topic Hi, So as you can see both of in Network Security

Cleaning up Access Lists

Steven Couture — Tue, 26 Mar 2019 00:53:47 GMT

Here is an access list I want to know if I can "clean up" :

access-list outside_access_in extended permit tcp any host 192.168.0.81 eq 7500
access-list outside_access_in extended permit tcp any host 192.168.0.202 eq 3389
access-list outside_access_in extended permit object RDP any any
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 7500
access-list outside_access_in_1 extended permit object RDP any object FileServer
access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53827
access-list outside_access_in_1 extended permit tcp any object New_Server eq 3389
access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53828
access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53829
access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53830
access-list outside_access_in_1 extended permit tcp any object New_Server eq 53850
access-list outside_access_in_1 extended permit tcp any object New_Server eq 53810
access-list outside_access_in_1 extended permit tcp any object New_Server eq 53855
access-list outside_access_in_1 extended permit tcp any object New_Server eq telnet
access-list outside_access_in_1 extended permit tcp any object New_Server eq 55443
access-list outside_access_in_1 extended permit tcp any object New_Server eq 7500
access-list outside_access_in_1 extended permit tcp any object DattoDevice eq ssh
access-list outside_access_in_1 extended permit udp any object DattoDevice eq ntp
access-list outside_access_in_1 extended permit icmp any object DattoDevice
access-list RemoteVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 156.30.21.200 255.255.255.248
access-list outside_cryptomap_1 extended permit ip object host-192.168.0.81 156.30.21.200 255.255.255.248

What is the significance of the _1 on most of these statements? Should/could I add an _1 to the top 4 lines to make this list symmetrical? I suspect some of these lines were created when they migrated over from a PIX501 to this ASA......

Hi, To my understanding the

Jouni Forss — Mon, 01 Sep 2014 11:53:02 GMT

Hi,

To my understanding the numbering in the format "_1" (and similiar) are generated by device when you configure it through the ASDM.

The "access-list" configurations for "outside_access_in" and "outside_access_in_1" are for 2 totally different ACLs.

I would imagine that only one of them it attached to your "outside" interface at the moment. You can check what ACLs are attached to the interfaces of the ASA with the command

show run access-group

You could add the same lines from the old ACL to the new ACL with the "_1" at the end but you probably wont need all the statements (if any). The first line of the ACL you seem to have in the new one already.

The second ACL line might be in the new ACL. I am not sure as it contains "object" configurations which hold the IP addresses that I cant see.

Same goes for the third line of the ACL. It contains an "object" configuration though it seems it allows RDP from "any" host to "any" host. You might already have the RDP rules for the required hosts but with this information I can not say whats the case.

The last (fourth) line of the ACL seems to be a RDP rule that previously allowed RDP connections towards a host that used the PIX firewalls "outside" interface as its public IP address. This wont be needed anymore as in the new software that you are using you always allow the traffic to the local IP address, even if there is a NAT conigured.

The ACL named "RemoveVPN_SplitTunnelAcl" is probably currently in the "group-policy" configurations of your VPN. I doubt you will have to touch this at all.

At the end of the post you have ACLs named "outside_cryptomap" and "outside_cryptomap_1". These seems to be ACLs configured for L2L VPN connections. Considering the destinatin subnet in both of these is identical I imagine that also only one of these is in actual use at the moment.

You can check what is in use with the command

show run crypto map

Hope this helps 🙂

- Jouni

Yes - thank you - I am sure

Steven Couture — Mon, 01 Sep 2014 12:39:11 GMT

Yes - thank you - I am sure you can tell I am a newbie, and I appreciate your patience to help me learn - here is what I have found:

Result of the command: "show run access-group"

access-group outside_access_in_1 in interface outside

Result of the command: "show run crypto map"

crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 216.203.80.110
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

I am using software version 8

Steven Couture — Mon, 01 Sep 2014 12:48:30 GMT

I am using software version 8.4(7)3 and can send you the full running config if you want....

Hi, So as you can see both of

Jouni Forss — Mon, 01 Sep 2014 12:50:40 GMT

Hi,

So as you can see both of the ACLs which have the "_1" at the end of their names are used in the actual configuration at the moment. So the ACLs named similiarly but WITHOUT the "_1" are not used at the moment.

The change in the naming is as I said probably due to configurations made on the ASDM (GUI) when you have made new ACL for the purpose of the L2L VPN and the "outside" interface. The firewall simply creates a new ACL and because it cant be the same name it just add a number at the end with the "_"

With regards to the ACL attached to the "outside" interface I would simply suggest that you confirm does the current ACL allow all the connections that you need? If everything is working as intended then there is no need to change the current ACL. If something is not working then I would check if the old ACL that is not in use has something that is missing from the current ACL. Naturally if the current ACL has something that is not needed you can remove those ACL lines from the configuration.

With regards to the ACL used in the "crypto map" configurations I would again ask is the L2L VPN working as expected? Is the connection UP and are you able to connect to all the resources required? If its working then I would not naturally touch the ACL. You can remove the ACL that is not in use by the "crypto map" configurations.

- Jouni

Everything is working fine -

Steven Couture — Mon, 01 Sep 2014 13:04:30 GMT

Everything is working fine - just looking to clean things up in preparation for an outside static IP address change in the near future as we plan to change ISP's.