ACLs not working as expected.

I'm manually migrating a PIX 506e to an ASA 5505 (since the PIX doesn't have enough memory to load 7.x on, so I can't seamlessly migrate the config).

My ACLs to allow some external access in to my servers are not working properly. Everything is getting dropped. When I run the Packet Tracer, it shows everything is dropped by the implicit rule - it's like the packets aren't matching my ACLs properly.

I'm guessing that my understanding of how the ACLs work on the different interfaces, and for different directions, is somehow wrong, and I need to adjust how I am doing things, but I'm not sure what I am missing, or how I am wrong.

I am a Cisco-novice, and completely self-taught, so it is easy to believe that I am missing something obvious.

The internet is working fine outbound, and my Inside ACLs work properly.

I have static NAT with PAT routes set up to map the internal machines to their external addresses. (PAT because I use one external IP for services provided by different internal machines.)

My NAT entries look like this (with obfuscated IPs):

static (inside,outside) tcp 6.21.24.227 https TANSRVEXCH https netmask 255.255.255.255
(more entries just like this, but with different ports and hosts defined)

Then the ACLs looks like this:
access-list outside_access_in extended permit tcp any host TANSRVEXCH object-group EXCH_IN
(again, more entries just like this defined)

I've also tried it like this:
access-list outside_access_in extended permit tcp any host mail.[mydomain].com object-group EXCH_IN

On the PIX, within the ASDM it would be entered like the first case above, and from the command-line it would look like the second case above. I'm not sure which I am supposed to do, or if it even matters.

In either case, nothing in the TCP group "EXCH_IN" gets through. Everything is dropped by the implicit rule.

The configuration is almost identical to the config of the PIX that is presently working perfectly.

While I'm asking, does anyone have a link to a good explanation of how the inside, outside in/out ACLs work? I suspect that that is where I am going wrong, because I don't fully understand what in/out mean for the two interfaces.

Thanks!
netmergence asked:

batry_boy commented:
When you construct the ACLs, you need to specify the outside (public) IP address for the destination address. For example, rather than this:

access-list outside_access_in extended permit tcp any host mail.[mydomain].com object-group EXCH_IN

try this:

access-list outside_access_in extended permit tcp any interface outside object-group EXCH_IN

0
batry_boy commented:
Almost forgot...that command I just posted is for when you are using the PIX outside interface IP address itself for your static translations. Is the "6.21.24.227" address assigned to your PIX outside interface? If not, then you would use this command instead:

access-list outside_access_in extended permit tcp any host 6.21.24.227 object-group EXCH_IN

One other note: if you are using the outside interface IP address for PAT, then you should also change the syntax of your port redirection commands, like this:

static (inside,outside) tcp interface https TANSRVEXCH https netmask 255.255.255.255

Again, only do that if you are using the PIX outside interface IP itself for your PAT. If you are using a separate public IP address that you have available, then use your existing syntax for the static command and try the "access-list" syntax in this post.
0
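The point batry_boy makes (on 7.x/pre-8.3 code, an ACL applied inbound on the outside interface is checked against the mapped public address, never the inside host) can be turned into a quick config lint. The following is an added example, not code from the thread or from Cisco; it parses constructed `name`, `static` and `access-list` lines in the same syntax as the question and flags ACEs whose `host` is still the pre-NAT inside address.

```python
import re

# Constructed sample in the pre-8.3 PIX/ASA syntax used in the thread. The ACL
# bound inbound on "outside" is evaluated against the translated (public)
# destination, so the ACE that names the inside host (TANSRVEXCH) never matches.
SAMPLE_CONFIG = """
name 192.168.1.10 TANSRVEXCH
name 6.21.24.227 mailserver
static (inside,outside) tcp 6.21.24.227 https TANSRVEXCH https netmask 255.255.255.255
static (inside,outside) tcp 6.21.24.227 smtp TANSRVEXCH smtp netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host TANSRVEXCH object-group EXCH_IN
access-list outside_access_in extended permit tcp any host mailserver object-group EXCH_IN
access-group outside_access_in in interface outside
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)")
# Port-redirection form: static (real,mapped) tcp|udp <mapped> <port> <real> <port>
STATIC_PAT_RE = re.compile(r"^static \((\w+),(\w+)\) (?:tcp|udp) (\S+) \S+ (\S+) \S+")
# One-to-one form: static (real,mapped) <mapped> <real>
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) extended permit \S+ \S+ host (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def check_outside_acl(config):
    """Return one finding per ACE whose destination is a pre-NAT inside address."""
    names, statics, aces, bound = {}, {}, [], {}
    for line in config.strip().splitlines():
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)                  # name -> IP
        elif m := (STATIC_PAT_RE.match(line) or STATIC_RE.match(line)):
            _real_if, mapped_if, mapped_ip, real_ip = m.groups()
            statics[(mapped_if, real_ip)] = mapped_ip       # mapped may be "interface"
        elif m := ACE_RE.match(line):
            aces.append((m.group(1), m.group(2)))
        elif m := GROUP_RE.match(line):
            bound[m.group(1)] = m.group(2)                  # acl -> interface it is bound on

    resolve = lambda tok: names.get(tok, tok)               # names are optional everywhere
    inside_to_public = {(mif, resolve(real)): resolve(pub)
                        for (mif, real), pub in statics.items()}
    findings = []
    for acl, host in aces:
        iface = bound.get(acl)
        key = (iface, resolve(host))
        if key in inside_to_public:                         # ACE names the inside address
            pub = inside_to_public[key]
            fix = f"interface {iface}" if pub == "interface" else f"host {pub}"
            findings.append(f"{acl}: 'host {host}' is the pre-NAT inside address; use '{fix}'")
    return findings


if __name__ == "__main__":
    for finding in check_outside_acl(SAMPLE_CONFIG):
        print(finding)
```

Running it on the sample reports only the `TANSRVEXCH` entry and tells you to reference `host 6.21.24.227`; a `static ... tcp interface ...` translation is reported as needing `interface outside`, matching the first reply.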

netmergence (author) commented:
Okay, that is working, but with one odd twist that I don't fully understand.

I am using a different external IP than the outside interface, so your second comment was well-stated.

Here is what is odd; if I use the actual external IP that I want, it works perfectly. If I use the IP Address Object name, it doesn't. For example:
{
access-list outside_access_in extended permit tcp any host 6.21.24.227 object-group EXCH_IN
}
Works perfectly. However:
{
name 6.21.21.227 mail.[mydomain].com
...
access-list outside_access_in extended permit tcp any host mail.[mydomain].com object-group EXCH_IN
}
Does not.

Any idea why that would be? Am I not supposed to use Address Objects in ACLs? It sure makes the config more readable.

Thanks!
0
batry_boy commented:
You should be able to use names in your ACLs just fine. I use them all the time, with one slight difference from how you are using them. I never assign FQDN-style names to IP addresses in the PIX or ASA configuration...I just use a single name, like "mail" or "webserver" or something generic like that. I'm wondering if the PIX is having a problem with the syntax of the names you are using.

Have you tried using something like this instead to see if it works?

name 6.21.21.227 mailserver
access-list outside_access_in extended permit tcp any host mailserver object-group EXCH_IN
0
netmergence (author) commented:
I discovered that probably as you were typing your message. I changed them to abbreviated names, using underscores rather than periods, and it worked. Apparently it doesn't like the periods.

Thanks!
0
batry_boy commented:
Good deal!
0
netmergence (author) commented:
I take it back!

It is still working, but I take back that it didn't like the periods.

After going through all of that, some of the ports in my groups were working, and others were not. Attempting to delete one ACL, I got a strange error that it didn't exist. (It did)

I ended up completely deleting all of my ACLs and groups, and re-creating them all. (I only have a half-dozen or so, so it didn't take long.) After I did that, it all worked flawlessly. Just as a test, I renamed one of my external IPs to the FQDN including the periods, and then tested it. It took it with no problems.

I'm not sure what was tongue-twisted, but something wasn't happy, and it apparently had nothing to do with the periods.
0
batry_boy commented:
That's good info to know...thnx for the update!
0