09-28-2022 01:52 PM
Hi team,
I'm facing an issue related to ACLs on my ASA configuration. I have an ASA connected to 3 networks:
- OUTSIDE, DMZ, INSIDE.
My inside network is subnetted into 3 networks/VLANs.
I have to set up some ACLs to match the following requirements:
- Configure an ACL to block pings to the google server from VLAN X and VLAN Y
- Configure an access control list to block the FTP connection from the network VLAN X to the web server
- Configure an access control list to allow ping requests from the web server to the printers.
I tried some ACL configuration but I can't figure out why it's not working:
ASA(config)#access-list ACL_No_ICMP_VlanX-Y_To_Google extended deny icmp 192.168.1.0 255.255.255.192 host 64.100.100.2
ASA(config)#access-list ACL_No_ICMP_VlanX-Y_To_Google extended deny icmp 192.168.1.64 255.255.255.192 host 64.100.100.2
ASA(config)#access-list ACL_No_ICMP_VlanX-Y_To_Google extended permit icmp any any
09-28-2022 01:54 PM
All config is perfect except you did not apply the ACL to an interface.
09-28-2022 02:07 PM - edited 09-28-2022 02:12 PM
I also tried the following, but the ping is still allowed from the inside VLANs to outside:
object network Outside_To_Inside_WebServer
host 192.168.2.10
nat (DMZ,PUBLIC) static 88.40.12.2
object network VLAN-X
subnet 192.168.1.0 255.255.255.192
nat (INTERNAL,PUBLIC) dynamic interface
object network VLAN-Y
subnet 192.168.1.64 255.255.255.192
nat (INTERNAL,PUBLIC) dynamic interface
object network VLAN-Z
subnet 192.168.1.128 255.255.255.192
nat (INTERNAL,PUBLIC) dynamic interface
!
route PUBLIC 0.0.0.0 0.0.0.0 88.40.12.1 1
!
access-list Outside_To_Inside_WebServer extended permit tcp any host 192.168.2.10 eq www
access-list 101 extended permit ip any any
access-list 101 extended deny icmp 192.168.1.0 255.255.255.192 host 64.100.100.2 echo
access-list 101 extended deny icmp 192.168.1.0 255.255.255.192 host 64.100.100.2 echo-reply
access-list 101 extended deny icmp 192.168.1.0 255.255.255.192 host 64.100.100.2 unreachable
!
!
access-group 101 in interface PUBLIC
aaa authentication ssh console LOCAL
Thanks for your time!
09-28-2022 02:52 PM
09-28-2022 03:24 PM
access-list 101 extended permit ip any any
This line, I think, is the issue.
Run show access-list.
Check if the permit any any is above the other deny lines.
09-28-2022 04:31 PM
09-28-2022 05:20 PM - edited 09-28-2022 06:24 PM
Hi MHM,
Here is my show access-list result:
ASA(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
access-list Outside_To_Inside_WebServer; 2 elements; name hash: 0x141ed242
access-list Outside_To_Inside_WebServer line 1 extended permit icmp any host 88.40.12.2(hitcnt=0) 0x23b08668
access-list Outside_To_Inside_WebServer line 2 extended permit tcp any host 192.168.2.10 eq www(hitcnt=0) 0x872cbe53
access-list icmp_deny_vlanxy; 3 elements; name hash: 0x9b7e1e5c
access-list icmp_deny_vlanxy line 1 extended deny icmp 192.168.1.0 255.255.255.192 host 64.100.100.2(hitcnt=0) 0x78b47b96
access-list icmp_deny_vlanxy line 2 extended deny icmp 192.168.1.64 255.255.255.192 host 64.100.100.2(hitcnt=0) 0xe3886deb
access-list icmp_deny_vlanxy line 3 extended permit icmp any any(hitcnt=0) 0x9d3190d0
ASA(config)#
Even after that the ping is still allowed from the internal VLAN to outside, I mean the google server: 64.100.100.2
Thanks
09-28-2022 07:58 PM
Here is my current configuration. I did some changes, but anyway I don't know how to set up the first policy to deny ping from VLAN X and Y to the google server...
ASA(config)#show run
: Saved
:
ASA Version 9.6(1)
!
hostname ASA
domain-name span.com
enable password Qa8ENuiyPgE/u.0d encrypted
names
!
interface GigabitEthernet1/1
nameif INTERNAL
security-level 100
ip address 192.168.1.194 255.255.255.192
!
interface GigabitEthernet1/2
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/3
nameif PUBLIC
security-level 0
ip address 88.40.12.2 255.255.255.252
!
object network DMZ-SERVER
host 192.168.2.10
nat (DMZ,PUBLIC) static 88.40.12.2
object network INTERNAL
subnet 192.168.1.0 255.255.255.0
nat (INTERNAL,PUBLIC) dynamic interface
!
route PUBLIC 0.0.0.0 0.0.0.0 88.40.12.1 1
!
access-list OUTSIDE-DMZ extended permit icmp any host 88.40.12.2
access-list OUTSIDE-DMZ extended permit tcp any host 192.168.2.10 eq www
!
!
access-group OUTSIDE-DMZ in interface PUBLIC
aaa authentication ssh console LOCAL
!
username admin password Qa8ENuiyPgE/u.0d encrypted
username carlos password Qa8ENuiyPgE/u.0d encrypted
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect tftp
!
service-policy global_policy global
!
telnet timeout 5
ssh 192.168.1.128 255.255.255.192 INTERNAL
ssh 64.100.100.3 255.255.255.255 PUBLIC
ssh timeout 5
!
!
!
!
router ospf 1
router-id 9.9.9.9
log-adjacency-changes
network 192.168.1.192 255.255.255.192 area 10
network 88.40.12.0 255.255.255.252 area 10
network 192.168.2.0 255.255.255.0 area 10
default-information originate
!
ASA(config)#
Done for tonight, let's continue tomorrow.
09-28-2022 07:00 PM
I read that documentation also:
But no luck yet! I tried a config and all my ASA network ports went down.
09-29-2022 01:22 PM
Hi MHM, after trying several times to find a solution, unfortunately nothing seems to work as expected.
For those who want to have a look at the PKT file, let me know.
09-30-2022 11:52 AM
Hi team, anyone please ?
I have my exam in 2 days, I would appreciate some help before then. Thank you
09-30-2022 12:16 PM
Can you share the PKT file? Let me double-check.
09-30-2022 01:13 PM - edited 09-30-2022 03:58 PM
Hi MHM, here you are! Thank you.
The enable passwords are cisco or class, just try both.
Please also note that there is a bug with inspect icmp: it is not permanent. Each time you restart the ASA you have to re-enter the setup as follows:
# Inspect ICMP on ASA:
configure terminal
no policy-map global_policy
exit
configure terminal
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect tftp
inspect icmp
exit
write memory
# Apply the policy again after recreating it:
configure terminal
no service-policy global_policy global
service-policy global_policy global
Here are the pain points for me; I can't figure out how to address them. I spent hours and hours just on the first one with no success.
- Configure an access control list to block PINGs to the server google from VLAN X and VLAN Y
- Configure an access control list to block the FTP connection for the network VLAN X to web server
- Configure an access control list to allow PING requests from the WEB server to the printers.
Thank you!
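The configuration below is an added example written for this thread; it is not configuration from the original posts or from Cisco. It is built on the interface names, subnets and addresses visible in the show run above, and it relies on two ASA facts: an extended ACL is evaluated top-down and stops at the first match, so a permit ip any any only makes sense as the last line; and an ACL bound with access-group ... in interface PUBLIC only filters packets that arrive from the outside, so a ping leaving VLAN X or VLAN Y towards the google server has to be filtered on INTERNAL, where it enters the ASA. The ACL names INSIDE_IN and DMZ_IN, the PRINTERS object and the assumption that the printers sit in VLAN Z (192.168.1.128/26) are mine, not from the thread.

```cisco
! Added example, not from the thread. Names INSIDE_IN, DMZ_IN and PRINTERS
! and the printer subnet are assumptions; interfaces and addresses are
! taken from the show run posted above.
!
! --- Requirement 1: block ping from VLAN X and VLAN Y to the google server ---
! The deny lines come first: the ASA stops at the first matching line, so a
! permit ip any any placed above them would shadow everything below it.
! Only echo (type 8) needs to be denied; with no request, no reply comes back.
access-list INSIDE_IN extended deny icmp 192.168.1.0 255.255.255.192 host 64.100.100.2 echo
access-list INSIDE_IN extended deny icmp 192.168.1.64 255.255.255.192 host 64.100.100.2 echo
!
! --- Requirement 2: block FTP from VLAN X to the web server ---
! ASA 8.3 and later match ACLs on real (untranslated) addresses, so the DMZ
! host address is used. Blocking the control channel (tcp/21) is enough: the
! data channel is only opened by "inspect ftp" once a control session exists.
access-list INSIDE_IN extended deny tcp 192.168.1.0 255.255.255.192 host 192.168.2.10 eq ftp
!
! Everything else from the inside keeps flowing (same as the high-to-low default).
access-list INSIDE_IN extended permit ip any any
!
! Bind it inbound on INTERNAL, the interface where this traffic enters the ASA.
! Binding it on PUBLIC "in" only filters packets arriving from the outside.
access-group INSIDE_IN in interface INTERNAL
!
! --- Requirement 3: allow ping from the web server to the printers ---
! DMZ (security 50) -> INTERNAL (100) is low-to-high, so it is denied unless
! an ACL on DMZ permits it. Assumption: the printers live in VLAN Z.
object network PRINTERS
 subnet 192.168.1.128 255.255.255.192
access-list DMZ_IN extended permit icmp host 192.168.2.10 object PRINTERS echo
! Caveat: once any ACL is bound to DMZ, its implicit deny replaces the
! security-level default, so DMZ-to-outside traffic must be permitted
! explicitly. The deny line keeps the rest of the inside network closed.
access-list DMZ_IN extended deny ip any 192.168.1.0 255.255.255.0
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface DMZ
!
! --- Verification ---
! Hit counts on the deny lines must increase while a ping from VLAN X runs:
!   show access-list INSIDE_IN
! On a real ASA (not the Packet Tracer simulator) the policy lookup can be
! traced for one synthetic echo request without sending any traffic:
!   packet-tracer input INTERNAL icmp 192.168.1.10 8 0 64.100.100.2
```

Keep inspect icmp enabled in the global policy (as in the post above): it makes the echo replies for requirement 3 return through the ASA statefully instead of needing their own permit line on INTERNAL. Also note that the ping from VLAN X to the google server has to be tested after write memory and a reload only if the Packet Tracer quirk with inspect icmp described above has been worked around, otherwise the ICMP session handling, not the ACL, is what changes between runs.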
10-01-2022 05:37 AM
I know that there are many bugs in PKT; even if you are 100% sure your config is correct, the bugs are unpredictable.
Anyway,
I see you mention the attached PKT file, but I don't see it?