[LINICKX].com » asa

Cisco ASA Firewalls and IP Ranges in ACLS

Nick — Fri, 29 Jul 2011 15:05:55 +0000

I’ve google’d and I cannot find a way of creating a firewall range style object in an ASA, you know the kind of thing whereby you want to allow IP addresses 192.168.1.10 thru 192.168.1.20 in an ACL.

In my frustration I have given up and created a shell script which converts a CSV into an ASA output, simply create a two column CSV with Col A containing your starting IP and Col B containing you end IP.

The script is a recursive loop so should support large outputs such as 10.1.2.10 to 10.2.1.20 howvere I’m not actually sure you’d want that in your firewall config but I wrote the computability for the fun it!

Have fun, click “more” below if you can’t see the script!

#!/bin/bash

# Commas separated VAR....
IFS=","
while read name firstip lastip
# Loop around CSV
do

# Split up our first ip into it's octects
firstipfirstoctect=$(echo $firstip | awk -F "." '{print $1}')
firstipsecondoctect=$(echo $firstip | awk -F "." '{print $2}')
firstipthirdoctect=$(echo $firstip | awk -F "." '{print $3}')
firstipforthoctect=$(echo $firstip | awk -F "." '{print $4}')

# Split up our last IP into it's ocects
lastipfirstoctect=$(echo $lastip | awk -F "." '{print $1}')
lastipsecondoctect=$(echo $lastip | awk -F "." '{print $2}')
lastipthirdoctect=$(echo $lastip | awk -F "." '{print $3}')
lastipforthoctect=$(echo $lastip | awk -F "." '{print $4}')

	# Re-set BASH
	unset IFS 

	# Echo out the object GROUP name
	echo "object-group network $name"

	# Loop through 1st Octect
	for a in `seq $firstipfirstoctect $lastipfirstoctect`;
	do
		# test to see if we need to print the whole range
		if [ $firstipfirstoctect -lt $lastipfirstoctect ]
		then
			firstipsecondoctectCOUNTER="0"
			lastipsecondoctectCOUNTER="255"
		fi

		# first IP might not be 1
		if [ $a -eq $firstipfirstoctect ]
		then
			firstipsecondoctectCOUNTER=$firstipsecondoctect
		fi

		# last IP might not be 255
		if [ $a -eq $lastipfirstoctect ]
		then
			lastipsecondoctectCOUNTER=$lastipsecondoctect
		fi

			# Loop through 2nd Octect
			for b in `seq $firstipsecondoctect $lastipsecondoctect`;
			do

				# Same tests as before except, next octect.
				if [ $firstipsecondoctect -lt $lastipsecondoctect ]
				then
					firstipthirdoctectCOUNTER="0"
					lastipthirdoctectCOUNTER="255"
				fi

				if [ $b -eq $firstipsecondoctect ]
				then
					firstipthirdoctectCOUNTER=$firstipthirdoctect
				fi

				if [ $b -eq $lastipsecondoctect ]
				then
					lastipthirdoctectCOUNTER=$lastipthirdoctect
				fi

					# Loop through 3rd Octect
					for c in `seq $firstipthirdoctectCOUNTER $lastipthirdoctectCOUNTER`;
					do

						# copy / paste / tweak
						if [ $firstipthirdoctect -lt $lastipthirdoctect ]
						then
							firstipforthoctectCOUNTER="0"
							lastipforthoctectCOUNTER="255"
						fi

						if [ $c -eq $firstipthirdoctect ]
						then
							firstipforthoctectCOUNTER=$firstipforthoctect
						fi

						if [ $c -eq $lastipthirdoctect ]
						then
							lastipforthoctectCOUNTER=$lastipforthoctect
						fi

							# final octect... echo result.
							for d in `seq $firstipforthoctectCOUNTER $lastipforthoctectCOUNTER`;
							do
								echo " network-object $a.$b.$c.$d  255.255.255.255"
							done

					done
			done
	done

done<./FirewallRanges.csv

Copyright © 2012 [LINICKX].com. This Feed is for personal non-commercial use only. Please check my Site Terms and Conditions for full details on copyrights. If you have any concerns with the content of this feed you may contact me here.
WP Copyright Plugin

Cisco ASA – First steps to a Check Point Style Policy

Nick — Wed, 01 Dec 2010 10:14:40 +0000

I’ve just spotted this in the Cisco ASA 8.3 release notes…

You can now configure access rules that are applied globally, as well as access rules that are applied to an interface. If the configuration specifies both a global access policy and interface-specific access policies, the interface-specific policies are evaluated before the global policy.

The following command was modified: access-group global

For users/companies which have migrated from Check Point to Cisco (usually to save on licensing fees), getting their head around a new interface level policy rather than a system (global) level is usually a bit of a challenge.

I’m looking forward to seeing if this really helps with policy migrations!

Irritating ASDM & Java issues…

Nick — Wed, 20 May 2009 17:02:37 +0000

Follow up from this tweet. Every time I tried to connect to the ASA’s ASDM Java would crash with a Null Pointer exception, I tried everything from deleting the .asdm folder in my home directory (my documents on windows), uninstalling the asdm launcher didn’t help, neither did clearing java’s cache or uninstalling and re-installing java.

In the end i had to downgrade, very frustrating!

Strange ASA ARP Replying Behavior

Nick — Thu, 10 Jul 2008 09:02:29 +0000

I’ve been implementing a few Cisco ASA’s recently, and I blogged about this strange behavior; well I came across another one yesterday.

Take a look at this debug arp….

CiscoASA# debug arp
debug arp  enabled at level 1
CiscoASA#
CiscoASA# arp-set: added arp outside 192.168.1.122 001e.7000.1234 and updating NPs at 4301321940
arp-set: added arp inside 192.168.1.61 001a.7100.1234 and updating NPs at 4301321940

arp-in: request at outside from 192.168.1.125 001a.3000.1234 for 192.168.1.120 001e.7a51.1234
arp-in: rqst for me from 192.168.1.125 for 192.168.1.120, on outside
arp-set: added arp outside 192.168.1.125 001a.3000.1234 and updating NPs at 4301326660
arp-in: generating reply from 192.168.1.120 001e.7a51.1234 to 192.168.1.125 001a.3000.1234

arp-in: request at outside from 192.168.1.125 001a.3000.1234 for 192.168.1.73 001e.7a51.1234
arp-in: rqst for me from 192.168.1.125 for 192.168.1.73, on outside
arp-set: added arp outside 192.168.1.125 001a.3000.1234 and updating NPs at 4301326660
arp-in: generating reply from 192.168.1.73 001e.7a51.1234 to 192.168.1.125 001a.3000.1234
arp-in: request at outside from 192.168.1.125 001a.3000.1234 for 192.168.1.69 001e.7a51.1234

arp-in: rqst for me from 192.168.1.125 for 192.168.1.69, on outside
arp-set: added arp outside 192.168.1.125 001a.3000.1234 and updating NPs at 4301326660
arp-in: generating reply from 192.168.1.69 001e.7a51.1234 to 192.168.1.125 001a.3000.1234

arp-in: request at outside from 192.168.1.125 001a.3000.1234 for 192.168.1.123 001e.7a51.1234
arp-in: rqst for me from 192.168.1.125 for 192.168.1.123, on outside
arp-set: added arp outside 192.168.1.125 001a.3000.1234 and updating NPs at 4301326660
arp-in: generating reply from 192.168.1.123 001e.7a51.1234 to 192.168.1.125 001a.3000.1234
arp-in: response at outside from 192.168.1.125 001a.3000.1234 for 192.168.1.125 ffff.ffff.ffff
arp-in: updating gratuitous ARP 192.168.1.125 - 001a.3000.1234
arp-set: added arp outside 192.168.1.125 001a.3000.1234 and updating NPs at 4301326660
CiscoASA#

The firewall is replying to arp requests even though both the source & destination of the traffic are on the same (outside) interface, now I haven’t manged to work out why the firewall was doing this, but I did find a fix on the cisco forums.

sysopt noproxyarp outside

Names, IPs & MAC’s have been changed to protect the innocent.

Cisco ASA and 7905 IP Phone Weirdness

Nick — Tue, 24 Jun 2008 08:30:04 +0000

I came accross something odd the other day, I had some Cisco IP Phones on a DMZ interface and the Call Manager was behind the inside interface. If you made a call from a 7940 to a 7940 everything worked fine, if you made a call from a 7905 to a 7940 it failled!

I ran a packet capture and found that the phone was “bouncing” the RTP stream off the firewall rather than connecting directly to the peer phone… very weird! The problem was solved by enabling…

same-security-traffic permit intra-interface

I thought I post this for some future googlers!

Backup Interface on Cisco ASA Firewall

Nick — Tue, 10 Jun 2008 18:06:45 +0000

I tweeted a little while ago about Nokia recently supporting interface failover within IPSO, well it looks like Cisco’s ASA Version 8 software can do it now too!

The following example creates two redundant interfaces:

asa(config)# interface redundant 1 asa(config-if)# member-interface gigabitethernet 0/0 asa(config-if)# member-interface gigabitethernet 0/1 asa(config-if)# interface redundant 2 asa(config-if)# member-interface gigabitethernet 0/2 asa(config-if)# member-interface gigabitethernet 0/3

Reference: Adding a Redundant Interface

OSPF & Cisco ASAs

Nick — Tue, 24 Jul 2007 15:41:15 +0000

One of the interesting things about ASA’s is the fact that it supports running two OSPF Processes. This was a great decision by cisco, if a business has two different OSPF domains the chances are they are owned by two separate parts of the business, so where would be a better place to put a firewall?

I’ve put together a basic lab / config to test out the functionality, obviously this doesn’t address IP conflicts which are quite likely to happen in a real world scenario, but you do get the general idea. In my cisco config directory you’ll find two router configs and an ASA config. Each router is intended to represent each ospf domain, the ASA will then re-distribute the routes into each process… Note: you’ll see some “show” commands at the end of the config files.

I actually put this together as a “just in case” type thing, but I expect this to come in very handy in the future !