
Does additional IP traffic for the same bi-directional TCP traffic have to be allowed in ACLs on the ASA?

CiscoPurpleBelt
Level 6

While looking at Wireshark captures for users who use some app on a machine which communicates with some remote server, I noticed multiple remote IPs. Would these IPs need to be added to an ACL as well if they are part of the same TCP connection?

4 Replies

Rahul Govindan
VIP Alumni

Yes. The ASA builds 5-tuple connections based on source IP, destination IP, protocol, source port and destination port. If any of these is different in a packet, it counts as a new connection. Your ACLs would need to be built accordingly.

Awesome!

So basically there is a rule as such:
access-list inside_in extended permit object-group server_ports 100.1.1.50 255.255.255.0 object-group remote_servers
and another rule like:
access-list inside_in extended permit object-group internet_ports object-group internal_lan any
The thing is, when traffic is initiated it hits the second rule, but I would really like it to hit the first rule. server_ports just has a bunch of different ports and remote_servers has a bunch of server host IPs.
My guess is it is using the 2nd rule because not all the IPs that are used by the remote servers are part of that group, and the same goes for the server_ports group not having all the ports; the second rule has an any statement. I am basically trying to determine all the IPs and ports that are required during this remote server application communication and edit the first rule. Am I making sense?
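As an added illustration of Rahul's 5-tuple point and of why flows fall through to the second inside_in rule above (example code written for this page, not from the thread or from Cisco; the object-group contents and the packet list are constructed sample values):

```python
import ipaddress
from collections import namedtuple

# Constructed object-group contents standing in for the poster's real groups.
SERVER_PORTS = {443, 8443}                         # object-group server_ports (service group)
REMOTE_SERVERS = {"203.0.113.10", "203.0.113.11"}  # object-group remote_servers (host objects)
INTERNET_PORTS = {80, 443, 8443}                   # object-group internet_ports
INTERNAL_LAN = ipaddress.ip_network("100.1.1.0/24")  # object-group internal_lan
# "100.1.1.50 255.255.255.0" in the first rule is a network/mask pair, i.e. the whole /24.
RULE1_SRC = ipaddress.ip_network("100.1.1.50/24", strict=False)

# The ASA keys its connection table on exactly these five fields.
Flow = namedtuple("Flow", "src dst proto sport dport")

def rule1(f):
    # access-list inside_in extended permit object-group server_ports 100.1.1.50 255.255.255.0 object-group remote_servers
    return (f.proto == "tcp" and f.dport in SERVER_PORTS
            and ipaddress.ip_address(f.src) in RULE1_SRC and f.dst in REMOTE_SERVERS)

def rule2(f):
    # access-list inside_in extended permit object-group internet_ports object-group internal_lan any
    return (f.proto == "tcp" and f.dport in INTERNET_PORTS
            and ipaddress.ip_address(f.src) in INTERNAL_LAN)

ACL = [("rule1 server_ports->remote_servers", rule1), ("rule2 internet_ports->any", rule2)]

def match(flow):
    """First-match ACL evaluation: name of the first permitting rule, or None (implicit deny)."""
    for name, pred in ACL:
        if pred(flow):
            return name
    return None

def connections(packets):
    """Collapse packets to 5-tuples: a new remote IP or port is a new connection, and only
    the packet that creates a connection is checked against the ACL."""
    return {Flow(*p) for p in packets}

def fallthrough(packets):
    """(dst IP, dst port) pairs that rule 1 missed and rule 2 caught: what to add to the groups."""
    return sorted((f.dst, f.dport) for f in connections(packets) if match(f) == ACL[1][0])

# Constructed packets as seen from the inside host, like the Wireshark capture in the question.
PACKETS = [
    ("100.1.1.50", "203.0.113.10", "tcp", 51000, 443),   # covered by rule 1
    ("100.1.1.50", "203.0.113.10", "tcp", 51000, 443),   # same 5-tuple, same connection
    ("100.1.1.50", "203.0.113.20", "tcp", 51001, 443),   # second remote IP not in remote_servers
    ("100.1.1.50", "203.0.113.10", "tcp", 51002, 80),    # port not in server_ports
    ("100.1.1.50", "203.0.113.20", "tcp", 51003, 9443),  # in neither rule: implicit deny
]
```

Running fallthrough(PACKETS) lists the (IP, port) pairs that only the any rule permitted, which is the set the first rule's object-groups are missing.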

Dennis Mink
VIP Alumni

bluebelt,

What does your ACL look like that permits this traffic? And, if the destination changes, it is not part of the same connection anymore.


Please remember to rate useful posts, by clicking on the stars below.
