topic Re: Help with basic access lists. in Network Security

Help with basic access lists.

ukdkbr1234 — Tue, 12 Mar 2019 02:49:24 GMT

Hi,

We have an ASA 5515 and we have a pretty basic setup, one ousite interface, one inside. We have a remote DVR setup at a location, we need to view the DVR through viewing software that communicates to the DVR over port 2000.

I setup an access list to allow all outside traffic over tcp/2000 through to an entire vlan:

access-list outside-in extended permit tcp any 192.168.6.0 255.255.255.0 eq 2000

It still seems to be blocking all port 2000 traffic, do I need to setup a NAT from the outside interface to this vlan?

Help with basic access lists.

Jouni Forss — Wed, 09 Oct 2013 16:32:11 GMT

Hi,

Are you saying that the DVR is on a site where there is an ASA5515-X and users need to contact the DVR from the external network through the ASA with destination port TCP/2000 ?

Then you will need Static PAT (Port Forward) atleast

object network DVR

host

nat (inside,outside) static interface service 2000 2000

access-list outside-in permit tcp any object DVR eq 2000

- Jouni

Help with basic access lists.

ukdkbr1234 — Wed, 09 Oct 2013 16:33:26 GMT

Other way around, the dvr is not behind the asa, the users attempting to connect to it are.

Re: Help with basic access lists.

Jouni Forss — Wed, 09 Oct 2013 16:38:25 GMT

Hi,

Well in that case you will only need the basic Dynamic PAT configuration with regards to NAT. I assume this is already in place as otherwise no external connection from your LAN would not work.

I dont see how your ACLs are configured and attached to interfaces but judging from its name the ACL in question might be attached with the following command

access-group outside-in in interface outside

If so, then this ACL only controls connections initiated from behind the "outside" interface.

If you have an ACL attached to the "inside" interface then you would have to make sure the traffic is allowed in that ACL

You can test the rules/configurations applied to the traffic with the "packet-tracer" command

packet-tracer input tcp 12345 2000

This should simulate and tell us what would happen to a connection coming from your LAN through the ASA towards the DVR with destination port TCP/2000. Naturally you will have to replace the above with some LAN user IP address.

- Jouni

Re: Help with basic access lists.

ukdkbr1234 — Wed, 09 Oct 2013 16:48:19 GMT

>I dont see how your ACLs are configured and attached to interfaces but judging from its name the ACL in question might >be attached with the following command

>access-group outside-in in interface outside

Yes that is correct. I ran the packet-tracer command as you suggested and it appear that it allows everything.

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

Yet I still can't seem to get this to connect. If I connect the workstation to a connection that is not behind the ASA it connects without issue.

Help with basic access lists.

Jouni Forss — Wed, 09 Oct 2013 16:53:19 GMT

Hi,

I would probably monitor the logs while connecting to see if anything gets blocked or if the connections get through what happens to them when the logs show the "Teardown" message for the connections. This is probably easiest done through the ASDM monitor/logging section.

- Jouni

Re: Help with basic access lists.

Anas Hijjawi — Wed, 09 Oct 2013 17:00:26 GMT

Check if you have route for DVR on the ASA, and that you have a route to the 192.168.6.0/24 subnet on the DVR L3 device

Help with basic access lists.

Jouni Forss — Wed, 09 Oct 2013 17:06:11 GMT

Hi,

I got the picture atleast that the users are behind the ASA and the DVR is at some remote location.

If that is the case then there should already be a default route and I would imagine from the DVRs perspective should also be fine.

- Jouni

Re: Help with basic access lists.

Anas Hijjawi — Wed, 09 Oct 2013 17:10:48 GMT

Jouni, as he mentioned that he is allowing the traffic frm outside, then DVR should be Inside, defualt route on the FW will be to outside, and he needs to add a static route to DVR network through the Inside network

Help with basic access lists.

Jouni Forss — Wed, 09 Oct 2013 17:13:57 GMT

Though it was mentioned that the users are behind the ASA and I doubt they are behind the "outside" interface or it would be a pretty uncommon/wierd setup. Which again would mean that the DVR is behind the "outside" interface.

But again this would be clearer if could see actual configurations

- Jouni

Re: Help with basic access lists.

ukdkbr1234 — Wed, 09 Oct 2013 19:51:31 GMT

Yes, it's layed out like this:

DVR <-> Internet <-> ASA <-> users

I attached my config if that would give you a better idea of how we are setup, I removed the access-list for the port 2000 because it didn't make any difference and I wanted you to see the config before i edited it. Any other ideas?

Help with basic access lists.

Jouni Forss — Wed, 09 Oct 2013 20:18:25 GMT

Hi,

To be honest its a pretty basic configuration and the TCP/2000 connection should pass.

Only thing I can think of is that the port TCP/2000 is typically used to my understanding by VOIP Phones





2000
TCP
UDP
Cisco SCCP (Skinny)

So I am wondering if the "inspect skinny" is causing the traffic to drop?

If you dont have need for the "inspect skinny", remove it from the

policy-map global_policy

description Net Flow

class inspection_default

inspect skinny

- Jouni

Re: Help with basic access lists.

ukdkbr1234 — Wed, 09 Oct 2013 20:42:55 GMT

>So I am wondering if the

>"inspect skinny"

>is causing the traffic to drop?

Thank you thank you thank you!!!! That was indeed the issue!