Cisco ASA Access List Question

sarahbobby
Please forgive my ignorance on this, but I'm still trying to get my arms around ASA access lists...

What I'm attempting to do (as you can see by the configs) is restrict access from my DC site (10.10.50.x) to my HOUSTON site (192.168.40.x) to only RSYNC, SSH, HTTP, and ICMP. The tunnel is up and I can access Houston from DC over those ports. However, when I open up other ports as a test on the Houston server (telnet, ftp, RDP, etc) I can get to those from DC, too. I definitely do not want that. I thought I had the access lists configured properly, but clearly I'm missing something.

So the only thing I'd like is for DC to Rsync, ssh, ping, and web to Houston. Nothing else.

Any insight would be appreciated.
DC-conf.txt
HOUSTON.txt
Top Expert 2010

Commented:
I took a quick look. Each config is missing the access-group command which applies the access-list to an interface.

Are you sure the VPN tunnel is up, because neither site is using a NONAT command either.

Have a look at these for a comparison.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080862017.shtml

Author

Commented:
I added:

access-group acl_inside in interface inside

to the HOUSTON config. But I can still get to unwanted protocols from DC to Houston.

Yes. Tunnels are up. VPN Status indicates the proper number of IPSEC and VPN tunnels.

Author

Commented:
correction:

access-group inside_acl in interface inside

Top Expert 2010

Commented:
In Houston, your ACL looks like:
access-list inside_acl extended permit tcp 192.168.40.0 255.255.255.0 10.10.50.0 255.255.255.0 object-group DM_INLINE_TCP_1
access-list inside_acl extended permit icmp 192.168.40.0 255.255.255.0 10.10.50.0 255.255.255.0 echo-reply
access-list inside_acl extended deny ip any 10.10.50.0 255.255.255.0
access-list inside_acl extended permit ip any any

ACLs are evaluated from top to bottom. At the very bottom you have an "allow everything". You'll need to command that out.

Also, you have the ACL reading in interface inside which means only the traffic destined inbound to the ASA is evaluated.


Let me offer another suggestion. I usually set up a VPN wide open and then apply a VPN filter to the VPN tunnel to limit traffic. That way, adjusting the permitted traffic is limited to just editing the VPN filter acl, then restarting the tunnel.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Pay attention to how the VPN filter uses the ACLs, it's a little different than how it gets applied to the interface.
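
To make the top-to-bottom evaluation and the effect of the trailing permit concrete, here is a small ACE evaluator added as an illustration (it is not code from this thread or from Cisco). It assumes the object-group expands to ssh/http/rsync (its members are not shown on the page) and uses constructed hosts 10.10.50.5 (DC) and 192.168.40.10 (Houston):

```python
import ipaddress
from collections import namedtuple

# ACE fields: action (permit/deny), proto (ip/tcp/udp/icmp), src/dst networks,
# dport (only "eq <port>" is parsed; ICMP types such as echo-reply are ignored).
Ace = namedtuple("Ace", "action proto src dst dport")

def _net(tok):
    """'any' or '<addr> <mask>' -> (network, number of tokens consumed)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), 2

def parse_ace(line):
    t = line.split()
    assert t[0] == "access-list" and t[2] == "extended", line
    src, n = _net(t[5:])
    dst, m = _net(t[5 + n:])
    rest = t[5 + n + m:]
    dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
    return Ace(t[3], t[4], src, dst, dport)

def evaluate(acl, proto, src, dst, dport=None):
    """ASA semantics: first matching ACE wins; no match falls to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        port_ok = ace.dport is None or ace.dport == dport
        if ace.proto in ("ip", proto) and port_ok and s in ace.src and d in ace.dst:
            return ace.action
    return "deny (implicit)"

# Constructed ACL mirroring the Houston inside_acl quoted in the thread. The
# object-group is expanded to ssh/http/rsync as an assumption (its members are
# not shown on the page).
AS_POSTED = [parse_ace(l) for l in """
access-list inside_acl extended permit tcp 192.168.40.0 255.255.255.0 10.10.50.0 255.255.255.0 eq 22
access-list inside_acl extended permit tcp 192.168.40.0 255.255.255.0 10.10.50.0 255.255.255.0 eq 80
access-list inside_acl extended permit tcp 192.168.40.0 255.255.255.0 10.10.50.0 255.255.255.0 eq 873
access-list inside_acl extended permit icmp 192.168.40.0 255.255.255.0 10.10.50.0 255.255.255.0 echo-reply
access-list inside_acl extended deny ip any 10.10.50.0 255.255.255.0
access-list inside_acl extended permit ip any any
""".strip().splitlines()]
WITHOUT_ANY_ANY = AS_POSTED[:-1]   # same list with the trailing "permit ip any any" removed

def telnet_from_dc(acl):
    """Telnet (tcp/23) from a DC host to a Houston host, the test the asker ran."""
    return evaluate(acl, "tcp", "10.10.50.5", "192.168.40.10", 23)
```

With the list as posted the telnet falls through every specific line and is caught by the final permit; with that line removed it reaches the implicit deny. Bear in mind the ASA only runs this ACL against packets entering the interface it is bound to, so an ACL bound "in" on Houston's inside interface never sees DC-to-Houston traffic arriving from the tunnel, whichever way its lines are written.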

Author

Commented:
The VPN filter idea is definitely a good one. I may monkey with that in our test lab as I'm reluctant to test on our production firewalls.

I removed the 'permit ip any any' rule and added an icmp rule for another subnet that needs access to houston (hub and spoke).

However, I can still get to HOUSTON from DC via unwanted protocols (telnet, rdp) even though (I thought) I'm restricting access via ssh and rsync. Clearly I'm missing something as I'd really only like to limit access to rsync, ssh, and icmp.

Should I be modifying something on the DC side?

New access lists below:

access-list 100 extended permit ip 192.168.70.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list 100 extended permit ip 192.168.70.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list inside_acl extended permit tcp 192.168.70.0 255.255.255.0 10.10.50.0 255.255.255.0 object-group PROTOCOL
access-list inside_acl extended permit icmp 192.168.70.0 255.255.255.0 10.10.50.0 255.255.255.0 echo-reply
access-list inside_acl extended deny ip any 10.10.50.0 255.255.255.0
access-list inside_acl extended permit icmp 192.168.70.0 255.255.255.0 192.168.60.0 255.255.255.0
Top Expert 2010
Commented:
In DC, the source IPs would be 10.10.50.0, so you need to reverse the entries on your ACEs.

You also need to apply the access list to the inside interface for it to catch using an access-group.

Author

Commented:
Gotcha.

So essentially I was missing the 'access-group' config, which interfered with ACEs being applied.

Should I add some ACEs on DC similar to the ones I have in Houston in order to facilitate the restrictions I desire? You indicated that I'd have to reverse ACE entries on DC, but I thought perhaps that would interfere with general tunnel access.
Top Expert 2010

Commented:
Remember that ACLs are applied to the interfaces using Access Group. You can have 1 ACL on any 1 interface in 1 direction (in or out) at a time.

If you need references to work from, here's a whole bunch of them.
http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
