ASA 5510 not hits ever in the Acess Rule winodw means?

Hey guys

I am cleaning up my ASA configs many old stuff not even working. I look daily and watch in our ACCESS RULE winow
for DMZ interface zero 0 hits and everything else has numbers in them for hit.

does 0 hits mean for the most part the rule is not needed anymore to me i think he used it for testing only
but cant be sure. I shut some ofthem off and 1 week has gone by and everything here still works
- i think? hahahah but what ya think just disable it and not remove it is what I amgoing to do and just wait
and see if it affects anything..

Find more posts tagged with

Comments

networker050184

No one here can tell you what to do. We don't know your network or the applications that run over it.

Chipsch

+1 networker050184

On a side note though cleaning up a firewall can be a daunting task because you never can be to sure if the rule is needed anymore. I personally just had the joy of cleaning one out and it took a long long time but at the end I was able to remove 1200 lines. There was a lot of coordination to make that happen though. A lot.

itdaddy

I know you cant tell me what to do. I am just asking for confirmation on wisdom. Man it pisses me off there is so much unneeded ACLs makes me sick
I mean no hits at all. and well I will have to play Cause and Effect. That is how I am doing my documentation. The other day. I remove some ACLs and was ready to paste back in and got phone call our internet banking was down. LOL! well now you know. But I pasted it right back in and bam it was right back up and so I noted on my documentation what subnets where for what services. It is very hard buut I think thru patience and good documenting I can finally have peace of mind. I hate it when I have no clue what this is for. The guy before me never had the engineer make good notes. yeah he has some objects named but he named them IP209.23.12.24 what good does that do me? how about say CavionVPN-LAN-in something like that but thank God I have the time to do it and I do know 90 % of what is going on. All I now is when I leave here the next guy will have a cake job. okay it is kind of fun but crazy crap if you know what I mean

hahha a Labor of love kind of thanks guys

drkat

Oh jesus h... guys

zero hits means that the traffic dont match! so if you're getting zero hits.. well guess it's not really ruling anything, or its in the wrong direction. We cant consult, but atleast we can be a bit more helpful than "i dont know your network.. blah blah blah"

fluk3d

Disable the rule for a certain amount of time, if someone complains chances are that rule is needed otherwise document it, and remove it. In the future your organization might want to look into setting up a rule-base with a change management process to track firewall rule updates etc..

itdaddy

fluke3d
check this out wow! I know for a fact these configs in the NAT acces section and the ACL under the DMZ interface are not needed at all.
I had a CCIE security lookat it to confirm what I was thinking he said same thing. but I will ask him more questions but he is on the clock and thought
I would ask you guys since you guys have more experience that I do.

Okay it seems when I remove these configs via ASDM it seems to break the firewall? I uncheck the ACLs vs remove them entirely.
Should I instead 1st make copies of the working firewall just in case maybe 2 copies

then
go to CLI and remove them via command line and wr mem it in CLI
the reboot fwl. is that a much cleaner remove of old configs?

or should I copye the config 2x
and then remove them in command line. make copye of the after removal state and the bounce firewall
then paste configs that I want clean into asa???

it just seems I have to do something inthis fashion...we have only had the asa 6 years but I am at a loss here.
the configs are bogus logically but seem to be needed in ASA else it breaks the fwl and cause all kinds of havoc??

help!
guys

itdaddy

thanks drkat for your help that you dont know my network blah blah...I appreciate your help I just need some wisdom andsome techniques. I know my network well and thanks man

networker050184

drkat wrote: »

Oh jesus h... guys

zero hits means that the traffic dont match! so if you're getting zero hits.. well guess it's not really ruling anything, or its in the wrong direction. We cant consult, but atleast we can be a bit more helpful than "i dont know your network.. blah blah blah"

Yeah we should tell people to change their production network anonymously over the internet. Looks like he broke it using your advice!

itdaddy

no no no! I didt break taking your advice it is breaking when you remove configs that no longer are needed.
I put the configs back and it is working fine but the old configs do not belong there just needed advice on how to go about cleaning it up?
that is all...

itdaddy

Lesson learned- screw the ASDM..make a backup copy of your conifgs. do not uncheck them remove them from the CLI and then do a WR mem after
then do you test to see if they are needed anymore ASDM sucks for saving even though it has the right commands and does a wr mem it sucks.
what a headache I have gone thru because of such a $#$%#$&^#&^ product from cisco. CLI rules

vpn now working great and ASA not brokeen any more

just back asa up and then remove all bogus old configs via CLI and the wr mem it
and bam all fixed. just use your ASDM for a vidual tool only but nothing beats command line period!
bar none!

instant000

At this point, I would recommend your reading some documentation on the ASA Firewall, as far as how it works and everything.

I co-sign with not knowing what to do for your network.

This would be the simplest way to go about it.

1. Document all internal IP space. (since it's within your company, you should be able to do this.) .. try to at least document it down to which subnet goes to which departments.
2. Document anything external that hits internal IP space.
3. Contact the affected user department to see what they're using it for (if at all)
4. During a change window (and in coordination with the affected user dept) take the line out ... if something breaks, then put it back in.

One thing you're going to have to do, that's going to bite, is this:
Typically, firewalls have very BROAD rules in them, that need to be tightened down. You actually have to know the network better than the people that use it. You need to coordinate with the server people, the app people, basically everyone who runs an app across the network. You are going to have to analyze logs, and document what traffic goes across the network.

Oh yeah, one more thing:
Just deleting "zero hit lines" is NOT GOING TO CUT IT.

The primary reason for that is this: some connections are "stateful" and they will just sit there, using the existing connection that went through, but they only have to make particular connections on their initial request. Only when they have to make that request again, will they have to use that particular ACL, but it could be the beginning connection for a series of connections a particular application has to make.

I worked in a place that removed a "zero hit" ACL in April. It was September when they were notified about an app not working, and it was because one of the initial connections the app makes had to do with a removed ACL. As long as the app was up and running, no big deal. They happened to reboot the servers, then they had to make this initial connection, and it didn't work.

So, removing zero hits isn't as safe as it would appear to be.

Hope this helps.

itdaddy

instant000

I agree with you on the not removing based soley on zero hits. I looked at the reasoning and called in a CCIE Security who agree that the ACLs were written poorly. I always get a 2nd opinion and make backups of everything. I am going thru our entire network documentation everything like it shouldbe for peridic updates. thanks for all your advice. thingsworkut I still have my old configs jus in case and have kept record justin caseies hee hee; thanks
guys

instant000

Great point: always good to have backups.

Also, while you're making any changes, try to "log" what you're doing. Most clients should be able to support this, such as putty, or SecureCRT.

For changes, I'd advise the following:
1 - logging
2 - implementation, verification and rollback plan
3 - reload in 5
4 - ability to get console access, if required (even the best plans can call victims to a slipped finger)
5 - change window
6 - written consent to make changes
7 - config backup
8 - os backup
9 -device backup (as in having a working spare)
10 - contact info for TAC (you know, just in case)

I want to recommend a book to you:
Network Administrator's Survival Guide. It might be helpful.
And if you haven't already, Network Warrior would be pretty good, also.

itdaddy

Instant000
I cut and pasted what you said and have kept it for my notes. I can tell you are an experienced veteran.
I do greatly appreciate your well earned wisdom. Thanks man! Will do..you the man!
-Robert(itdaddy)