Cisco – ASA Inspection clarity

Tags: cisco, cisco-asa, firewall

I want to make sure I get this because it's driving me a bit mad.

class-map ftp
 match port tcp eq 21
class-map http
 match port tcp eq 21 [it should be 80]
policy-map test
 class ftp
  inspect ftp
 class http
  inspect http

In this example on Cisco's site, they say "traffic destined to port 21 is mistakenly configured for both FTP and HTTP inspection". So does that mean that the firewall creates a dynamic ACL for HTTP, but how does that work with the destination port being port 21? This really confused me.

I'm assuming also that the purpose of the "inspect" command is to create a dynamic ACL or an exception in the firewall to all the traffic back into the network?

Again, I know it's a misconfiguration from Cisco's site, done on purpose to show what a misconfig looks like in regards to the inspect command, and they say "traffic destined to port 21 is mistakenly configured for both FTP and HTTP inspection".

If an FTP packet was received on port 21, that would trigger both class-maps; does the ASA then create a dynamic ACL for both src and dst addresses on ports 21 and 80?
That would seem logical to me, but I'm not sure.

Cheers

Best Answer

First, there is no dynamic ACL going on here, and stateful inspection is not a factor, either. (But, read the last paragraph for an explanation of how FTP is special.) The firewall will perform stateful inspection regardless of the inspect commands you have configured. Thus, return traffic will always make it back through the firewall because of this stateful behavior, which you can see in the connection table by doing a show conn.

The purpose of an inspect statement is to invoke higher-OSI-layer examination. An example would be that the ESMTP inspection will drop connections where the SMTP client attempts to negotiate TLS. As you can see, that would be layer-7 examination to see that some payload did or did not contain something. That's what inspect statements do.

In contrast to the inspect statement, stateful inspection is only letting return traffic of already-permitted flows to come back through the firewall on the exact same ports on which they were initiated. That's layer 4 only.

Now, getting to the misconfig like the one you posted, my memory is a bit foggy from way-back when I read the documentation on this type of thing. If I remember correctly, the ASA will only process one inspect statement for any given flow of traffic. So, since the class ftp occurs first in the policy-map test, the traffic will be inspected by the FTP inspection and not the HTTP inspection.

Now, because of the way FTP was designed (multiple TCP streams, dynamic ports), the ASA's FTP inspection has an extra special behavior. It will dig into the payload of the packets on TCP port 21 to look for operations that will open the FTP data channel (which will use TCP port 20). When these operations occur, the FTP payload will contain the TCP destination port number (some random number above 1024) that shall be used, and the ASA will quickly respond by adding a temporary ACL for the SYN packet of the data channel to pass through the firewall. Once the SYN gets through the firewall, stateful inspection kicks in and grants the return traffic to be permitted automatically. To reiterate, letting the SYN packet through is the function of the inspect statement, where letting the return traffic through is a function of stateful inspection.

One final comment: you can actually permit FTP through your ASA firewall without using the inspect ftp statement (despite this port 20 behavior) by simply building an ACL that allows traffic between the client and the server on port 21, and between the client and server in both directions on TCP port 20. You would effectively be accomplishing what the inspect statement is intended to do. But that would be horrendously frowned upon by security folks. In contrast to that, you cannot run your firewall without stateful inspection because (1) there is no way to turn it off that I know of, and (2) you would be removing all the security from inside your firewall.
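The two behaviours the answer describes, as an added example that is not code from the original page, from Cisco, or from the answerer: a small Python model of (1) the policy-map resolution the answer recalls (the first class in policy-map order whose match covers the flow wins, so the second class matching TCP/21 never fires) and (2) what FTP inspection reads out of the control channel to open a temporary pinhole for the data-channel SYN. The configuration text, IP addresses and control-channel lines are constructed for the example; the parser handles only the few MPF keywords used in the question; the pinhole dict layout is this example's own, not an ASA data structure. It goes a little beyond the answer in that it also parses a passive-mode 227 reply, where the client rather than the server opens the data connection, not only the active-mode PORT command that leads to the port-20 behaviour the answer describes.

```python
import re

# Constructed sample: the misconfiguration from the question (both class-maps match
# TCP/21), reproduced without the "[it should be 80]" annotation so it parses.
MISCONFIG = """\
class-map ftp
 match port tcp eq 21
class-map http
 match port tcp eq 21
policy-map test
 class ftp
  inspect ftp
 class http
  inspect http
"""

# Constructed sample: the same policy with the http class-map corrected to TCP/80.
CORRECTED = MISCONFIG.replace("class-map http\n match port tcp eq 21",
                              "class-map http\n match port tcp eq 80")


def parse_mpf(text):
    """Parse the tiny subset of ASA MPF syntax used above (example parser, not Cisco's).

    Returns (class_maps, policy): class_maps maps a class-map name to its
    (protocol, port) match; policy is the ordered list of (class, engine)
    pairs from the policy-map, in configuration order.
    """
    class_maps, policy = {}, []
    section, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("class-map "):
            section, current = "class-map", line.split()[1]
        elif line.startswith("policy-map "):
            section, current = "policy-map", None
        elif section == "class-map" and line.startswith("match port "):
            _, _, proto, _, port = line.split()  # e.g. "match port tcp eq 21"
            class_maps[current] = (proto, int(port))
        elif section == "policy-map" and line.startswith("class "):
            current = line.split()[1]
        elif section == "policy-map" and line.startswith("inspect "):
            policy.append((current, line.split()[1]))
    return class_maps, policy


def inspect_for_flow(class_maps, policy, proto, dst_port):
    """Engine applied to a new flow: the first class in policy-map order whose match
    covers the flow, as the answer recalls the ASA doing (assumption carried over from
    the answer). Later classes that also match never get a chance to run."""
    for cls, engine in policy:
        if class_maps.get(cls) == (proto, dst_port):
            return engine
    return None


def shadowed_classes(class_maps, policy):
    """Config lint: classes whose match is identical to an earlier class in the same
    policy-map. Returns [(shadowed_class, its_engine, winning_class)]."""
    first_seen, shadowed = {}, []
    for cls, engine in policy:
        key = class_maps.get(cls)
        if key in first_seen:
            shadowed.append((cls, engine, first_seen[key]))
        else:
            first_seen[key] = cls
    return shadowed


# Control-channel lines that announce a data connection (RFC 959 h1,h2,h3,h4,p1,p2 form).
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def ftp_pinhole(client_ip, server_ip, control_line):
    """What FTP inspection learns from one control-channel line: the endpoints the
    temporary pinhole must allow for the data-channel SYN (source port is None when
    it is an ephemeral port chosen later). Returns None for lines that open no data
    channel. The dict layout is this example's own."""
    m = PORT_RE.match(control_line)
    if m:  # active mode: server connects from port 20 to the port the client announced
        h = list(map(int, m.groups()))
        return {"mode": "active", "src": server_ip, "sport": 20,
                "dst": f"{h[0]}.{h[1]}.{h[2]}.{h[3]}", "dport": h[4] * 256 + h[5]}
    m = PASV_RE.match(control_line)
    if m:  # passive mode: client connects from any port to the port the server announced
        h = list(map(int, m.groups()))
        return {"mode": "passive", "src": client_ip, "sport": None,
                "dst": f"{h[0]}.{h[1]}.{h[2]}.{h[3]}", "dport": h[4] * 256 + h[5]}
    return None


if __name__ == "__main__":
    cm, pol = parse_mpf(MISCONFIG)
    print("TCP/21 on misconfig ->", inspect_for_flow(cm, pol, "tcp", 21))  # ftp
    print("shadowed:", shadowed_classes(cm, pol))  # the http class never fires
    cm, pol = parse_mpf(CORRECTED)
    print("TCP/80 on corrected ->", inspect_for_flow(cm, pol, "tcp", 80))  # http
    # Constructed control-channel lines: client 10.0.0.5 talking to server 203.0.113.10.
    print(ftp_pinhole("10.0.0.5", "203.0.113.10", "PORT 10,0,0,5,4,210"))
    print(ftp_pinhole("10.0.0.5", "203.0.113.10",
                      "227 Entering Passive Mode (203,0,113,10,195,80)."))
```

Running it against the question's configuration shows the `http` class is shadowed by `ftp` (same match, later in the policy-map), which is exactly why Cisco's page calls port 21 "mistakenly configured for both"; with the class-map corrected to port 80 each flow resolves to one engine. The pinhole functions show that what the inspect statement adds is the data-channel endpoint parsed from the payload; the return half of that connection is still left to the ordinary stateful connection table, as the answer says.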