topic Re: access list rule not working in Network Security

access list rule not working

Dragomir — Tue, 12 Mar 2019 02:15:35 GMT

I have an extended access-list rule that is #1 in poistion on the external access list

access-list acl-outside line 1 extended permit tcp host x.x.x.x host a.b.c.d eq 5723

access-list acl-outside line 2 extended permit tcp host x.x.x.y host a.b.c.e eq 5723

but when i telnet from x.x.x.x to a.b.c.d to 5723

it does not listen or respond.

internally i verified that the ports is listening on the host.

The ip of the internal ip is natted to the external ip a.b.c.d

any idea?

access list rule not working

Jouni Forss — Mon, 22 Jul 2013 21:49:51 GMT

Hi,

Well the first thing to do would be to use the "packet-tracer" to check what it says would happen to such a connections

packet-tracer input outside tcp x.x.x.x 12345 a.b.c.d 5723

This should tell us if all the configurations are ok. For example that we are matching the correct NAT configuration and ACL rule.

If everything seems fine (share the output) then you should probably test the connection from the external network and monitor the syslogs and check that you see the Building and Teardown messages of the TCP connection. Furthermore look at what the termination reason of the connection is in the Teardown message.

There could be several reasons the connections isnt coming up even though the firewall configurations are ok

No default route on the host
Other routing problem from the host back to the external network
Software firewall blocking the connection attempt
Some other device in between blocking the connection attempt
Service not enabled on the host
etc

One "last" option is ofcourse to take a traffic capture on the ASA and confirm if the traffic is heading to the host and if anything is coming back while the TCP connection is being formed.

- Jouni

access list rule not working

Julio Carvajal — Mon, 22 Jul 2013 21:51:13 GMT

So you are running a version lowe than 8.3 right?

Remember that after 8.3 you now poing to the private ip addresses of the devices.

To be sure this is not a FW issue

capture capout interface outside match tcp host x.x.x.x host a.b.c.d_public eq 5723

capture capin interface inside match tcp host x.x.x.x host a.b.c.d_Private eq 5723

Then try to connect once and share

show cap capout

show cap capin

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

access list rule not working

Dragomir — Mon, 22 Jul 2013 22:00:23 GMT

packet-tracer input outside tcp x.x.x.x 12345 a.b.c.d 5723

12345 is the source port of the source ip? I dont know what the source port will be

access list rule not working

Dragomir — Mon, 22 Jul 2013 22:01:23 GMT

capture capout interface outside match tcp host x.x.x.x host a.b.c.d_public eq 5723

when i do this it says incomplete command

Hostname or A.B.C.D Destination IP address

any Abbreviation for destination address and mask of 0.0.0.0

0.0.0.0

host Use this keyword to configure destination host

Re: access list rule not working

Jouni Forss — Mon, 22 Jul 2013 22:03:01 GMT

Hi,

You dont really need to know the source port. The source port is irrelevant. As you see you have not defined any specific source port in the ACL so any source port is allowed. The port 12345 is just an example source port as the connection/packet simulated needs to have one.

- Jouni

access list rule not working

Dragomir — Mon, 22 Jul 2013 22:09:13 GMT

I ran the packet tracer and came up with this result

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

access list rule not working

Jouni Forss — Mon, 22 Jul 2013 22:12:27 GMT

Hi,

It would be good to see the full output of the command.

But if that is all that can be seen then it would seem to point out that the ASA configurations are fine and the problems and the problem is somewhere else.

The next thing would be to look at the ASA logs while attempting the connection. ASDM would probably be the easiest way if you have not set up a Syslog server to which the ASA sends the logs.

- Jouni

access list rule not working

Dragomir — Mon, 22 Jul 2013 23:14:35 GMT

i did both captures and there are no packets captured

show capture capout

0 packet captured

0 packet shown

show capture capin

0 packet captured

0 packet shown

access list rule not working

Jouni Forss — Mon, 22 Jul 2013 23:19:55 GMT

Hi,

Either the capture was configured with incorrect IP addresses or there was simply no traffic from the public/external network that ever reached the ASA.

- Jouni

access list rule not working

Dragomir — Mon, 22 Jul 2013 23:21:48 GMT

i initiated the traffic from x.x.x.x with a telnet public_ip 5723

but there was no response.

I am able to ping the ip from x.x.x.x

access list rule not working

Julio Carvajal — Mon, 22 Jul 2013 23:31:05 GMT

If you generate the traffic and you do not see anything on the capture then as Jounni said traffic is not getting to the ASA, it´s being block somewhere else....

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

access list rule not working

Dragomir — Mon, 22 Jul 2013 23:42:02 GMT

how do I find out the telnet connection from the source to the destination from the logs?

access list rule not working

Julio Carvajal — Mon, 22 Jul 2013 23:43:58 GMT

show logging | include x.x.x.x (Source IP address)

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

access list rule not working

Jouni Forss — Mon, 22 Jul 2013 23:45:37 GMT

Hi,

I would probably start by logging into the ASDM management and go to the Monitoring sections and open logging. Then you could attempt the connections and see if any connection attempts are getting denied.

Since you already configured a packet capture and we got no hits, that would mean that either the capture was configured with the wrong IP addresses or simply no traffic reached your ASA.

Since you say that ICMP works it would seem more likely to me that the traffic might be coming from a different source IP address than the one configured in the ACL rules perhaps?

- Jouni

Re: access list rule not working

Dragomir — Tue, 23 Jul 2013 04:08:24 GMT

yes I am logged into the adsm. all icmp traffic i can see being logged. but telnetting to port 5723 is not. I actually aleady see an access list ule allow all traffic from the source ip subnet to this ip.

I was able to telnet to port 80 and it worked. but not 5723. any ideas?

but even telnetting to port 80 shows no logging traffic

Re: access list rule not working

Dragomir — Tue, 23 Jul 2013 04:45:07 GMT

when i telnet to port 443 of th public ip, I get something like

Teardown TCP connection 319711461 for outside: 1.1.1.1/49632 to inside 2.2.2.2/443 duration 0:00:00 bytes 0 TCP Reset-I

but whne i telnet to port 80 or 5723, nothing happens and no logging occurs

access list rule not working

Jouni Forss — Tue, 23 Jul 2013 12:00:26 GMT

Hi,

Well without seeing any actual configurations it would seem that your connections simply arent reaching the ASA if its not logging anything.

The above log message indicates that the connection was immediately reset by the internal host/server. So it refused the connection by sending TCP Reset.

- Jouni