topic INBOUND ACL in 8.6 code in Network Security

INBOUND ACL in 8.6 code

Jean Paul Enerst — Tue, 12 Mar 2019 02:09:02 GMT

Hi All,

I am not so familliar with 8.6 code and I am trying to give an outside host access to another host in the DMZ. I have have a NAT set for the host in the DMZ and in the ACL on the outside interface, i have used the local IP(192.168.x.x) in the ACL. I have defied my services(isakmp,esp,gre,ipsec).

When i do a show local host 192.168.x.x, i can see that there is an isakmp connection established

local host: <192.16x.2x.22>,

TCP flow count/limit = 0/unlimited

TCP embryonic count to host = 0

TCP intercept watermark = unlimited

UDP flow count/limit = 2/unlimited

Conn:

UDP outside 2x.2xx.x24.19x:500 dmz 192.16x.2x.22:500, idle 0:00:01, bytes 488, flags -

UDP outside 20x.9x.2xx.132:500 dmz 192.16X.2X.22:500, idle 0:00:00, bytes 1152, flags -

But adminstrator in the other end, keeps telling the tunnel is up! Packet-tracer also shows the packet drop after passing the NAT. But the output above shows isakmp connection in port 500. I also tried to test the port by telnet to the IP follow by the port number(192.16x.2x.22 500) with no luck.

There packet-tracer information as well...

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 192.16.200.0 255.255.255.0 dmz

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group from_outside in interface outside

access-list from_outside extended permit object-group Long_vpn_ser object-group DM_INLINE_NETWORK_4 object Long_vpn

object-group service Longview_vpn_ser

description: Services for Long VPN access

service-object gre

service-object esp

service-object ah

service-object udp destination eq isakmp

service-object tcp destination eq ssh

service-object object IPSEC

object-group network DM_INLINE_NETWORK_4

network-object host 2x.9x.2xx.13x

network-object host 21x.2xx.2x4.19x

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: FOVER

Subtype: standby-update

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (dmz,outside) source static Long_vpn Long_pub

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: dmz

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Any help will be greatly appreciate,

Thanks

INBOUND ACL in 8.6 code

Jouni Forss — Mon, 08 Jul 2013 19:13:48 GMT

Hi,

You are probably using the real IP address as the destination IP address of the "packet-tracer" command and that is why the ASA tells you that the simulated connection would fail the RPF check. Since on the way it doesnt hit any NAT rule but on the back out it hits a NAT rule.

Try the "packet-tracer" output with the public IP address if you want to accurately simulate the incoming packet.

- Jouni

INBOUND ACL in 8.6 code

Jean Paul Enerst — Mon, 08 Jul 2013 19:25:19 GMT

Hi Jouni,

I did figured this part out, but i still don't understans why the other end of the tunnel is up when in my ASA it shows up! Also as i mentioned above, i cannot test port 500 via telnet.Obivious something is wrong but the configuration so simple!

Thanks,

Eddy

INBOUND ACL in 8.6 code

Jouni Forss — Mon, 08 Jul 2013 19:30:19 GMT

Hi,

What is strange about the tunnel being up if everything is allowed and the reason the "packet-tracer" was failing was because the wrong IP address was used?

You cant test ISAKMP / UDP500 with Telnet as telnet is TCP and not UDP.

- Jouni

INBOUND ACL in 8.6 code

Jean Paul Enerst — Mon, 08 Jul 2013 19:39:46 GMT

Thanks for help, and did not realized that can't test UDP with this test. Although, i made the same test for ssh and still no access. Please see below in regards to the packet-tracer and result

INBOUND ACL in 8.6 code

Jean Paul Enerst — Mon, 08 Jul 2013 19:41:00 GMT

INBOUND ACL in 8.6 code

Jouni Forss — Mon, 08 Jul 2013 19:44:39 GMT

Hi,

You are still using the local IP address the destination.

The "packet-tracer" is meant to simulate the actual packet entering the ASA interface.

When you are testing traffic from the Internet then you will have to use the public NAT IP address as the destination naturally.

On the ACLs ofcourse the destination IP address is the local IP address because of the NAT and ACL format changes in the new software.

Hopefully this clears things up

Please do remember to mark a reply as the correct answer if it answered your question

Ask more if needed naturally

- Jouni