Configuring advanced routing on Cisco ASA firewalls
The configuration of Cisco ASA firewalls follows the same rules as the Cisco router configuration, however the commands are slightly different.
|
|
Caution:
Source NAT (IP spoofing) is not supported in case of Cisco ASA firewalls. This means that with Cisco ASA, you cannot spoof the source IP towards the destination servers, therefore the source of the connections will be SCB's IP address. |
The following describes how to configure a Cisco ASA Firewall to redirect selected traffic to SCB instead of its original destination. This procedure should work on most modern Cisco ASA software releases, but was specifically tested on Cisco Adaptive Security Appliance Software Version 9.6(2)3
To configure a Cisco ASA Firewall to redirect selected traffic to SCB instead of its original destination
-
Define network objects that match the subnets or hosts that you want to monitor:
!Define SSH and RDP hosts/subnets as desired below object network SSHHosts subnet <SSHHosts Subnet IP> <SSHHosts Subnet Netmask> object-group network SSHtoSCB network-object object SSHHosts object network RDPHost host <RDPHost IP> object-group network RDPtoSCB network-object object RDPHost
-
Create an ACL (Access Control List) entry that matches the objects above
!Allow RDP and SSH and their reply packets to SCB access-list acl_pbr_ToSCB extended permit object rdp3389 any object-group RDPtoSCB access-list acl_pbr_ToSCB extended permit object rdp3389-response object-group RDPtoSCB any access-list acl_pbr_ToSCB extended permit object ssh22 any object-group SSHtoSCB access-list acl_pbr_ToSCB extended permit object ssh22-response object-group SSHtoSCB any
Keep in mind that whatever is permitted by this ACL is what will be matched, so make sure that the scope of the ACL entry is narrowed down as much as possible.
TIP: Cisco ACLs use inverse netmasks for defining network addresses. To calculate an inverse mask given a subnet mask, simply subtract each octet value from 255.
-
Create a route-map entry. It controls which packets are affected by policy routing and where they should be forwarded to. The match commands specify the conditions under which policy routing occurs. The set commands specify the routing actions to perform if the criteria enforced by the match commands are met. A new route-map can be defined as follows:
!Define routing to SCB route-map ToSCB permit match ip address acl_pbr_ToSCB set ip next-hop <SCB IP>
Apply the route-map to the appropriate interfaces.
!Set it on interface as needed interface <interface-facing-to-the-servers> ip policy route-map ToSCB
Expected result:
The traffic from the clients targeting the specified port of the servers is redirected to SPS. Therefore, SPS can be configured to control and audit this traffic.
The full configuration for the above topology:
! !Define SSH and RDP hosts/subnets as desired below object network SSHHosts subnet <SSHHosts Subnet IP> <SSHHosts Subnet Netmask> object-group network SSHtoSCB network-object object SSHHosts object network RDPHost host <RDPHost IP> object-group network RDPtoSCB network-object object RDPHost ! !Allow RDP and SSH and their reply packets to SCB access-list acl_pbr_ToSCB extended permit object rdp3389 any object-group RDPtoSCB access-list acl_pbr_ToSCB extended permit object rdp3389-response object-group RDPtoSCB any access-list acl_pbr_ToSCB extended permit object ssh22 any object-group SSHtoSCB access-list acl_pbr_ToSCB extended permit object ssh22-response object-group SSHtoSCB any ! !Define routing to SCB route-map ToSCB permit match ip address acl_pbr_ToSCB set ip next-hop <SCB IP> ! !Set it on interface as needed interface <interface-facing-to-the-servers> ip policy route-map ToSCB
