ACLs not working as expected.

Posted on 2008-01-24
Last Modified: 2010-04-09
I'm manually migrating a PIX 506e to an ASA 5505 (since the PIX doesn't have enough memory to load 7.x on, I can't seamlessly migrate the config).

My ACLs to allow some external access in to my servers are not working properly. Everything is getting dropped. When I run the Packet Tracer, it shows everything is dropped by the implicit rule - it's like the packets aren't matching my ACLs properly.

I'm guessing that my understanding of how the ACLs work on the different interfaces, and for different directions, is somehow wrong, and I need to adjust how I am doing things, but I'm not sure what I am missing, or how I am wrong.

I am a Cisco-novice, and completely self-taught, so it is easy to believe that I am missing something obvious.

The internet is working fine outbound, and my inside ACLs work properly.

I have static NAT with PAT routes set up to map the internal machines to their external addresses. (PAT because I use one external IP for services provided by different internal machines.)

My NAT entries look like this (with obfuscated IPs):

static (inside,outside) tcp 6.21.24.227 https TANSRVEXCH https netmask 255.255.255.255
(more entries just like this, but with different ports and hosts defined)

Then the ACLs look like this:
access-list outside_access_in extended permit tcp any host TANSRVEXCH object-group EXCH_IN
(again, more entries just like this defined)

I've also tried it like this:
access-list outside_access_in extended permit tcp any host mail.[mydomain].com object-group EXCH_IN

On the PIX, within the ASDM it would be entered like the first case above, and from the command-line it would look like the second case above. I'm not sure which I am supposed to do, or if it even matters.

In either case, nothing in the TCP group "EXCH_IN" gets through. Everything is dropped by the implicit rule.

The configuration is almost identical to the config of the PIX that is presently working perfectly.

While I'm asking, does anyone have a link to a good explanation of how the inside, outside in/out ACLs work? I suspect that that is where I am going wrong, because I don't fully understand what in/out mean for the two interfaces.

Thanks!
Question by:netmergence
8 Comments
Expert Comment

by:batry_boy
ID: 20738538
When you construct the ACLs, you need to specify the outside (public) IP address for the destination address.  For example, rather than this:

access-list outside_access_in extended permit tcp any host mail.[mydomain].com object-group EXCH_IN

try this:

access-list outside_access_in extended permit tcp any interface outside object-group EXCH_IN

Accepted Solution

by:batry_boy (earned 1000 total points)
ID: 20738566
Almost forgot...that command I just posted is for when you are using the PIX outside interface IP address itself for your static translations.  Is the "6.21.24.227" address assigned to your PIX outside interface?  If not, then you would use this command instead:

access-list outside_access_in extended permit tcp any host 6.21.24.227 object-group EXCH_IN

One other note: if you are using the outside interface IP address for PAT, then you should also change the syntax of your port redirection commands, like this:

static (inside,outside) tcp interface https TANSRVEXCH https netmask 255.255.255.255

Again, only do that if you are using the PIX outside interface IP itself for your PAT.  If you are using a separate public IP address that you have available, then use your existing syntax for the static command and try the "access-list" syntax in this post.
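The point of the accepted answer, as an added example that is not part of the thread: on PIX 6.x and ASA 7.x through 8.2 an ACL applied inbound on the outside interface is evaluated before the static untranslates the packet, so the destination must be the mapped (public) address, or `interface outside` when the static uses the interface address; an entry naming the inside host never matches and the traffic falls through to the implicit deny. (ASA 8.3 and later reversed this so ACLs reference the real address.) The Python linter below is added here, not the poster's or Cisco's code. It parses a constructed config fragment in the pre-8.3 syntax from the thread, resolves `name` labels, and flags every TCP static whose translated address no inbound ACL entry permits. The inside addresses, the web server static and the object-group contents are assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the pre-8.3 PIX/ASA syntax used in the thread. The inside
# addresses, the third static and the object-group contents are assumptions.
BROKEN_CONFIG = """\
name 10.1.1.25 TANSRVEXCH
name 6.21.24.227 mailserver
object-group service EXCH_IN tcp
 port-object eq https
 port-object eq smtp
static (inside,outside) tcp 6.21.24.227 https TANSRVEXCH https netmask 255.255.255.255
static (inside,outside) tcp 6.21.24.227 smtp TANSRVEXCH smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.1.1.30 www netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host TANSRVEXCH object-group EXCH_IN
access-list outside_access_in extended permit tcp any host 10.1.1.30 eq www
access-group outside_access_in in interface outside
"""

# Same config with the ACL destinations pointing at the translated addresses,
# as the accepted answer recommends.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "permit tcp any host TANSRVEXCH object-group EXCH_IN",
    "permit tcp any host mailserver object-group EXCH_IN",
).replace(
    "permit tcp any host 10.1.1.30 eq www",
    "permit tcp any interface outside eq www",
)

NAME_RE = re.compile(r"^name (\S+) (\S+)")
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
# source is limited to `any` or `host X`; destination is any / host X / interface IF
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit \S+ (?:any|host \S+) "
    r"(any|host (\S+)|interface (\S+))"
)


def parse_names(cfg: str) -> Dict[str, str]:
    """Map `name <ip> <label>` entries so labels can be resolved to addresses."""
    return {m.group(2): m.group(1) for m in map(NAME_RE.match, cfg.splitlines()) if m}


def parse_statics(cfg: str) -> List[Tuple[str, str, str, str]]:
    """Return (mapped_addr, mapped_port, real_host, real_port) per TCP port static.
    mapped_addr is the literal `interface` when the outside interface IP is used."""
    return [m.groups() for m in map(STATIC_RE.match, cfg.splitlines()) if m]


def parse_acl_destinations(cfg: str, acl: str, names: Dict[str, str]) -> Set[Tuple[str, ...]]:
    """Collect destinations of `acl` as ('any',), ('host', ip) or ('interface', ifname)."""
    dests: Set[Tuple[str, ...]] = set()
    for line in cfg.splitlines():
        m = ACL_RE.match(line)
        if not m or m.group(1) != acl:
            continue
        if m.group(2) == "any":
            dests.add(("any",))
        elif m.group(3):
            dests.add(("host", names.get(m.group(3), m.group(3))))
        else:
            dests.add(("interface", m.group(4)))
    return dests


def lint_inbound_acl(cfg: str, acl: str = "outside_access_in") -> List[str]:
    """Flag statics whose translated address is never permitted by the inbound ACL.

    Pre-8.3 the ACL inbound on outside sees the packet before untranslation, so it
    must name the mapped address (or `interface outside`), not the inside host.
    """
    names = parse_names(cfg)
    dests = parse_acl_destinations(cfg, acl, names)
    findings: List[str] = []
    for mapped, mport, real, rport in parse_statics(cfg):
        real_ip = names.get(real, real)
        wanted = ("interface", "outside") if mapped == "interface" else ("host", mapped)
        if ("any",) in dests or wanted in dests:
            continue
        msg = f"{acl}: no entry for translated address {mapped} ({mport} -> {real} {rport})"
        if ("host", real_ip) in dests:
            msg += f"; ACL permits the real address {real_ip}, which is never matched"
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in lint_inbound_acl(BROKEN_CONFIG):
        print("FINDING:", finding)
    print("fixed config findings:", lint_inbound_acl(FIXED_CONFIG))
```

Running it reports three findings for the broken fragment (two for the mail server statics, one for the `interface` static) and none for the corrected one. The check is deliberately narrow: it only understands `static (inside,outside) tcp` port forwards and `any`/`host`/`interface` destinations, which is the shape of the configuration in this thread.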
Author Comment

by:netmergence
ID: 20738699
Okay, that is working, but with one odd twist that I don't fully understand.

I am using a different external IP than the outside interface, so your second comment was well-stated.

Here is what is odd; if I use the actual external IP that I want, it works perfectly. If I use the IP Address Object name, it doesn't. For example:

access-list outside_access_in extended permit tcp any host 6.21.24.227 object-group EXCH_IN

Works perfectly. However:

name 6.21.21.227 mail.[mydomain].com
...
access-list outside_access_in extended permit tcp any host mail.[mydomain].com object-group EXCH_IN

Does not.

Any idea why that would be? Am I not supposed to use Address Objects in ACLs? It sure makes the config more readable.

Thanks!
Expert Comment

by:batry_boy
ID: 20738737
You should be able to use names in your ACLs just fine.  I use them all the time, with one slight difference from how you are using them.  I never assign FQDN-style names to IP addresses in the PIX or ASA configuration...I just use a single name, like "mail" or "webserver" or something generic like that.  I'm wondering if the PIX is having a problem with the syntax of the names you are using.

Have you tried using something like this instead to see if it works?

name 6.21.21.227 mailserver
access-list outside_access_in extended permit tcp any host mailserver object-group EXCH_IN
Author Comment

by:netmergence
ID: 20738748
I discovered that probably as you were typing your message. I changed them to abbreviated names, using underscores rather than periods, and it worked. Apparently it doesn't like the periods.

Thanks!
Expert Comment

by:batry_boy
ID: 20738765
Good deal!
Author Comment

by:netmergence
ID: 20739094
I take it back!

It is still working, but I take back that it didn't like the periods.

After going through all of that, some of the ports in my groups were working, and others were not. Attempting to delete one ACL, I got a strange error that it didn't exist. (It did)

I ended up completely deleting all of my ACLs and groups, and re-creating them all. (I only have a half-dozen or so, so it didn't take long.) After I did that, it all worked flawlessly. Just as a test, I renamed one of my external IPs to the FQDN including the periods, and then tested it. It took it with no problems.

I'm not sure what was tongue-twisted, but something wasn't happy, and it apparently had nothing to do with the periods.
Expert Comment

by:batry_boy
ID: 20739103
That's good info to know...thanks for the update!