Solved

Inbound Access lists stopped working

Posted on 2008-10-20
Last Modified: 2008-10-26
I recently added the "nat (inside) 0 access-list nonat" statement to the ASA 5510 so that NAT access lists could specify what traffic could be bypassed by NAT. I recently had trouble accessing remote hosts on the internal LAN with the remote access VPN, and thought this was the issue. Actually, I added the sysop connection permit-ipsec statement so all decrypted packets could traverse the ASA into the internal LAN subnets. This solved the issue. However, inbound email stopped working from the mail servers, and webpages and Outlook Web Access are no longer accessible from the internet.

A "show nat" in the CLI shows some of the static mappings with "untranslate hits", while other static mappings show "translate hits".
Also seen in this command:
  match ip inside any inside any
  dynamic translation to pool 102 (No matching global)
There is a matching global statement. This config has worked well without issue for quite a few years in other ASAs and a PIX 501 and 515.

The config, especially the static NAT mappings of the internal servers and inbound access lists for the various TCP ports, remains unchanged. Nslookups on the outside of the network give DNS errors. It seems like the ASA is not processing the inbound access-lists anymore. I removed the "nonat" statement, and for a minute or so some inbound mail flow started, then stopped. I removed the nat statements, rebooted the ASA a few times and re-added them, but the inbound access lists do not seem to work.

Any suggestions would be appreciated.

Here is the current config:

ASA5510# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname ASA5510
domain-name default.domain.invalid
enable password 0VHZzUN3Y8hDcg1h encrypted
names
name 192.168.4.0 InsideNetwork description 192.168.4.0 Network
name 192.168.3.0 InsideSubnet description 192.168.3.0 subnet
name ******* VPNOutside description VPN Public IP
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address **********255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 no nameif
 security-level 100
 no ip address
!
interface Ethernet0/3
 shutdown
 nameif dmz
 security-level 50
 ip address 192.168.5.2 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list acl_in extended deny tcp any any eq 445
access-list acl_in extended permit ip any any
access-list acl_in extended permit udp any any eq isakmp
access-list acl_in extended permit udp any any eq 10000
access-list acl_in extended permit tcp any any eq 10000
access-list acl_in extended permit udp any any eq 1723
access-list acl_in extended permit esp any any
access-list acl_in extended permit udp any any eq 1701
access-list acl_in extended permit tcp any host 208.216.116.27 eq smtp
access-list acl_in extended permit tcp any host *** eq ssh
access-list acl_in extended permit tcp any host8 **** eq www
access-list acl_in extended permit tcp any host **** eq domain
access-list acl_in extended permit udp any host***** eq domain
access-list acl_in extended permit udp any host ***** eq ntp
access-list acl_in extended permit gre any any
access-list acl_in extended permit udp any any eq 4500
access-list acl_in extended permit icmp any any
access-list acl_out extended deny tcp any any eq 445
access-list acl_out extended permit udp any any eq isakmp
access-list acl_out extended permit udp any any eq 4500
access-list acl_out extended permit udp any any eq 10000
access-list acl_out extended permit tcp any any eq 10000
access-list acl_out extended permit udp any any eq 1723
access-list acl_out extended permit tcp any host ***eq smtp
access-list acl_out extended permit tcp any host **** eq https
access-list acl_out extended permit tcp any host **** eq www
access-list acl_out extended permit tcp any host **** eq smtp
access-list acl_out extended permit tcp any host **** eq www
access-list acl_out extended permit tcp any host **** eq https
access-list acl_out extended permit tcp any host **** eq https
access-list acl_out extended permit esp any any
access-list acl_out extended permit udp any any eq 1701
access-list acl_out extended permit esp host **** any
access-list acl_out extended permit udp host ** eq 1701 any
access-list acl_out extended permit udp host *** eq isakmp any
access-list acl_out extended permit tcp any host *** eq smtp
access-list acl_out extended permit tcp any host &**** eq www
access-list acl_out extended permit tcp any host *** eq https
access-list acl_out extended permit tcp any host *** eq 3389
access-list acl_out extended permit tcp any host **** eq 123
access-list acl_out extended permit udp any host ****eq domain
access-list acl_out extended permit udp any host**** eq ntp
access-list acl_out extended permit tcp any host**** eq www
access-list acl_out extended permit tcp any host **** eq smtp
access-list acl_out extended permit tcp any host **** eq domain
access-list acl_out extended permit tcp any host**** eq www
access-list acl_out extended permit tcp any host ***** eq ssh
access-list acl_out extended permit tcp any host***** eq www
access-list acl_out extended permit gre any any
access-list acl_out extended permit tcp any host 192.168.3.3 eq smtp
access-list acl_out extended permit tcp InsideSubnet 255.255.255.0 host 192.168.1.1 eq ssh
access-list acl_out extended permit tcp InsideSubnet 255.255.255.0 host 192.168.1.1 eq telnet
access-list acl_out extended permit ip any InsideNetwork 255.255.255.0
access-list acl_out extended permit tcp InsideNetwork 255.255.255.0 host 192.168.1.1 eq telnet
access-list inside_nat0_outbound extended permit ip InsideNetwork 255.255.255.0 any
access-list inside_nat_0_outbound extended permit ip InsideSubnet 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip InsideSubnet 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip InsideNetwork 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip InsideSubnet 255.255.255.0 host 192.168.3.85
access-list inside_nat0_outbound_1 extended permit ip InsideNetwork 255.255.255.0 host 192.168.3.85
access-list outside_1_cryptomap extended permit ip InsideNetwork 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip InsideSubnet 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip any InsideSubnet 255.255.255.0
access-list nonat extended permit ip any InsideNetwork 255.255.255.0
access-list nonat extended permit ip any 192.168.5.0 255.255.255.0
access-list nonat extended permit ip any 192.168.99.0 255.255.255.0
access-list nonat extended permit ip any 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool NewinfosysPool 192.168.99.5-192.168.99.10 mask 255.255.255.0
ip local pool BackupIPPool 192.168.100.5-192.168.100.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 102 interface
nat (inside) 0 access-list nonat
nat (inside) 102 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
static (inside,outside) *********** 192.168.3.20 netmask 255.255.255.255 tcp 1000 100 udp 1000
static (inside,outside) ******* 192.168.3.35 netmask 255.255.255.255 tcp 1000 100 udp 1000
static (inside,outside) ***** 192.168.3.33 netmask 255.255.255.255 tcp 1000 100 udp 1000
static (inside,outside) ********** 192.168.3.16 netmask 255.255.255.255 tcp 1000 100 udp 1000
static (inside,outside) ************* 192.168.3.3 netmask 255.255.255.255 tcp 1000 100 udp 1000
static (inside,outside) ********* 192.168.3.17 netmask 255.255.255.255 tcp 1000 100 udp 1000
route outside 0.0.0.0 0.0.0.0 ********* 255
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
route inside 192.168.6.0 255.255.255.0 192.168.1.1 1
route inside InsideNetwork 255.255.255.0 192.168.1.1 1
route inside InsideSubnet 255.255.255.0 192.168.1.1 1
route inside 192.168.99.0 255.255.255.0 192.168.3.1 1
route inside 192.168.99.0 255.255.255.0 192.168.4.1 1
route inside 192.168.100.0 255.255.255.0 192.168.1.1 1
route inside 192.168.99.0 255.255.255.0 192.168.1.1 1
route inside 192.168.100.0 255.255.255.0 192.168.3.1 1
route inside 192.168.100.0 255.255.255.0 192.168.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner value You are connected to the Newfoundland Information Systems Private Network.  Unauthorized use is prohibited.
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value BackupIPPool NewinfosysPool
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy ipsecgroup internal
group-policy ipsecgroup attributes
 vpn-access-hours none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 ipsec-udp enable
 ipsec-udp-port 10000
 default-domain value Newinfosys.com
 address-pools value BackupIPPool NewinfosysPool
username stassijoseph password /qBIjej5vwKt0K13 encrypted
username stassijoseph attributes
 vpn-group-policy ipsecgroup
username bignewf password zF/jxLVcSJJYs2oW encrypted
username bignewf attributes
 vpn-group-policy ipsecgroup
username maddog password rH928mPh3aV8PqyI encrypted privilege 0
username maddog attributes
 vpn-group-policy ipsecgroup
http server enable
http InsideNetwork 255.255.255.0 management
http InsideSubnet 255.255.255.0 management
http 192.168.2.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 management
http InsideSubnet 255.255.255.0 inside
http InsideNetwork 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
tunnel-group DefaultRAGroup general-attributes
 address-pool (inside) BackupIPPool
 address-pool (inside) NewinfosysPool
 dhcp-server 192.168.5.2
 strip-realm
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group ipsecgroup type ipsec-ra
tunnel-group ipsecgroup general-attributes
 address-pool (inside) BackupIPPool
 address-pool (inside) NewinfosysPool
 address-pool BackupIPPool
 address-pool NewinfosysPool
 default-group-policy ipsecgroup
 strip-group
tunnel-group ipsecgroup ipsec-attributes
 pre-shared-key *
tunnel-group ipsecgroup ppp-attributes
 authentication ms-chap-v2
tunnel-group newinfosys type ipsec-ra
tunnel-group newinfosys general-attributes
 address-pool (inside) BackupIPPool
 address-pool (inside) NewinfosysPool
 address-pool BackupIPPool
 address-pool NewinfosysPool
 default-group-policy ipsecgroup
tunnel-group newinfosys ipsec-attributes
 pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet InsideSubnet 255.255.255.0 inside
telnet InsideNetwork 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet**********inside
telnet 192.168.1.0 255.255.255.0 management
telnet InsideSubnet 255.255.255.0 management
telnet InsideNetwork 255.255.255.0 management
telnet *************management
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh InsideSubnet 255.255.255.0 inside
ssh InsideNetwork 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh InsideSubnet 255.255.255.0 management
ssh InsideNetwork 255.255.255.0 management
ssh timeout 5
console timeout 20
dhcpd option 3 ip 192.168.1.1 interface inside
dhcpd option 6 ip 199.171.27.85 199.171.27.2 interface inside
!
dhcpd option 3 ip 192.168.5.1 interface dmz
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0524806cd8f58c1d5a5bad10598948db
: end
Question by: bignewf

Expert Comment by: inrouted
ID: 22764164
This may seem like a pain, and if so, please feel free to disregard this post. You stated that you

"However, inbound email stopped working from the mail servers, and webpages and outlook webaccess are no longer accessible from the internet."

So I assume you have a need for ingress access to mail, web servers etc. from the Internet, while also needing access to some of these resources via a client VPN, IPSEC tunnel and/or other routed networks using the internal IP addressing scheme?

If so, you probably need to make sure you adhere to the processing order that the ASA/PIX have. The order NAT rules are processed in (regardless of order in the config):

1. NAT exemption, e.g. nat (inside) 0 0 0
2. Static NAT/PAT, regular and policy, e.g. static (inside,outside) blah blah
3. Policy dynamic NAT, for example the NAT access lists which you talked about using above
4. Regular dynamic NAT with best match.

My surmise, without going through the whole config (which I had to restrain myself from re-ordering and eliminating half of the lines that are doing you nothing except opening up holes), is that your NATs are matching out of order, and therefore bypassing your access-lists on the ingress. You should try and make use of the packet-tracer utility to see what is happening to packets from different interfaces going to different destinations.

Hope this gets you started.

-route.

Author Comment by: bignewf
ID: 22766264
Thanks. I will try this. It all seemed to start once I added the NAT exempt rules. Also, can I get rid of all the access-lists that allow traffic for ports 4500 and 10000? Cisco recommended placing these as I have another ASA behind this firewall which does VPN?

Assisted Solution by: inrouted (inrouted earned 500 total points)
ID: 22769445
access-list acl_in extended permit ip any any

Given that you have the above ACE as entry number 2, I seriously doubt that the rest of your access-list matters. Execute a sh access-list acl_in and look at the hit counts for the access-list. My bet is everything below that line is probably 0.
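The shadowing check described in the answer above can be automated offline against a saved "show run". This is an added example, not code from the thread or from Cisco: it parses ASA-style extended ACEs and reports every entry that an earlier entry already fully covers (a "permit ip any any" in position 2 covers everything after it). The sample ACL is constructed to mirror the question's acl_in with a documentation address in place of the redacted host; named objects such as InsideNetwork are not resolved and would need to be substituted with their addresses first.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the acl_in list in the question
# (192.0.2.10 stands in for the redacted mail host).
SAMPLE_ACL = """
access-list acl_in extended deny tcp any any eq 445
access-list acl_in extended permit ip any any
access-list acl_in extended permit udp any any eq isakmp
access-list acl_in extended permit tcp any host 192.0.2.10 eq smtp
access-list acl_in extended permit icmp any any
""".strip().splitlines()


@dataclass
class Ace:
    line: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[str]


def _parse_addr(tokens: List[str], i: int):
    """Consume one address spec (any | host A | A MASK); return (network, next index)."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}"), i + 2


def parse_ace(line: str) -> Ace:
    """Parse: access-list NAME extended ACTION PROTO SRC DST [eq PORT]."""
    tok = line.split()
    action, proto = tok[3], tok[4]
    src, i = _parse_addr(tok, 5)
    dst, i = _parse_addr(tok, i)
    port = tok[i + 1] if i < len(tok) and tok[i] == "eq" else None
    return Ace(line, action, proto, src, dst, port)


def covers(earlier: Ace, later: Ace) -> bool:
    """True when every packet matching `later` already matches `earlier`, whatever its action."""
    proto_ok = earlier.proto == "ip" or earlier.proto == later.proto
    port_ok = earlier.port is None or earlier.port == later.port
    return (proto_ok and port_ok
            and later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst))


def shadowed_entries(lines: List[str]) -> List[str]:
    """Return the ACEs that can never be hit because an earlier ACE covers them."""
    aces = [parse_ace(l) for l in lines]
    return [ace.line for idx, ace in enumerate(aces)
            if any(covers(prev, ace) for prev in aces[:idx])]


if __name__ == "__main__":
    for entry in shadowed_entries(SAMPLE_ACL):
        print("unreachable:", entry)
```

Entries it reports should show a hit count of 0 in "sh access-list", which is the confirmation the answer suggests.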

Author Comment by: bignewf
ID: 22770800
Could you clarify this for me? Are there access-lists you recommend removing?
I will run these diagnostics as you suggested. The problem started after adding the nat0 access-lists.

Thanks.

Accepted Solution by: bignewf (bignewf earned 0 total points)
ID: 22773053
Thanks for your help. I fixed the issue. After checking the GUI (which I never use), I found no inbound access-lists at all for the TCP services such as mail and HTTPS! Even though I had all the correct inbound ACLs in the CLI, they were missing in the ASDM. I simply added the inbound ACLs in the ASDM and it fixed everything. I am cleaning up the configuration anyway, as you suggested, with unnecessary ports closed to increase security. I will always check the GUI and compare with entries in the CLI from now on. This is indeed strange! The configuration was from a PIX which worked for several years without issues such as this, so this puzzled me. I will award you the full point value anyway, as I appreciate the time you spent looking at that messy config.