netmergence asked:
ACL's not working as expected.

I'm manually migrating a PIX 506e to a ASA 5505 (Since the PIX doesn't have enough memory to load 7.x on, so I can't seamlessly migrate the config.)

My ACL's to allow some external access in to my servers are not working properly. Everything is getting dropped. When I run the Packet Tracer, it shows everything is dropped by the implicit rule - it's like the packets aren't matching my ACLs properly.

I'm guessing that my understanding of how the ACL's work on the different interfaces, and for different directions is somehow wrong, and I need to adjust how I am doing things, but I'm not sure what I am missing, or how I am wrong.

I am a Cisco-novice, and completely self-taught, so it is easy to believe that I am missing something obvious.

The internet is working fine outbound, and my Inside ACL's work properly.

I have static NAT with PAT routes setup to map the internal machines to their external addresses. (PAT because I use one external IP for services provided by different internal machines.)

My NAT entries look like this (with obfuscated IPs):

static (inside,outside) tcp 6.21.24.227 https TANSRVEXCH https netmask 255.255.255.255
(more entries just like this, but with different ports and hosts defined)

Then the ACLs looks like this:
access-list outside_access_in extended permit tcp any host TANSRVEXCH object-group EXCH_IN
(again, more entries just like this defined)

I've also tried it like this:
access-list outside_access_in extended permit tcp any host mail.[mydomain].com object-group EXCH_IN

On the PIX, within the ASDM it would be entered like the first case above, and from the command-line it would look like the second case above. I'm not sure which I am supposed to do, or if it even matters.

In either case, nothing in the TCP group "EXCH_IN" gets through. Everything is dropped by the implicit rule.

The configuration is almost identical to the config of the PIX that is presently working perfectly.

While I'm asking, does anyone have a link to a good explanation of how the inside, outside in/out ACL's work? I suspect that that is where I am going wrong, because I don't fully understand what in/out mean for the two interfaces.

Thanks!
batry_boy:

When you construct the ACL's, you need to specify the outside (public) IP address for the destination address.  For example, rather than this:

access-list outside_access_in extended permit tcp any host mail.[mydomain].com object-group EXCH_IN

try this:

access-list outside_access_in extended permit tcp any interface outside object-group EXCH_IN
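The point batry_boy makes above (on pre-8.3 PIX/ASA code, an inbound ACL on the outside interface must match on the mapped public address from the static, not on the real inside host) is easy to check mechanically. The following lint script is an added example and is not part of the thread or of any Cisco tool: it parses `name`, `static (real,mapped)`, `access-list` and `access-group` lines and flags ACEs applied inbound on a mapped interface whose destination resolves to a real (inside) address. The sample config is constructed for the example, reusing the post's obfuscated public address and a hypothetical inside IP (192.168.1.10) and name (mail_mydomain_com).

```python
"""Lint a pre-8.3 PIX/ASA config: an ACL applied inbound on the mapped (outside)
interface must reference the mapped address of a static, not the real inside host.

Added example, not from the thread. SAMPLE_CONFIG is constructed; the inside
address 192.168.1.10 and the name mail_mydomain_com are hypothetical.
"""
from dataclasses import dataclass

SAMPLE_CONFIG = """\
name 192.168.1.10 TANSRVEXCH
name 6.21.24.227 mail_mydomain_com
object-group service EXCH_IN tcp
 port-object eq https
 port-object eq smtp
static (inside,outside) tcp 6.21.24.227 https TANSRVEXCH https netmask 255.255.255.255
static (inside,outside) tcp 6.21.24.227 smtp TANSRVEXCH smtp netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host TANSRVEXCH object-group EXCH_IN
access-list outside_access_in extended permit tcp any host mail_mydomain_com object-group EXCH_IN
access-list outside_access_in extended permit tcp any host 6.21.24.227 object-group EXCH_IN
access-list inside_access_in extended permit ip any any
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
"""


@dataclass
class Finding:
    line_no: int
    acl: str
    written_dest: str   # destination exactly as written in the ACE
    real_ip: str        # the inside address it resolves to
    mapped_ip: str      # the public address the ACE should match on


def _addr_spec(tok, i):
    """Consume one ACE address spec at tok[i]; return (spec, index after it)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] in ("host", "object-group", "object"):
        return tok[i + 1], i + 2
    return tok[i], i + 2            # "address mask" form


def lint(config: str):
    names = {}      # name -> ip  (from "name <ip> <name>")
    statics = []    # (mapped, real, mapped_interface) as written
    applied = {}    # acl name -> interface it is applied inbound on
    aces = []       # (line_no, acl, destination spec)

    for line_no, raw in enumerate(config.splitlines(), 1):
        tok = raw.split()
        if not tok:
            continue
        try:
            if tok[0] == "name":
                names[tok[2]] = tok[1]
            elif tok[0] == "static":
                _real_ifc, mapped_ifc = tok[1].strip("()").split(",")
                if tok[2] in ("tcp", "udp"):
                    mapped, real = tok[3], tok[5]   # mapped_ip port real_ip port
                else:
                    mapped, real = tok[2], tok[3]   # mapped_ip real_ip
                statics.append((mapped, real, mapped_ifc))
            elif tok[0] == "access-group" and tok[2] == "in":
                applied[tok[1]] = tok[4]
            elif tok[0] == "access-list" and "remark" not in tok[2:4]:
                i = 3 if tok[2] == "extended" else 2
                if tok[i] not in ("permit", "deny"):
                    continue
                i += 1
                i += 2 if tok[i] == "object-group" else 1   # skip protocol
                _, i = _addr_spec(tok, i)                   # source
                dest, _ = _addr_spec(tok, i)                # destination
                aces.append((line_no, tok[1], dest))
        except IndexError:
            continue    # malformed or unsupported line; not this lint's job

    # Resolve names after the whole config is read, so ordering does not matter.
    mapped_of = {names.get(real, real): (names.get(mapped, mapped), ifc)
                 for mapped, real, ifc in statics}

    findings = []
    for line_no, acl, dest in aces:
        resolved = names.get(dest, dest)
        if resolved in mapped_of:
            mapped_ip, mapped_ifc = mapped_of[resolved]
            if applied.get(acl) == mapped_ifc:
                findings.append(Finding(line_no, acl, dest, resolved, mapped_ip))
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.acl} matches real host {f.written_dest} "
              f"({f.real_ip}); use the mapped address {f.mapped_ip} instead")
```

Run against the sample, only the ACE that names TANSRVEXCH is reported; the ACE using the name bound to the public address and the one using the literal 6.21.24.227 both pass, which is the same distinction the thread arrives at. The check is scoped to ACLs applied inbound on the static's mapped interface, because an ACL on the inside interface legitimately sees real addresses.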

ASKER CERTIFIED SOLUTION
batry_boy
netmergence (ASKER):

Okay, that is working, but with one odd twist that I don't fully understand.

I am using a different external IP than the outside interface, so your second comment was well-stated.

Here is what is odd; if I use the actual external IP that I want, it works perfectly. If I use the IP Address Object name, it doesn't. For example:
{
access-list outside_access_in extended permit tcp any host 6.21.24.227 object-group EXCH_IN
}
Works perfectly. However:
{
name 6.21.21.227 mail.[mydomain].com
...
access-list outside_access_in extended permit tcp any host mail.[mydomain].com object-group EXCH_IN
}
Does not.

Any idea why that would be? Am I not supposed to use Address Objects in ACL's? It sure makes the config more readable.

Thanks!
batry_boy:

You should be able to use names in your ACL's just fine.  I use them all the time, with one slight difference than how you are using them.  I never assign FQDN style names to IP addresses in the PIX or ASA configuration...I just use a single name, like "mail" or "webserver" or something generic like that.  I'm wondering if the PIX is having a problem with the syntax of the names you are using.

Have you tried using something like this instead to see if it works?

name 6.21.21.227 mailserver
access-list outside_access_in extended permit tcp any host mailserver object-group EXCH_IN
netmergence (ASKER):

I discovered that probably as you were typing your message. I changed them to abbreviated names, using underscores rather than periods, and it worked. Apparently it doesn't like the periods.

Thanks!
batry_boy:

Good deal!
netmergence (ASKER):

I take it back!

It is still working, but I take back that it didn't like the periods.

After going through all of that, some of the ports in my groups were working, and others were not. Attempting to delete one ACL, I got a strange error that it didn't exist. (It did)

I ended up completely deleting all of my ACL's and groups, and re-creating them all. (I only have a half-dozen or so, so it didn't take long) After I did that, it all worked flawlessly. Just as a test, I renamed one of my external IP's to the FQDN including the periods, and then tested it. It took it with no problems.

I'm not sure what was tongue-twisted, but something wasn't happy, and it apparently had nothing to do with the periods.
batry_boy:

That's good info to know...thnx for the update!