Disabled Rule Denying Traffic on Cisco ASA 5510

tabiv
Hi all.

I have another question open that is related, but figured I would ask this separately. I have an ACL that is denying traffic between my DMZ and internal network. I've set up Rules that I think should allow this traffic through. I have also tried some different NATs to facilitate going from the lower security interface to a higher one (though I still am not sure if they are needed or not).

I have disabled the ACL (LAN_access_out) that is blocking this traffic, saved the changes, and done a clear xlate. The ACL is still denying traffic.

Below is from the Log Viewer:

4      Oct 20 2010      18:27:27            192.168.55.5      65348      192.168.7.10      53      Deny udp src DMZ:192.168.55.5/65239 dst LAN:192.168.7.10/53 by access-group "LAN_access_out" [0x0, 0x0]

Anyone know what's going on? I can happily post config info if needed.

Thanks!
John Meggers, Network Architect

Commented:
The config would help.  Between ACLs and NAT, there are a number of ways traffic can be impeded.

Author

Commented:
hehe yeah, I'll say. I thought I knew this stuff pretty well before. But it's been a number of years and I am a bit stuck on this problem. :)

Below is the sanitized code. I grabbed this from the other post since I am at home right now and not logged into work. I've changed the config slightly, but the only real difference is the disabled LAN_access_out ACL.

ASA Version 8.3(2)
!
!
interface Ethernet0/0
 nameif WAN
 security-level 0
 ip address 999.999.999.2 255.255.255.224
!
interface Ethernet0/1
 nameif LAN
 security-level 100
 ip address 192.168.7.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.55.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa832-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network colo-0
 subnet 172.16.0.0 255.255.255.0
object network colo-16
 subnet 172.16.16.0 255.255.255.0
object network TBLAN
 subnet 192.168.7.0 255.255.255.0
object network TBVPN
 subnet 192.168.8.0 255.255.255.0
object network DMZ_lan
 subnet 192.168.55.0 255.255.255.0
object network stage_dmz
 host 192.168.55.5
object network stage_wan
 host 999.999.999.5
object network TB_DC
 host 192.168.7.10
object-group network colo
 network-object object colo-0
 network-object object colo-16
object-group network TBNETs
 network-object object TBLAN
 network-object object TBVPN
object-group service DM_INLINE_TCP_0 tcp
 port-object eq www
 port-object eq https
object-group service DNS tcp-udp
 port-object eq domain
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list LAN_access_out extended permit ip 192.168.7.0 255.255.255.0 any
access-list WAN_cryptomap extended permit ip object-group TBNETs object-group colo

access-list DMZ_access_in extended permit ip object stage_dmz object TB_DC
access-list DMZ_access_in extended permit ip object TB_DC object stage_dmz
access-list DMZ_access_in extended permit ip object stage_dmz any
access-list DMZ_access_in extended permit object-group TCPUDP any any object-group DNS
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit icmp any any
access-list LAN_access_in extended permit ip object TB_DC object stage_dmz
access-list LAN_access_in extended permit ip object stage_dmz object TB_DC
access-list LAN_access_in extended permit ip any any
access-list LAN_access_in extended permit icmp any any

arp timeout 14400
nat (LAN,WAN) source static TBLAN TBLAN destination static colo colo
nat (any,any) source static any any destination static TBVPN TBVPN
nat (LAN,WAN) source dynamic TBLAN interface
!
object network obj_any
 nat (management,WAN) dynamic interface
access-group WAN_access in interface WAN
access-group LAN_access_in in interface LAN
access-group LAN_access_out out interface LAN
access-group DMZ_access_in in interface DMZ
route WAN 0.0.0.0 0.0.0.0 999.999.999.1 1
timeout xlate 3:00:00

Author

Commented:
anyone know what this problem is?

John Meggers, Network Architect

Commented:
In general, some of your ACLs don't make sense, and I think this is the root of your problem.  For example, your outside-in ACL uses some object groups, and part of what you're allowing in the outside interface is traffic sourced from your DMZ network (192.168.7.0/24).  Which, of course, should never be coming in your outside interface.

So when we look at the error, it's referencing your LAN-out ACL, which says permit source from the DMZ to anything, and then we look at your DMZ-in ACL, which is permitting traffic from 192.168.55.0 to host 192.168.7.0 -- which is in the DMZ, and that's what the error appears to be referencing. I would work on cleaning up your ACLs and making sure sources and destinations make sense given the topology.

John

Author

Commented:
yeah, that is odd to see for the ACLs. I was adding a number of different things to see what I would get Hits on as it flowed through the ACLs.

This is currently what I have for ACLs:

access-list LAN_access_out extended permit ip 192.168.7.0 255.255.255.0 any
access-list WAN_cryptomap extended permit ip object-group TBNETs object-group colo
access-list DMZ_access_in extended permit ip object stage_dmz any
access-list LAN_access_in extended permit ip object stage_dmz object TBLAN
access-list LAN_access_in extended permit ip 192.168.7.0 255.255.255.0 any

I still cannot communicate from the DMZ to the Internal network and still getting access denied from the LAN_access_out. Should this work, or is there a problem with my ACLs above?

Thanks!

Author

Commented:
I forgot to disable the LAN_access_out rule while I was testing something else:

so this is my current ACL:

access-list LAN_access_out extended permit ip 192.168.7.0 255.255.255.0 any inactive
access-list WAN_cryptomap extended permit ip object-group TBNETs object-group colo
access-list DMZ_access_in extended permit ip object stage_dmz any
access-list LAN_access_in extended permit ip object stage_dmz object TBLAN
access-list LAN_access_in extended permit ip 192.168.7.0 255.255.255.0 any

and the LAN_access_out rule is still the rule that is blocking.
John Meggers, Network Architect

Commented:
Need some time to digest.  I'll try to get back to this tonight.

-- John
Commented:
I got the answer from posting on a different Forum.

The ACLs are OK. Well, they're ugly and need to be cleaned up (and locked down) but they work. :)

The Disabled ACL was in an Access Group and each individual Access Group has an implicit Deny at the end of it (in addition to the Global Deny at the end of all of the Access Rules).

So what I needed to do was either delete the related Access Group completely (instead of disabling the ACL) or add another ACL to permit DMZ traffic.

Thank you for your help, John.
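The behaviour described in this answer, as an added illustration that is not part of the original thread: a small model of ASA-style ACL evaluation where an ACE marked `inactive` is skipped, so an access-group whose only ACE is inactive still ends in the implicit deny. The ACL text, object definitions and access-group bindings below are constructed copies of the author's final configuration, and the evaluation order (inbound ACL on the ingress interface, then outbound ACL on the egress interface, no security-level defaults) is a simplifying assumption of this example.

```python
import ipaddress
from ipaddress import ip_network

# Constructed copies of the author's final ACLs, objects and bindings (not live config)
ACL_TEXT = """
access-list LAN_access_out extended permit ip 192.168.7.0 255.255.255.0 any inactive
access-list DMZ_access_in extended permit ip object stage_dmz any
access-list LAN_access_in extended permit ip 192.168.7.0 255.255.255.0 any
"""
OBJECTS = {"stage_dmz": "192.168.55.5/32", "TBLAN": "192.168.7.0/24"}
ACCESS_GROUPS = {("DMZ", "in"): "DMZ_access_in", ("LAN", "in"): "LAN_access_in",
                 ("LAN", "out"): "LAN_access_out"}

def take_addr(tok):
    """Consume one ASA address spec: any / object NAME / host A / A MASK."""
    if tok[0] == "any":
        return ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "object":
        return ip_network(OBJECTS[tok[1]]), tok[2:]
    if tok[0] == "host":
        return ip_network(tok[1]), tok[2:]
    return ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse_acls(text):
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()  # access-list NAME extended ACTION PROTO SRC DST [inactive]
        name, action, proto, rest = t[1], t[3], t[4], t[5:]
        active = rest[-1] != "inactive"
        src, rest = take_addr(rest if active else rest[:-1])
        dst, _ = take_addr(rest)
        acls.setdefault(name, []).append((action, proto, src, dst, active))
    return acls

def evaluate(acl, proto, src, dst):
    """First matching *active* ACE wins; no active match falls to the implicit deny."""
    for action, p, s, d, active in acl:
        if active and p in ("ip", proto) and src in s and dst in d:
            return action
    return "deny"

def check_flow(groups, acls, in_if, out_if, proto, src, dst):
    """Apply the 'in' ACL on in_if, then the 'out' ACL on out_if.
    A direction with no access-group bound is not filtered by an ACL here."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for key in ((in_if, "in"), (out_if, "out")):
        name = groups.get(key)
        if name and evaluate(acls[name], proto, src, dst) == "deny":
            return f'Deny {proto} by access-group "{name}"'
    return "Permit"
```

Running the DMZ-to-LAN DNS flow from the log entry through this model reproduces the deny by "LAN_access_out"; dropping the `("LAN", "out")` binding or appending an active permit ACE to LAN_access_out lets it through.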
John Meggers, Network Architect

Commented:
Good point, and I'm not completely sure I would have noticed that.  But you're right, you have a single-statement ACL which is inactive, which would mean the implicit deny would still be in effect.  Good catch for whoever pointed it out.

Author

Commented:
No other answer worked, I answered the question myself.
