topic Re: Additional IP traffic for same TCP bi-directional traffic have to be allowed in ACLs on ASA? in Network Security

Additional IP traffic for same TCP bi-directional traffic have to be allowed in ACLs on ASA?

CiscoBrownBelt — Fri, 21 Feb 2020 16:59:19 GMT

While looking at Wireshark captures for users who use some APP on a machine which communicates with some remote server, I noticed multiple remote IPs. Would these IPs need to be added to an ACL as well if it is part of the same TCP connection?

Re: Additional IP traffic for same TCP bi-directional traffic have to be allowed in ACLs on ASA?

Rahul Govindan — Wed, 27 Mar 2019 21:58:19 GMT

Yes. ASA build 5 tuple connections based on Source IP, Destination IP, Protocol, Source Port and Destination Port. If any of these is different in a packet, it counts as a new connection. Your ACL's would need to be built accordingly.

Re: Additional IP traffic for same TCP bi-directional traffic have to be allowed in ACLs on ASA?

Dennis Mink — Wed, 27 Mar 2019 22:49:21 GMT

bluebelt,

what does your acl look like that permits this traffic? and, if the destination changes, it is not part of the same connection anymore.

Re: Additional IP traffic for same TCP bi-directional traffic have to be allowed in ACLs on ASA?

CiscoBrownBelt — Thu, 28 Mar 2019 00:54:11 GMT

So basically there is a rule as such:
ip access-list inside_in extended permit object-group server_ports 100.1.1.50 255.255.255.0 object-group remote_servers
and another rule like:
access-list inside_in extended permit object-group internet_ports object-group internal_lan any
The thing is when traffic is initiated it hits the first second rule but I would really like it it hit the first rule. Server_ports just has a bunch of different ports and remote_servers has a bunch of server host IPs.
My guess is it is using the 2nd rule because not all the IPs that are used by the remote servers are part of that group and same goes for the server_ports group not having all the ports - the second rule has an any statement. I am basically trying to determine what all IPs and ports are required during this remote server application communication and edit the first rule. Am I making sense?

Re: Additional IP traffic for same TCP bi-directional traffic have to be allowed in ACLs on ASA?

CiscoBrownBelt — Thu, 28 Mar 2019 00:55:59 GMT

Awesome!

So basically there is a rule as such:
ip access-list inside_in extended permit object-group server_ports 100.1.1.50 255.255.255.0 object-group remote_servers
and another rule like:
access-list inside_in extended permit object-group internet_ports object-group internal_lan any
The thing is when traffic is initiated it hits the first second rule but I would really like it it hit the first rule. Server_ports just has a bunch of different ports and remote_servers has a bunch of server host IPs.
My guess is it is using the 2nd rule because not all the IPs that are used by the remote servers are part of that group and same goes for the server_ports group not having all the ports - the second rule has an any statement. I am basically trying to determine what all IPs and ports are required during this remote server application communication and edit the first rule. Am I making sense?