tabiv
asked on
Disabled Rule Denying Traffic on Cisco ASA 5510
Hi all.
I have another question open that is related, but figured I would ask this separately. I have an ACL that is denying traffic between my DMZ and internal network. I've set up Rules that I think should allow this traffic through. I have also tried some different NATs to facilitate going from the lower security interface to a higher one (though I still am not sure if they are needed or not).
I have disabled the ACL (LAN_access_out) that is blocking this traffic, saved the changes, and done a clear xlate. The ACL is still denying traffic.
Below is from the Log Viewer:
4 Oct 20 2010 18:27:27 192.168.55.5 65348 192.168.7.10 53 Deny udp src DMZ:192.168.55.5/65239 dst LAN:192.168.7.10/53 by access-group "LAN_access_out" [0x0, 0x0]
Anyone know what's going on? I can happily post config info if needed.
Thanks!
The config would help. Between ACLs and NAT, there are a number of ways traffic can be impeded.
ASKER
hehe yeah, I'll say. I thought I knew this stuff pretty well before. But it's been a number of years and I am a bit stuck on this problem. :)
Below is the sanitized code. I grabbed this from the other post since I am at home right now and not logged into work. I've changed the config slightly, but the only real difference is the disabled LAN_access_out ACL.
ASA Version 8.3(2)
!
!
interface Ethernet0/0
nameif WAN
security-level 0
ip address 999.999.999.2 255.255.255.224
!
interface Ethernet0/1
nameif LAN
security-level 100
ip address 192.168.7.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 192.168.55.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa832-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network colo-0
subnet 172.16.0.0 255.255.255.0
object network colo-16
subnet 172.16.16.0 255.255.255.0
object network TBLAN
subnet 192.168.7.0 255.255.255.0
object network TBVPN
subnet 192.168.8.0 255.255.255.0
object network DMZ_lan
subnet 192.168.55.0 255.255.255.0
object network stage_dmz
host 192.168.55.5
object network stage_wan
host 999.999.999.5
object network TB_DC
host 192.168.7.10
object-group network colo
network-object object colo-0
network-object object colo-16
object-group network TBNETs
network-object object TBLAN
network-object object TBVPN
object-group service DM_INLINE_TCP_0 tcp
port-object eq www
port-object eq https
object-group service DNS tcp-udp
port-object eq domain
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list LAN_access_out extended permit ip 192.168.7.0 255.255.255.0 any
access-list WAN_cryptomap extended permit ip object-group TBNETs object-group colo
access-list DMZ_access_in extended permit ip object stage_dmz object TB_DC
access-list DMZ_access_in extended permit ip object TB_DC object stage_dmz
access-list DMZ_access_in extended permit ip object stage_dmz any
access-list DMZ_access_in extended permit object-group TCPUDP any any object-group DNS
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit icmp any any
access-list LAN_access_in extended permit ip object TB_DC object stage_dmz
access-list LAN_access_in extended permit ip object stage_dmz object TB_DC
access-list LAN_access_in extended permit ip any any
access-list LAN_access_in extended permit icmp any any
arp timeout 14400
nat (LAN,WAN) source static TBLAN TBLAN destination static colo colo
nat (any,any) source static any any destination static TBVPN TBVPN
nat (LAN,WAN) source dynamic TBLAN interface
!
object network obj_any
nat (management,WAN) dynamic interface
access-group WAN_access in interface WAN
access-group LAN_access_in in interface LAN
access-group LAN_access_out out interface LAN
access-group DMZ_access_in in interface DMZ
route WAN 0.0.0.0 0.0.0.0 999.999.999.1 1
timeout xlate 3:00:00
ASKER
anyone know what this problem is?
In general, some of your ACLs don't make sense, and I think this is the root of your problem. For example, your outside-in ACL uses some object groups, and part of what you're allowing in the outside interface is traffic sourced from your DMZ network (192.168.7.0/24). Which, of course, should never be coming in your outside interface.
So when we look at the error, it's referencing your LAN-out ACL, which says permit source from the DMZ to anything, and then we look at your DMZ-in ACL, which is permitting traffic from 192.168.55.0 to host 192.168.7.0 -- which is in the DMZ, and that's what the error appears to be referencing. I would work on cleaning up your ACLs and making sure sources and destinations make sense given the topology.
John
ASKER
yeah, that is odd to see for the ACLs. I was adding a number of different things to see what I would get Hits on as it flowed through the ACLs.
This is currently what I have for ACLs:
access-list LAN_access_out extended permit ip 192.168.7.0 255.255.255.0 any
access-list WAN_cryptomap extended permit ip object-group TBNETs object-group colo
access-list DMZ_access_in extended permit ip object stage_dmz any
access-list LAN_access_in extended permit ip object stage_dmz object TBLAN
access-list LAN_access_in extended permit ip 192.168.7.0 255.255.255.0 any
I still cannot communicate from the DMZ to the Internal network and still getting access denied from the LAN_access_out. Should this work, or is there a problem with my ACLs above?
Thanks!
ASKER
I forgot to disable the LAN_access_out rule while I was testing something else:
so this is my current ACL:
access-list LAN_access_out extended permit ip 192.168.7.0 255.255.255.0 any inactive
access-list WAN_cryptomap extended permit ip object-group TBNETs object-group colo
access-list DMZ_access_in extended permit ip object stage_dmz any
access-list LAN_access_in extended permit ip object stage_dmz object TBLAN
access-list LAN_access_in extended permit ip 192.168.7.0 255.255.255.0 any
and the LAN_access_out rule is still the rule that is blocking.
Need some time to digest. I'll try to get back to this tonight.
-- John
ASKER CERTIFIED SOLUTION
Good point, and I'm not completely sure I would have noticed that. But you're right, you have a single-statement ACL which is inactive, which would mean the implicit deny would still be in effect. Good catch for whoever pointed it out.
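The following is an added example, not code from the thread or from Cisco: a small Python model of how an ASA evaluates an extended ACL bound to an interface (first active match wins, implicit deny at the end), run against the exact syslog line and ACL entries the asker posted. The helper names (`evaluate`, `decide`, `parse_deny`, `scenarios`) and the three scenarios are this example's own. It shows why marking the only ACE `inactive` still drops the DMZ-to-LAN DNS flow, why re-activating it would not help either (its source is the LAN subnet, not the DMZ host), and that only removing the `access-group ... out interface LAN` binding lets the flow through to the LAN_access_in/DMZ_access_in permits.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of ASA extended-ACL evaluation for this example only;
# it is not Cisco code and ignores NAT, connection state and inspection.

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "udp", "tcp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    inactive: bool = False       # the "inactive" keyword on an access-list line

@dataclass
class Flow:
    proto: str
    src: str
    dst: str
    dport: int

def net(spec: str) -> ipaddress.IPv4Network:
    """Parse 'any' or 'address mask' as written on an ASA access-list line."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def evaluate(acl: Optional[List[Ace]], flow: Flow) -> str:
    """Decision at one interface/direction.

    acl is None when no access-group is bound there: nothing is checked and
    the packet passes this stage.  When an ACL is bound, the first ACTIVE
    matching ACE decides; if none matches, the implicit deny at the end of
    the ACL applies, even when every ACE carries 'inactive'.
    """
    if acl is None:
        return "permit"
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for ace in acl:
        if ace.inactive:
            continue                       # skipped entirely, as if not there
        if ace.proto not in ("ip", flow.proto):
            continue
        if src in ace.src and dst in ace.dst:
            return ace.action
    return "deny"                          # implicit deny

# Matches the %ASA-4-106023 style message quoted in the thread.
LOG_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)

def parse_deny(line: str) -> Tuple[Flow, str]:
    """Extract the denied 5-tuple and the ACL name blamed in the log line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an ASA access-group deny message")
    return Flow(m["proto"], m["src"], m["dst"], int(m["dport"])), m["acl"]

def decide(flow: Flow, dmz_in: Optional[List[Ace]], lan_out: Optional[List[Ace]]) -> str:
    """DMZ -> LAN path: inbound ACL on DMZ first, then outbound ACL on LAN."""
    if evaluate(dmz_in, flow) == "deny":
        return "deny by DMZ_access_in"
    if evaluate(lan_out, flow) == "deny":
        return "deny by LAN_access_out"
    return "permit"

# ACL lines from the asker's last post, transcribed into the model.
DMZ_ACCESS_IN = [Ace("permit", "ip", net("192.168.55.5 255.255.255.255"), net("any"))]
LAN_OUT_INACTIVE = [Ace("permit", "ip", net("192.168.7.0 255.255.255.0"), net("any"), inactive=True)]
LAN_OUT_ACTIVE = [Ace("permit", "ip", net("192.168.7.0 255.255.255.0"), net("any"))]

# The log line the asker quoted from Log Viewer.
SYSLOG = ('4 Oct 20 2010 18:27:27 192.168.55.5 65348 192.168.7.10 53 Deny udp '
          'src DMZ:192.168.55.5/65239 dst LAN:192.168.7.10/53 '
          'by access-group "LAN_access_out" [0x0, 0x0]')

def scenarios() -> dict:
    flow, _blamed_acl = parse_deny(SYSLOG)
    return {
        # ACE inactive but access-group still bound: only the implicit deny is left.
        "inactive_ace_still_bound": decide(flow, DMZ_ACCESS_IN, LAN_OUT_INACTIVE),
        # ACE active, but its source 192.168.7.0/24 is the LAN, not the DMZ host.
        "active_ace_wrong_source": decide(flow, DMZ_ACCESS_IN, LAN_OUT_ACTIVE),
        # 'no access-group LAN_access_out out interface LAN': no outbound check at all.
        "access_group_removed": decide(flow, DMZ_ACCESS_IN, None),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The practical takeaway the model reproduces: `inactive` hides an entry but leaves the ACL bound to the interface, so the implicit deny at its end still applies to everything; to stop filtering in that direction you remove the `access-group` binding with its `no` form (or add an explicit permit for the flow you need), and you verify with the same syslog message no longer appearing for the flow.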
ASKER
No other answer worked, I answered the question myself.