Solved

Cisco ASA access-list not denying traffic

Posted on 2011-02-24
8
2,035 Views
Last Modified: 2012-06-27
We recently had a situation where an access-list to deny traffic was not taking effect.  Background: A SIP VoIP server sits in our "DMZ-2".  This server handles SIP registrations and calls (it is a registrar and proxy). Recently, the server was rebooted.  Upon rebooting the flood of SIP registrations and invites was causing the server CPU to spike to 100% and reject all incomming calls.  In an effort mitigate the storm of traffic, we decided to block traffic on the firewall.  We added a deny statement at the top of the access list to deny all traffic coming into the outside interface.  We applied the acl and cleared the xlate and traffic was still getting through.  At this point we figured that the SIP server could be sending back SIP responses from the DMZ-2 and therefore opening pin-holes through the firewall which would ignore the access-list blocking all inbound traffic.  In order to stop all traffic, we setup an additional access list to block all incoming traffic on the DMZ-2 interface and again cleared the xlate.  Traffic was still getting through.  In order to stop the traffic, we had to disable the DMZ-2 interface.  When we re-enabled the interface, the deny ACL's were effective and we were able to slowly open the VoIP server to SIP traffic one group of subnets at a time.
The overarching question is why the deny statements would not have been effective?
Below you will find the details on our current configuration and versions (with some elements removed to protect the innocent):

Cisco Adaptive Security Appliance Software Version 8.0(2)
Device Manager Version 6.2(1)

Result of the command: "sh run"

: Saved
:
ASA Version 8.0(2)
!
hostname LNDCBLFW01
names

dns-guard
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 123.13.84.146 255.255.255.240 standby 123.13.84.147
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.54
 vlan 54
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
!
interface GigabitEthernet0/1.57
 vlan 57
 nameif crossConnect
 security-level 25
 ip address 10.250.1.1 255.255.255.240 standby 10.250.1.2
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2.56
 vlan 56
 nameif DMZ
 security-level 50
 ip address 123.13.83.1 255.255.255.192 standby 123.13.83.2
!
interface GigabitEthernet0/2.60
 vlan 60
 nameif DMZ-2
 security-level 50
 ip address 123.13.8.1 255.255.255.128 standby 123.13.8.2
!
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa802-k8.bin
ftp mode passive
dns server-group DefaultDNS
same-security-traffic permit inter-interface
object-group service Phone
 service-object udp range 1024 65535
object-group service UDP-Phone udp
 port-object range 1024 65535
object-group service Phones udp
 group-object UDP-Phone
object-group service UDP udp
 group-object UDP-Phone
object-group network softswitchServers
 network-object host 123.13.83.8
 network-object host 123.13.83.54
object-group network NatpassGroup
 network-object host 123.13.83.11
 network-object host 123.13.83.7
object-group network NextoneServers
 network-object host 123.13.83.42
 network-object host 123.13.83.43
 network-object host 123.13.83.44
 network-object host 123.13.83.45
 network-object host 123.13.83.46
 network-object host 123.13.83.48
 network-object host 123.13.83.49
 network-object host 123.13.83.50
 network-object host 123.13.83.51
 network-object host 123.13.83.41
object-group network WebServers
 network-object host 123.13.83.10
 network-object host 123.13.83.13
 network-object host 123.13.83.14
 network-object host 123.13.83.17
 network-object host 123.13.83.18
 network-object host 123.13.83.24
 network-object host 123.13.83.25
 network-object host 123.13.83.26
 network-object host 123.13.83.27
 network-object host 123.13.83.28
 network-object host 123.13.83.29
 network-object host 123.13.83.30
 network-object host 123.13.83.31
 network-object host 123.13.83.5
 network-object host 123.13.83.6
 network-object host 123.13.83.9
 network-object host 123.13.83.19
object-group service WebServices tcp
 description Port List for Access to Web Server
 port-object eq 1701
 port-object eq 8000
 port-object eq 8080
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
 port-object eq 490
 port-object eq 81
 port-object eq 7701
 port-object eq 1706
object-group network AcmePacket-Servers
 network-object host 123.13.8.10
 network-object host 123.13.8.11
 network-object host 123.13.8.14
 network-object host 123.13.8.15
 network-object host 123.13.8.16
 network-object host 123.13.8.17
 network-object host 123.13.8.18
 network-object host 123.13.8.19
 network-object host 123.13.8.8
 network-object host 123.13.8.6
 network-object host 123.13.8.20
 network-object host 123.13.8.21
object-group network minsana
 network-object 172.31.67.0 255.255.255.192
object-group network DM_INLINE_NETWORK_1
 network-object host 123.13.8.10
 network-object host 123.13.8.11
object-group network MediaSinkServers
 network-object host 123.13.8.50
object-group network minsana1
 description minsana Plant 1
 network-object 172.31.96.192 255.255.255.192
object-group network DM_INLINE_NETWORK_2
 network-object host 123.13.8.10
 network-object host 123.13.8.11
object-group network minsanaPlant1
 network-object 172.31.96.192 255.255.255.192
object-group network Viarktek
 description Viarktek Direct Access
 network-object host 190.8.42.18
 network-object host 190.8.42.21
 network-object host 190.8.42.22
object-group network MediaServersGroup
 description All of the Media Servers in Production
 network-object host 123.13.83.54
 network-object host 123.13.83.55
object-group network Beta-AcmePacket-Servers
 description AcmePacket Beta Addresses
 network-object host 123.13.8.7
 network-object host 123.13.8.9
object-group network DM_INLINE_NETWORK_10
 network-object host 123.13.8.14
 network-object 123.13.83.0 255.255.255.192
object-group network DM_INLINE_NETWORK_6
 network-object host 123.13.8.14
 network-object 123.13.83.0 255.255.255.192
object-group network DM_INLINE_NETWORK_7
 network-object host 123.13.8.14
 network-object 123.13.83.0 255.255.255.192
object-group network DM_INLINE_NETWORK_8
 network-object host 123.13.8.14
 network-object 123.13.83.0 255.255.255.192
object-group network DM_INLINE_NETWORK_9
 network-object host 123.13.8.14
 network-object 123.13.83.0 255.255.255.192
object-group service SIP5060and5065 udp
 port-object eq 5065
 port-object eq sip
object-group network DM_INLINE_NETWORK_21
 network-object host 123.13.83.48
 network-object host 123.13.83.6
 network-object host 123.13.83.49
 network-object host 123.13.83.13
object-group network SIPProviders
 network-object host 72.166.217.25
 network-object host 148.244.146.137
 network-object host 201.151.64.67
 network-object host 67.16.101.76
 network-object host 208.85.184.40
 network-object host 208.85.184.42
 network-object host 148.244.145.3
 network-object host 200.76.5.141
 network-object host 81.201.84.195
 network-object host 209.130.223.41
 network-object host 67.16.102.60
 network-object host 65.243.172.245
 network-object host 65.211.120.237
 network-object host 65.217.40.210
 network-object host 63.77.76.248
 network-object host 66.62.60.101
 network-object host 201.130.65.44
 network-object host 174.133.4.74
 network-object host 64.136.174.30
 network-object host 204.0.14.7
 network-object host 66.62.60.120
 network-object host 216.82.224.202
 network-object host 216.82.225.202
object-group network SIPCustomers
 network-object 1.0.0.0 255.0.0.0
 network-object 2.0.0.0 255.0.0.0
 network-object 3.0.0.0 255.0.0.0
 network-object 4.0.0.0 255.0.0.0
 network-object 5.0.0.0 255.0.0.0
 network-object 6.0.0.0 255.0.0.0
 network-object 7.0.0.0 255.0.0.0
 network-object 8.0.0.0 255.0.0.0
 network-object 9.0.0.0 255.0.0.0
 network-object 10.0.0.0 255.0.0.0
 network-object 11.0.0.0 255.0.0.0
 network-object 12.0.0.0 255.0.0.0
 network-object 13.0.0.0 255.0.0.0
 network-object 14.0.0.0 255.0.0.0
 network-object 15.0.0.0 255.0.0.0
 network-object 16.0.0.0 255.0.0.0
 network-object 17.0.0.0 255.0.0.0
 network-object 18.0.0.0 255.0.0.0
 network-object 19.0.0.0 255.0.0.0
 network-object 20.0.0.0 255.0.0.0
 network-object 21.0.0.0 255.0.0.0
 network-object 22.0.0.0 255.0.0.0
 network-object 23.0.0.0 255.0.0.0
 network-object 24.0.0.0 255.0.0.0
 network-object 25.0.0.0 255.0.0.0
 network-object 26.0.0.0 255.0.0.0
 network-object 27.0.0.0 255.0.0.0
 network-object 28.0.0.0 255.0.0.0
 network-object 29.0.0.0 255.0.0.0
 network-object 30.0.0.0 255.0.0.0
 network-object 31.0.0.0 255.0.0.0
 network-object 32.0.0.0 255.0.0.0
 network-object 33.0.0.0 255.0.0.0
 network-object 34.0.0.0 255.0.0.0
 network-object 35.0.0.0 255.0.0.0
 network-object 36.0.0.0 255.0.0.0
 network-object 37.0.0.0 255.0.0.0
 network-object 38.0.0.0 255.0.0.0
 network-object 39.0.0.0 255.0.0.0
 network-object 40.0.0.0 255.0.0.0
 network-object 51.0.0.0 255.0.0.0
 network-object 52.0.0.0 255.0.0.0
 network-object 53.0.0.0 255.0.0.0
 network-object 54.0.0.0 255.0.0.0
 network-object 55.0.0.0 255.0.0.0
 network-object 56.0.0.0 255.0.0.0
 network-object 57.0.0.0 255.0.0.0
 network-object 58.0.0.0 255.0.0.0
 network-object 59.0.0.0 255.0.0.0
 network-object 60.0.0.0 255.0.0.0
 network-object 61.0.0.0 255.0.0.0
 network-object 62.0.0.0 255.0.0.0
 network-object 63.0.0.0 255.0.0.0
 network-object 64.0.0.0 255.0.0.0
 network-object 65.0.0.0 255.0.0.0
 network-object 66.0.0.0 255.0.0.0
 network-object 67.0.0.0 255.0.0.0
 network-object 68.0.0.0 255.0.0.0
 network-object 69.0.0.0 255.0.0.0
 network-object 70.0.0.0 255.0.0.0
 network-object 71.0.0.0 255.0.0.0
 network-object 72.0.0.0 255.0.0.0
 network-object 73.0.0.0 255.0.0.0
 network-object 74.0.0.0 255.0.0.0
 network-object 75.0.0.0 255.0.0.0
 network-object 76.0.0.0 255.0.0.0
 network-object 77.0.0.0 255.0.0.0
 network-object 78.0.0.0 255.0.0.0
 network-object 79.0.0.0 255.0.0.0
 network-object 80.0.0.0 255.0.0.0
 network-object 81.0.0.0 255.0.0.0
 network-object 82.0.0.0 255.0.0.0
 network-object 83.0.0.0 255.0.0.0
 network-object 84.0.0.0 255.0.0.0
 network-object 85.0.0.0 255.0.0.0
 network-object 86.0.0.0 255.0.0.0
 network-object 87.0.0.0 255.0.0.0
 network-object 88.0.0.0 255.0.0.0
 network-object 89.0.0.0 255.0.0.0
 network-object 90.0.0.0 255.0.0.0
 network-object 91.0.0.0 255.0.0.0
 network-object 92.0.0.0 255.0.0.0
 network-object 93.0.0.0 255.0.0.0
 network-object 94.0.0.0 255.0.0.0
 network-object 95.0.0.0 255.0.0.0
 network-object 96.0.0.0 255.0.0.0
 network-object 97.0.0.0 255.0.0.0
 network-object 98.0.0.0 255.0.0.0
 network-object 99.0.0.0 255.0.0.0
 network-object 100.0.0.0 255.0.0.0
 network-object 101.0.0.0 255.0.0.0
 network-object 102.0.0.0 255.0.0.0
 network-object 103.0.0.0 255.0.0.0
 network-object 104.0.0.0 255.0.0.0
 network-object 105.0.0.0 255.0.0.0
 network-object 106.0.0.0 255.0.0.0
 network-object 107.0.0.0 255.0.0.0
 network-object 108.0.0.0 255.0.0.0
 network-object 109.0.0.0 255.0.0.0
 network-object 110.0.0.0 255.0.0.0
 network-object 111.0.0.0 255.0.0.0
 network-object 112.0.0.0 255.0.0.0
 network-object 113.0.0.0 255.0.0.0
 network-object 114.0.0.0 255.0.0.0
 network-object 115.0.0.0 255.0.0.0
 network-object 116.0.0.0 255.0.0.0
 network-object 117.0.0.0 255.0.0.0
 network-object 118.0.0.0 255.0.0.0
 network-object 119.0.0.0 255.0.0.0
 network-object 120.0.0.0 255.0.0.0
 network-object 121.0.0.0 255.0.0.0
 network-object 122.0.0.0 255.0.0.0
 network-object 123.0.0.0 255.0.0.0
 network-object 124.0.0.0 255.0.0.0
 network-object 125.0.0.0 255.0.0.0
 network-object 126.0.0.0 255.0.0.0
 network-object 127.0.0.0 255.0.0.0
 network-object 128.0.0.0 255.0.0.0
 network-object 129.0.0.0 255.0.0.0
 network-object 130.0.0.0 255.0.0.0
 network-object 131.0.0.0 255.0.0.0
 network-object 132.0.0.0 255.0.0.0
 network-object 133.0.0.0 255.0.0.0
 network-object 134.0.0.0 255.0.0.0
 network-object 135.0.0.0 255.0.0.0
 network-object 136.0.0.0 255.0.0.0
 network-object 137.0.0.0 255.0.0.0
 network-object 138.0.0.0 255.0.0.0
 network-object 139.0.0.0 255.0.0.0
 network-object 140.0.0.0 255.0.0.0
 network-object 141.0.0.0 255.0.0.0
 network-object 142.0.0.0 255.0.0.0
 network-object 143.0.0.0 255.0.0.0
 network-object 144.0.0.0 255.0.0.0
 network-object 145.0.0.0 255.0.0.0
 network-object 146.0.0.0 255.0.0.0
 network-object 147.0.0.0 255.0.0.0
 network-object 148.0.0.0 255.0.0.0
 network-object 149.0.0.0 255.0.0.0
 network-object 150.0.0.0 255.0.0.0
 network-object 151.0.0.0 255.0.0.0
 network-object 152.0.0.0 255.0.0.0
 network-object 153.0.0.0 255.0.0.0
 network-object 154.0.0.0 255.0.0.0
 network-object 155.0.0.0 255.0.0.0
 network-object 156.0.0.0 255.0.0.0
 network-object 157.0.0.0 255.0.0.0
 network-object 158.0.0.0 255.0.0.0
 network-object 159.0.0.0 255.0.0.0
 network-object 160.0.0.0 255.0.0.0
 network-object 161.0.0.0 255.0.0.0
 network-object 162.0.0.0 255.0.0.0
 network-object 163.0.0.0 255.0.0.0
 network-object 164.0.0.0 255.0.0.0
 network-object 165.0.0.0 255.0.0.0
 network-object 166.0.0.0 255.0.0.0
 network-object 167.0.0.0 255.0.0.0
 network-object 168.0.0.0 255.0.0.0
 network-object 169.0.0.0 255.0.0.0
 network-object 170.0.0.0 255.0.0.0
 network-object 171.0.0.0 255.0.0.0
 network-object 172.0.0.0 255.0.0.0
 network-object 173.0.0.0 255.0.0.0
 network-object 174.0.0.0 255.0.0.0
 network-object 175.0.0.0 255.0.0.0
 network-object 176.0.0.0 255.0.0.0
 network-object 177.0.0.0 255.0.0.0
 network-object 178.0.0.0 255.0.0.0
 network-object 179.0.0.0 255.0.0.0
 network-object 180.0.0.0 255.0.0.0
 network-object 181.0.0.0 255.0.0.0
 network-object 182.0.0.0 255.0.0.0
 network-object 183.0.0.0 255.0.0.0
 network-object 184.0.0.0 255.0.0.0
 network-object 185.0.0.0 255.0.0.0
 network-object 186.0.0.0 255.0.0.0
 network-object 187.0.0.0 255.0.0.0
 network-object 188.0.0.0 255.0.0.0
 network-object 189.0.0.0 255.0.0.0
 network-object 190.0.0.0 255.0.0.0
 network-object 191.0.0.0 255.0.0.0
 network-object 192.0.0.0 255.0.0.0
 network-object 193.0.0.0 255.0.0.0
 network-object 194.0.0.0 255.0.0.0
 network-object 195.0.0.0 255.0.0.0
 network-object 196.0.0.0 255.0.0.0
 network-object 197.0.0.0 255.0.0.0
 network-object 198.0.0.0 255.0.0.0
 network-object 199.0.0.0 255.0.0.0
 network-object 200.0.0.0 255.0.0.0
 network-object 201.0.0.0 255.0.0.0
 network-object 202.0.0.0 255.0.0.0
 network-object 203.0.0.0 255.0.0.0
 network-object 204.0.0.0 255.0.0.0
 network-object 205.0.0.0 255.0.0.0
 network-object 206.0.0.0 255.0.0.0
 network-object 207.0.0.0 255.0.0.0
 network-object 208.0.0.0 255.0.0.0
 network-object 209.0.0.0 255.0.0.0
 network-object 210.0.0.0 255.0.0.0
 network-object 211.0.0.0 255.0.0.0
 network-object 212.0.0.0 255.0.0.0
 network-object 213.0.0.0 255.0.0.0
 network-object 214.0.0.0 255.0.0.0
 network-object 215.0.0.0 255.0.0.0
 network-object 216.0.0.0 255.0.0.0
 network-object 217.0.0.0 255.0.0.0
 network-object 218.0.0.0 255.0.0.0
 network-object 219.0.0.0 255.0.0.0
 network-object 220.0.0.0 255.0.0.0
 network-object 221.0.0.0 255.0.0.0
 network-object 222.0.0.0 255.0.0.0
 network-object 223.0.0.0 255.0.0.0
 network-object 224.0.0.0 255.0.0.0
 network-object 225.0.0.0 255.0.0.0
 network-object 226.0.0.0 255.0.0.0
 network-object 227.0.0.0 255.0.0.0
 network-object 228.0.0.0 255.0.0.0
 network-object 229.0.0.0 255.0.0.0
 network-object 230.0.0.0 255.0.0.0
 network-object 231.0.0.0 255.0.0.0
 network-object 232.0.0.0 255.0.0.0
 network-object 233.0.0.0 255.0.0.0
 network-object 234.0.0.0 255.0.0.0
 network-object 235.0.0.0 255.0.0.0
 network-object 236.0.0.0 255.0.0.0
 network-object 237.0.0.0 255.0.0.0
 network-object 238.0.0.0 255.0.0.0
 network-object 239.0.0.0 255.0.0.0
 network-object 240.0.0.0 255.0.0.0
 network-object 241.0.0.0 255.0.0.0
 network-object 242.0.0.0 255.0.0.0
 network-object 243.0.0.0 255.0.0.0
 network-object 244.0.0.0 255.0.0.0
 network-object 245.0.0.0 255.0.0.0
 network-object 246.0.0.0 255.0.0.0
 network-object 247.0.0.0 255.0.0.0
 network-object 248.0.0.0 255.0.0.0
 network-object 249.0.0.0 255.0.0.0
 network-object 250.0.0.0 255.0.0.0
 network-object 251.0.0.0 255.0.0.0
 network-object 252.0.0.0 255.0.0.0
 network-object 253.0.0.0 255.0.0.0
 network-object 254.0.0.0 255.0.0.0
 network-object 255.0.0.0 255.0.0.0
object-group network BlackListedServers
 description These servers have been added to the blacklist because they are sending a flood of REGISTER or INVITE messages.
 network-object host 210.51.47.168
 network-object host 211.155.228.23
 network-object host 212.154.211.173
access-list Outside_access_in remark Web Server Access
access-list Outside_access_in extended permit tcp any object-group WebServers object-group WebServices log disable
access-list Outside_access_in extended permit ip 0.0.0.0 240.0.0.0 any inactive
access-list Outside_access_in extended permit ip 16.0.0.0 240.0.0.0 any inactive
access-list Outside_access_in extended permit ip 32.0.0.0 224.0.0.0 any inactive
access-list Outside_access_in extended permit ip 64.0.0.0 224.0.0.0 any inactive
access-list Outside_access_in extended permit ip 96.0.0.0 240.0.0.0 any inactive
access-list Outside_access_in extended permit ip 112.0.0.0 240.0.0.0 any inactive
access-list Outside_access_in extended permit ip 128.0.0.0 240.0.0.0 any inactive
access-list Outside_access_in extended permit ip 144.0.0.0 240.0.0.0 any inactive
access-list Outside_access_in extended permit ip 160.0.0.0 240.0.0.0 any inactive
access-list Outside_access_in extended permit ip 176.0.0.0 240.0.0.0 any inactive
access-list Outside_access_in extended permit ip 192.0.0.0 240.0.0.0 any inactive
access-list Outside_access_in extended permit ip 208.0.0.0 248.0.0.0 any inactive
access-list Outside_access_in extended permit ip 224.0.0.0 248.0.0.0 any inactive
access-list Outside_access_in extended deny ip any 123.13.8.0 255.255.255.0 inactive
access-list Outside_access_in extended deny ip any any inactive
access-list Outside_access_in extended deny ip object-group BlackListedServers any
access-list Outside_access_in remark VOIP Access to softswitch Servers
access-list Outside_access_in extended permit udp any object-group MediaServersGroup range 1024 65535 log disable
access-list Outside_access_in remark Desktop Perspective Access to WS02
access-list Outside_access_in extended permit icmp any host 123.13.83.6 log disable  
access-list Outside_access_in extended permit icmp any any echo-reply log disable
access-list Outside_access_in extended permit udp any object-group AcmePacket-Servers object-group UDP-Phone log disable
access-list Outside_access_in extended permit udp any object-group Beta-AcmePacket-Servers object-group UDP-Phone log disable
access-list Outside_access_in remark TFTP to WS01
access-list Outside_access_in extended permit udp any host 123.13.83.13 eq tftp log disable
access-list inside-nonat extended permit ip 172.16.1.0 255.255.255.0 123.13.83.0 255.255.255.192
access-list inside-nonat extended permit ip 172.16.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside-nonat extended permit ip 172.16.1.0 255.255.255.0 10.250.1.0 255.255.255.240
access-list inside-nonat extended permit ip 172.16.1.0 255.255.255.0 123.13.8.0 255.255.255.0
access-list inside-nonat extended permit ip 172.16.1.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list inside-nonat extended permit ip 172.16.1.0 255.255.255.0 10.250.2.0 255.255.255.240
access-list inside-nonat extended permit ip 172.16.1.0 255.255.255.0 123.13.31.0 255.255.255.0
access-list permit_dmz extended permit ip 123.13.83.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list permit_dmz extended permit ip any any
access-list dmz-nonat extended permit ip 123.13.83.0 255.255.255.0 any
access-list dmz-nonat extended permit ip object-group DM_INLINE_NETWORK_2 object-group minsanaPlant1
access-list dmz-nonat extended permit ip object-group DM_INLINE_NETWORK_21 host 10.100.0.46
access-list crossconnect-access-in extended permit ip any any
access-list zonveri_VPN1 extended permit ip host 123.13.83.8 63.110.102.224 255.255.255.224
access-list Outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_7 63.110.102.224 255.255.255.224
access-list Outside_cryptomap_6 extended permit ip object-group DM_INLINE_NETWORK_1 object-group minsana
access-list Outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_10 65.211.120.224 255.255.255.224
access-list Outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_6 63.77.76.224 255.255.255.224
access-list Outside_cryptomap_3 extended permit ip object-group DM_INLINE_NETWORK_9 65.243.172.224 255.255.255.224
access-list Outside_cryptomap_4 extended permit ip object-group DM_INLINE_NETWORK_8 65.217.40.192 255.255.255.224
access-list DMZ-2_nat0_outbound extended permit ip 123.13.8.0 255.255.255.128 any
access-list test extended permit ip host 10.0.0.107 host 123.13.8.11
access-list test extended permit ip host 123.13.8.11 host 10.0.0.107
access-list permit_dmz-2 extended deny ip any any inactive
access-list permit_dmz-2 extended permit ip any any
access-list DMZ-2_nat0_outbound_1 extended permit ip 123.13.8.0 255.255.255.128 any
access-list Outside_7_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object-group minsanaPlant1
access-list UDP5060n5065 extended permit udp any any object-group SIP5060and5065 log disable
access-list UDP5060n5065 extended permit udp any object-group SIP5060and5065 any log disable
access-list 360Networks extended permit udp 66.62.162.0 255.255.255.0 any
access-list 360Networks extended permit udp any 66.62.162.0 255.255.255.0
access-list asdm_cap_selector_DMZ extended permit ip any host 123.13.83.13
access-list asdm_cap_selector_DMZ extended permit ip host 123.13.83.13 any
access-list provisioning_server extended permit tcp any host 123.13.83.13
!
tcp-map mss-map
  exceed-mss allow
!
pager lines 10
logging enable
logging asdm-buffer-size 512
logging asdm critical
logging host crossConnect 123.13.31.4
mtu Outside 1500
mtu inside 1500
mtu crossConnect 1500
mtu DMZ 1500
mtu DMZ-2 1500
mtu management 1500
failover
failover lan unit secondary
failover lan interface Failover GigabitEthernet0/3
failover link Failover GigabitEthernet0/3
failover interface ip Failover 172.17.1.10 255.255.255.0 standby 172.17.1.11
monitor-interface inside
monitor-interface DMZ
monitor-interface DMZ-2
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any DMZ-2
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (inside) 0 access-list inside-nonat
nat (inside) 1 172.16.1.0 255.255.255.0
nat (DMZ) 0 access-list dmz-nonat
nat (DMZ-2) 0 access-list DMZ-2_nat0_outbound_1
nat (management) 0 0.0.0.0 0.0.0.0
access-group Outside_access_in in interface Outside
access-group crossconnect-access-in in interface crossConnect
access-group permit_dmz in interface DMZ
access-group permit_dmz-2 in interface DMZ-2
!
route-map tews permit 10
!
route Outside 0.0.0.0 0.0.0.0 123.13.84.145 1
route crossConnect 10.0.0.0 255.255.255.0 10.250.1.5 1
route crossConnect 10.0.10.0 255.255.255.0 10.250.1.5 1
route crossConnect 10.250.2.0 255.255.255.240 10.250.1.5 1
route crossConnect 123.13.31.0 255.255.255.0 10.250.1.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.255.255.0 crossConnect
http 172.16.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set zonveri_IPSEC esp-3des esp-md5-hmac
crypto map outside_cryptomap 1 match address zonveri_VPN1
crypto map outside_cryptomap 1 set pfs
crypto map outside_cryptomap 1 set peer *
crypto map Outside_map 1 match address Outside_cryptomap_1
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer *
crypto map Outside_map 1 set transform-set ESP-3DES-MD5 zonveri_IPSEC
crypto map Outside_map 2 match address Outside_cryptomap
crypto map Outside_map 2 set pfs
crypto map Outside_map 2 set peer *
crypto map Outside_map 2 set transform-set zonveri_IPSEC
crypto map Outside_map 2 set security-association lifetime seconds 86400
crypto map Outside_map 3 match address Outside_cryptomap_2
crypto map Outside_map 3 set pfs
crypto map Outside_map 3 set peer *
crypto map Outside_map 3 set transform-set zonveri_IPSEC
crypto map Outside_map 3 set security-association lifetime seconds 86400
crypto map Outside_map 4 match address Outside_cryptomap_3
crypto map Outside_map 4 set pfs
crypto map Outside_map 4 set peer *
crypto map Outside_map 4 set transform-set zonveri_IPSEC
crypto map Outside_map 4 set security-association lifetime seconds 86400
crypto map Outside_map 5 match address Outside_cryptomap_4
crypto map Outside_map 5 set pfs
crypto map Outside_map 5 set peer *
crypto map Outside_map 5 set transform-set zonveri_IPSEC
crypto map Outside_map 5 set security-association lifetime seconds 86400
crypto map Outside_map 6 match address Outside_cryptomap_6
crypto map Outside_map 6 set peer *
crypto map Outside_map 6 set transform-set ESP-3DES-MD5
crypto map Outside_map 6 set nat-t-disable
crypto map Outside_map 7 match address Outside_7_cryptomap
crypto map Outside_map 7 set pfs
crypto map Outside_map 7 set peer *
crypto map Outside_map 7 set transform-set ESP-3DES-MD5
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
no crypto isakmp nat-traversal
telnet timeout 5
ssh 172.16.1.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 crossConnect
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 15
console timeout 0
management-access inside
dhcprelay server 123.13.31.4 crossConnect
dhcprelay server 123.13.31.201 crossConnect
dhcprelay enable inside
dhcprelay enable DMZ
dhcprelay enable DMZ-2
dhcprelay setroute inside
dhcprelay timeout 60
priority-queue Outside
  tx-ring-limit 80
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
!
class-map global-class
 match port udp range 1024 65535
class-map inspection_default
 match default-inspection-traffic
class-map http-map1
 match access-list provisioning_server
class-map map
!
!
policy-map type inspect dns migrated_dns_map_2
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_2
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect esmtp
 class global-class
  priority
policy-map http-map1
 class http-map1
  set connection advanced-options mss-map
!
service-policy global_policy global
service-policy http-map1 interface DMZ
ntp server * source Outside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group * type ipsec-l2l
tunnel-group * ipsec-attributes
 pre-shared-key *
tunnel-group * type ipsec-l2l
tunnel-group * ipsec-attributes
 pre-shared-key *
tunnel-group * type ipsec-l2l
tunnel-group * ipsec-attributes
 pre-shared-key *
tunnel-group *type ipsec-l2l
tunnel-group * ipsec-attributes
 pre-shared-key *
tunnel-group * type ipsec-l2l
tunnel-group * ipsec-attributes
 pre-shared-key *
tunnel-group * type ipsec-l2l
tunnel-group * ipsec-attributes
 pre-shared-key *
tunnel-group * type ipsec-l2l
tunnel-group * ipsec-attributes
 pre-shared-key *
prompt hostname context
: end
0
Comment
Question by:dbeutler
  • 4
  • 3
8 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 34973310
Once a connection is permitted via the ACL, subsequent packets that are part of that connection are no longer checked against the access-list.  Clearing the connections (not xlate) for the host in question probably would have also stopped the flow of traffic.
0
 
LVL 9

Expert Comment

by:tl121000
ID: 34973319
A possibility could be... The security levels on the Outside interface are lower then DMZ-2.  By default traffic can pass across the backplane from a higher to lower interface.  
0
 

Author Comment

by:dbeutler
ID: 34973397
I tried the 'clear conn all' command but it wasn't valid and I found post online that stated that clearing the xlate was needed.  If you could tell me what command I should have issued that would have been great.  However, I would also like to know why clearing the xlate was not enough and how/why each clearing is needed.
Thanks,
Danny
0
 

Author Comment

by:dbeutler
ID: 34973525
BTW, I just found a command reference for version 8.0 online which says that the 'clear conn' command was introduced in version 8.0(4):
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c3.html#wp2140024
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 43

Expert Comment

by:JFrederick29
ID: 34973804
You are doing NAT exemption for the DMZ-2 traffic which in turn I'm pretty sure doesn't create an xlate entry so doing a clear xlate has no effect.  You can use the " clear conn address x.x.x.x" to clear any connection associated with the IP address in question.  You are correct, it was introduced into the 8.0(4) release.  You'll probably want to upgrade to that release anyway as 8.0(2) was a pretty buggy release if memory serves me correct.
0
 

Author Comment

by:dbeutler
ID: 34974000
What I am hearing is that there was no way to clear the connections unless I upgraded to a new version. ('Clear conn' in any form was not available in 8.0(2). )  Is that correct?  What about the clear local-host?  Would that have done it?
I think I am beginning to understand...please let me know if I am on the right track with the following statements.  Each successful traversal of the firewall needs both an acl and a nat rule.  (I think that is correct but please correct me at any point in the conversation here.)  From my understanding, the ACL is at a higher level than the nat rule or, in other words, the ACL is evaluated first before the NAT rules. Now, from what I am hearing, the connections table is an ACL shortcut.  In other words, if a connection exists in the connections table, the connection is allowed through without evaluating the ACL.  I am also hearing that the xlate table is a shortcut for the NAT statements.  Therefore, if an entry exists in the xlate table, the NAT rules are not evaluated.  
Now to my specific situation:  I had added an ACL which blocked the traffic.  However, the connections in the connection table allowed most all of the traffic through because it bypasses the ACL if a connection already exists.  Similarly, I had cleared the xlate so there was no shortcut around the NAT rules.  However, because there was exemption from NAT (which I interpret as the same as one-to-one NAT across the board) on the DMZ-2 interface the traffic which made it through the ACL layer via the connections table would immediately create a new xlate because of the NAT exemption.  Does that sound about right?
Thanks,
Danny
0
 

Author Comment

by:dbeutler
ID: 34980824
Am I asking too much followup for one question?  I am sorry if that is too much detail but I just want to make sure I know why the ACL was ineffective for future troubleshooting.
Thanks,
Danny
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 34996621
Yes, your understanding is correct and no, don't worry about the followup (A little followup is more than acceptable).  The clear local-host may have worked  Yeah, based on the command reference, it looks like clear conn was introduced into the 8.0 line in 8.0(4).
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Suggested Solutions

Have you experienced traffic destined through a Cisco ASA firewall disappears and you do not know if the traffic stops in the firewall or somewhere else? The solution is the capture feature. This feature was released in 6.2(1) and works in all firew…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now