topic Re: ACL on ASA5506 issue in Network Security

ACL on ASA5506 issue

Ditlev Weinreich — Thu, 17 Dec 2020 09:59:17 GMT

I've just finished creating NAT on my ASA, which is mentioned in another discussion. Now I'm doing a test with laptops, but it seems that I can't get traffic through. I believe it's an ACL-issue. I need to pass all traffic through from both sides.

My setup:

MY LAN --- (outside) ASA5506 (inside) --- 10.150.128.0/24 seen from MY LAN (but really 192.168.1.x/24)

My config:

interface GigabitEthernet1/1
nameif RK-LAN
security-level 100
ip address 10.100.20.20 255.255.252.0
!
interface GigabitEthernet1/2
nameif CTS-LAN
security-level 100
ip address 192.168.1.1 255.255.255.0

object network CTS-LAN
subnet 192.168.1.0 255.255.255.0
object network CTS-LAN-nat
subnet 10.150.128.0 255.255.255.0
access-list ALLOW-ALL extended permit ip any any

nat (CTS-LAN,RK-LAN) source static CTS-LAN CTS-LAN-nat

route RK-LAN 0.0.0.0 0.0.0.0 10.100.20.1 1

RK-ASA-CTS# sh xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from CTS-LAN:192.168.1.0/24 to RK-LAN:10.150.128.0/24
flags sT idle 43:32:35 timeout 0:00:00
NAT from RK-LAN:0.0.0.0/0 to CTS-LAN:0.0.0.0/0
flags sIT idle 43:32:35 timeout 0:00:00

RK-ASA-CTS# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list ALLOW-ALL; 1 elements; name hash: 0x141503bb
access-list ALLOW-ALL line 1 extended permit ip any any (hitcnt=52) 0x381ae15c

I'm trying with my laptop (192.168.1.5) on the CTS-LAN to ping IP: 10.100.20.1 on the RK-LAN

What did I miss?

Best regards

Re: ACL on ASA5506 issue

Rob Ingram — Thu, 17 Dec 2020 10:22:00 GMT

Hi @Ditlev Weinreich

What direction and on what interface(s) is that ACL applied?

Does the destination 10.100.20.1 have a route back to 10.150.128.0/24 via the ASA?

Run a packet-tracer from the CLI and provide the output

Re: ACL on ASA5506 issue

Ditlev Weinreich — Thu, 17 Dec 2020 11:33:30 GMT

Hi Rob

Thanks for taking your time to reply.

My test-setup right now is:

Laptop (10.100.20.1/22 - Default Gateway: 10.100.20.20) --- (outside/RK-LAN/10.100.20.20/22) ASA (inside/CTS-LAN/192.168.1.1/24) --- Laptop (192.168.1.5/24 - Default Gateway: 192.168.1.1)

So to answer your question, then yes. Since both of my laptops have default gateways pointing to the ASA interfaces, then the route to 10.150.128.0/24 should be handled in the ASA.

RK-ASA-CTS# packet-tracer input CTS-LAN tcp 192.168.1.5 1234 10.100.20.1 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.100.20.1 using egress ifc RK-LAN

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
output-interface: RK-LAN
output-status: up
output-line-status: up
Action: drop

Best regards

Re: ACL on ASA5506 issue

Rob Ingram — Thu, 17 Dec 2020 11:49:07 GMT

Is that all the output of packet-tracer? What ASA version are you running?

Please provide the full configuration for review

Re: ACL on ASA5506 issue

Ditlev Weinreich — Thu, 17 Dec 2020 11:55:06 GMT

Well,... this I don't understand.

With the setup described above, I get no hits on the ACL.

Both laptops are pinging the opposite laptop.

Laptop1 (10.100.20.1) pinging: 10.150.128.5

Laptop2 (192.168.1.5) pinging: 10.100.20.1

RK-ASA-CTS# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list ALLOW-ALL; 1 elements; name hash: 0x141503bb
access-list ALLOW-ALL line 1 extended permit ip any any (hitcnt=0) 0x381ae15c
RK-ASA-CTS# packet-tracer input CTS-LAN tcp 192.168.1.5 1234 10.100.20.1 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.100.20.1 using egress ifc RK-LAN

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
output-interface: RK-LAN
output-status: up
output-line-status: up
Action: drop

RK-ASA-CTS#

But when I connect my C3560CX instead of Laptop1, then I get hits on the ACL, but still no reply. The C3560CX has a dedicaded VLAN and interface, configured with same IP as Laptop1 - just without the route to 10.150.128.0/24.

I just saw your reply. I'll send complete config in my next reply.

Re: ACL on ASA5506 issue

Ditlev Weinreich — Thu, 17 Dec 2020 11:57:56 GMT

Complete config

RK-ASA-CTS# sh run
: Saved

:
: Serial Number: JAD202005WX
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(2)
!
hostname RK-ASA-CTS
domain-name CTS
enable password dgeB1J.VYUHUcYTL encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet1/1
nameif RK-LAN
security-level 100
ip address 10.100.20.20 255.255.252.0
!
interface GigabitEthernet1/2
nameif CTS-LAN
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif management
security-level 0
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name CTS
object network CTS-LAN
subnet 192.168.1.0 255.255.255.0
object network CTS-LAN-nat
subnet 10.150.128.0 255.255.255.0
access-list ALLOW-ALL extended permit ip any any
pager lines 24
mtu RK-LAN 1500
mtu CTS-LAN 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (CTS-LAN,RK-LAN) source static CTS-LAN CTS-LAN-nat
access-group ALLOW-ALL global
route RK-LAN 0.0.0.0 0.0.0.0 10.100.20.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.20.40.0 255.255.255.0 RK-LAN
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.20.40.0 255.255.255.0 RK-LAN
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username admin password DzZkG9zknNTbolp4 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:360d62599d071045a47c6cace21a6715
: end

Re: ACL on ASA5506 issue

Rob Ingram — Thu, 17 Dec 2020 12:00:25 GMT

You've got the same security-level on both interfaces. Use the command same-security-traffic permit inter-interface. This allows traffic to enter an interface and exit from another interface of the same security level.

Re: ACL on ASA5506 issue

Ditlev Weinreich — Thu, 17 Dec 2020 12:03:32 GMT

AAAAAH. Thank you so much.