Beginner

How does an ACL behave on the ASA v921?

Hi all,

I had a small incident, 5 min of downtime, on a site that is connected via VPN over the internet to the head office. The infrastructure is that all sites, including the head office, are terminated on ASAs. The ASA will have a default route going to the ISP-managed internet router. All the sites' traffic is encrypted and tunneled.

My question is about this ACL and NAT that I have configured.

object-group network RFC1918
 description All RFC 1918 Addresses
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.255.240.0
 network-object 192.168.0.0 255.255.0.0

access-list VPN-TO-HO remark VPN TO EDMONTON
access-list VPN-TO-HO extended permit ip object-group SITE-A-NETS object-group SITE-D-NETS 
access-list VPN-TO-HO extended permit ip object-group SITE-A-NETS object-group SITE-DD-NETS 
access-list VPN-TO-HO extended permit ip object-group SITE-A-NETS object-group SITE-HO-NETS 
access-list VPN-TO-HO extended permit ip object-group SITE-A-NETS object-group ISP-VPN-NETS 
access-list VPN-TO-HO extended permit ip object-group SITE-A-NETS object-group SITE-N-NETS 
access-list VPN-TO-HO extended permit ip object-group SITE-A-NETS object-group VPN_USERS 
access-list VPN-TO-HO extended permit ip object-group SITE-A-NETS object-group RFC1918 

nat (inside,outside) source static SITE-A-NETS SITE-A-NETS destination static VPN_USERS VPN_USERS no-proxy-arp
nat (inside,outside) source static SITE-A-NETS SITE-A-NETS destination static SITE-D-NETS SITE-D-NETS
nat (inside,outside) source static SITE-A-NETS SITE-A-NETS destination static SITE-DD-NETS SITE-DD-NETS
nat (inside,outside) source static SITE-A-NETS SITE-A-NETS destination static SITE-HO-NETS SITE-HO-NETS
nat (inside,outside) source static SITE-A-NETS SITE-A-NETS destination static ISP-VPN-NETS ISP-VPN-NETS
nat (inside,outside) source static SITE-A-NETS SITE-A-NETS destination static SITE-N-NETS SITE-N-NETS
nat (inside,outside) source static SITE-A-NETS SITE-A-NETS destination static RFC1918 RFC1918

What I did was just remove the last ACL line and put it in front of all the others.

access-list VPN-TO-HO remark VPN TO EDMONTON

access-list VPN-TO-HO extended permit ip object-group SITE-A-NETS object-group RFC1918 # I moved this!!!
access-list VPN-TO-HO extended permit ip object-group SITE-A-NETS object-group SITE-D-NETS 
access-list VPN-TO-HO extended permit ip object-group SITE-A-NETS object-group SITE-DD-NETS 
access-list VPN-TO-HO extended permit ip object-group SITE-A-NETS object-group SITE-HO-NETS 
access-list VPN-TO-HO extended permit ip object-group SITE-A-NETS object-group ISP-VPN-NETS 
access-list VPN-TO-HO extended permit ip object-group SITE-A-NETS object-group SITE-N-NETS 
access-list VPN-TO-HO extended permit ip object-group SITE-A-NETS object-group VPN_USERS

The client called me because this FW lost VPN connectivity to the HO (I can SSH to the firewall because I have access to the outside).

What I did was remove the one line in front:
no access-list VPN-TO-HO extended permit ip object-group SITE-A-NETS object-group RFC1918 

*** The client can access the HO again...

Please let me know what the problem seems to be and why it lost connectivity.


Thanks,

2 REPLIES
Cisco Employee

Hi,

- Is it an interface-based ACL, or is it called in some VPN configuration?

- Could you please try to run packet-tracer in both scenarios and paste it here? We could see what changes occur in traffic selection. Also, could you share the configuration where this ACL is being placed?

Regards,

Akshay Rastogi

Beginner

It's trickier than I thought it would be...

Every site connecting to the HO should have the exact same ACL as what is in the HO...


A bit challenging if you have a bunch of ACLs without remarks!
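As an added example (not code from the thread), this small Python model of the ASA's top-down, first-match ACL evaluation replays the reordering above: a SITE-A to HO flow hits the SITE-HO-NETS entry in the original order, but the broad RFC1918 entry once that line is moved to the front. If VPN-TO-HO is the crypto map's match ACL (which the first reply asks), the matching entry is also the proxy identity the ASA proposes for the IPsec SA, which is why the HO side needs a mirrored per-site entry, as the last reply notes. The SITE-A-NETS and SITE-HO-NETS subnets are constructed placeholders; the RFC1918 object-group is copied from the post as posted.

```python
# Added example, not from the thread: an ASA ACL is evaluated top-down and the
# first matching entry wins. This replays the poster's reordering to show which
# ACE a SITE-A -> HO flow hits before and after the RFC1918 line is moved up.
# SITE-A-NETS / SITE-HO-NETS are constructed placeholders; RFC1918 is as posted.
import ipaddress
import re

OBJECT_GROUPS = {
    "SITE-A-NETS": ["10.1.0.0/16"],      # constructed
    "SITE-HO-NETS": ["10.100.0.0/16"],   # constructed
    # Masks exactly as posted: 255.255.240.0 is a /20, not RFC 1918's /12.
    "RFC1918": ["10.0.0.0/255.0.0.0", "172.16.0.0/255.255.240.0",
                "192.168.0.0/255.255.0.0"],
}

ACE_RE = re.compile(
    r"access-list (\S+) extended permit ip object-group (\S+) object-group (\S+)")

def parse_acl(text):
    """ACEs as (src_group, dst_group) tuples, in configured order."""
    return [(m.group(2), m.group(3)) for m in ACE_RE.finditer(text)]

def in_group(group, ip):
    """True if ip falls in any network-object of the named object-group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False)
               for n in OBJECT_GROUPS[group])

def first_match(aces, src, dst):
    """(index, dst_group) of the first ACE covering src -> dst, else None."""
    for i, (src_grp, dst_grp) in enumerate(aces):
        if in_group(src_grp, src) and in_group(dst_grp, dst):
            return i, dst_grp
    return None

# The two orders from the post, trimmed to the entries that matter for HO traffic.
ORIGINAL = """
access-list VPN-TO-HO extended permit ip object-group SITE-A-NETS object-group SITE-HO-NETS
access-list VPN-TO-HO extended permit ip object-group SITE-A-NETS object-group RFC1918
"""
REORDERED = """
access-list VPN-TO-HO extended permit ip object-group SITE-A-NETS object-group RFC1918
access-list VPN-TO-HO extended permit ip object-group SITE-A-NETS object-group SITE-HO-NETS
"""

def matched_dst_group(acl_text, src="10.1.2.3", dst="10.100.4.5"):
    """Destination group of the ACE a SITE-A host -> HO host flow hits."""
    hit = first_match(parse_acl(acl_text), src, dst)
    return hit[1] if hit else None
```

Running matched_dst_group on both strings shows the HO flow moving from the SITE-HO-NETS entry to the RFC1918 entry; the same check on 172.31.x.x also shows the posted /20 mask leaves most of 172.16.0.0/12 outside the RFC1918 group.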