ACL ASA - Deny/allow policies - Packet tracer 8.2

Brahim O
Spotlight

Hi team, 

I am facing an issue related to ACLs on my ASA configuration. I have an ASA connected to 3 networks:

- OUTSIDE, DMZ, INSIDE.

My inside network is subnetted into 3 networks/VLANs.

I have to set up some ACLs to match the following requirements:

- Configure an ACL to block pings to the Google server from VLAN X and VLAN Y

- Configure an access control list to block the FTP connection from the network VLAN X to the web server

- Configure an access control list to allow ping requests from the web server to the printers.

I tried some ACL configuration but I can't figure out why it's not working:

ASA(config)#access-list ACL_No_ICMP_VlanX-Y_To_Google extended deny icmp 192.168.1.0 255.255.255.192 host 64.100.100.2
ASA(config)#access-list ACL_No_ICMP_VlanX-Y_To_Google extended deny icmp 192.168.1.64 255.255.255.192 host 64.100.100.2
ASA(config)#access-list ACL_No_ICMP_VlanX-Y_To_Google extended permit icmp any any

13 Replies

All config is perfect except you did not apply the ACL to an interface.

Brahim O
Spotlight

I also tried the following, but the ping is still allowed from the inside VLANs to Outside:


object network Outside_To_Inside_WebServer
 host 192.168.2.10
 nat (DMZ,PUBLIC) static 88.40.12.2
object network VLAN-X
 subnet 192.168.1.0 255.255.255.192
 nat (INTERNAL,PUBLIC) dynamic interface
object network VLAN-Y
 subnet 192.168.1.64 255.255.255.192
 nat (INTERNAL,PUBLIC) dynamic interface
object network VLAN-Z
 subnet 192.168.1.128 255.255.255.192
 nat (INTERNAL,PUBLIC) dynamic interface
!
route PUBLIC 0.0.0.0 0.0.0.0 88.40.12.1 1
!
access-list Outside_To_Inside_WebServer extended permit tcp any host 192.168.2.10 eq www
access-list 101 extended permit ip any any
access-list 101 extended deny icmp 192.168.1.0 255.255.255.192 host 64.100.100.2 echo
access-list 101 extended deny icmp 192.168.1.0 255.255.255.192 host 64.100.100.2 echo-reply
access-list 101 extended deny icmp 192.168.1.0 255.255.255.192 host 64.100.100.2 unreachable
!
!
access-group 101 in interface PUBLIC
aaa authentication ssh console LOCAL

Thanks for your time!

Hi sir! Thank you!
My question is: on what interface should I apply that ACL? Public, right?
As the goal is to block ping from 2 inside VLANs to the Google server 64.100.100.2?

How can I actually apply that policy?
Sorry for that question, which seems obvious, but I am a noob on ASA firewalls.
Kind regards

access-list 101 extended permit ip any any

This line, I think, is the issue.

show access-list

Check if permit any any is above the other deny lines.
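Added example, not from the thread: a small Python model of ASA first-match ACL evaluation with a shadow check, run over a constructed copy of the poster's ACL 101 in its posted order (permit ip any any first) and with the two deny lines moved above the permit. It only models line ordering; separately, an ACL bound with access-group 101 in interface PUBLIC is evaluated for traffic entering the ASA on PUBLIC, so pings leaving INTERNAL toward 64.100.100.2 never pass through it, and a list for that direction has to be applied inbound on INTERNAL.

```python
import ipaddress

def _addr(t, i):
    """Parse one ASA address spec at t[i]: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2

def parse_ace(line):
    """Parse 'access-list NAME extended {permit|deny} PROTO SRC DST ...' (ports/ICMP types ignored)."""
    t = line.split()
    assert t[0] == "access-list" and t[2] == "extended", line
    src, i = _addr(t, 5)
    dst, _ = _addr(t, i)
    return {"action": t[3], "proto": t[4], "src": src, "dst": dst}

def matches(ace, proto, src_ip, dst_ip):
    return (ace["proto"] in ("ip", proto)
            and ipaddress.ip_address(src_ip) in ace["src"]
            and ipaddress.ip_address(dst_ip) in ace["dst"])

def evaluate(acl, proto, src_ip, dst_ip):
    """ASA semantics: the first matching ACE wins; no match hits the implicit deny at the end."""
    for n, ace in enumerate(acl, 1):
        if matches(ace, proto, src_ip, dst_ip):
            return ace["action"], n
    return "deny", None

def shadowed_lines(acl):
    """1-based numbers of ACEs that can never be hit because an earlier ACE already covers them."""
    out = []
    for n, ace in enumerate(acl):
        if any(e["proto"] in ("ip", ace["proto"])
               and ace["src"].subnet_of(e["src"])
               and ace["dst"].subnet_of(e["dst"]) for e in acl[:n]):
            out.append(n + 1)
    return out

# Constructed sample based on the thread: permit-any first (as posted) versus the denies first.
POSTED = [parse_ace(l) for l in (
    "access-list 101 extended permit ip any any",
    "access-list 101 extended deny icmp 192.168.1.0 255.255.255.192 host 64.100.100.2 echo",
    "access-list 101 extended deny icmp 192.168.1.64 255.255.255.192 host 64.100.100.2 echo",
)]
FIXED = [POSTED[1], POSTED[2], POSTED[0]]

if __name__ == "__main__":
    print("shadowed as posted:", shadowed_lines(POSTED))   # [2, 3]: the denies are never reached
    print("VLAN X ping, posted:", evaluate(POSTED, "icmp", "192.168.1.10", "64.100.100.2"))
    print("VLAN X ping, fixed:", evaluate(FIXED, "icmp", "192.168.1.10", "64.100.100.2"))
```

This is the same check as reading hitcnt in show access-list: a permit any any at line 1 takes every hit, which is why the later deny lines stay at hitcnt=0.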

Sure! Let me check and I'll get back to you!
Kind regards

Hi MHM,

Here is my show access-list result:


ASA(config)# show access-list 
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
access-list Outside_To_Inside_WebServer; 2 elements; name hash: 0x141ed242
access-list Outside_To_Inside_WebServer line 1 extended permit icmp any host 88.40.12.2(hitcnt=0) 0x23b08668
access-list Outside_To_Inside_WebServer line 2 extended permit tcp any host 192.168.2.10 eq www(hitcnt=0) 0x872cbe53
access-list icmp_deny_vlanxy; 3 elements; name hash: 0x9b7e1e5c
access-list icmp_deny_vlanxy line 1 extended deny icmp 192.168.1.0 255.255.255.192 host 64.100.100.2(hitcnt=0) 0x78b47b96
access-list icmp_deny_vlanxy line 2 extended deny icmp 192.168.1.64 255.255.255.192 host 64.100.100.2(hitcnt=0) 0xe3886deb
access-list icmp_deny_vlanxy line 3 extended permit icmp any any(hitcnt=0) 0x9d3190d0
ASA(config)#

Even after that, the ping is still allowed from the internal VLAN to outside, I mean the Google server: 64.100.100.2

Thanks

Here is my current configuration. I did some changes, but anyway I don't know how to set up the first policy to deny ping from VLAN X and Y to the Google server...

ASA(config)#show run
: Saved
:
ASA Version 9.6(1)
!
hostname ASA
domain-name span.com
enable password Qa8ENuiyPgE/u.0d encrypted
names
!
interface GigabitEthernet1/1
 nameif INTERNAL
 security-level 100
 ip address 192.168.1.194 255.255.255.192
!
interface GigabitEthernet1/2
 nameif DMZ
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/3
 nameif PUBLIC
 security-level 0
 ip address 88.40.12.2 255.255.255.252
!
object network DMZ-SERVER
 host 192.168.2.10
 nat (DMZ,PUBLIC) static 88.40.12.2
object network INTERNAL
 subnet 192.168.1.0 255.255.255.0
 nat (INTERNAL,PUBLIC) dynamic interface
!
route PUBLIC 0.0.0.0 0.0.0.0 88.40.12.1 1
!
access-list OUTSIDE-DMZ extended permit icmp any host 88.40.12.2
access-list OUTSIDE-DMZ extended permit tcp any host 192.168.2.10 eq www
!
!
access-group OUTSIDE-DMZ in interface PUBLIC
aaa authentication ssh console LOCAL
!
username admin password Qa8ENuiyPgE/u.0d encrypted
username carlos password Qa8ENuiyPgE/u.0d encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp 
  inspect tftp 
!
service-policy global_policy global
!
telnet timeout 5
ssh 192.168.1.128 255.255.255.192 INTERNAL
ssh 64.100.100.3 255.255.255.255 PUBLIC
ssh timeout 5
!
!
!
!
router ospf 1
 router-id 9.9.9.9
 log-adjacency-changes
 network 192.168.1.192 255.255.255.192 area 10
 network 88.40.12.0 255.255.255.252 area 10
 network 192.168.2.0 255.255.255.0 area 10
 default-information originate
!
ASA(config)#  

Done for tonight, let's continue tomorrow.

I also read this documentation:

https://www.doncrawley.com/soundtraining.net/files/fundamentalsofciscoasasecurityapplianceaccesscontrollists_r2.pdf

But no luck yet! I tried a config and all my ASA network ports went down.

Hi MHM, after trying several times to find a solution, unfortunately nothing seems to work as expected.

For those who want to have a look at the PKT file, let me know.

Hi team, anyone, please?

I have my exam in 2 days; I would appreciate some help before then. Thank you

Can you share the PKT file? Let me double-check.

Hi MHM, here you are! Thank you.

The enable passwords are cisco or class; just try both.

Please also note that there is a bug with inspect icmp that is not permanent. Each time you restart the ASA you have to re-enter the setup as follows:

# Inspect ICMP on ASA:

configure terminal
no policy-map global_policy
exit
configure terminal 
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp 
  inspect tftp 
  inspect icmp 
exit 
write memory

# Apply the policy again after recreating it:
configure terminal 
no service-policy global_policy global
service-policy global_policy global

Here are the pain points for me; I can't figure out how to address them. I spent hours and hours just on the first one with no success.

- Configure an access control list to block pings to the Google server from VLAN X and VLAN Y

- Configure an access control list to block the FTP connection from the network VLAN X to the web server

- Configure an access control list to allow ping requests from the web server to the printers.

Thank you!

I know that there are many bugs in PKT; even if you are 100% sure your config is correct, the bug is unpredictable.
Anyway,
I see "attach PKT file", but I don't see it?