Figge F Sun
Beginner

ASA ACL question

Hi,

There is a question in my ASA5512.


I want UDP 5514 on 10.1.20.245 to receive messages from 70.39.240.7 and 207.223.104.1. So I added these:

access-list OUTSIDE_IN extended permit udp host 70.39.240.1 host 10.1.20.245 eq 5514
access-list OUTSIDE_IN extended permit udp host 207.223.104.1 host 10.1.20.245 eq 5514


10.1.20.245 can access the Internet before I add these two access lists, but after I add these lists, it cannot access the Internet.


The following are my ACEs:


In the incoming direction of an outside outlet:

access-list OUTSIDE_IN extended permit udp host 70.39.240.1 host 10.1.20.245 eq 5514
access-list OUTSIDE_IN extended permit udp host 207.223.104.1 host 10.1.20.245 eq 5514
access-list OUTSIDE_IN extended permit icmp any4 any4
access-list OUTSIDE_IN extended permit tcp any4 host 10.0.11.17 eq smtp
access-list OUTSIDE_IN remark [ 2X ]
access-list OUTSIDE_IN remark [RemoteAPP-Test]
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.20.24 eq https
access-list OUTSIDE_IN extended deny ip any object-group HACKER
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.20.61 range 8040 8041
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.20.75 eq https


In the incoming direction of an inside outlet:
access-list INSIDE_IN extended permit icmp any any
access-list INSIDE_IN extended permit udp object-group Server_VLANs any4 eq domain
access-list INSIDE_IN extended permit tcp any4 any4 object-group TCP-OPEN
access-list INSIDE_IN extended deny tcp any any
access-list INSIDE_IN extended deny udp any4 any4 eq domain
access-list INSIDE_IN extended permit ip any4 any4


Please check.


Thanks,

Figge

2 REPLIES
johnd2310
Collaborator

Hi,


A couple of issues with your access-lists:


"I want UDP 5514 on 10.1.20.245 to receive messages from 70.39.240.7 and 207.223.104.1. So I added these:"

"access-list OUTSIDE_IN extended permit udp host 70.39.240.1 host 10.1.20.245 eq 5514"

Which is correct?

On the inside access-list what is the configuration of "object-group TCP-OPEN"


To find out why 10.1.20.245 is failing to connect to the Internet, use packet tracer:


packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed]


example:

packet-tracer input INSIDE tcp 10.1.20.245 1024 1.1.1.1 80 detailed


Thanks

John

**Please rate posts you find helpful**
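As an added illustration (not code from the thread or from Cisco), here is a small Python model of the ASA's first-match ACE evaluation run over the INSIDE_IN list exactly as posted, the offline counterpart of the packet-tracer check suggested above. The Server_VLANs membership (10.1.20.0/24) and the cut-down TCP-OPEN port set are assumptions, since the page does not give the first and the second is very long.

```python
import ipaddress

# Constructed stand-ins for the thread's object-groups: the Server_VLANs members
# are not on the page (10.1.20.0/24 is an assumption) and TCP-OPEN is cut down to
# a few of the ports the poster listed. INSIDE_IN below is the ACL as posted.
GROUPS = {"Server_VLANs": ["10.1.20.0/24"], "TCP-OPEN": [21, 22, 25, 80, 443, 3389, 8080]}
NAMES = {"domain": 53, "www": 80, "https": 443, "smtp": 25}

def _addr(tok):
    """Consume one address spec: host X, object-group G, or any/any4."""
    if tok[0] == "host":
        return [ipaddress.ip_network(tok[1])], tok[2:]
    if tok[0] == "object-group":
        return [ipaddress.ip_network(n) for n in GROUPS[tok[1]]], tok[2:]
    return [ipaddress.ip_network("0.0.0.0/0")], tok[1:]

def _ports(tok):
    """Optional destination port spec (eq PORT or object-group G); None = any port."""
    if not tok:
        return None
    if tok[0] == "object-group":
        return set(GROUPS[tok[1]])
    return {NAMES.get(tok[1]) or int(tok[1])}

def parse_ace(line):
    """Parse one extended ACE into a dict; remark lines return None."""
    tok = line.split()
    if len(tok) < 7 or tok[2] != "extended":
        return None
    src, rest = _addr(tok[5:])
    dst, rest = _addr(rest)
    return {"action": tok[3], "proto": tok[4], "src": src, "dst": dst, "dport": _ports(rest)}

def first_match(acl_text, proto, src, dst, dport):
    """ASA first-match: (line number, action), or (None, 'deny') for the implicit deny."""
    sip, dip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, line in enumerate(acl_text.strip().splitlines(), 1):
        a = parse_ace(line)
        if (a and a["proto"] in ("ip", proto)
                and any(sip in x for x in a["src"]) and any(dip in x for x in a["dst"])
                and (a["dport"] is None or dport in a["dport"])):
            return n, a["action"]
    return None, "deny"

INSIDE_IN = """access-list INSIDE_IN extended permit icmp any any
access-list INSIDE_IN extended permit udp object-group Server_VLANs any4 eq domain
access-list INSIDE_IN extended permit tcp any4 any4 object-group TCP-OPEN
access-list INSIDE_IN extended deny tcp any any
access-list INSIDE_IN extended deny udp any4 any4 eq domain
access-list INSIDE_IN extended permit ip any4 any4"""
```

Running `first_match(INSIDE_IN, "tcp", "10.1.20.245", "1.1.1.1", 80)` lands on line 3 (permit), while the same flow to a port outside TCP-OPEN stops at line 4, the `deny tcp any any` that sits before the final `permit ip any4 any4`; that ordering is what packet-tracer would report for such a flow.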

Hi John,


TCP-OPEN contains port numbers that we can access internally, like 443/80.

object-group service TCP-OPEN tcp
port-object eq ftp-data
port-object eq ftp
port-object eq ssh
port-object eq smtp
port-object eq 42
port-object eq domain
port-object eq 161
port-object eq 162
port-object eq bgp
port-object eq ldap
port-object eq https
port-object eq 465
port-object eq 500
port-object eq ldaps
port-object eq 691
port-object eq 902
port-object eq 912
port-object eq 989
port-object eq 1241
port-object eq 1422
port-object eq 1433
port-object eq 1434
port-object eq citrix-ica
port-object eq 1604
port-object eq pptp
port-object eq 1863
port-object eq 2598
port-object eq 3128
port-object eq 3130
port-object eq 3268
port-object eq 3269
port-object eq 3306
port-object eq 5010
port-object eq aol
port-object eq 5490
port-object eq 5500
port-object eq 5501
port-object eq 5800
port-object eq 5801
port-object eq 5900
port-object eq 5901
port-object eq 6891
port-object eq 6892
port-object eq 6893
port-object eq 6894
port-object eq 6896
port-object eq 6897
port-object eq 6899
port-object eq 6900
port-object eq 6901
port-object eq 8080
port-object eq 8081
port-object eq 9899
port-object eq 8200
port-object eq 3689
port-object eq www
port-object eq 8040
port-object eq 8099
port-object eq 3389
port-object eq 12489
port-object eq 5666
port-object eq 8041
port-object eq 81
port-object eq 10000
port-object eq 88
port-object eq 8008
port-object eq pop3
port-object eq imap4
port-object eq 89
port-object eq 801
port-object eq 1443
port-object eq 48388
port-object eq whois
port-object range 50040 50059
port-object eq 7789
port-object eq 8129
port-object eq 8088
port-object eq 9418
port-object eq 4172
port-object eq 85
port-object eq 1085
port-object eq 8001
port-object eq 5061
port-object eq 3393
port-object eq 7002
port-object eq 7001
port-object eq 9097
port-object eq 8889
port-object eq 6668
port-object eq 995
port-object eq 993
port-object eq 587
port-object eq 2000
port-object eq 11371
port-object eq sip
port-object eq 5063
port-object eq 5080
port-object eq 612
port-object eq 9001
port-object eq 8181
port-object eq 444
port-object eq 9997
port-object eq 8880
port-object eq 8888
port-object eq 33380
port-object eq 9000
port-object eq 41
port-object eq 66
port-object eq 131
port-object eq 96
port-object eq 9008
port-object eq 8090
port-object eq 7663
port-object eq 7553
port-object eq 7883
port-object eq 5119
port-object eq 10444
port-object eq 7010
port-object eq 8443
port-object eq 8050
port-object eq 8447
port-object eq 5859
port-object eq 1010
port-object eq 6883
port-object eq 1080
port-object eq 7061
port-object eq 8083
port-object eq 5000
port-object eq 7070
port-object eq 37009
port-object eq 53395
port-object eq 9999
port-object eq 8191
port-object eq 8002
port-object eq 3443
port-object eq 9443
port-object eq 9777
port-object eq 4022
port-object eq 59205
port-object eq 6510
port-object eq 6310
port-object eq 59206
port-object eq 8034
port-object eq 1119
port-object eq 808
port-object eq 4423
port-object eq 8688
port-object eq 4433
port-object eq 17001
port-object eq 4445
port-object eq 8003
port-object eq 8810
port-object eq 12654
port-object eq 10010
port-object eq 15623
port-object eq 15624
port-object eq 8100
port-object eq 6443
port-object eq 5870
port-object eq 6080
port-object eq 8000
port-object eq 9700
port-object eq 25000
port-object eq 30000
port-object eq 3433
port-object eq 5668
port-object eq 5669
port-object eq 8667
port-object eq 9667
port-object eq 5866
port-object eq 5867
port-object eq 5868
port-object eq 5869
port-object eq 5871
port-object eq 5872
port-object eq 5873
port-object eq 5874
port-object eq 5875
port-object eq 5876
port-object eq 5877
port-object eq 5878
port-object eq 5879
port-object eq 5880
port-object eq 5881
port-object eq 5882
port-object eq 5883
port-object eq 5884
port-object eq 5885
port-object eq 5886
port-object eq 5887
port-object eq 5888
port-object eq 5889
port-object eq 5890
port-object eq 4700
port-object eq 4701
port-object eq 4702
port-object eq 4703
port-object eq 4704
port-object eq 4705
port-object eq 4706
port-object eq 4707
port-object eq 4708
port-object eq 4709
port-object eq 4710
port-object eq 1078
port-object eq 250
port-object eq 1542
port-object eq 236
port-object eq 1528
port-object eq 1536
port-object eq 1554
port-object eq 1404
port-object eq 9354
port-object eq 5001
port-object eq 8087
port-object eq 8010
port-object eq 9090
port-object eq 8085
port-object eq 3080


To work properly, I added an access list:

access-list INSIDE_IN extended permit ip host 10.1.20.245 any


So I set up a virtual environment in EVE-ng, but in this environment, when adding only the access lists for 70 and 207, it did not have the problems I encountered in the real environment. I cannot do troubleshooting in the real environment.


What could possibly be causing this?


Thanks,

Figge