Saturday, August 11, 2012

Continuing INE Security Volume 1

I hate nothing more than having to spend time doing something other than studying. Turns out, I needed IIS/FTP/Telnet servers installed on the Windows 2003 box. Problem is, I am not where the server is and couldn't get the 2003 CD in the server. Anyway, I installed a couple of free utilities and moved on.

  • Access lists - these are similar to those on IOS, but without the 'ip access-list' context.
  • Object Groups - When creating a service group you specify tcp, udp or tcp-udp, or leave it at the default. A default (protocol-less) service group can hold protocols other than tcp and udp, or a combination of them.
    • The syntax threw me for a loop as it is something I haven't really dealt with before.
    • You can also nest the object groups.
    • After creating the object-group, you add the objects such as service-object, port-object, etc.
    • You can then reference these object groups in the ACL - but you need to place them in the correct position within the entry (source, destination, then the port or ICMP-type group, as in the example below).
ASA1# sh run object-group 
object-group network SERVERS
 network-object host 10.0.0.100
object-group network ROUTERS
 network-object 136.1.121.0 255.255.255.0
object-group icmp-type COMMON_ICMP
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
object-group service TRC_PORTS udp
 port-object range 33434 33464
object-group service SERVER_PORTS tcp
 port-object eq www
 port-object eq ftp
object-group service ROUTER_PORTS tcp
 port-object eq telnet
 port-object eq ssh
 port-object eq 7001
ASA1# sh run access-list 
access-list OUTSIDE_IN extended permit icmp any any object-group COMMON_ICMP 
access-list OUTSIDE_IN extended permit udp any any object-group TRC_PORTS 
access-list OUTSIDE_IN extended permit tcp any object-group SERVERS object-group SERVER_PORTS 
access-list OUTSIDE_IN extended permit tcp any object-group ROUTERS object-group ROUTER_PORTS 
access-list OUTSIDE_OUT extended permit icmp any any object-group COMMON_ICMP 
access-list OUTSIDE_OUT extended permit udp any any object-group TRC_PORTS 
access-list OUTSIDE_OUT extended permit tcp any any object-group ROUTER_PORTS 
access-list OUTSIDE_OUT extended permit tcp any any object-group SERVER_PORTS 
    • For those of you who have never worked on an ASA before, you can't just 'no ip access-list TST'. You have to use 'clear configure access-list TST' instead.
  • There is no access-group-like command for vty/remote access as there is on IOS. There are just the simple 'telnet' and 'ssh' commands, which specify which networks, on which interfaces, are allowed to reach that particular service. ASDM is similar, using the 'http' command. Don't think to use an access-list here, which was my mistake. And weird...
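The ASA's own 'show access-list' output expands every object-group reference into the individual entries the box actually evaluates, which is the quickest way to see what an ACE like the ones above really permits. The small Python script below is an added example (not from the post) that does the same expansion offline: it parses the object-group definitions shown above, follows nested group-object references, and turns each ACE into concrete tuples. The INSIDE_NETS group is constructed for the example; the other groups are copied from the post.

```python
import re
from itertools import product
# Object groups copied from the post's 'sh run object-group' output, plus one
# constructed nested group (INSIDE_NETS) to exercise group-object nesting.
OBJECT_GROUPS = """\
object-group network SERVERS
 network-object host 10.0.0.100
object-group network ROUTERS
 network-object 136.1.121.0 255.255.255.0
object-group network INSIDE_NETS
 group-object SERVERS
 group-object ROUTERS
object-group icmp-type COMMON_ICMP
 icmp-object echo
 icmp-object echo-reply
object-group service SERVER_PORTS tcp
 port-object eq www
 port-object eq ftp
"""

def parse_object_groups(text):
    """Map group name -> members (each member is its line minus the keyword)."""
    groups, current = {}, None
    for line in text.splitlines():
        if line.startswith("object-group "):
            current = line.split()[2]   # object-group <type> <name> [tcp|udp|tcp-udp]
            groups[current] = []
        elif line.startswith(" ") and current:
            keyword, _, member = line.strip().partition(" ")
            groups[current].append(("group", member) if keyword == "group-object" else member)
    return groups

def flatten(groups, name):
    """Expand a group recursively, following nested group-object references."""
    out = []
    for member in groups[name]:
        out.extend(flatten(groups, member[1]) if isinstance(member, tuple) else [member])
    return out

ACE = re.compile(r"access-list \S+ extended (permit|deny) (\S+) (.+)")
def expand_ace(groups, line):
    """Concrete (action, proto, src, dst[, port/icmp-type]) tuples one ACE covers."""
    action, proto, rest = ACE.match(line).groups()
    fields, tokens = [], rest.split()
    while tokens:
        tok = tokens.pop(0)
        # Each field is 'any' or an object-group (the only forms the post's ACL uses)
        fields.append(flatten(groups, tokens.pop(0)) if tok == "object-group" else [tok])
    return [(action, proto, *combo) for combo in product(*fields)]
```

Feeding it the four OUTSIDE_IN lines from the post shows that the two tcp entries collapse to just five concrete host/port pairs, which is what you would compare against the hit counts in 'show access-list'.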
And with that...I didn't make it much farther. After fighting with my Windows server, and then fighting with ASDM, I only made it through another 12 pages. Hoping to get some more work in tomorrow.
