Cisco ASA 5510 8.4 ACL help

Hello Experts,

I am implementing a Cisco 5510 to replace an outdated firewall. I have done most of my config through ASDM, but I do understand the CLI side a bit. Here's my issue:

My outside_access_in ACLs are not allowing the PAT and NAT that I set up. If I add

access-list outside_access_in extended permit ip any any

then I can get my translations to go through. By adding this, I think I'm opening up the firewall. I don't think this should be needed. I currently have it in the config, but it's inactive. The activity log I see says blocked by outside_access_in ACL, but I can't find anything.

Also, my inside_access_in traffic was getting blocked from LAN to Internet web traffic. Shouldn't this get through because it's going from a higher security level to a lower one? I can add

access-list inside_access_in extended permit ip any any

and get traffic out, but again that shouldn't be necessary. And again, I'm seeing a log entry saying blocked by inside_access_in ACL, but I can't find anything. I feel like I'm missing an implicit ACE somewhere and I can't figure it out. I'll post the config; please forgive all the objects and groups, the ASDM configuration likes to create those.

: Saved
:
ASA Version 8.4(1)
!
hostname ciscoasa
domain-name xxxx
enable password 8UJu3BA.9t6jgpjS encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xx.xx.xx..210 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.20.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.1.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa841-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup dmz
dns domain-lookup management
dns server-group DefaultDNS
 name-server 10.20.1.2
 name-server 10.20.1.4
 domain-name coiw
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object service ftp
 service tcp source eq ftp-data destination eq ftp-data
object service http
 service tcp source eq www destination eq www
object service https
 service tcp source eq https destination eq https
object service rdp
 service tcp source eq 3389 destination eq 3389
object service smtp
 service tcp source eq smtp destination eq smtp
object service ssh
 service tcp source eq ssh destination eq ssh
object service vnc
 service tcp source eq 5900 destination eq 5900
object network internal_lan
 subnet 10.20.1.0 255.255.255.0
object service 8080
 service tcp source eq 8080 destination eq 8080
object service Granicus
 service tcp source eq 6969 destination eq 6969
object service sql
 service tcp source eq 1433 destination eq 1433
object network dmz_web
object network web_server_static_dmz
 host 10.10.1.10
 description Web Server Static    
object network granicus_static_dmz
 host 10.10.1.16
 description Granicus Static    
object network Weatherbug_dmz_static
 host 10.10.1.22
 description Weatherbug    
object network BL_Web_sql_lan
 host 10.20.1.7
 description Business License sql connection    
object network eden_lan_static
 host 10.20.1.7
 description Eden    
object network legistar_lan_static
 host 10.20.1.6
 description Legistar    
object network mac_vnc_lan_static
 host 10.20.1.25
 description Mac VNC    
object network mail_lan_static
 host 10.20.1.10
 description Mail    
object network owa_lan_static
 host 10.20.1.5
 description OWA    
object network rdp_lan_static
 host 10.20.1.2
 description RDP    
object network scala_cm_lan_static
 host 10.20.1.220
 description Scala CM    
object network scala_rdp_lan_static
 host 10.20.1.220
 description Scala RDP    
object service weather
 service tcp source eq 95 destination eq 95
object network mail_server
 host 10.20.1.3
object network bill_powers
 host 10.20.1.126
object network visual_cut
 host 10.20.1.201
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network OWA_LAN_static
 host 10.20.1.5
 description OWA
object-group service DM_INLINE_SERVICE_1
 service-object object ftp
 service-object object http
 service-object object https
 service-object object rdp
 service-object object smtp
 service-object object ssh
 service-object object vnc
 service-object icmp
object-group service DM_INLINE_SERVICE_2
 service-object object 8080
 service-object object Granicus
 service-object object http
 service-object object rdp
object-group service DM_INLINE_SERVICE_3
 service-object object http
 service-object object https
 service-object object rdp
object-group network DM_INLINE_NETWORK_1
 network-object object mail_server
 network-object object owa_lan_static
 network-object object bill_powers
 network-object object visual_cut
access-list outside_access_in extended permit ip any any inactive
access-list outside_access_in extended permit object rdp interface outside object rdp_lan_static
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object web_server_static_dmz
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object granicus_static_dmz
access-list outside_access_in extended permit object weather any object Weatherbug_dmz_static
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any object legistar_lan_static
access-list outside_access_in extended permit object rdp any object eden_lan_static
access-list outside_access_in extended permit object sql 10.10.1.0 255.255.255.0 object BL_Web_sql_lan
access-list outside_access_in extended permit object smtp any object mail_lan_static
access-list outside_access_in extended permit tcp any object scala_rdp_lan_static eq 1717
access-list outside_access_in extended permit object 8080 any object scala_cm_lan_static
access-list outside_access_in extended permit object vnc any object mac_vnc_lan_static
access-list inside_access_in extended permit object smtp object-group DM_INLINE_NETWORK_1 any
access-list inside_access_in extended deny object smtp any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool VPN_Address_Pool 10.20.1.20-10.20.1.29 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.20.1.0 255.255.255.0 inside
no asdm history enable
arp timeout 14400
!
object network internal_lan
 nat (inside,outside) dynamic interface
object network web_server_static_dmz
 nat (dmz,outside) static xx.xx.xx..218
object network granicus_static_dmz
 nat (dmz,outside) static xx.xx.xx.216
object network Weatherbug_dmz_static
 nat (dmz,outside) static xx.xx.xx.222 service tcp 95 95
object network BL_Web_sql_lan
 nat (inside,dmz) static xx.xx.xx.210 service tcp 1433 1433
object network eden_lan_static
 nat (inside,outside) static xx.xx.xx.219
object network legistar_lan_static
 nat (inside,outside) static xx.xx.xx.220
object network mac_vnc_lan_static
 nat (inside,outside) static xx.xx.xx.211 service tcp 5900 5900
object network mail_lan_static
 nat (inside,outside) static interface service tcp smtp smtp
object network rdp_lan_static
 nat (inside,outside) static interface service tcp 3389 3389
object network scala_cm_lan_static
 nat (inside,outside) static interface service tcp 8080 8080
object network scala_rdp_lan_static
 nat (inside,outside) static interface service tcp 3389 1717
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.209 1
route inside 10.25.1.0 255.255.255.255 10.25.1.245 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 8001
http 192.168.1.0 255.255.255.0 management
http 10.20.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect image disk0:/anyconnect-win-2.5.2019-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2019-k9.pkg 2
 anyconnect enable
group-policy DfltGrpPolicy attributes
 dns-server value 10.20.1.2 10.20.1.4
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 default-domain value coiw
 address-pools value VPN_Address_Pool
 webvpn
  anyconnect ask none default anyconnect
username admin password f2aMq40KWpQXgUR5 encrypted privilege 15
username kmccarthy password co7KVqHWRZoyFLro encrypted
username kmccarthy attributes
 service-type remote-access
username nwerner password ffSByskKkulkBfDJ encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0b0c0a31c9951f20f7f8a124c462c7f6
: end
no asdm history enable


nwernerAsked:
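The "blocked by ... ACL" entries the question refers to are the ASA's %ASA-4-106023 syslog messages, and they name the access-group, the interface, the real (post-8.3, untranslated) destination address and the port, which is exactly what is needed to find the missing ACE. The following triage helper is an added example, not code from the thread or from Cisco; the log lines in it are constructed to follow the shape of the 106023 message (plus one unrelated 302013 "Built" line to show it is skipped) and are not from the poster's device. Addresses in 198.51.100.0/24 and 203.0.113.0/24 are documentation-range stand-ins.

```python
"""Group ASA access-list denies (%ASA-4-106023) by ACL, protocol, destination and port.
Added example; the SAMPLE_LOG lines are constructed, not captured from the poster's ASA."""
import re
from collections import Counter

# Shape of the 106023 message: Deny <proto> src <if>:<ip>[/<port>] dst <if>:<ip>[/<port>]
# [(type N, code M)] by access-group "<acl>" [0x..., 0x...]
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\S+) '
    r'src (?P<sif>[^:]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dif>[^:]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?'
    r'(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))?'
    r' by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample: two outbound denies on inside_access_in (web and DNS), two
# inbound RDP denies on outside_access_in, one inbound ICMP echo, and one noise line.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src inside:10.20.1.50/51234 dst outside:203.0.113.50/80 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:10.20.1.50/60001 dst outside:203.0.113.53/53 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.7/51234 dst inside:10.20.1.2/3389 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.7/51235 dst inside:10.20.1.2/3389 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny icmp src outside:198.51.100.9 dst inside:10.20.1.1 (type 8, code 0) by access-group "outside_access_in" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 12 for outside:198.51.100.7/51236 (198.51.100.7/51236) to inside:10.20.1.10/25 (203.0.113.210/25)
"""


def parse_denies(text):
    """Return one dict per 106023 line; ports and ICMP type/code become ints or None."""
    denies = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # not an ACL deny (e.g. a 302013 "Built" message)
        d = m.groupdict()
        for key in ("sport", "dport", "icmp_type", "icmp_code"):
            d[key] = int(d[key]) if d[key] is not None else None
        denies.append(d)
    return denies


def summarize(denies):
    """Count denied flows per (acl, proto, real destination, destination port).

    The source port is deliberately left out of the key: it is ephemeral, so
    grouping on it would hide that many denies are really one missing ACE.
    """
    return Counter((d["acl"], d["proto"], d["dst"], d["dport"]) for d in denies)


def report(text):
    """Human-readable lines, most frequent deny first."""
    lines = []
    for (acl, proto, dst, dport), n in summarize(parse_denies(text)).most_common():
        port = f"/{dport}" if dport is not None else ""
        lines.append(f"{acl}: {n} x {proto} to {dst}{port}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Each summary line maps back to one candidate ACE: compare the destination (real address) and port against the access-list actually bound with access-group on that interface before adding anything, since the point is to permit the one flow that is expected, not to add a broad permit to make the log entries stop.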
Cheever000Commented:
Your access lists seem wrong, as in where you are defining the object group that should be the protocol:

access-list extended permit {ip, tcp, udp or object group defining a protocol}

then host, perhaps any, then destination, then the services you wish to allow through with an operator such as eq, then your object-group defined service.

Now I may be off base. I have some experience with the 8.3 code plus, but that is what I see. I could be wrong, so I apologize in advance if I steer you wrong, but it is something to look at.
nwernerAuthor Commented:
Here's the issue that I see when I look at one specific example.  Here's the statement created by ASDM:

access-list outside_access_in extended permit object rdp interface outside object rdp_lan_static

what I really want is:

access-list outside_access_in extended permit tcp any object rdp_lan_static eq rdp

When I add it using CLI, it looks great; the problem is that it looks identical in ASDM. I'm not sure if it's an ASA 8.4 issue, an ASDM 6.4 issue or if I'm missing something somewhere else.

I will re-enter each of the ACEs using CLI and re-test to see if that fixes the issue.
FrabbleCommented:
Couple of things:
ACLs are processed before NAT, so for your outside_access_in, the destination must be the outside address, not the inside as shown.

The service groups appear wrong; it is not common to have TCP source and destination ports the same. Incoming connections will have a dynamic source port. Have you specified the source port to be the same as the destination port rather than leaving it at any?
nwernerAuthor Commented:
Frabble,  
Everything that I've read from Cisco shows that ASA version 8.3 and greater changed to always use the real IP instead of the mapped IP.  

I'm looking into service groups.

Thanks.
Cheever000Commented:
You are correct, it is the inside IP post 8.3.
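Two points from the exchange above decide whether an inbound ACE matches: on 8.3 and later the ACL on the outside interface is evaluated after un-NAT, so the ACE must name the real (inside) address, and a client's source port is ephemeral, so an ASDM service object that pins the source port (source eq 3389 destination eq 3389) never matches a real connection. The model below is an added example written for this thread, not Cisco code and not the poster's configuration; it reproduces only the IP un-NAT and first-match ACL behaviour, and 203.0.113.210 / 198.51.100.7 are constructed stand-ins for the redacted public addresses.

```python
"""Minimal model of ASA 8.3+ inbound processing: static un-NAT on the destination,
then the interface ACL evaluated first-match against the REAL address, with the
implicit deny at the end. Added example; the NAT entry and flows are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" | "udp" | "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" | "deny"
    proto: str                  # "ip" matches any protocol
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    sport: Optional[int] = None  # None = any source port (the correct setting for clients)
    dport: Optional[int] = None  # None = any destination port


def _net(spec: str):
    return ip_network("0.0.0.0/0") if spec == "any" else ip_network(spec, strict=False)


def ace_matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ip_address(flow.src) not in _net(ace.src):
        return False
    if ip_address(flow.dst) not in _net(ace.dst):
        return False
    if ace.sport is not None and ace.sport != flow.sport:
        return False
    if ace.dport is not None and ace.dport != flow.dport:
        return False
    return True


def evaluate(acl: List[Ace], flow: Flow) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; no match means the implicit deny (index None)."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, flow):
            return ace.action, i
    return "deny", None


def untranslate(flow: Flow, static_nat: Dict[str, str]) -> Flow:
    """Static NAT (mapped -> real) is undone before the inbound ACL is consulted."""
    real = static_nat.get(flow.dst)
    return flow if real is None else Flow(flow.proto, flow.src, flow.sport, real, flow.dport)


def inbound_decision(acl: List[Ace], static_nat: Dict[str, str], flow: Flow):
    return evaluate(acl, untranslate(flow, static_nat))


# Constructed NAT entry: rdp_lan_static (10.20.1.2, from the thread) published on a
# stand-in outside interface address.
STATIC_NAT = {"203.0.113.210": "10.20.1.2"}

# What the ASDM-generated 'rdp' service object amounts to: source AND destination pinned to 3389.
ASDM_STYLE_ACL = [Ace("permit", "tcp", "any", "10.20.1.2/32", sport=3389, dport=3389)]
# Equivalent of: access-list outside_access_in extended permit tcp any object rdp_lan_static eq 3389
FIXED_ACL = [Ace("permit", "tcp", "any", "10.20.1.2/32", dport=3389)]
# Pre-8.3 habit: naming the mapped (public) address in the ACE.
MAPPED_ADDR_ACL = [Ace("permit", "tcp", "any", "203.0.113.210/32", dport=3389)]

# A real RDP client: ephemeral source port, connecting to the published address (constructed).
RDP_CLIENT = Flow("tcp", "198.51.100.7", 51234, "203.0.113.210", 3389)


def demo() -> Dict[str, str]:
    return {
        "asdm_style": inbound_decision(ASDM_STYLE_ACL, STATIC_NAT, RDP_CLIENT)[0],
        "fixed": inbound_decision(FIXED_ACL, STATIC_NAT, RDP_CLIENT)[0],
        "mapped_addr": inbound_decision(MAPPED_ADDR_ACL, STATIC_NAT, RDP_CLIENT)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict}")
```

Only the ACE that names the real address and leaves the source port open permits the client. The same implicit deny answers the question about inside_access_in: the higher-to-lower security-level default applies only while no ACL is bound to the interface, and once access-group attaches one, anything not explicitly permitted is dropped and logged as a 106023 against that ACL.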
kwolbert_ITCommented:
"Also, my inside_access_in traffic was getting blocked from LAN to Internet web traffic. Shouldn't this get through because it's going from higher security level to lower? I can add"

This is not working because you are missing the inspect http traffic:
policy-map global_policy
 class inspection_default
 inspect http                <-- This line is missing and would cause http traffic not to be allowed back in
nwernerAuthor Commented:
Everyone, thanks for the help so far. I have updated my config and the ACL is working. However, when I tested last night, I could not get web traffic from the inside. In the logs, it shows a UDP teardown for the DNS call. I'm thinking a problem in my route or something. This test was before adding the inspect http to my inspection_default, but I don't think that would impact DNS requests.

Thanks for everything so far, and if anyone sees any glaring issues, please let me know.  Below is my latest config.

Thanks!!


: Saved
:
ASA Version 8.4(1)
!
hostname ciscoasa
enable password 8UJu3BA.9t6jgpjS encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xx.xx.32.210 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.20.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.1.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa841-k8.bin
ftp mode passive
dns server-group DefaultDNS
 name-server 10.20.1.2
 name-server 10.20.1.4
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object service ftp
 service tcp source eq ftp-data destination eq ftp-data
object service http
 service tcp source eq www destination eq www
object service https
 service tcp source eq https destination eq https
object service rdp
 service tcp source eq 3389 destination eq 3389
object service smtp
 service tcp source eq smtp destination eq smtp
object service ssh
 service tcp source eq ssh destination eq ssh
object service vnc
 service tcp source eq 5900 destination eq 5900
object network internal_lan
 subnet 10.20.1.0 255.255.255.0
object service 8080
 service tcp source eq 8080 destination eq 8080
object service Granicus
 service tcp source eq 6969 destination eq 6969
object service sql
 service tcp source eq 1433 destination eq 1433
object network dmz_web
object network web_server_static_dmz
 host 10.10.1.10
 description Web Server Static    
object network granicus_static_dmz
 host 10.10.1.16
 description Granicus Static    
object network Weatherbug_dmz_static
 host 10.10.1.22
 description Weatherbug    
object network BL_Web_sql_lan
 host 10.20.1.7
 description Business License sql connection    
object network eden_lan_static
 host 10.20.1.7
 description Eden    
object network legistar_lan_static
 host 10.20.1.6
 description Legistar    
object network mac_vnc_lan_static
 host 10.20.1.25
 description Mac VNC    
object network mail_lan_static
 host 10.20.1.10
 description Mail    
object network rdp_lan_static
 host 10.20.1.2
 description RDP    
object network scala_cm_lan_static
 host 10.20.1.220
 description Scala CM    
object network scala_rdp_lan_static
 host 10.20.1.220
 description Scala RDP    
object service weather
 service tcp source eq 95 destination eq 95
object network mail_server
 host 10.20.1.3
object network bill_powers
 host 10.20.1.126
object network visual_cut
 host 10.20.1.201
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network owa_lan_static
 host 10.20.1.5
 description owa
object-group service granicus_services tcp
 description Granicus Server Services
 port-object eq 3389
 port-object eq 6969
 port-object eq www
object-group service legistar_services tcp
 description Legistar Server Services
 port-object eq 3389
 port-object eq www
 port-object eq https
object-group service web_services tcp
 description Web Server Services
 port-object eq 3389
 port-object eq 5900
 port-object eq ftp
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq ssh
object-group network smtp_allow
 description Allowed workstations for smtp
 network-object object bill_powers
 network-object object mail_lan_static
 network-object object mail_server
 network-object object visual_cut
access-list outside_access_in extended permit tcp any object web_server_static_dmz object-group web_services
access-list outside_access_in extended permit tcp any object granicus_static_dmz object-group granicus_services
access-list outside_access_in extended permit tcp any object Weatherbug_dmz_static eq 95
access-list outside_access_in extended permit tcp any object legistar_lan_static object-group legistar_services
access-list outside_access_in extended permit tcp any object eden_lan_static eq 3389
access-list outside_access_in extended permit tcp any object mail_lan_static eq smtp
access-list outside_access_in extended permit tcp any object scala_rdp_lan_static eq 1717
access-list outside_access_in extended permit tcp any object scala_cm_lan_static eq 8080
access-list outside_access_in extended permit tcp any object mac_vnc_lan_static eq 5900
access-list outside_access_in extended permit tcp any object rdp_lan_static eq 3389
access-list outside_access_in extended permit tcp any object mail_server eq https
access-list outside_access_in extended permit icmp any interface outside
access-list dmz_access_in extended permit tcp any object BL_Web_sql_lan eq 1433
access-list dmz_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp object-group smtp_allow any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
logging flash-bufferwrap
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool VPN_Address_Pool 10.20.1.20-10.20.1.29 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.20.1.0 255.255.255.0 inside
no asdm history enable
arp timeout 14400
!
object network internal_lan
 nat (inside,outside) dynamic interface
object network web_server_static_dmz
 nat (dmz,outside) static xx.xx.32.218
object network granicus_static_dmz
 nat (dmz,outside) static xx.xx.32.216
object network Weatherbug_dmz_static
 nat (dmz,outside) static xx.xx.32.222 service tcp 95 95
object network BL_Web_sql_lan
 nat (inside,dmz) static xx.xx.32.210 service tcp 1433 1433
object network eden_lan_static
 nat (inside,outside) static xx.xx.32.219
object network legistar_lan_static
 nat (inside,outside) static xx.xx.32.220
object network mac_vnc_lan_static
 nat (inside,outside) static xx.xx.32.211 service tcp 5900 5900
object network mail_lan_static
 nat (inside,outside) static interface service tcp smtp smtp
object network rdp_lan_static
 nat (inside,outside) static interface service tcp 3389 3389
object network scala_cm_lan_static
 nat (inside,outside) static interface service tcp 8080 8080
object network scala_rdp_lan_static
 nat (inside,outside) static interface service tcp 3389 1717
object network owa_lan_static
 nat (inside,outside) static interface service tcp https https
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 xx.xx.32.209 1
route inside 10.25.1.0 255.255.255.255 10.25.1.245 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 8001
http 192.168.1.0 255.255.255.0 management
http 10.20.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect image disk0:/anyconnect-win-2.5.2019-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2019-k9.pkg 2
 anyconnect enable
group-policy DfltGrpPolicy attributes
 dns-server value 10.20.1.2 10.20.1.4
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 default-domain value coiw
 address-pools value VPN_Address_Pool
 webvpn
  anyconnect ask none default anyconnect
username admin password f2aMq40KWpQXgUR5 encrypted privilege 15
username kmccarthy password co7KVqHWRZoyFLro encrypted
username kmccarthy attributes
 service-type remote-access
username nwerner password ffSByskKkulkBfDJ encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect http
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:85cd513e68294386d94f245fc915f976
: end
no asdm history enable