04.Security Policies.md

Security Policies

• Access Control Lists (ACLs)
  • Cisco ASA Access-List Introduction
  • Cisco ASA Remove Access-List
  • Cisco ASA Object-Group Access-List
  • Cisco ASA Time Based Access-List
• Security Levels
• Same Security Level Traffic

Cisco ASA Access Control Lists (ACLs) Configuration

Access Control Lists (ACLs) are a fundamental aspect of Cisco ASA security policies. They are used to control the flow of traffic through the firewall based on specified conditions. In this section, we'll cover the introduction to ACLs, removing ACLs, using object-group access-lists, and implementing time-based access-lists.

1. Cisco ASA Access-List Introduction

ACLs on Cisco ASA are used to permit or deny traffic based on various criteria, including source and destination IP addresses, protocols, and ports. Here's a basic example of creating an access-list:

# Enter global configuration mode
configure terminal

# Create an access-list to permit traffic from 192.168.1.0/24 to any
access-list acl_inside permit ip 192.168.1.0 255.255.255.0 any

In this example, acl_inside is the name of the access-list, and it permits traffic from the source network 192.168.1.0/24 to any destination.

2. Cisco ASA Remove Access-List

To remove an existing ACL, you can use the no form of the access-list command. For example:

# Enter global configuration mode
configure terminal

# Remove an access-list named acl_inside
no access-list acl_inside

This command removes the entire access-list named acl_inside.

3. Cisco ASA Object-Group Access-List

Object groups provide a way to simplify ACL configurations by grouping similar objects together. Here's an example:

# Enter global configuration mode
configure terminal

# Create an object group for web services
object-group service web-services
  service-object tcp eq www
  service-object tcp eq 443

In this example, an object group named web-services is created, including TCP services for HTTP (port 80) and HTTPS (port 443). Now, you can use this object group in an access-list:

# Use the object group in an access-list
access-list acl_outside permit object-group web-services any

This access-list permits traffic from any source to any destination using the specified web services.

4. Cisco ASA Time-Based Access-List

Time-based ACLs allow you to control when specific rules are active. Here's an example of a time-based ACL:

# Enter global configuration mode
configure terminal

# Create a time range named "work-hours" from 9 AM to 5 PM on weekdays
time-range work-hours
  periodic weekdays 9:00 to 17:00

Now, you can use the time range in an access-list:

# Use the time range in an access-list
access-list acl_inside permit ip any any time-range work-hours

This access-list permits traffic from any source to any destination, but only during the specified time range (weekdays from 9 AM to 5 PM).

Conclusion

These examples cover the introduction to Cisco ASA access-lists, removing access-lists, using object-group access-lists, and implementing time-based access-lists. Customize these configurations based on your specific network requirements and security policies.

Cisco ASA Security Levels and Same Security Level Traffic

Security Levels in Cisco ASA determine the trustworthiness of different networks connected to the firewall. By default, traffic is allowed from higher-security interfaces to lower-security interfaces, but it's denied in the reverse direction. Same Security Level Traffic refers to traffic between interfaces with equal security levels. In this section, we'll explain Security Levels and demonstrate how to permit Same Security Level Traffic.

Security Levels Overview

Cisco ASA Security Levels

The Cisco ASA Firewall utilizes "security levels" to define the trustworthiness of interfaces in comparison to one another. A higher security level indicates a higher level of trust for the associated interface. Each interface on the ASA is considered a security zone, and by assigning security levels, different trust levels are established for these security zones.

An interface with a higher security level can access an interface with a lower security level by default. However, traffic in the reverse direction is not allowed unless configured through an access-list.

Example Security Levels:

• Security Level 0:

  • Default assignment: "outside" interface.
  • Lowest security level.
  • Traffic from the outside interface cannot reach any other interfaces unless explicitly permitted within an access-list.

• Security Level 100:

  • Default assignment: "inside" interface.
  • Highest security level.
  • The inside interface, by default, can reach all other interfaces.

• Security Levels 1 – 99:

  • Customizable security levels.
  • Example: Security level 50 for a DMZ.
  • Traffic allowed from inside network to DMZ (security level 100 -> 50).
  • Traffic allowed from DMZ to the outside (security level 50 -> 0).
  • Traffic from the DMZ to the inside is not allowed by default (security level 50 cannot reach security level 100) unless configured through an access-list.

You can create as many security levels as needed for your network design and security requirements.

Permitting Same Security Level Traffic

To allow traffic between interfaces with the same security level, you need to use the same-security-traffic command. Let's go through the configuration steps:

Step 1: Assign Security Levels

Assign security levels to your interfaces in global configuration mode. For example:

# Enter global configuration mode
configure terminal

# Set security level for the inside interface to 50
interface GigabitEthernet0/1
  security-level 50

Repeat this for each interface that you want to configure.

Step 2: Permit Same Security Level Traffic

Allow Same Security Level Traffic in global configuration mode:

# Permit traffic between interfaces with the same security level
same-security-traffic permit inter-interface

This command allows traffic to flow between interfaces with the same security level.

Example

Assuming you have two interfaces, inside and outside, both with a security level of 50:

# Assign security levels to interfaces
interface GigabitEthernet0/1
  security-level 50

interface GigabitEthernet0/2
  security-level 50

# Permit Same Security Level Traffic
same-security-traffic permit inter-interface

Now, traffic is permitted between the inside and outside interfaces.

Step 3: Verify Configuration

Verify your configuration using the following command:

# Display information about all interfaces, including security levels
show interface

Check the security levels of your interfaces and ensure that Same Security Level Traffic is permitted.

Step 4: Save Configuration

Save your configuration to ensure it persists across reboots:

# Save the configuration
write memory

Conclusion

You have successfully configured Same Security Level Traffic on Cisco ASA. This allows traffic to flow between interfaces with equal security levels. Ensure that this configuration aligns with your security policies and requirements.

Customize these commands based on your specific interface names and security level preferences.

Next | Network Address Translation