topic ACL Problem with firewall in Network Security

ACL Problem with firewall

azizur-rahman — Tue, 12 Mar 2019 07:07:06 GMT

Hi,

I am configuring a firewall which has four zones:

1. DC-INSIDE (security-level 50)

2. DC-OUTSIDE (security-level 50)

3. DC-DMZ-ZONE (security-level 90)

4. DC-SERVER-ZONE (security-level 100)

I created the below ACLs for all users can access all zones:

access-list DC-OUTSIDE_ACCESS_IN extended permit ip any any
access-list DC-INSIDE_ACCESS_IN extended permit ip any any
access-list DC-DMZ-ZONE_ACCESS_IN extended permit ip any any
access-list DC-SERVER-ZONE_ACCESS_IN extended permit ip any any

access-group DC-OUTSIDE_ACCESS_IN in interface DC-OUTSIDE
access-group DC-INSIDE_ACCESS_IN in interface DC-INSIDE
access-group DC-DMZ-ZONE_ACCESS_IN in interface DC-DMZ-ZONE
access-group DC-SERVER-ZONE_ACCESS_IN in interface DC-SERVER-ZONE

Problems:

1. I cannot access DC-INSIDE to DC-OUTSIDE

2. I cannot access DC-SERVER-ZONE to DC-OUTSIDE

3. I cannot access DC-DMZ-ZONE to DC-OUTSIDE

***(N.B.: I only get access DC-OUTSIDE to DC-INSIDE and DC-OUTSIDE to DC-SERVER-ZONE)

Is there any mistake in ACLs?

If there is any mistake, please let me know and suggest me the solution.

Thanking You-

Azizur Rahman

Hi Azizur,

gaowen — Wed, 06 Jan 2016 18:20:05 GMT

Hi Azizur,

By default the ASA will not permit traffic between interfaces (or sub-interfaces) with the same security level, or for that matter hairpin traffic. You can either change the security levels of the interfaces or use the 'same-security-traffic permit inter-interface' command in global config mode. This will solve your DC-INSIDE to DC-OUTSIDE problem.

as for your other problems ensure routing is in place and I recommend using the 'packet-tracer' command to see where the problem lies.

Gareth

Yes Gareth,

azizur-rahman — Wed, 06 Jan 2016 18:32:31 GMT

Yes Gareth,

I know that by default the ASA will not permit traffic between interfaces (or sub-interfaces) with the same security level. To communicate between two same security level zone, I use "same-security-traffic permit inter-interface" commend.

Gareth, one thing I would like to mention that I can access (ping) DC-OUTSIDE to DC-INSIDE and both are in same security level (50). So I think it is working. but I cannot get ping DC-INSIDE to DC-OUTSIDE, DC-SERVER-ZONE to DC-OUTSIDE and DC-DMZ-ZONE to DC-OUTSIDE.

Thanking You-

Azizur Rahman

Hi Azizur,

gaowen — Wed, 06 Jan 2016 18:35:54 GMT

Hi Azizur,

Could you post interface configurations and 'show route' and 'show arp' output please? also what are the addresses of the devices on each interface you are trying to ping from/to?

thanks,

Gareth

Hi Gareth,

azizur-rahman — Wed, 06 Jan 2016 19:08:02 GMT

Hi Gareth,

Please find the attachments.

Ping Test:

1. From 10.10.3.3 to 10.10.1.1===ok

2. From 10.10.1.1 to 10.10.3.3, 10.10.3.5 (standby)===Not ok

3. From 10.10.3.3 to 10.10.2.1===ok

4. From 10.10.2.1 to 10.10.3.3===Not ok

5. From 10.10.3.3 to 192.168.102.254===ok

6. From 192.168.102.254 to 10.10.3.3===not ok

Thanking You-

Azizur Rahman

Hi Azizur,

gaowen — Wed, 06 Jan 2016 19:22:00 GMT

Hi Azizur,

Could you run the commands:

packet-tracer input DC-INSIDE tcp 10.10.1.1 50000 10.10.3.3 443 detailed

packet-tracer input DC-INSIDE tcp 10.10.2.1 50000 10.10.3.3 443 detailed

packet-tracer input DC-INSIDE tcp 192.168.102.254 50000 10.10.3.3 443 detailed

and post the output please?

Gareth

apply this command:

sarabsin — Wed, 06 Jan 2016 20:33:09 GMT

apply this command:

same-security permit inter-interface

Thanks,

Sarabjit

Please rate it if helpful.

ignore my previous comments ,

sarabsin — Wed, 06 Jan 2016 20:37:45 GMT

ignore my previous comments , it already has been suggested.