topic Re: ASA 5506 Access List Problem in Network Security

ASA 5506 Access List Problem

Tom101 — Tue, 20 Dec 2022 18:23:11 GMT

Hello Cisco Community,

I am trying to allow port 80 through a ASA 5506 firewall from my DMZ to a INTERNAL zone for a HTTP server. I am having a problem with the access list, and have encountered a strange problem.

The ip address of my HTTP server is 192.168.2.1. When i use the access list command:

access-list WEB-INSIDE extended permit tcp host 192.168.2.1 any gt www

It works fine, however when i use the command equal to www:

access-list WEB-INSIDE extended permit tcp host 192.168.2.1 any eq www

It drops the HTTP packets, and doesn't allow it through the firewall. Does anyone know why?

I'm applying the access list to the DMZ 'in' interface.

access-group WEB-INSIDE in interface DMZ

I have attached two packet tracer files to demonstrate a working and non-working configuration. I may be doing something wrong. Thank you.

Re: ASA 5506 Access List Problem

MHM Cisco World — Tue, 20 Dec 2022 17:58:55 GMT

access-list WEB-INSIDE extended permit tcp any host 192.168.2.1 eq www

this right one I think to make OUT host access to server IN.

Re: ASA 5506 Access List Problem

Tom101 — Tue, 20 Dec 2022 18:13:46 GMT

Hi MHM,

Thank you for your reply. I tried to implement your suggestion but couldn't get it to work. I thought I had the source/destination the right way round, but i may have it wrong. I don't use access lists very often.

It is strange because when i use the command:

access-list WEB-INSIDE extended permit icmp host 192.168.2.1 any

ICMP packets don't get dropped and ping works fine. Do you have any other suggests?

Re: ASA 5506 Access List Problem

Rob Ingram — Tue, 20 Dec 2022 18:31:43 GMT

Edit - mis-read the question.

Re: ASA 5506 Access List Problem

MHM Cisco World — Tue, 20 Dec 2022 18:17:40 GMT

can I see full config ?

Re: ASA 5506 Access List Problem

Tom101 — Tue, 20 Dec 2022 18:29:15 GMT

Yes, I have attached the packet tracer files, but i'll paste the configuration here too.

Here's a photo of the config:

ASA Firewall config:

interface GigabitEthernet1/1

nameif INSIDE

security-level 100

ip address 192.168.1.254 255.255.255.0

interface GigabitEthernet1/2

nameif DMZ

security-level 50

ip address 192.168.2.254 255.255.255.0

interface GigabitEthernet1/3

nameif OUTSIDE

security-level 0

no ip address

shutdown

object network DMZ-WEB

host 192.168.2.1

nat (DMZ,OUTSIDE) static 1.1.1.1

object network INSIDE

subnet 192.168.1.0 255.255.255.0

nat (INSIDE,OUTSIDE) dynamic interface

access-list WEB-INSIDE extended permit icmp host 192.168.2.1 any

access-list WEB-INSIDE extended permit tcp host 192.168.2.1 any eq www

access-group WEB-INSIDE in interface DMZ

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect tftp

service-policy global_policy global

Re: ASA 5506 Access List Problem

Tom101 — Tue, 20 Dec 2022 18:32:01 GMT

Hi Rob, thank you for your reply.

From what you're describing it sounds like I have it set up correctly. (I think).

I have added the access list to the DMZ in interface with this command.

access-group WEB-INSIDE in interface DMZ

and i'm using the 'eq www' in the access list.

access-list WEB-INSIDE extended permit tcp host 192.168.2.1 any eq www

Re: ASA 5506 Access List Problem

MHM Cisco World — Tue, 20 Dec 2022 18:39:54 GMT

no need any access list,
since initiate traffic from the high security IN =100 to DMZ low =50.

for ICMP you need

policy-map global_policy

class inspection_default
inspect icmp <<- this what you need

Re: ASA 5506 Access List Problem

Tom101 — Tue, 20 Dec 2022 19:03:40 GMT

Will that work for port 80 and 443 if i want https, or just for icmp?

Re: ASA 5506 Access List Problem

MHM Cisco World — Tue, 20 Dec 2022 19:25:23 GMT

I will run lab for you and check your config.
update you today.

Re: ASA 5506 Access List Problem

Tom101 — Tue, 20 Dec 2022 19:43:24 GMT

Thank so much.

Re: ASA 5506 Access List Problem

Rob Ingram — Tue, 20 Dec 2022 20:26:52 GMT

@Tom101 are you actually trying to allow traffic from the INSIDE network to the HTTP server (192.168.2.1) on port tcp/80 in the DMZ? If so, remove the access-group from the DMZ - "no access-group WEB-INSIDE in interface DMZ"

Your question reads the other way around (traffic initiated from DMZ to INSIDE) and your ACL implies communication is initiated from DMZ to INSIDE.

Re: ASA 5506 Access List Problem

Tom101 — Tue, 20 Dec 2022 20:30:36 GMT

Oo i see, ok thank you Rob. I'm trying to allow my PC from the INSIDE network to access the HTTP website on the server in the DMZ.

Re: ASA 5506 Access List Problem

Rob Ingram — Tue, 20 Dec 2022 20:34:09 GMT

@Tom101 then you ACL is incorrect, you don't need to apply the ACL to the DMZ interface. Remove it.

no access-group WEB-INSIDE in interface DMZ
no access-list WEB-INSIDE extended permit tcp host 192.168.2.1 any eq www

Traffic will be permitted from INSIDE to DMZ as default as the INSIDE interface has a higher security-level than the DMZ interface.

Re: ASA 5506 Access List Problem

MHM Cisco World — Tue, 20 Dec 2022 21:18:35 GMT

as I mention before since the traffic from High to low security level (from 100 to 50) no need any ACL
then what is issue ??

ISSUE is PKT limit you need to first
1- no policy-map global_policy
2-no service-policy global_policy global
3-
policy-map global_policy

class inspection_default

inspect http <<- add this

inspect icmp <<- add this

4-service-policy global_policy global

and as you see I can access HTTP in DMZ without any issue
see I change the hello message to be welcome to MHM

Re: ASA 5506 Access List Problem

Tom101 — Tue, 20 Dec 2022 21:20:01 GMT

Hi Rob, am i right in saying that the default security-level rule will only work when there is no other access list bound to an interface? So if I was to extend the network and add additional access list rules, would that stop working? What access-list rule would I need if that was the case?

Also, I deleted the access-group and access-list and I still cannot get it to work. The ICMP ping will reach the HTTP web server, but the firewall will not allow it back into the inside network.

Re: ASA 5506 Access List Problem

Tom101 — Tue, 20 Dec 2022 23:52:23 GMT

Thank you for trying. Still cannot get it working on my computer. I have tried multiple times - starting with a new 5506 firewall. It works perfectly on the 5505 with the same config, but not on the 5506 firewall. I am on a arm computer, so might be something to do with that.

Re: ASA 5506 Access List Problem

MHM Cisco World — Wed, 21 Dec 2022 00:05:02 GMT

only repeat same step I mention above and it will work.

Re: ASA 5506 Access List Problem

Tom101 — Wed, 21 Dec 2022 01:56:17 GMT

Finally, got it to work thank you. There seems to be a bug with packet tracer saving the global policy-map. It does not always register it on my computer, and then when i restart packet tracer it restores it to default. Even when using 'Write memory' and 'copy running-config startup-config'.

Re: ASA 5506 Access List Problem

MHM Cisco World — Wed, 21 Dec 2022 08:34:38 GMT

You are so so welcome friend any time.