Confusion with Firewalls

alliasneoalliasneo Member Posts: 186
Hi everyone,

I've had this happen twice now so thought I would post this up.

I'm configuring a basic firewall using CCP and I've selected my inside and outside interfaces and I was under the impression that it would create a rule that states any inside source addresses that try to come back in will be dropped? but I seem to have the opposite going on?



So this is saying anything going from inside to outside with 210.1.1.0/24 going to anything will be dropped?

I'm confused by this.

From my reading I understand that you wouldn't want your inside addresses (10.1.1.0/24) trying to come from the outside right?

Comments

  • emerald_octaneemerald_octane Member Posts: 613
    Hmmm. It is interesting that CCP didn't configure your 10 network rule as well. This might change depending on the security level you select (I always use medium or high).

    But yes the 120.1.1.0/24 rule is there/correct. Cisco (according to Keith B.) assumes that you should never have traffic that is or claims to be from your network , entering your network.
    Filter bogus traffic, and perform logging on that traffic. Some packets should never be allowed into your network. For example, if your network is the 23.1.2.0/24 network, there should never be a packet that is entering your network (from a remote network) which (based on its source address) claims it is also from the 23.1.2.0/24 network. Traffic from the RFC 1918 private address space is unlikely to be legitimate traffic if coming in from the Internet. Bogus traffic, such as the two examples just provided, should be filtered at the edges of the network. Even if you think your service provider will deny the traffic, you should implement the same filtering on your perimeter routers as well.
  • alliasneoalliasneo Member Posts: 186
    Thanks for the reference emerald_octane - very useful info.

    Perhaps this is due to the security level. In this particular example I've used the Low firewall setting so maybe that's it.
  • f0rgiv3nf0rgiv3n Member Posts: 598 ■■■■□□□□□□
    To add a tiny bit, the ASAs have a setting called "spoof protection" which is just as you said. No RFC1918 addresses incoming on the external interface.
  • TheNewITGuyTheNewITGuy Member Posts: 169 ■■■■□□□□□□
    CCP May not be the appropriate tool.
Sign In or Register to comment.