dbeutler

asked on

Cisco ASA access-list not denying traffic

We recently had a situation where an access-list to deny traffic was not taking effect.  Background: A SIP VoIP server sits in our "DMZ-2".  This server handles SIP registrations and calls (it is a registrar and proxy). Recently, the server was rebooted.  Upon rebooting, the flood of SIP registrations and invites was causing the server CPU to spike to 100% and reject all incoming calls.  In an effort to mitigate the storm of traffic, we decided to block traffic on the firewall.  We added a deny statement at the top of the access list to deny all traffic coming into the outside interface.  We applied the ACL and cleared the xlate, and traffic was still getting through.  At this point we figured that the SIP server could be sending back SIP responses from the DMZ-2 and therefore opening pin-holes through the firewall which would ignore the access-list blocking all inbound traffic.  In order to stop all traffic, we set up an additional access list to block all incoming traffic on the DMZ-2 interface and again cleared the xlate.  Traffic was still getting through.  In order to stop the traffic, we had to disable the DMZ-2 interface.  When we re-enabled the interface, the deny ACLs were effective and we were able to slowly open the VoIP server to SIP traffic one group of subnets at a time.
The overarching question is why the deny statements would not have been effective?
Below you will find the details on our current configuration and versions (with some elements removed to protect the innocent):

Cisco Adaptive Security Appliance Software Version 8.0(2)
Device Manager Version 6.2(1)

Result of the command: "sh run"

: Saved
:
ASA Version 8.0(2)
!
hostname LNDCBLFW01
names

dns-guard
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 123.13.84.146 255.255.255.240 standby 123.13.84.147
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.54
 vlan 54
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
!
interface GigabitEthernet0/1.57
 vlan 57
 nameif crossConnect
 security-level 25
 ip address 10.250.1.1 255.255.255.240 standby 10.250.1.2
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2.56
 vlan 56
 nameif DMZ
 security-level 50
 ip address 123.13.83.1 255.255.255.192 standby 123.13.83.2
!
interface GigabitEthernet0/2.60
 vlan 60
 nameif DMZ-2
 security-level 50
 ip address 123.13.8.1 255.255.255.128 standby 123.13.8.2
!
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa802-k8.bin
ftp mode passive
dns server-group DefaultDNS
same-security-traffic permit inter-interface
object-group service Phone
 service-object udp range 1024 65535
object-group service UDP-Phone udp
 port-object range 1024 65535
object-group service Phones udp
 group-object UDP-Phone
object-group service UDP udp
 group-object UDP-Phone
object-group network softswitchServers
 network-object host 123.13.83.8
 network-object host 123.13.83.54
object-group network NatpassGroup
 network-object host 123.13.83.11
 network-object host 123.13.83.7
object-group network NextoneServers
 network-object host 123.13.83.42
 network-object host 123.13.83.43
 network-object host 123.13.83.44
 network-object host 123.13.83.45
 network-object host 123.13.83.46
 network-object host 123.13.83.48
 network-object host 123.13.83.49
 network-object host 123.13.83.50
 network-object host 123.13.83.51
 network-object host 123.13.83.41
object-group network WebServers
 network-object host 123.13.83.10
 network-object host 123.13.83.13
 network-object host 123.13.83.14
 network-object host 123.13.83.17
 network-object host 123.13.83.18
 network-object host 123.13.83.24
 network-object host 123.13.83.25
 network-object host 123.13.83.26
 network-object host 123.13.83.27
 network-object host 123.13.83.28
 network-object host 123.13.83.29
 network-object host 123.13.83.30
 network-object host 123.13.83.31
 network-object host 123.13.83.5
 network-object host 123.13.83.6
 network-object host 123.13.83.9
 network-object host 123.13.83.19
object-group service WebServices tcp
 description Port List for Access to Web Server
 port-object eq 1701
 port-object eq 8000
 port-object eq 8080
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
 port-object eq 490
 port-object eq 81
 port-object eq 7701
 port-object eq 1706
object-group network AcmePacket-Servers
 network-object host 123.13.8.10
 network-object host 123.13.8.11
 network-object host 123.13.8.14
 network-object host 123.13.8.15
 network-object host 123.13.8.16
 network-object host 123.13.8.17
 network-object host 123.13.8.18
 network-object host 123.13.8.19
 network-object host 123.13.8.8
 network-object host 123.13.8.6
 network-object host 123.13.8.20
 network-object host 123.13.8.21
object-group network minsana
 network-object 172.31.67.0 255.255.255.192
object-group network DM_INLINE_NETWORK_1
 network-object host 123.13.8.10
 network-object host 123.13.8.11
object-group network MediaSinkServers
 network-object host 123.13.8.50
object-group network minsana1
 description minsana Plant 1
 network-object 172.31.96.192 255.255.255.192
object-group network DM_INLINE_NETWORK_2
 network-object host 123.13.8.10
 network-object host 123.13.8.11
object-group network minsanaPlant1
 network-object 172.31.96.192 255.255.255.192
object-group network Viarktek
 description Viarktek Direct Access
 network-object host 190.8.42.18
 network-object host 190.8.42.21
 network-object host 190.8.42.22
object-group network MediaServersGroup
 description All of the Media Servers in Production
 network-object host 123.13.83.54
 network-object host 123.13.83.55
object-group network Beta-AcmePacket-Servers
 description AcmePacket Beta Addresses
 network-object host 123.13.8.7
 network-object host 123.13.8.9
object-group network DM_INLINE_NETWORK_10
 network-object host 123.13.8.14
 network-object 123.13.83.0 255.255.255.192
object-group network DM_INLINE_NETWORK_6
 network-object host 123.13.8.14
 network-object 123.13.83.0 255.255.255.192
object-group network DM_INLINE_NETWORK_7
 network-object host 123.13.8.14
 network-object 123.13.83.0 255.255.255.192
object-group network DM_INLINE_NETWORK_8
 network-object host 123.13.8.14
 network-object 123.13.83.0 255.255.255.192
object-group network DM_INLINE_NETWORK_9
 network-object host 123.13.8.14
 network-object 123.13.83.0 255.255.255.192
object-group service SIP5060and5065 udp
 port-object eq 5065
 port-object eq sip
object-group network DM_INLINE_NETWORK_21
 network-object host 123.13.83.48
 network-object host 123.13.83.6
 network-object host 123.13.83.49
 network-object host 123.13.83.13
object-group network SIPProviders
 network-object host 72.166.217.25
 network-object host 148.244.146.137
 network-object host 201.151.64.67
 network-object host 67.16.101.76
 network-object host 208.85.184.40
 network-object host 208.85.184.42
 network-object host 148.244.145.3
 network-object host 200.76.5.141
 network-object host 81.201.84.195
 network-object host 209.130.223.41
 network-object host 67.16.102.60
 network-object host 65.243.172.245
 network-object host 65.211.120.237
 network-object host 65.217.40.210
 network-object host 63.77.76.248
 network-object host 66.62.60.101
 network-object host 201.130.65.44
 network-object host 174.133.4.74
 network-object host 64.136.174.30
 network-object host 204.0.14.7
 network-object host 66.62.60.120
 network-object host 216.82.224.202
 network-object host 216.82.225.202
object-group network SIPCustomers
 network-object 1.0.0.0 255.0.0.0
 network-object 2.0.0.0 255.0.0.0
 network-object 3.0.0.0 255.0.0.0
 network-object 4.0.0.0 255.0.0.0
 network-object 5.0.0.0 255.0.0.0
 network-object 6.0.0.0 255.0.0.0
 network-object 7.0.0.0 255.0.0.0
 network-object 8.0.0.0 255.0.0.0
 network-object 9.0.0.0 255.0.0.0
 network-object 10.0.0.0 255.0.0.0
 network-object 11.0.0.0 255.0.0.0
 network-object 12.0.0.0 255.0.0.0
 network-object 13.0.0.0 255.0.0.0
 network-object 14.0.0.0 255.0.0.0
 network-object 15.0.0.0 255.0.0.0
 network-object 16.0.0.0 255.0.0.0
 network-object 17.0.0.0 255.0.0.0
 network-object 18.0.0.0 255.0.0.0
 network-object 19.0.0.0 255.0.0.0
 network-object 20.0.0.0 255.0.0.0
 network-object 21.0.0.0 255.0.0.0
 network-object 22.0.0.0 255.0.0.0
 network-object 23.0.0.0 255.0.0.0
 network-object 24.0.0.0 255.0.0.0
 network-object 25.0.0.0 255.0.0.0
 network-object 26.0.0.0 255.0.0.0
 network-object 27.0.0.0 255.0.0.0
 network-object 28.0.0.0 255.0.0.0
 network-object 29.0.0.0 255.0.0.0
 network-object 30.0.0.0 255.0.0.0
 network-object 31.0.0.0 255.0.0.0
 network-object 32.0.0.0 255.0.0.0
 network-object 33.0.0.0 255.0.0.0
 network-object 34.0.0.0 255.0.0.0
 network-object 35.0.0.0 255.0.0.0
 network-object 36.0.0.0 255.0.0.0
 network-object 37.0.0.0 255.0.0.0
 network-object 38.0.0.0 255.0.0.0
 network-object 39.0.0.0 255.0.0.0
 network-object 40.0.0.0 255.0.0.0
 network-object 51.0.0.0 255.0.0.0
 network-object 52.0.0.0 255.0.0.0
 network-object 53.0.0.0 255.0.0.0
 network-object 54.0.0.0 255.0.0.0
 network-object 55.0.0.0 255.0.0.0
 network-object 56.0.0.0 255.0.0.0
 network-object 57.0.0.0 255.0.0.0
 network-object 58.0.0.0 255.0.0.0
 network-object 59.0.0.0 255.0.0.0
 network-object 60.0.0.0 255.0.0.0
 network-object 61.0.0.0 255.0.0.0
 network-object 62.0.0.0 255.0.0.0
 network-object 63.0.0.0 255.0.0.0
 network-object 64.0.0.0 255.0.0.0
 network-object 65.0.0.0 255.0.0.0
 network-object 66.0.0.0 255.0.0.0
 network-object 67.0.0.0 255.0.0.0
 network-object 68.0.0.0 255.0.0.0
 network-object 69.0.0.0 255.0.0.0
 network-object 70.0.0.0 255.0.0.0
 network-object 71.0.0.0 255.0.0.0
 network-object 72.0.0.0 255.0.0.0
 network-object 73.0.0.0 255.0.0.0
 network-object 74.0.0.0 255.0.0.0
 network-object 75.0.0.0 255.0.0.0
 network-object 76.0.0.0 255.0.0.0
 network-object 77.0.0.0 255.0.0.0
 network-object 78.0.0.0 255.0.0.0
 network-object 79.0.0.0 255.0.0.0
 network-object 80.0.0.0 255.0.0.0
 network-object 81.0.0.0 255.0.0.0
 network-object 82.0.0.0 255.0.0.0
 network-object 83.0.0.0 255.0.0.0
 network-object 84.0.0.0 255.0.0.0
 network-object 85.0.0.0 255.0.0.0
 network-object 86.0.0.0 255.0.0.0
 network-object 87.0.0.0 255.0.0.0
 network-object 88.0.0.0 255.0.0.0
 network-object 89.0.0.0 255.0.0.0
 network-object 90.0.0.0 255.0.0.0
 network-object 91.0.0.0 255.0.0.0
 network-object 92.0.0.0 255.0.0.0
 network-object 93.0.0.0 255.0.0.0
 network-object 94.0.0.0 255.0.0.0
 network-object 95.0.0.0 255.0.0.0
 network-object 96.0.0.0 255.0.0.0
 network-object 97.0.0.0 255.0.0.0
 network-object 98.0.0.0 255.0.0.0
 network-object 99.0.0.0 255.0.0.0
 network-object 100.0.0.0 255.0.0.0
 network-object 101.0.0.0 255.0.0.0
 network-object 102.0.0.0 255.0.0.0
 network-object 103.0.0.0 255.0.0.0
 network-object 104.0.0.0 255.0.0.0
 network-object 105.0.0.0 255.0.0.0
 network-object 106.0.0.0 255.0.0.0
 network-object 107.0.0.0 255.0.0.0
 network-object 108.0.0.0 255.0.0.0
 network-object 109.0.0.0 255.0.0.0
 network-object 110.0.0.0 255.0.0.0
 network-object 111.0.0.0 255.0.0.0
 network-object 112.0.0.0 255.0.0.0
 network-object 113.0.0.0 255.0.0.0
 network-object 114.0.0.0 255.0.0.0
 network-object 115.0.0.0 255.0.0.0
 network-object 116.0.0.0 255.0.0.0
 network-object 117.0.0.0 255.0.0.0
 network-object 118.0.0.0 255.0.0.0
 network-object 119.0.0.0 255.0.0.0
 network-object 120.0.0.0 255.0.0.0
 network-object 121.0.0.0 255.0.0.0
 network-object 122.0.0.0 255.0.0.0
 network-object 123.0.0.0 255.0.0.0
 network-object 124.0.0.0 255.0.0.0
 network-object 125.0.0.0 255.0.0.0
 network-object 126.0.0.0 255.0.0.0
 network-object 127.0.0.0 255.0.0.0
 network-object 128.0.0.0 255.0.0.0
 network-object 129.0.0.0 255.0.0.0
 network-object 130.0.0.0 255.0.0.0
 network-object 131.0.0.0 255.0.0.0
 network-object 132.0.0.0 255.0.0.0
 network-object 133.0.0.0 255.0.0.0
 network-object 134.0.0.0 255.0.0.0
 network-object 135.0.0.0 255.0.0.0
 network-object 136.0.0.0 255.0.0.0
 network-object 137.0.0.0 255.0.0.0
 network-object 138.0.0.0 255.0.0.0
 network-object 139.0.0.0 255.0.0.0
 network-object 140.0.0.0 255.0.0.0
 network-object 141.0.0.0 255.0.0.0
 network-object 142.0.0.0 255.0.0.0
 network-object 143.0.0.0 255.0.0.0
 network-object 144.0.0.0 255.0.0.0
 network-object 145.0.0.0 255.0.0.0
 network-object 146.0.0.0 255.0.0.0
 network-object 147.0.0.0 255.0.0.0
 network-object 148.0.0.0 255.0.0.0
 network-object 149.0.0.0 255.0.0.0
 network-object 150.0.0.0 255.0.0.0
 network-object 151.0.0.0 255.0.0.0
 network-object 152.0.0.0 255.0.0.0
 network-object 153.0.0.0 255.0.0.0
 network-object 154.0.0.0 255.0.0.0
 network-object 155.0.0.0 255.0.0.0
 network-object 156.0.0.0 255.0.0.0
 network-object 157.0.0.0 255.0.0.0
 network-object 158.0.0.0 255.0.0.0
 network-object 159.0.0.0 255.0.0.0
 network-object 160.0.0.0 255.0.0.0
 network-object 161.0.0.0 255.0.0.0
 network-object 162.0.0.0 255.0.0.0
 network-object 163.0.0.0 255.0.0.0
 network-object 164.0.0.0 255.0.0.0
 network-object 165.0.0.0 255.0.0.0
 network-object 166.0.0.0 255.0.0.0
 network-object 167.0.0.0 255.0.0.0
 network-object 168.0.0.0 255.0.0.0
 network-object 169.0.0.0 255.0.0.0
 network-object 170.0.0.0 255.0.0.0
 network-object 171.0.0.0 255.0.0.0
 network-object 172.0.0.0 255.0.0.0
 network-object 173.0.0.0 255.0.0.0
 network-object 174.0.0.0 255.0.0.0
 network-object 175.0.0.0 255.0.0.0
 network-object 176.0.0.0 255.0.0.0
 network-object 177.0.0.0 255.0.0.0
 network-object 178.0.0.0 255.0.0.0
 network-object 179.0.0.0 255.0.0.0
 network-object 180.0.0.0 255.0.0.0
 network-object 181.0.0.0 255.0.0.0
 network-object 182.0.0.0 255.0.0.0
 network-object 183.0.0.0 255.0.0.0
 network-object 184.0.0.0 255.0.0.0
 network-object 185.0.0.0 255.0.0.0
 network-object 186.0.0.0 255.0.0.0
 network-object 187.0.0.0 255.0.0.0
 network-object 188.0.0.0 255.0.0.0
 network-object 189.0.0.0 255.0.0.0
 network-object 190.0.0.0 255.0.0.0
 network-object 191.0.0.0 255.0.0.0
 network-object 192.0.0.0 255.0.0.0
 network-object 193.0.0.0 255.0.0.0
 network-object 194.0.0.0 255.0.0.0
 network-object 195.0.0.0 255.0.0.0
 network-object 196.0.0.0 255.0.0.0
 network-object 197.0.0.0 255.0.0.0
 network-object 198.0.0.0 255.0.0.0
 network-object 199.0.0.0 255.0.0.0
 network-object 200.0.0.0 255.0.0.0
 network-object 201.0.0.0 255.0.0.0
 network-object 202.0.0.0 255.0.0.0
 network-object 203.0.0.0 255.0.0.0
 network-object 204.0.0.0 255.0.0.0
 network-object 205.0.0.0 255.0.0.0
 network-object 206.0.0.0 255.0.0.0
 network-object 207.0.0.0 255.0.0.0
 network-object 208.0.0.0 255.0.0.0
 network-object 209.0.0.0 255.0.0.0
 network-object 210.0.0.0 255.0.0.0
 network-object 211.0.0.0 255.0.0.0
 network-object 212.0.0.0 255.0.0.0
 network-object 213.0.0.0 255.0.0.0
 network-object 214.0.0.0 255.0.0.0
 network-object 215.0.0.0 255.0.0.0
 network-object 216.0.0.0 255.0.0.0
 network-object 217.0.0.0 255.0.0.0
 network-object 218.0.0.0 255.0.0.0
 network-object 219.0.0.0 255.0.0.0
 network-object 220.0.0.0 255.0.0.0
 network-object 221.0.0.0 255.0.0.0
 network-object 222.0.0.0 255.0.0.0
 network-object 223.0.0.0 255.0.0.0
 network-object 224.0.0.0 255.0.0.0
 network-object 225.0.0.0 255.0.0.0
 network-object 226.0.0.0 255.0.0.0
 network-object 227.0.0.0 255.0.0.0
 network-object 228.0.0.0 255.0.0.0
 network-object 229.0.0.0 255.0.0.0
 network-object 230.0.0.0 255.0.0.0
 network-object 231.0.0.0 255.0.0.0
 network-object 232.0.0.0 255.0.0.0
 network-object 233.0.0.0 255.0.0.0
 network-object 234.0.0.0 255.0.0.0
 network-object 235.0.0.0 255.0.0.0
 network-object 236.0.0.0 255.0.0.0
 network-object 237.0.0.0 255.0.0.0
 network-object 238.0.0.0 255.0.0.0
 network-object 239.0.0.0 255.0.0.0
 network-object 240.0.0.0 255.0.0.0
 network-object 241.0.0.0 255.0.0.0
 network-object 242.0.0.0 255.0.0.0
 network-object 243.0.0.0 255.0.0.0
 network-object 244.0.0.0 255.0.0.0
 network-object 245.0.0.0 255.0.0.0
 network-object 246.0.0.0 255.0.0.0
 network-object 247.0.0.0 255.0.0.0
 network-object 248.0.0.0 255.0.0.0
 network-object 249.0.0.0 255.0.0.0
 network-object 250.0.0.0 255.0.0.0
 network-object 251.0.0.0 255.0.0.0
 network-object 252.0.0.0 255.0.0.0
 network-object 253.0.0.0 255.0.0.0
 network-object 254.0.0.0 255.0.0.0
 network-object 255.0.0.0 255.0.0.0
object-group network BlackListedServers
 description These servers have been added to the blacklist because they are sending a flood of REGISTER or INVITE messages.
 network-object host 210.51.47.168
 network-object host 211.155.228.23
 network-object host 212.154.211.173
access-list Outside_access_in remark Web Server Access
access-list Outside_access_in extended permit tcp any object-group WebServers object-group WebServices log disable
access-list Outside_access_in extended permit ip 0.0.0.0 240.0.0.0 any inactive
access-list Outside_access_in extended permit ip 16.0.0.0 240.0.0.0 any inactive
access-list Outside_access_in extended permit ip 32.0.0.0 224.0.0.0 any inactive
access-list Outside_access_in extended permit ip 64.0.0.0 224.0.0.0 any inactive
access-list Outside_access_in extended permit ip 96.0.0.0 240.0.0.0 any inactive
access-list Outside_access_in extended permit ip 112.0.0.0 240.0.0.0 any inactive
access-list Outside_access_in extended permit ip 128.0.0.0 240.0.0.0 any inactive
access-list Outside_access_in extended permit ip 144.0.0.0 240.0.0.0 any inactive
access-list Outside_access_in extended permit ip 160.0.0.0 240.0.0.0 any inactive
access-list Outside_access_in extended permit ip 176.0.0.0 240.0.0.0 any inactive
access-list Outside_access_in extended permit ip 192.0.0.0 240.0.0.0 any inactive
access-list Outside_access_in extended permit ip 208.0.0.0 248.0.0.0 any inactive
access-list Outside_access_in extended permit ip 224.0.0.0 248.0.0.0 any inactive
access-list Outside_access_in extended deny ip any 123.13.8.0 255.255.255.0 inactive
access-list Outside_access_in extended deny ip any any inactive
access-list Outside_access_in extended deny ip object-group BlackListedServers any
access-list Outside_access_in remark VOIP Access to softswitch Servers
access-list Outside_access_in extended permit udp any object-group MediaServersGroup range 1024 65535 log disable
access-list Outside_access_in remark Desktop Perspective Access to WS02
access-list Outside_access_in extended permit icmp any host 123.13.83.6 log disable  
access-list Outside_access_in extended permit icmp any any echo-reply log disable
access-list Outside_access_in extended permit udp any object-group AcmePacket-Servers object-group UDP-Phone log disable
access-list Outside_access_in extended permit udp any object-group Beta-AcmePacket-Servers object-group UDP-Phone log disable
access-list Outside_access_in remark TFTP to WS01
access-list Outside_access_in extended permit udp any host 123.13.83.13 eq tftp log disable
access-list inside-nonat extended permit ip 172.16.1.0 255.255.255.0 123.13.83.0 255.255.255.192
access-list inside-nonat extended permit ip 172.16.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside-nonat extended permit ip 172.16.1.0 255.255.255.0 10.250.1.0 255.255.255.240
access-list inside-nonat extended permit ip 172.16.1.0 255.255.255.0 123.13.8.0 255.255.255.0
access-list inside-nonat extended permit ip 172.16.1.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list inside-nonat extended permit ip 172.16.1.0 255.255.255.0 10.250.2.0 255.255.255.240
access-list inside-nonat extended permit ip 172.16.1.0 255.255.255.0 123.13.31.0 255.255.255.0
access-list permit_dmz extended permit ip 123.13.83.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list permit_dmz extended permit ip any any
access-list dmz-nonat extended permit ip 123.13.83.0 255.255.255.0 any
access-list dmz-nonat extended permit ip object-group DM_INLINE_NETWORK_2 object-group minsanaPlant1
access-list dmz-nonat extended permit ip object-group DM_INLINE_NETWORK_21 host 10.100.0.46
access-list crossconnect-access-in extended permit ip any any
access-list zonveri_VPN1 extended permit ip host 123.13.83.8 63.110.102.224 255.255.255.224
access-list Outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_7 63.110.102.224 255.255.255.224
access-list Outside_cryptomap_6 extended permit ip object-group DM_INLINE_NETWORK_1 object-group minsana
access-list Outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_10 65.211.120.224 255.255.255.224
access-list Outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_6 63.77.76.224 255.255.255.224
access-list Outside_cryptomap_3 extended permit ip object-group DM_INLINE_NETWORK_9 65.243.172.224 255.255.255.224
access-list Outside_cryptomap_4 extended permit ip object-group DM_INLINE_NETWORK_8 65.217.40.192 255.255.255.224
access-list DMZ-2_nat0_outbound extended permit ip 123.13.8.0 255.255.255.128 any
access-list test extended permit ip host 10.0.0.107 host 123.13.8.11
access-list test extended permit ip host 123.13.8.11 host 10.0.0.107
access-list permit_dmz-2 extended deny ip any any inactive
access-list permit_dmz-2 extended permit ip any any
access-list DMZ-2_nat0_outbound_1 extended permit ip 123.13.8.0 255.255.255.128 any
access-list Outside_7_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object-group minsanaPlant1
access-list UDP5060n5065 extended permit udp any any object-group SIP5060and5065 log disable
access-list UDP5060n5065 extended permit udp any object-group SIP5060and5065 any log disable
access-list 360Networks extended permit udp 66.62.162.0 255.255.255.0 any
access-list 360Networks extended permit udp any 66.62.162.0 255.255.255.0
access-list asdm_cap_selector_DMZ extended permit ip any host 123.13.83.13
access-list asdm_cap_selector_DMZ extended permit ip host 123.13.83.13 any
access-list provisioning_server extended permit tcp any host 123.13.83.13
!
tcp-map mss-map
  exceed-mss allow
!
pager lines 10
logging enable
logging asdm-buffer-size 512
logging asdm critical
logging host crossConnect 123.13.31.4
mtu Outside 1500
mtu inside 1500
mtu crossConnect 1500
mtu DMZ 1500
mtu DMZ-2 1500
mtu management 1500
failover
failover lan unit secondary
failover lan interface Failover GigabitEthernet0/3
failover link Failover GigabitEthernet0/3
failover interface ip Failover 172.17.1.10 255.255.255.0 standby 172.17.1.11
monitor-interface inside
monitor-interface DMZ
monitor-interface DMZ-2
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any DMZ-2
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (inside) 0 access-list inside-nonat
nat (inside) 1 172.16.1.0 255.255.255.0
nat (DMZ) 0 access-list dmz-nonat
nat (DMZ-2) 0 access-list DMZ-2_nat0_outbound_1
nat (management) 0 0.0.0.0 0.0.0.0
access-group Outside_access_in in interface Outside
access-group crossconnect-access-in in interface crossConnect
access-group permit_dmz in interface DMZ
access-group permit_dmz-2 in interface DMZ-2
!
route-map tews permit 10
!
route Outside 0.0.0.0 0.0.0.0 123.13.84.145 1
route crossConnect 10.0.0.0 255.255.255.0 10.250.1.5 1
route crossConnect 10.0.10.0 255.255.255.0 10.250.1.5 1
route crossConnect 10.250.2.0 255.255.255.240 10.250.1.5 1
route crossConnect 123.13.31.0 255.255.255.0 10.250.1.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.255.255.0 crossConnect
http 172.16.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set zonveri_IPSEC esp-3des esp-md5-hmac
crypto map outside_cryptomap 1 match address zonveri_VPN1
crypto map outside_cryptomap 1 set pfs
crypto map outside_cryptomap 1 set peer *
crypto map Outside_map 1 match address Outside_cryptomap_1
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer *
crypto map Outside_map 1 set transform-set ESP-3DES-MD5 zonveri_IPSEC
crypto map Outside_map 2 match address Outside_cryptomap
crypto map Outside_map 2 set pfs
crypto map Outside_map 2 set peer *
crypto map Outside_map 2 set transform-set zonveri_IPSEC
crypto map Outside_map 2 set security-association lifetime seconds 86400
crypto map Outside_map 3 match address Outside_cryptomap_2
crypto map Outside_map 3 set pfs
crypto map Outside_map 3 set peer *
crypto map Outside_map 3 set transform-set zonveri_IPSEC
crypto map Outside_map 3 set security-association lifetime seconds 86400
crypto map Outside_map 4 match address Outside_cryptomap_3
crypto map Outside_map 4 set pfs
crypto map Outside_map 4 set peer *
crypto map Outside_map 4 set transform-set zonveri_IPSEC
crypto map Outside_map 4 set security-association lifetime seconds 86400
crypto map Outside_map 5 match address Outside_cryptomap_4
crypto map Outside_map 5 set pfs
crypto map Outside_map 5 set peer *
crypto map Outside_map 5 set transform-set zonveri_IPSEC
crypto map Outside_map 5 set security-association lifetime seconds 86400
crypto map Outside_map 6 match address Outside_cryptomap_6
crypto map Outside_map 6 set peer *
crypto map Outside_map 6 set transform-set ESP-3DES-MD5
crypto map Outside_map 6 set nat-t-disable
crypto map Outside_map 7 match address Outside_7_cryptomap
crypto map Outside_map 7 set pfs
crypto map Outside_map 7 set peer *
crypto map Outside_map 7 set transform-set ESP-3DES-MD5
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
no crypto isakmp nat-traversal
telnet timeout 5
ssh 172.16.1.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 crossConnect
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 15
console timeout 0
management-access inside
dhcprelay server 123.13.31.4 crossConnect
dhcprelay server 123.13.31.201 crossConnect
dhcprelay enable inside
dhcprelay enable DMZ
dhcprelay enable DMZ-2
dhcprelay setroute inside
dhcprelay timeout 60
priority-queue Outside
  tx-ring-limit 80
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
!
class-map global-class
 match port udp range 1024 65535
class-map inspection_default
 match default-inspection-traffic
class-map http-map1
 match access-list provisioning_server
class-map map
!
!
policy-map type inspect dns migrated_dns_map_2
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_2
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect esmtp
 class global-class
  priority
policy-map http-map1
 class http-map1
  set connection advanced-options mss-map
!
service-policy global_policy global
service-policy http-map1 interface DMZ
ntp server * source Outside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group * type ipsec-l2l
tunnel-group * ipsec-attributes
 pre-shared-key *
tunnel-group * type ipsec-l2l
tunnel-group * ipsec-attributes
 pre-shared-key *
tunnel-group * type ipsec-l2l
tunnel-group * ipsec-attributes
 pre-shared-key *
tunnel-group * type ipsec-l2l
tunnel-group * ipsec-attributes
 pre-shared-key *
tunnel-group * type ipsec-l2l
tunnel-group * ipsec-attributes
 pre-shared-key *
tunnel-group * type ipsec-l2l
tunnel-group * ipsec-attributes
 pre-shared-key *
tunnel-group * type ipsec-l2l
tunnel-group * ipsec-attributes
 pre-shared-key *
prompt hostname context
: end
JFrederick29

Once a connection is permitted via the ACL, subsequent packets that are part of that connection are no longer checked against the access-list.  Clearing the connections (not xlate) for the host in question probably would have also stopped the flow of traffic.
A possibility could be... The security levels on the Outside interface are lower than DMZ-2.  By default traffic can pass across the backplane from a higher to lower interface.
dbeutler

ASKER

I tried the 'clear conn all' command but it wasn't valid, and I found a post online that stated that clearing the xlate was needed.  If you could tell me what command I should have issued, that would have been great.  However, I would also like to know why clearing the xlate was not enough and how/why each clearing is needed.
Thanks,
Danny
BTW, I just found a command reference for version 8.0 online which says that the 'clear conn' command was introduced in version 8.0(4):
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c3.html#wp2140024

You are doing NAT exemption for the DMZ-2 traffic, which in turn I'm pretty sure doesn't create an xlate entry, so doing a clear xlate has no effect.  You can use the "clear conn address x.x.x.x" to clear any connection associated with the IP address in question.  You are correct, it was introduced into the 8.0(4) release.  You'll probably want to upgrade to that release anyway, as 8.0(2) was a pretty buggy release if memory serves me correctly.

What I am hearing is that there was no way to clear the connections unless I upgraded to a new version. ('Clear conn' in any form was not available in 8.0(2).)  Is that correct?  What about the clear local-host?  Would that have done it?

I think I am beginning to understand... please let me know if I am on the right track with the following statements.  Each successful traversal of the firewall needs both an ACL and a NAT rule.  (I think that is correct, but please correct me at any point in the conversation here.)  From my understanding, the ACL is at a higher level than the NAT rule or, in other words, the ACL is evaluated first, before the NAT rules. Now, from what I am hearing, the connections table is an ACL shortcut.  In other words, if a connection exists in the connections table, the connection is allowed through without evaluating the ACL.  I am also hearing that the xlate table is a shortcut for the NAT statements.  Therefore, if an entry exists in the xlate table, the NAT rules are not evaluated.
Now to my specific situation:  I had added an ACL which blocked the traffic.  However, the connections in the connection table allowed almost all of the traffic through, because it bypasses the ACL if a connection already exists.  Similarly, I had cleared the xlate so there was no shortcut around the NAT rules.  However, because there was exemption from NAT (which I interpret as the same as one-to-one NAT across the board) on the DMZ-2 interface, the traffic which made it through the ACL layer via the connections table would immediately create a new xlate because of the NAT exemption.  Does that sound about right?
Thanks,
Danny

Am I asking too much followup for one question?  I am sorry if that is too much detail, but I just want to make sure I know why the ACL was ineffective for future troubleshooting.
Thanks,
Danny
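To make the mechanism JFrederick29 describes above (and the asker's restatement of it) concrete, here is a toy model added for this page; it is not ASA code and not Cisco's algorithm. It keeps an ACL, a connection table and an xlate table for one interface and replays the steps from the question. Everything in it is an assumption of the model: the addresses are RFC 5737 documentation ranges standing in for the DMZ-2 server and the phones, the flow key ignores source ports, and, following the thread, clearing an xlate tears down the connections built on it while NAT-exempt flows create no xlate at all.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action plus source/destination prefixes ("0.0.0.0/0" = any)."""
    action: str
    src: str
    dst: str

    def matches(self, pkt):
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "udp"

    def flow_key(self):
        # Simplified flow identity; a real conn entry also carries the source port.
        return (self.proto, self.src, self.dst, self.dport)


class ToyAsa:
    """Minimal stand-in for one ASA interface: ACL, conn table and xlate table."""

    def __init__(self, acl, nat_exempt=True):
        self.acl = list(acl)
        self.conns = set()      # what 'show conn' would list (flow keys)
        self.xlates = set()     # flow keys that own a translation ('show xlate')
        self.nat_exempt = nat_exempt

    def _acl_permits(self, pkt):
        for ace in self.acl:            # first match wins, top to bottom
            if ace.matches(pkt):
                return ace.action == "permit"
        return False                    # implicit deny at the end of every ACL

    def forward(self, pkt):
        key = pkt.flow_key()
        if key in self.conns:
            return "fast-path"          # established flow: the ACL is not consulted
        if not self._acl_permits(pkt):
            return "dropped"
        self.conns.add(key)             # the first packet builds the conn entry
        if not self.nat_exempt:
            self.xlates.add(key)        # translated traffic also builds an xlate
        return "permitted"

    def insert_deny_at_top(self):
        self.acl.insert(0, Ace("deny", "0.0.0.0/0", "0.0.0.0/0"))

    def clear_xlate(self):
        # Model assumption taken from the thread: removing an xlate tears down the
        # connections built on it, so NAT-exempt flows (which have none) survive.
        self.conns -= self.xlates
        self.xlates.clear()

    def clear_conn(self, address=None):
        # Stand-in for 'clear conn' / 'clear conn address x.x.x.x'
        if address is None:
            self.conns.clear()
        else:
            self.conns = {k for k in self.conns if address not in (k[1], k[2])}


def replay_incident(nat_exempt=True):
    """Replay the steps from the question; returns (step, outcome) pairs."""
    server = "198.51.100.10"            # constructed stand-in for the DMZ-2 SIP server
    asa = ToyAsa([Ace("permit", "0.0.0.0/0", "198.51.100.0/24")], nat_exempt)
    phone = Packet("203.0.113.5", server, 5060)       # constructed registrant
    newcomer = Packet("203.0.113.77", server, 5060)   # a phone with no conn entry yet
    log = [
        ("first REGISTER", asa.forward(phone)),
        ("retransmit", asa.forward(phone)),
    ]
    asa.insert_deny_at_top()    # the 'deny ip any any' added at the top of the ACL
    asa.clear_xlate()
    log.append(("after deny + clear xlate, same phone", asa.forward(phone)))
    log.append(("after deny, new phone", asa.forward(newcomer)))
    asa.clear_conn(address=server)
    log.append(("after clear conn, same phone", asa.forward(phone)))
    return log


if __name__ == "__main__":
    for mode in (True, False):
        print("nat_exempt =", mode)
        for step, outcome in replay_incident(mode):
            print(f"  {step:40s} {outcome}")
```

Run with nat_exempt=True to reproduce the incident: the deny added at the top only stops the newcomer, the retransmitting phone keeps riding its existing conn entry, and clearing xlates changes nothing because NAT exemption never built one; only clear_conn(address=server), the model's stand-in for the clear conn address command discussed above, makes the next packet from that phone hit the new deny. Run with nat_exempt=False to see why clearing xlates would have torn the flow down for translated traffic.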
ASKER CERTIFIED SOLUTION
JFrederick29