• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 800

Access-list not working properly on ASA

I have an ACL in place that is supposed to prevent all smtp traffic from inside minus a few hosts from going outbound. For some reason my deny statement in line 7 isn't taking effect and smtp traffic from any host inside is allowed. What am I missing?

access-list inside_access_in line 1 extended permit tcp host 10.10.1.3 any eq smtp
access-list inside_access_in line 2 extended permit tcp host 10.10.1.92 any eq smtp
access-list inside_access_in line 3 extended permit tcp host 10.1.1.200 any eq smtp
access-list inside_access_in line 4 extended permit tcp host 10.2.1.2 any eq smtp
access-list inside_access_in line 5 extended permit tcp host 10.2.1.202 any eq smtp
access-list inside_access_in line 6 extended permit tcp host 10.7.1.150 any eq smtp
access-list inside_access_in line 7 extended deny tcp any any eq smtp
access-list inside_access_in line 8 extended permit ip any any
Asked by mulkeyinc
1 Solution
 
giltjr commented:
Can you post the config of the interface that you have this access list applied to?

You have the description of "inside_access_in", which would imply that this is applied to inbound traffic on the interface "inside".

Based on the way you have it coded it should be applied to outbound traffic on the inside interface.
mulkeyinc (author) commented:
It is applied inbound on the inside interface. I'm not following why this is incorrect?

Traffic from internal LAN incoming to ASA on inside interface.
giltjr commented:
My fault, I was thinking backwards.

If you do a show for that access list are the other rules getting hit?

Are those the only ACLs in that list?
mulkeyinc (author) commented:
Yes, other rules are being hit.

Yes, those are all the ACLs in that list.

The interface config: access-group inside_access_in in interface inside

It is strange. I've configured thousands of ACLs and this one has me puzzled. It's like it's there, just not taking effect.

Thanks for the assistance btw.
mulkeyinc (author) commented:
Just cleared the counters and already seeing hits, yet I can send a packet from any host on port 25 despite my deny statement. Packet tracer in ASDM goes through as well.

ASA# show access-list inside_access_in          
access-list inside_access_in; 8 elements; name hash: 0x433a1af1
access-list inside_access_in line 1 extended permit tcp host 10.10.1.3 any eq smtp (hitcnt=3) 0x2f2ad7d3
access-list inside_access_in line 2 extended permit tcp host 10.10.1.92 any eq smtp (hitcnt=0) 0xfcb2c0be
access-list inside_access_in line 3 extended permit tcp host 10.1.1.200 any eq smtp (hitcnt=0) 0xb3096646
access-list inside_access_in line 4 extended permit tcp host 10.2.1.2 any eq smtp (hitcnt=0) 0xbbf01bf9
access-list inside_access_in line 5 extended permit tcp host 10.2.1.202 any eq smtp (hitcnt=0) 0x785e99e7
access-list inside_access_in line 6 extended permit tcp host 10.7.1.150 any eq smtp (hitcnt=0) 0xb773c1ec
access-list inside_access_in line 7 extended deny tcp any any eq smtp (hitcnt=0) 0xe3de3aa9
access-list inside_access_in line 8 extended permit ip any any (hitcnt=19887) 0xa925365e
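What the ASA should do with this list, as an added illustration that is not part of the thread: a small first-match simulator over a constructed, abridged copy of the posted ACEs, including the source-port variant ("any gt 1023") suggested later in the thread. It assumes only host/any operands and eq/gt/lt port operators, which is all this ACL uses; a non-exempt inside host sending to port 25 must stop at line 7, so a line 7 that stays at hitcnt=0 while such traffic passes means the ACL the box is enforcing is not the one the configuration shows.

```python
import ipaddress
import re

# Constructed, abridged copy of the ACL posted in the thread (ASA "extended" ACE syntax).
ACL_TEXT = """
access-list inside_access_in line 1 extended permit tcp host 10.10.1.3 any eq smtp
access-list inside_access_in line 7 extended deny tcp any any eq smtp
access-list inside_access_in line 8 extended permit ip any any
"""
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}   # service names the parser understands

def _addr(tokens):
    # Consume 'any' or 'host A.B.C.D' (the only operands in the posted ACL) and return a network.
    kind = tokens.pop(0)
    if kind == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    if kind != "any": raise ValueError(f"unsupported address keyword: {kind}")
    return ipaddress.IPv4Network("0.0.0.0/0")

def _port(tokens):
    # Optional port operator (eq/gt/lt N) following an address; (None, None) means any port.
    if tokens and tokens[0] in ("eq", "gt", "lt"):
        op, val = tokens.pop(0), tokens.pop(0)
        return op, PORT_NAMES.get(val) or int(val)
    return None, None

def parse_acl(text):
    aces = []
    for raw in text.strip().splitlines():
        m = re.match(r"access-list \S+ line (\d+) extended (permit|deny) (\w+) (.*)", raw)
        if not m: raise ValueError(f"cannot parse ACE: {raw}")
        line, action, proto, rest = m.groups()
        tokens = rest.split()
        src, (sop, sport) = _addr(tokens), _port(tokens)   # source, then optional source port
        dst, (dop, dport) = _addr(tokens), _port(tokens)   # destination, then optional dest port
        aces.append({"line": int(line), "action": action, "proto": proto, "src": src, "sop": sop,
                     "sport": sport, "dst": dst, "dop": dop, "dport": dport, "hits": 0})
    return aces

_port_ok = lambda op, ref, v: op is None or {"eq": v == ref, "gt": v > ref, "lt": v < ref}[op]

def evaluate(aces, src_ip, dst_ip, sport=50000, dport=25, proto="tcp"):
    """First-match evaluation as the ASA does it; no match means the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        l4_ok = ace["proto"] == "ip" or (_port_ok(ace["sop"], ace["sport"], sport)
                                         and _port_ok(ace["dop"], ace["dport"], dport))
        if ace["proto"] in ("ip", proto) and s in ace["src"] and d in ace["dst"] and l4_ok:
            ace["hits"] += 1          # mirrors the hitcnt column of "show access-list"
            return ace["action"], ace["line"]
    return "deny", None
```

Running evaluate() for an exempt host, a non-exempt host on port 25, and a non-exempt host on port 443 should land on lines 1, 7 and 8 respectively; compare the resulting hit counters with the hitcnt column above.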
giltjr commented:
Although it should not matter, the only thing I can think of trying is to replace your deny with

access-list inside_access_in line 7 extended deny tcp any gt 1023 any eq smtp
mulkeyinc (author) commented:
It's weird. I removed lines 1-7 and then reapplied the entire ACL. Now the only hits I am getting are on the permit ip any any statement.
giltjr commented:
Well, we are still running PIX and that is old, we don't change it that much because it is for "B2B" direct ip link (not through the Internet).  We are getting ready to be retired, but last I knew the access list is supposed to be processed in the order of the line numbers.

We don't code any denies. If it is not explicitly allowed, it's automatically denied, so we don't have any denies in our ACLs.

Now I did see something like that on an old 3550 switch where we had to remove the whole access list and add it back. Not sure what occurred there, but we had made a ton of changes and things started to get whacked out and we could not reload. We figured it was a memory corruption issue.

Got to go home will check later tonight to see if you made any progress.
mulkeyinc (author) commented:
Thanks. I have deployed many ASAs and never run into this problem. I'm going to reboot the device when I can to see if that does the trick.
TimotiSt (Datacenter Technician) commented:
Any NAT configured on that PIX?
mulkeyinc (author) commented:
Restarting the ASA fixed it. The ACL is now working properly. No config change was required.
giltjr commented:
Weird.  Glad it's working.
mulkeyinc (author) commented:
Solved my own issue.