Deployment Scenarios Using ACLs
Traffic filtering is the core function of any network or personal firewall. Cisco ASA combines this core function with features such as object groups, outbound ACLs, and URL filtering to provide a scalable packet identification and filtering mechanism that fits almost any environment. Although ACLs can be deployed in many different ways, this section covers the following two design scenarios:
- Using ACLs to filter inbound and outbound traffic
- Enabling content filtering using Websense
Note
These design scenarios are presented to reinforce the concepts in this chapter and should be used for reference only.
Using ACLs to Filter Inbound and Outbound Traffic
SecureMe hosts three web servers, two e-mail servers, and a DNS server at its Chicago office. All of these servers are located on the DMZ network 209.165.201.0/27, as shown in Figure 5-8. SecureMe also provides Internet connectivity for its trusted inside users; however, the inside hosts are allowed to reach only Web Server1 and the DNS server on the DMZ network.
Figure 5-8. SecureMe ASA in Chicago Using ACLs
Table 5-10 lists all the servers and their corresponding IP addresses.
Server | IP Address
---|---
Web Server1 | 209.165.201.10
Web Server2 | 209.165.201.11
Web Server3 | 209.165.201.12
Email Server1 | 209.165.201.20
Email Server2 | 209.165.201.21
DNS | 209.165.201.30
To meet these requirements, the administrator has configured an inbound ACL, called outside_in, that references two network object groups. The first group, DMZ_Web_Servers, contains all three HTTP servers; the second, DMZ_Email_Servers, contains both e-mail servers. The ACL permits only HTTP to the web-server group and SMTP to the e-mail group; all other inbound traffic is denied and logged by the security appliance. The ACL is applied to the outside interface in the inbound direction.
Because the inside interface (security level 100) is more trusted than the DMZ interface (security level 50), the appliance would otherwise permit all inside-to-DMZ traffic. To limit it, the administrator has configured a second ACL, called DMZ_out, that permits the trusted inside hosts to reach only Web Server1 (HTTP) and the DNS server (UDP/53); everything else falls to the implicit deny at the end of the ACL. This ACL is applied to the DMZ interface in the outbound direction. Example 5-26 shows the relevant configuration of the ASA in Chicago.
Example 5-26. ASA's Full Configuration Using Inbound and Outbound ACLs
Chicago# show running
ASA Version 7.0(1)
! GigabitEthernet0/0 interface set as outside
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.200.225 255.255.255.224
! GigabitEthernet0/1 interface set as inside
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 209.165.202.129 255.255.255.224
! GigabitEthernet0/2 interface set as DMZ
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 209.165.201.1 255.255.255.224
! Hostname of the security appliance
hostname Chicago
! Network Object-group to group the web-servers
object-group network DMZ_Web_Servers
 network-object host 209.165.201.10
 network-object host 209.165.201.11
 network-object host 209.165.201.12
! Network Object-group to group the Email-servers
object-group network DMZ_Email_Servers
 network-object host 209.165.201.20
 network-object host 209.165.201.21
! Access-list to filter inbound traffic on the outside interface
access-list outside_in remark ACL to block inbound traffic on the outside interface
access-list outside_in extended permit tcp any object-group DMZ_Web_Servers eq www
access-list outside_in extended permit tcp any object-group DMZ_Email_Servers eq smtp
access-list outside_in extended deny ip any any log
! Access-list to filter outbound traffic on the DMZ interface
access-list DMZ_out remark ACL to block outbound traffic on the DMZ interface
access-list DMZ_out extended permit tcp 209.165.202.128 255.255.255.224 host 209.165.201.10 eq www
access-list DMZ_out extended permit udp 209.165.202.128 255.255.255.224 host 209.165.201.30 eq domain
! Access-list bound to the outside interface in the inbound direction
access-group outside_in in interface outside
! Access-list bound to the DMZ interface in the outbound direction
access-group DMZ_out out interface DMZ
! Default route is pointed to the outside interface
route outside 0.0.0.0 0.0.0.0 209.165.200.226 1
Note
An outbound ACL is evaluated against every packet that leaves the appliance through that interface, whatever interface it entered on. As written, DMZ_out therefore also applies to the Internet traffic that outside_in has just permitted: a connection from the Internet to Web Server2 or to an e-mail server matches neither DMZ_out entry (the source is not in 209.165.202.128/27) and is dropped by the implicit deny. To keep the design described above, either add permit entries to DMZ_out for any source to DMZ_Web_Servers on www and to DMZ_Email_Servers on smtp, or apply the inside-to-DMZ restriction as an inbound ACL on the inside interface instead. Checking a few sample flows against both ACLs before deployment catches this; the packet-tracer command on later ASA releases does the same job on the appliance itself.
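To check how the appliance evaluates the two ACLs of Example 5-26 together, the following Python script, an added example that is not part of the book's text or of Cisco's software, parses the object groups, ACLs, security levels and access-group bindings from the example and applies ASA first-match semantics: the first matching entry wins, an implicit deny follows the last entry, and a packet is checked against the inbound ACL of the interface it enters and then the outbound ACL of the interface it leaves (interfaces without an ACL fall back to the security-level default). The Internet source address 198.51.100.7 and the individual flows are constructed for the illustration; the evaluator understands only the ACE forms that appear in the example.

```python
"""Evaluate sample flows against the ACLs of Example 5-26 with ASA semantics.

Added illustration, not code from the book or from Cisco. CONFIG is copied
from the example; the flows under __main__ are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

PORTS = {"www": 80, "smtp": 25, "domain": 53, "https": 443, "ftp": 21}

CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
object-group network DMZ_Web_Servers
 network-object host 209.165.201.10
 network-object host 209.165.201.11
 network-object host 209.165.201.12
object-group network DMZ_Email_Servers
 network-object host 209.165.201.20
 network-object host 209.165.201.21
access-list outside_in extended permit tcp any object-group DMZ_Web_Servers eq www
access-list outside_in extended permit tcp any object-group DMZ_Email_Servers eq smtp
access-list outside_in extended deny ip any any log
access-list DMZ_out extended permit tcp 209.165.202.128 255.255.255.224 host 209.165.201.10 eq www
access-list DMZ_out extended permit udp 209.165.202.128 255.255.255.224 host 209.165.201.30 eq domain
access-group outside_in in interface outside
access-group DMZ_out out interface DMZ
"""


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: list[IPv4Network]
    dst: list[IPv4Network]
    dport: int | None           # None when the entry has no "eq" clause


def _addr(tokens, groups):
    """Consume one address spec: any | host X | object-group G | network mask."""
    head = tokens[0]
    if head == "any":
        return [ip_network("0.0.0.0/0")], tokens[1:]
    if head == "host":
        return [ip_network(tokens[1])], tokens[2:]
    if head == "object-group":
        return list(groups[tokens[1]]), tokens[2:]
    return [ip_network(f"{head}/{tokens[1]}")], tokens[2:]


def parse_config(text):
    """Return (security level by nameif, object groups, ACLs, access-group bindings)."""
    levels, groups, acls, bindings = {}, {}, {}, {}
    nameif = group = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"nameif (\S+)", line):
            nameif = m.group(1)
        elif m := re.match(r"security-level (\d+)", line):
            levels[nameif] = int(m.group(1))
        elif m := re.match(r"object-group network (\S+)", line):
            group = groups.setdefault(m.group(1), [])
        elif m := re.match(r"network-object host (\S+)", line):
            group.append(ip_network(m.group(1)))
        elif m := re.match(r"access-group (\S+) (in|out) interface (\S+)", line):
            bindings[(m.group(3), m.group(2))] = m.group(1)
        elif m := re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.*)", line):
            name, action, proto, rest = m.groups()
            src, rest = _addr(rest.split(), groups)
            dst, rest = _addr(rest, groups)
            dport = PORTS.get(rest[1]) or int(rest[1]) if rest[:1] == ["eq"] else None
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
    return levels, groups, acls, bindings


def evaluate(acl, proto, src, dst, dport):
    """First match wins; returns (action, 1-based entry number) or ("deny", None) for the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for n, ace in enumerate(acl, 1):
        if ace.proto not in ("ip", proto):
            continue
        if not any(s in net for net in ace.src) or not any(d in net for net in ace.dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None


def check_flow(cfg, ingress, egress, proto, src, dst, dport):
    """Inbound ACL on the ingress interface, then outbound ACL on the egress interface."""
    levels, _, acls, bindings = cfg
    verdicts = []
    for iface, direction in ((ingress, "in"), (egress, "out")):
        name = bindings.get((iface, direction))
        if name is None:  # no ACL bound: inbound uses the security-level rule, outbound is open
            ok = direction == "out" or levels[ingress] > levels[egress]
            action, n = ("permit" if ok else "deny"), None
        else:
            action, n = evaluate(acls[name], proto, src, dst, dport)
        verdicts.append((iface, direction, name, action, n))
        if action == "deny":
            break
    return verdicts


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    for flow in [  # constructed flows: (ingress, egress, proto, src, dst, dport)
        ("inside", "DMZ", "udp", "209.165.202.140", "209.165.201.30", 53),
        ("inside", "DMZ", "tcp", "209.165.202.140", "209.165.201.11", 80),
        ("outside", "DMZ", "tcp", "198.51.100.7", "209.165.201.11", 80),
        ("outside", "DMZ", "tcp", "198.51.100.7", "209.165.201.20", 25),
    ]:
        print(flow, "->", check_flow(cfg, *flow))
```

The third and fourth flows are the ones to watch: outside_in permits them, but the outbound ACL on the DMZ interface has no entry for an Internet source and the implicit deny drops them, which is why an outbound ACL needs entries for every source whose traffic legitimately leaves that interface.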
Enabling Content Filtering Using Websense
SecureMe wants to enable content filtering for its users to ensure that they do not access certain sites, such as pornographic and gaming sites. The administrator has set up a Websense server to screen the URLs of HTTP, HTTPS, and FTP requests bound for the Internet. The administrator does not want to overload the filtering server by sending duplicate requests for the same source and destination address pair. SecureMe's policy is to fail open: users are allowed through the security appliance if the filtering server is unavailable. Additionally, if the reply from the content server arrives before the response from the filtering server, SecureMe wants the security appliance to buffer the reply rather than drop it.
To meet these goals, the administrator has defined a Websense server as the URL-filtering device; it sits on the DMZ interface at 209.165.201.50, as illustrated in Figure 5-9. To avoid overloading the filtering server, the number of simultaneous TCP connections to it is limited to 15, and its responses are cached per source/destination pair in 100 KB of memory. Replies from the web server that arrive before the filtering server's verdict are buffered with the url-block block command, which is set to 100 packets in Example 5-27 (the command accepts values up to 128).
Figure 5-9. SecureMe Network Using Content Filtering
Example 5-27 shows the complete configuration for Cisco ASA used in this deployment.
Example 5-27. ASA's Full Configuration Using a URL-Filtering Server
Chicago# show run
ASA Version 7.0(1)
! GigabitEthernet0/0 interface set as outside
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.200.225 255.255.255.224
! GigabitEthernet0/1 interface set as inside
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 209.165.202.130 255.255.255.224
! GigabitEthernet0/2 interface set as DMZ
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 209.165.201.1 255.255.255.224
! Hostname of the security appliance
hostname Chicago
! Access-list to filter inbound traffic on the outside interface
access-list outside_in remark ACL to block inbound traffic on the outside interface
access-list outside_in extended deny ip any any log
! Access-list to filter inbound traffic on the inside interface
access-list inside_in remark ACL to block inbound traffic on the inside interface
access-list inside_in extended permit tcp 209.165.202.128 255.255.255.224 any eq www
! Access-list bound to the outside interface in the inbound direction
access-group outside_in in interface outside
! Access-list bound to the inside interface in the inbound direction
access-group inside_in in interface inside
! Default route is pointed to the outside interface
route outside 0.0.0.0 0.0.0.0 209.165.200.226 1
! Websense server on the dmz interface; TCP protocol version 4, at most 15 connections
url-server (dmz) vendor websense host 209.165.201.50 timeout 30 protocol TCP version 4 connections 15
! Cache the server's responses per source/destination pair in 100 KB
url-cache src_dst 100
! Filter HTTP, HTTPS and FTP from the inside network; "allow" fails open if the server is down
filter url http 209.165.202.128 255.255.255.128 0.0.0.0 0.0.0.0 allow
filter https 443 209.165.202.128 255.255.255.128 0.0.0.0 0.0.0.0 allow
filter ftp 21 209.165.202.128 255.255.255.128 0.0.0.0 0.0.0.0 allow
! Buffer up to 100 web-server reply packets while the verdict is pending
url-block block 100
Note
The inside_in ACL shown permits only TCP port 80 from the inside network, so HTTPS and FTP connections from the inside are dropped by the implicit deny before the filter commands ever see them. For the https and ftp filter statements to take effect, inside_in also needs permit entries for TCP ports 443 and 21. Note also that the allow keyword makes the filter fail open: if the Websense server at 209.165.201.50 is down or times out, the traffic it would have blocked is passed. That matches SecureMe's stated policy, but it is a deliberate trade-off, and the server's availability should be monitored.
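The following Python model, an added example rather than code from the book or from Cisco, walks one client connection through the three behaviours configured above: the src_dst cache that answers repeat lookups for the same client/server pair, the url-block buffer that holds web-server replies arriving before the Websense verdict and drops packets beyond the configured limit, and the allow keyword that decides whether the appliance fails open (permit) or closed (deny) when the filtering server does not answer within its timeout. The UrlFilter class, its method names, the addresses and the packets are all constructed for the illustration; the cache is counted in entries rather than kilobytes and the 15-connection limit to the server is not modelled.

```python
"""Event-driven model of the ASA URL-filtering path of Example 5-27.

Added illustration, not code from the book or from Cisco. Each method is one
event the appliance sees for a (client, server) pair; the return value is what
the appliance does with it. Addresses and packets are constructed.
"""
from collections import Counter, OrderedDict


class UrlFilter:
    def __init__(self, *, cache_entries=100, allow_on_failure=True, block_buffer_limit=100):
        self.cache = OrderedDict()                    # (src, dst) -> verdict   (url-cache src_dst)
        self.cache_entries = cache_entries            # stand-in for the KB size of url-cache
        self.allow_on_failure = allow_on_failure      # the "allow" keyword on the filter command
        self.block_buffer_limit = block_buffer_limit  # url-block block N
        self.pending = {}                             # (src, dst) -> {"url": ..., "buf": [...]}
        self.delivered = {}                           # (src, dst) -> reply packets sent to client
        self.stats = Counter()

    def client_request(self, src, dst, url):
        """Client request seen: answer from the cache, or send the URL to Websense."""
        key = (src, dst)
        if key in self.cache:
            self.stats["cache_hit"] += 1
            return self.cache[key]
        self.stats["server_query"] += 1
        self.pending[key] = {"url": url, "buf": []}   # verdict outstanding; open a reply buffer
        return "pending"

    def web_reply(self, src, dst, packet):
        """Reply packet from the content server seen."""
        key = (src, dst)
        if key in self.pending:                       # verdict not back yet: buffer, or drop when full
            buf = self.pending[key]["buf"]
            if len(buf) < self.block_buffer_limit:
                buf.append(packet)
                return "buffered"
            self.stats["dropped"] += 1
            return "dropped"
        if self.cache.get(key) == "permit":
            self.delivered.setdefault(key, []).append(packet)
            return "forwarded"
        self.stats["dropped"] += 1                    # denied pair, or no request was seen
        return "dropped"

    def filter_verdict(self, src, dst, verdict):
        """Websense answered 'permit' or 'deny': settle the pair and cache the answer."""
        return self._settle((src, dst), verdict, cache=True)

    def filter_timeout(self, src, dst):
        """No answer within the url-server timeout: fail open or closed per 'allow'. Never cached."""
        verdict = "permit" if self.allow_on_failure else "deny"
        self.stats["failed_open" if verdict == "permit" else "failed_closed"] += 1
        return self._settle((src, dst), verdict, cache=False)

    def _settle(self, key, verdict, *, cache):
        entry = self.pending.pop(key, None)
        buffered = entry["buf"] if entry else []
        if verdict == "permit":                       # release the buffered reply, in order
            self.delivered.setdefault(key, []).extend(buffered)
        # on deny the buffered reply is discarded and the client never sees the page
        if cache:
            self.cache[key] = verdict
            while len(self.cache) > self.cache_entries:
                self.cache.popitem(last=False)        # evict the oldest pair
        return verdict


if __name__ == "__main__":
    f = UrlFilter(block_buffer_limit=2)               # small buffer so the drop is visible
    client, server = "209.165.202.140", "203.0.113.10"
    print(f.client_request(client, server, "http://www.example.test/"))   # pending
    for pkt in (b"seg1", b"seg2", b"seg3"):
        print(f.web_reply(client, server, pkt))                            # buffered, buffered, dropped
    print(f.filter_verdict(client, server, "permit"), f.delivered[(client, server)])
    print(f.client_request(client, server, "http://www.example.test/x"))  # permit, from the cache
    print(dict(f.stats))
```

Run with the buffer set to 2, the third reply segment is dropped while the verdict is outstanding, exactly the situation the url-block limit exists to bound; with allow_on_failure=False the timeout path returns deny instead of permit, which is the fail-closed alternative to the page's configuration.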