topic Re: Help with command line access list in Network Security

Help with command line access list

Andrew White — Mon, 11 Mar 2019 23:42:05 GMT

Hello,

I use the ASDM for lots of work onour ASA, but I want to start using the CLI to add access lists.

I just created a rul onthe ASDM and looked at the syslog server and the command it used was:

access-list outside_access_in line 321 extended permit tcp object-group DM_INLINE_NETWORK_333 host 172.22.1.4 object-group DM_INLINE_TCP_87

On the ASDM all I did was create one rule containing 2 source IP's (192.168.1.10 and 192.168.168.1.20) to get to 172.22.1.4 on ports 80 and 443, how would write this in CLI for one rule, as the ASA seems to create these straneg DM_INLINE groups?

Thanks

Re: Help with command line access list

Jouni Forss — Tue, 14 Aug 2012 11:55:52 GMT

Hi,

DM_INLINE are object-groups created by the ASDM when you insert more than one IP/network/port into a section in the ASDM configurations

Best way to check what the ASDM does is to do the following

Open ASDM and open the "Tools" in the toolbar and click on "Preferences"

Now check the appropriate box to make it so that ASDM will always preview the CLI format of the configurations to you before sending to the device

Since you checked the inserted command from log I think you probably missed the messages about the ASA creating the object-groups.

Personally I never use ASDM for access rules. I always make the object-groups and ACLs on the CLI side. Same for NAT configurations.

Hope this was helpfull

- Jouni

Re: Help with command line access list

Jouni Forss — Tue, 14 Aug 2012 12:06:45 GMT

Hi,

And to answer your actual question of how to write the rule on the CLI, you can do several ways

Option 1.

access-list outside_access_in permit tcp host 192.168.1.10 host 172.22.1.4 eq 80

access-list outside_access_in permit tcp host 192.168.1.10 host 172.22.1.4 eq 443

access-list outside_access_in permit tcp host 192.168.1.20 host 172.22.1.4 eq 80

access-list outside_access_in permit tcp host 192.168.1.20 host 172.22.1.4 eq 443

Option 2.

object-group network HTTP-HTTPS-SOURCE (or any other descriptive name)

network-object host 192.168.1.10

network-object host 192.168.1.20

access-list outside_access_in permit tcp object-group HTTP-HTTPS-SOURCE host 172.22.1.4 eq 80

access-list outside_access_in permit tcp object-group HTTP-HTTPS-SOURCE host 172.22.1.4 eq 443

Option 3.

- This is basically what the ASDM did but with "ugly" object-group names

object-group network HTTP-HTTPS-SOURCE (or any other descriptive name)

network-object host 192.168.1.10

network-object host 192.168.1.20

object-group service HTTP-HTTPS tcp

port-object eq www

port-object eq https

access-list outside_access_in permit tcp object-group HTTP-HTTPS-SOURCE host 172.22.1.4 object-group HTTP-HTTPS

- Jouni

Help with command line access list

Andrew White — Tue, 14 Aug 2012 13:17:57 GMT

Probably the best reply I have ever had to a forum post, thanks very much!

I'm going to start using this. The only issue I have sometimes is finding access rules in the command line to edit as we have so many, do you have any usefulcommands to use to locate an access list?

Thanks again

Re: Help with command line access list

Jouni Forss — Tue, 14 Aug 2012 13:37:50 GMT

Hi,

Can you give some example situation where you are facing problems usually?

Here are some command I use when checking access-lists

show run access-group
- This command lists all the access-lists that are attached to an interface on the firewall
- Example of output could be: access-group INSIDE-IN in interface inside. Which would tell that an access-list with the name INSIDE-IN is attached on the interface named "inside" in the direction "in". In other words it would check traffic that is arriving towards the interface.
show run access-list
- Shows the access-list in short form. It doesnt show the IP addressses/networks configured under object-groups.
show access-list
- Shows the WHOLE access-list. It shows a ACL line (ACE) as several rows if there ACE contains object-groups
show run object-group
- Shows all object-groups configured on the device
show run object-group id
- Shows the configurations for only the object-group defined in the command
show access-list | include x.x.x.x OR show access-list | include x.x.x.x
- Shows all access-list lines in certain named access-lists or all access-lists that contain the IP address x.x.x.x

Also if you are familiar with the packet-tracer on the ASDM side, you can use it on the CLI side too. With the command "packet-tracer". The format is as follows

packet-tracer input

When you issue the command the output on the CLI will mention the access-list line that the traffic matches to and this way can help you locate some access-list statement, if you didnt already find it with the above commands.

Those are the things that I think of right now.

- Jouni

Re: Help with command line access list

Andrew White — Thu, 16 Aug 2012 10:42:30 GMT

My apologies for the delay, I didn't get the auto email reply saying someone has replied.

THis is really useful, the only issue I had was how amend a rule on a line, for example I have loads of rules like this:

access-list inside_access_in line 177 extended permit tcp 192.168.20.0 255.255.254.0 10.20.30.0 255.255.255.0 eq 80

access-list inside_access_in line 177 extended permit tcp 192.168.20.0 255.255.254.0 10.20.30.0 255.255.255.0 eq 443

access-list inside_access_in line 177 extended permit tcp 192.168.20.0 255.255.254.0 10.20.30.0 255.255.255.0 eq 139

How would I add?

access-list inside_access_in line 177 extended permit tcp 192.168.20.0 255.255.254.0 10.20.30.0 255.255.255.0 eq 445

as it seemed to add it on a new line 178

Packet tracer is great I use this alot and packet capture, but I didn't know you can bind it to your local Wireshark, I normally export and import in to Wireshark.

Thanks

Re: Help with command line access list

Jouni Forss — Thu, 16 Aug 2012 10:53:35 GMT

Hi,

It seems to me that the 3 lines of ACL that you have copy pasted are actually part of a single ACE which contains object-groups

Notice the "line 177" in each of the lines.

Though still if you use the line number 177 with new configuration it should bump the old line 177 configuration to line 178

To start viewing the access-list in question from line 177 you can do this

show access-list inside_access_in | begin line 177

The first output line in the configuration should be the actual configuration that contains object-groups. If theres an object-group for the services/ports opened you might be able to add the line in question just by adding the port to the same group with the other. (80,139,443)

If you need to add some network or remove some network from that line you need to modify the network-objects under the object-groups.

Also heres a small example of the situation I'm talking about above

object-group used in ACL

object-group network LAN

network-object 10.10.10.0 255.255.255.0

network-object 10.10.20.0 255.255.255.0

network-object 10.10.30.0 255.255.255.0

The actual ACL configuration line
- show run access-list TEST

access-list TEST extended permit ip object-group LAN any

The same ACL in "opened" form
- show access-list TEST

access-list TEST; 3 elements; name hash: 0xd37fdb2b

access-list TEST line 1 extended permit ip object-group LAN any 0xeb9e6e99

access-list TEST line 1 extended permit ip 10.10.10.0 255.255.255.0 any (hitcnt=0) 0x365de33c

access-list TEST line 1 extended permit ip 10.10.20.0 255.255.255.0 any (hitcnt=0) 0xc98d1b29

access-list TEST line 1 extended permit ip 10.10.30.0 255.255.255.0 any (hitcnt=0) 0x2a9982d3

Remove one network from the object-group and look at the ACL
- object-group network LAN
  - no network-object 10.10.10.0 255.255.255.0
- show access-list TEST

access-list TEST; 2 elements; name hash: 0xd37fdb2b

access-list TEST line 1 extended permit ip object-group LAN any 0xeb9e6e99

access-list TEST line 1 extended permit ip 10.10.20.0 255.255.255.0 any (hitcnt=0) 0xc98d1b29

access-list TEST line 1 extended permit ip 10.10.30.0 255.255.255.0 any (hitcnt=0) 0x2a9982d3

- Jouni

Re: Help with command line access list

Andrew White — Thu, 16 Aug 2012 10:55:54 GMT

Also I'm not sure how to search for this, but I used one of your search commands to find a rule that contained IP 192.168.20.90 and it didn't find it. But on the ASDM I noticed it was in a group, so I guess it woudl be in one of those DM_INLINE groups.

How woudl I search for an IP in a rule if it is hidden in one of those DM_INLIE groups?

Thanks

Re: Help with command line access list

Jouni Forss — Thu, 16 Aug 2012 10:59:30 GMT

Hi,

If you use the "show access-list" format of the command it should open up all the object-groups in the ACL.

If you use "show run access-list" format of the command it doesnt show the IP addresses under the object-groups.

Using the access-list I created in the above message as an example:

show run access-list TEST

access-list TEST extended permit ip object-group LAN any

show access-list TEST

access-list TEST; 3 elements; name hash: 0xd37fdb2b

access-list TEST line 1 extended permit ip object-group LAN any 0xeb9e6e99

access-list TEST line 1 extended permit ip 10.10.10.0 255.255.255.0 any (hitcnt=0) 0x365de33c

access-list TEST line 1 extended permit ip 10.10.20.0 255.255.255.0 any (hitcnt=0) 0xc98d1b29

access-list TEST line 1 extended permit ip 10.10.30.0 255.255.255.0 any (hitcnt=0) 0x2a9982d3

- Jouni