Solved

Access-list not working properly on ASA

Posted on 2013-01-17
Last Modified: 2013-01-23
I have an ACL in place that is supposed to prevent all smtp traffic from inside minus a few hosts from going outbound. For some reason my deny statement in line 7 isn't taking effect and smtp traffic from any host inside is allowed. What am I missing?

access-list inside_access_in line 1 extended permit tcp host 10.10.1.3 any eq smtp
access-list inside_access_in line 2 extended permit tcp host 10.10.1.92 any eq smtp
access-list inside_access_in line 3 extended permit tcp host 10.1.1.200 any eq smtp
access-list inside_access_in line 4 extended permit tcp host 10.2.1.2 any eq smtp
access-list inside_access_in line 5 extended permit tcp host 10.2.1.202 any eq smtp
access-list inside_access_in line 6 extended permit tcp host 10.7.1.150 any eq smtp
access-list inside_access_in line 7 extended deny tcp any any eq smtp
access-list inside_access_in line 8 extended permit ip any any
Question by:mulkeyinc
 
LVL 57

Expert Comment

by:giltjr
ID: 38788993
Can you post the config of the interface that you have this access list applied to?

You have the description of "inside_access_in", which would imply that this is applied to inbound traffic on the interface "inside".

Based on the way you have it coded it should be applied to outbound traffic on the inside interface.
0
 

Author Comment

by:mulkeyinc
ID: 38789053
It is applied inbound on the inside interface. I'm not following why this is incorrect?

Traffic from internal LAN incoming to ASA on inside interface.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 38789087
My fault, I was thinking backwards.

If you do a show for that access list are the other rules getting hit?

Are those the only ACLs in that list?
0
 

Author Comment

by:mulkeyinc
ID: 38789111
Yes, other rules are being hit.

Yes, those are all the ACLs in that list.

The interface config: access-group inside_access_in in interface inside

It is strange. I've configured thousands of ACLs and this one has me puzzled. It's like it's there, just not taking effect.

Thanks for the assistance btw.
0
 

Author Comment

by:mulkeyinc
ID: 38789135
Just cleared the counters and am already seeing hits, yet I can send a packet from any host on port 25 despite my deny statement. Packet tracer in ASDM goes through as well.

ASA# show access-list inside_access_in          
access-list inside_access_in; 8 elements; name hash: 0x433a1af1
access-list inside_access_in line 1 extended permit tcp host 10.10.1.3 any eq smtp (hitcnt=3) 0x2f2ad7d3
access-list inside_access_in line 2 extended permit tcp host 10.10.1.92 any eq smtp (hitcnt=0) 0xfcb2c0be
access-list inside_access_in line 3 extended permit tcp host 10.1.1.200 any eq smtp (hitcnt=0) 0xb3096646
access-list inside_access_in line 4 extended permit tcp host 10.2.1.2 any eq smtp (hitcnt=0) 0xbbf01bf9
access-list inside_access_in line 5 extended permit tcp host 10.2.1.202 any eq smtp (hitcnt=0) 0x785e99e7
access-list inside_access_in line 6 extended permit tcp host 10.7.1.150 any eq smtp (hitcnt=0) 0xb773c1ec
access-list inside_access_in line 7 extended deny tcp any any eq smtp (hitcnt=0) 0xe3de3aa9
access-list inside_access_in line 8 extended permit ip any any (hitcnt=19887) 0xa925365e
0
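As an added example (not from the thread or from Cisco), a small Python first-match evaluator for the ACL above: it parses the show access-list output (hit counters included), reports which line a given packet should hit, and lists lines whose counter is still zero. Address specs, port names and the sample (abbreviated to four of the eight lines) are assumptions made for the example; it also accepts the NET MASK address form, which the thread's ACL does not use.

```python
import ipaddress
import re
# Constructed sample: four of the eight lines from the "show access-list" output in the thread.
SHOW_ACCESS_LIST = """\
access-list inside_access_in line 1 extended permit tcp host 10.10.1.3 any eq smtp (hitcnt=3) 0x2f2ad7d3
access-list inside_access_in line 2 extended permit tcp host 10.10.1.92 any eq smtp (hitcnt=0) 0xfcb2c0be
access-list inside_access_in line 7 extended deny tcp any any eq smtp (hitcnt=0) 0xe3de3aa9
access-list inside_access_in line 8 extended permit ip any any (hitcnt=19887) 0xa925365e
"""
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<rest>.*?)(?: \(hitcnt=(?P<hits>\d+)\))?(?: 0x[0-9a-f]+)?$")
PORT_NAMES = {"smtp": 25}  # only the service name this ACL uses

def _take_addr(tokens):
    # Consume one ASA address spec: "any", "host A", or "NET MASK" (dotted mask).
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{tokens.pop(0)}/32" if tok == "host" else f"{tok}/{tokens.pop(0)}")

def parse_acl(text):
    # Parse extended ACL lines (with or without hitcnt) into rule dicts, sorted by line number.
    rules = []
    for raw in text.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m:
            continue
        toks = m["rest"].split()
        src, dst = _take_addr(toks), _take_addr(toks)
        dport = (PORT_NAMES.get(toks[1]) or int(toks[1])) if toks[:1] == ["eq"] else None
        rules.append({"line": int(m["line"]), "action": m["action"], "proto": m["proto"],
                      "src": src, "dst": dst, "dport": dport,
                      "hits": int(m["hits"]) if m["hits"] else None})
    return sorted(rules, key=lambda r: r["line"])

def first_match(rules, src, dst, proto="tcp", dport=None):
    # Top-down first match, as the ASA should evaluate it; None means the implicit deny at the end.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r["proto"] in ("ip", proto) and s in r["src"] and d in r["dst"]
                and (r["dport"] is None or r["dport"] == dport)):
            return r
    return None

def never_hit(rules):
    # Lines whose counter is still 0; a deny stuck at 0 while a later permit keeps counting is the symptom here.
    return [r["line"] for r in rules if r["hits"] == 0]

RULES = parse_acl(SHOW_ACCESS_LIST)
```

A non-listed inside host sending to port 25 should land on line 7; seeing it counted on line 8 instead, as in the output above, means the box is not evaluating the list as written.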
 
LVL 57

Expert Comment

by:giltjr
ID: 38789225
Although it should not matter, the only thing I can think of trying is to replace your deny with

access-list inside_access_in line 7 extended deny tcp any gt 1023 any eq smtp
0
 

Author Comment

by:mulkeyinc
ID: 38789249
It's weird. I removed lines 1-7 and then reapplied the entire ACL. Now the only hits I am getting are on the permit ip any any statement.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 38789332
Well, we are still running PIX and that is old, we don't change it that much because it is for "B2B" direct ip link (not through the Internet).  We are getting ready to be retired, but last I knew the access list is supposed to be processed in the order of the line numbers.

We don't code any denies.  If it is not explicitly allowed, it's automatically denied, so we don't have any denies in our ACLs.

Now I did see something like that on an old 3550 switch where we had to remove the whole access list and add it back, not sure what occurred there, but we had made a ton of changes and things started to get whacked out and we could not reload.  We figured it was a memory corruption issue.

Got to go home will check later tonight to see if you made any progress.
0
 

Author Comment

by:mulkeyinc
ID: 38789357
Thanks. I have deployed many ASAs and never run into this problem. I'm going to reboot the device when I can to see if that does the trick.
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 38792463
Any NAT configured on that PIX?
0
 

Accepted Solution

by:mulkeyinc (earned 0 total points)
ID: 38793062
Restarting the ASA fixed it. The ACL is now working properly. No config change was required.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 38793075
Weird.  Glad it's working.
0
 

Author Closing Comment

by:mulkeyinc
ID: 38809116
Solved my own issue.
0