Solved

Access-list not working properly on ASA

Posted on 2013-01-17
Last Modified: 2013-01-23
I have an ACL in place that is supposed to prevent all smtp traffic from inside minus a few hosts from going outbound. For some reason my deny statement in line 7 isn't taking effect and smtp traffic from any host inside is allowed. What am I missing?

access-list inside_access_in line 1 extended permit tcp host 10.10.1.3 any eq smtp
access-list inside_access_in line 2 extended permit tcp host 10.10.1.92 any eq smtp
access-list inside_access_in line 3 extended permit tcp host 10.1.1.200 any eq smtp
access-list inside_access_in line 4 extended permit tcp host 10.2.1.2 any eq smtp
access-list inside_access_in line 5 extended permit tcp host 10.2.1.202 any eq smtp
access-list inside_access_in line 6 extended permit tcp host 10.7.1.150 any eq smtp
access-list inside_access_in line 7 extended deny tcp any any eq smtp
access-list inside_access_in line 8 extended permit ip any any
Question by:mulkeyinc
13 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 38788993
Can you post the config of the interface that you have this access list applied to?

You have the description of "inside_access_in", which would imply that this is applied to inbound traffic on the interface "inside".

Based on the way you have it coded it should be applied to outbound traffic on the inside interface.
 

Author Comment

by:mulkeyinc
ID: 38789053
It is applied inbound on the inside interface. I'm not following why this is incorrect?

Traffic from internal LAN incoming to ASA on inside interface.
 
LVL 57

Expert Comment

by:giltjr
ID: 38789087
My fault, I was thinking backwards.

If you do a show for that access list are the other rules getting hit?

Are those the only ACLs in that list?
 

Author Comment

by:mulkeyinc
ID: 38789111
Yes, other rules are being hit.

Yes, those are all the ACLs in that list.

The interface config: access-group inside_access_in in interface inside

It is strange. I've configured thousands of ACLs and this one has me puzzled. It's like it's there, just not taking effect.

Thanks for the assistance btw.
 

Author Comment

by:mulkeyinc
ID: 38789135
Just cleared the counters and am already seeing hits, yet I can send a packet from any host on port 25 despite my deny statement. Packet tracer in ASDM goes through as well.

ASA# show access-list inside_access_in          
access-list inside_access_in; 8 elements; name hash: 0x433a1af1
access-list inside_access_in line 1 extended permit tcp host 10.10.1.3 any eq smtp (hitcnt=3) 0x2f2ad7d3
access-list inside_access_in line 2 extended permit tcp host 10.10.1.92 any eq smtp (hitcnt=0) 0xfcb2c0be
access-list inside_access_in line 3 extended permit tcp host 10.1.1.200 any eq smtp (hitcnt=0) 0xb3096646
access-list inside_access_in line 4 extended permit tcp host 10.2.1.2 any eq smtp (hitcnt=0) 0xbbf01bf9
access-list inside_access_in line 5 extended permit tcp host 10.2.1.202 any eq smtp (hitcnt=0) 0x785e99e7
access-list inside_access_in line 6 extended permit tcp host 10.7.1.150 any eq smtp (hitcnt=0) 0xb773c1ec
access-list inside_access_in line 7 extended deny tcp any any eq smtp (hitcnt=0) 0xe3de3aa9
access-list inside_access_in line 8 extended permit ip any any (hitcnt=19887) 0xa925365e
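As an added example for this thread (not code from the original post, and not Cisco's own tooling), the following Python script parses the ACL exactly as it appears both in the question and in the `show access-list` output above, evaluates sample flows with the first-match rule that the whole thread relies on, and reports any flow whose observed result contradicts the configured order. The ACL text and hit counts are copied from the thread; the sending host 10.10.1.77, the destination 203.0.113.25, the flows and the "observed" results are constructed for illustration. It also parses the source-port variant of line 7 that is suggested later in the thread to show that it denies the same ephemeral-port flow.

```python
"""First-match simulation of a Cisco ASA extended ACL, cross-checked against
the counters in 'show access-list'.

Added example for this thread, not code from the original post or from Cisco.
ACL text and hit counts are copied from the thread; the host 10.10.1.77, the
destination 203.0.113.25, the flows and the observed results are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Copied from the 'show access-list inside_access_in' output posted in the thread.
SHOW_ACCESS_LIST = """\
access-list inside_access_in; 8 elements; name hash: 0x433a1af1
access-list inside_access_in line 1 extended permit tcp host 10.10.1.3 any eq smtp (hitcnt=3) 0x2f2ad7d3
access-list inside_access_in line 2 extended permit tcp host 10.10.1.92 any eq smtp (hitcnt=0) 0xfcb2c0be
access-list inside_access_in line 3 extended permit tcp host 10.1.1.200 any eq smtp (hitcnt=0) 0xb3096646
access-list inside_access_in line 4 extended permit tcp host 10.2.1.2 any eq smtp (hitcnt=0) 0xbbf01bf9
access-list inside_access_in line 5 extended permit tcp host 10.2.1.202 any eq smtp (hitcnt=0) 0x785e99e7
access-list inside_access_in line 6 extended permit tcp host 10.7.1.150 any eq smtp (hitcnt=0) 0xb773c1ec
access-list inside_access_in line 7 extended deny tcp any any eq smtp (hitcnt=0) 0xe3de3aa9
access-list inside_access_in line 8 extended permit ip any any (hitcnt=19887) 0xa925365e
"""

# The alternative line 7 suggested later in the thread (source port greater than 1023).
PROPOSED_LINE7 = "access-list inside_access_in line 7 extended deny tcp any gt 1023 any eq smtp"

PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "ssh": 22, "domain": 53}

# Matches both raw config lines (no hitcnt) and 'show access-list' lines (with hitcnt).
ACE_RE = re.compile(
    r"^access-list \S+ line (?P<line>\d+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>host \S+|any)(?: gt (?P<sgt>\d+))? (?P<dst>host \S+|any)"
    r"(?: eq (?P<dport>\S+))?(?: \(hitcnt=(?P<hits>\d+)\))?"
)


@dataclass
class Ace:
    line: int
    action: str
    proto: str                  # "tcp", "udp" or "ip" ("ip" matches every protocol)
    src: str                    # "any" or one IPv4 address
    src_port_gt: Optional[int]  # set for a "gt N" source-port qualifier
    dst: str
    dport: Optional[int]        # None means any destination port
    hits: Optional[int]         # None for raw config lines without counters

    def matches(self, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
        """Match this ACE against one flow (protocol, src, sport, dst, dport)."""
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src != "any" and self.src != src:
            return False
        if self.src_port_gt is not None and sport <= self.src_port_gt:
            return False
        if self.dst != "any" and self.dst != dst:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def _endpoint(token: str) -> str:
    return "any" if token == "any" else token.split()[1]


def _port(token: Optional[str]) -> Optional[int]:
    if token is None:
        return None
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_acl(text: str) -> List[Ace]:
    """Extract ACEs in line order; the summary header and hash columns are ignored."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        aces.append(Ace(
            line=int(m["line"]), action=m["action"], proto=m["proto"],
            src=_endpoint(m["src"]),
            src_port_gt=int(m["sgt"]) if m["sgt"] else None,
            dst=_endpoint(m["dst"]), dport=_port(m["dport"]),
            hits=int(m["hits"]) if m["hits"] else None,
        ))
    return sorted(aces, key=lambda a: a.line)


def evaluate(aces: List[Ace], proto: str, src: str, sport: int,
             dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """First match wins. No match means the implicit deny at the end (line None)."""
    for ace in aces:
        if ace.matches(proto, src, sport, dst, dport):
            return ace.action, ace.line
    return "deny", None


def diagnose(aces: List[Ace], observations) -> List[str]:
    """Compare the action the ACL text predicts for each flow with what was actually
    observed on the firewall. A mismatch means the running ACL is not being evaluated
    in the order the config shows, which is the symptom reported in this thread."""
    problems = []
    for flow, observed in observations:
        expected, line = evaluate(aces, *flow)
        if expected != observed:
            problems.append(f"{flow[1]} -> {flow[3]}:{flow[4]} expected {expected} "
                            f"(line {line}), observed {observed}")
    return problems


# Constructed observations reflecting what the poster reported: a host that is not
# in the permit list could still reach port 25 while line 7 stayed at hitcnt=0.
OBSERVED = [
    (("tcp", "10.10.1.3", 51000, "203.0.113.25", 25), "permit"),   # whitelisted host
    (("tcp", "10.10.1.77", 51001, "203.0.113.25", 25), "permit"),  # should hit the deny
    (("tcp", "10.10.1.77", 51002, "203.0.113.25", 443), "permit"), # line 8 catch-all
]

if __name__ == "__main__":
    acl = parse_acl(SHOW_ACCESS_LIST)
    for ace in acl:
        print(f"line {ace.line}: {ace.action} hitcnt={ace.hits}")
    for problem in diagnose(acl, OBSERVED):
        print("MISMATCH:", problem)
    print(parse_acl(PROPOSED_LINE7)[0].matches("tcp", "10.10.1.77", 51001, "203.0.113.25", 25))
```

Feed it a fresh `show access-list` capture after each change. If `diagnose` still reports a mismatch, and the deny line's hitcnt stays at zero while the `permit ip any any` counter keeps climbing, the ACL text is correct and the problem is in how the device is evaluating it, which is what the reload at the end of this thread resolved.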
 
LVL 57

Expert Comment

by:giltjr
ID: 38789225
Although it should not matter, the only thing I can think of trying is to replace your deny with

access-list inside_access_in line 7 extended deny tcp any gt 1023 any eq smtp
 

Author Comment

by:mulkeyinc
ID: 38789249
It's weird. I removed lines 1-7 and then reapplied entire ACL. Now the only hits I am getting is on permit ip any any statement.
 
LVL 57

Expert Comment

by:giltjr
ID: 38789332
Well, we are still running PIX and that is old; we don't change it that much because it is for a "B2B" direct IP link (not through the Internet). We are getting ready to be retired, but last I knew the access list is supposed to be processed in the order of the line numbers.

We don't code any denies. If it is not explicitly allowed, it's automatically denied, so we don't have any denies in our ACLs.

Now I did see something like that on an old 3550 switch where we had to remove the whole access list and add it back. Not sure what occurred there, but we had made a ton of changes and things started to get whacked out and we could not reload. We figured it was a memory corruption issue.

Got to go home will check later tonight to see if you made any progress.
 

Author Comment

by:mulkeyinc
ID: 38789357
Thanks. I have deployed many ASAs and never ran into this problem. I'm going to reboot the device when I can to see if that does the trick.
 
LVL 17

Expert Comment

by:TimotiSt
ID: 38792463
Any NAT configured on that PIX?
 

Accepted Solution

by:mulkeyinc (earned 0 total points)
ID: 38793062
Restarting the ASA fixed it. The ACL is now working properly. No config change was required.
 
LVL 57

Expert Comment

by:giltjr
ID: 38793075
Weird.  Glad it's working.
 

Author Closing Comment

by:mulkeyinc
ID: 38809116
Solved my own issue.
