is exactly the same as setting the Source, except you
drag-and-drop IP objects in to the Destination field of the rule. For our first example
rule we want the Destination to be the "inside" interface of the firewall object.
Drag-and-drop the Ethernet0/1 object from the object tree to the Destination
column.
Figure 19. Setting the Destination
After you drop the interface object into the rule the Destination field will change
from Any to "inside", the label of the Ethernet0/1 interface.
Figure 20. After Destination is Set
Setting the Service
Firewall Builder comes with hundreds of predefined objects including Service objects
for almost all standard protocols. To access these objects switch to the Standard
library by selecting it from the drop down at the top of the Object tree window.
Figure 21. Switching Libraries
5. Services are located in the Services folder. In this rule we want to set the service to
SSH, so you would navigate to the SSH service by opening the Services folder, then
opening the TCP folder and scrolling down until you find the "ssh" object.
Once you find the ssh object, drag-and-drop from the tree on the left in to the
Service section of the rule in the Rules window.
Figure 22. Setting the Service
Note
To switch back to the User library, which contains objects you have created, click on
the drop down menu that says Standard and select User from the list of libraries.
Setting the Interface
If desired, set the Interface for the rule by dragging-and-dropping an interface object
from the firewall (router) object to the Interface section of the rule. This will
explicitly define which interface on the router that the access list will be applied to as
an "access-group".
Figure 23. Setting the Interface
6. Setting the Direction
The direction of the rule is based on the traffic you want to filter. Traffic coming in to
an interface should have the rule Direction set to Inbound and traffic going out of an
interface should have the rule Direction set to Outbound. In our example the
direction of the rule will be Inbound since it is controlling access to the firewall itself
on the "inside" interface. Right-click and set the direction to Inbound.
The Direction, Network Zone and the Interface settings in a rule will determine which
interfaces should have this rule applied.
Note
A word about Inbound vs. Outbound access lists: Older PIX versions did not support
outbound access lists on interfaces, so by default Firewall Builder emulates this
behavior. This means if you create an outbound rule on an interface, Firewall Builder
will convert that to inbound rules on all other interfaces. You can change this
behavior by editing the Firewall Settings for the firewall object and clicking the
checkbox next to "Generate outbound ACLs".
Setting the Action
The action controls whether traffic matching the rule should be permitted or denied.
Remember, all Cisco access lists have an implicit deny at the end of the list, so any
traffic that has not matched a rule that permits the traffic will be dropped. Right-click
and set the action to "Accept" to allow the SSH traffic from the local network to the
firewall.
Setting the Options
Logging for rule matches is set in the Options section. By default logging is turned on.
To turn logging off, right-click in the Options section and select Logging Off.
Example of a Complete Rule
The following is the first rule from our example which allows traffic from the internal
network to the firewall's inside interface that has a traffic type of SSH.
Figure 24. New Rule with Fields Set
7. 6.1. Additional Tips For Working with Rules
Adding a Rule
To add a new rule click the icon at the top of the Rules Editor window. This inserts
a new rule above the current rule. To add a new rule below the current rule
right-click on a rule and select "Add New Rule Below".
Figure 25. Adding Rules
Copy-and-Paste
In addition to drag-and-drop you can also copy-and-paste objects. For example, you
can right-click on the Internal Network object in the first rule and select Copy.
Navigate to the Source section of the new rule you just created and right-click and
select Paste.
Using Filters to Find Objects
Filters provide a way to quickly find objects in the tree without having to open
multiple folders and scroll. For example, if you wanted to use the POP3 protocol in a
rule you could use the filter to find it.
The POP3 protocol object is located in the Standard library, so select it from the
dropdown menu at the top of the Object Window. Type pop3 in to the filter field.
This will display all objects in the current library that contain pop3.
Figure 26. Using Filter to Find Objects
Note
After you are done with the filtered object, clear the filter field by clicking the X to
8. the right of the input box and then switch back to the User library by selecting it in
the dropdown menu at the top of the object panel.
Example of Completed Rules
For our example we needed to create two firewall rules. The completed firewalll
rules are shown in the diagram below.
Figure 27. Two Rules
More…
Cisco Guide: Migration of Cisco PIX 500 Series to Cisco ASA 5500 Series
Cisco PIX Firewall Basics