
ASA ACL question

Figge F Sun
Level 1

Hi,

I have a question about my ASA 5512.

I want UDP 5514 on 10.1.20.245 to receive messages from 70.39.240.7 and 207.223.104.1. So I added these:

access-list OUTSIDE_IN extended permit udp host 70.39.240.1 host 10.1.20.245 eq 5514
access-list OUTSIDE_IN extended permit udp host 207.223.104.1 host 10.1.20.245 eq 5514

10.1.20.245 could access the Internet before I added these two access-list entries, but after I added them, it cannot access the Internet.

The following are my ACEs:

Inbound on the outside interface:

access-list OUTSIDE_IN extended permit udp host 70.39.240.1 host 10.1.20.245 eq 5514
access-list OUTSIDE_IN extended permit udp host 207.223.104.1 host 10.1.20.245 eq 5514
access-list OUTSIDE_IN extended permit icmp any4 any4
access-list OUTSIDE_IN extended permit tcp any4 host 10.0.11.17 eq smtp
access-list OUTSIDE_IN remark [ 2X ]
access-list OUTSIDE_IN remark [RemoteAPP-Test]
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.20.24 eq https
access-list OUTSIDE_IN extended deny ip any object-group HACKER
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.20.61 range 8040 8041
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.20.75 eq https

Inbound on the inside interface:
access-list INSIDE_IN extended permit icmp any any
access-list INSIDE_IN extended permit udp object-group Server_VLANs any4 eq domain
access-list INSIDE_IN extended permit tcp any4 any4 object-group TCP-OPEN
access-list INSIDE_IN extended deny tcp any any
access-list INSIDE_IN extended deny udp any4 any4 eq domain
access-list INSIDE_IN extended permit ip any4 any4

Please check.

Thanks,

Figge

2 Replies

johnd2310
Level 8

Hi,

A couple of issues with your access-lists:

"I want UDP 5514 on 10.1.20.245 to receive messages from 70.39.240.7 and 207.223.104.1. So I added these:"

"access-list OUTSIDE_IN extended permit udp host 70.39.240.1 host 10.1.20.245 eq 5514"

Which is correct?

On the inside access-list, what is the configuration of "object-group TCP-OPEN"?

To find out why 10.1.20.245 is failing to connect to the Internet, use packet tracer:

packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed]

Example:

packet-tracer input INSIDE tcp 10.1.20.245 1024 1.1.1.1 80 detailed

Thanks

John

**Please rate posts you find helpful**

Hi John,

TCP-OPEN contains the port numbers that we can access internally, like 443/80.

object-group service TCP-OPEN tcp
port-object eq ftp-data
port-object eq ftp
port-object eq ssh
port-object eq smtp
port-object eq 42
port-object eq domain
port-object eq 161
port-object eq 162
port-object eq bgp
port-object eq ldap
port-object eq https
port-object eq 465
port-object eq 500
port-object eq ldaps
port-object eq 691
port-object eq 902
port-object eq 912
port-object eq 989
port-object eq 1241
port-object eq 1422
port-object eq 1433
port-object eq 1434
port-object eq citrix-ica
port-object eq 1604
port-object eq pptp
port-object eq 1863
port-object eq 2598
port-object eq 3128
port-object eq 3130
port-object eq 3268
port-object eq 3269
port-object eq 3306
port-object eq 5010
port-object eq aol
port-object eq 5490
port-object eq 5500
port-object eq 5501
port-object eq 5800
port-object eq 5801
port-object eq 5900
port-object eq 5901
port-object eq 6891
port-object eq 6892
port-object eq 6893
port-object eq 6894
port-object eq 6896
port-object eq 6897
port-object eq 6899
port-object eq 6900
port-object eq 6901
port-object eq 8080
port-object eq 8081
port-object eq 9899
port-object eq 8200
port-object eq 3689
port-object eq www
port-object eq 8040
port-object eq 8099
port-object eq 3389
port-object eq 12489
port-object eq 5666
port-object eq 8041
port-object eq 81
port-object eq 10000
port-object eq 88
port-object eq 8008
port-object eq pop3
port-object eq imap4
port-object eq 89
port-object eq 801
port-object eq 1443
port-object eq 48388
port-object eq whois
port-object range 50040 50059
port-object eq 7789
port-object eq 8129
port-object eq 8088
port-object eq 9418
port-object eq 4172
port-object eq 85
port-object eq 1085
port-object eq 8001
port-object eq 5061
port-object eq 3393
port-object eq 7002
port-object eq 7001
port-object eq 9097
port-object eq 8889
port-object eq 6668
port-object eq 995
port-object eq 993
port-object eq 587
port-object eq 2000
port-object eq 11371
port-object eq sip
port-object eq 5063
port-object eq 5080
port-object eq 612
port-object eq 9001
port-object eq 8181
port-object eq 444
port-object eq 9997
port-object eq 8880
port-object eq 8888
port-object eq 33380
port-object eq 9000
port-object eq 41
port-object eq 66
port-object eq 131
port-object eq 96
port-object eq 9008
port-object eq 8090
port-object eq 7663
port-object eq 7553
port-object eq 7883
port-object eq 5119
port-object eq 10444
port-object eq 7010
port-object eq 8443
port-object eq 8050
port-object eq 8447
port-object eq 5859
port-object eq 1010
port-object eq 6883
port-object eq 1080
port-object eq 7061
port-object eq 8083
port-object eq 5000
port-object eq 7070
port-object eq 37009
port-object eq 53395
port-object eq 9999
port-object eq 8191
port-object eq 8002
port-object eq 3443
port-object eq 9443
port-object eq 9777
port-object eq 4022
port-object eq 59205
port-object eq 6510
port-object eq 6310
port-object eq 59206
port-object eq 8034
port-object eq 1119
port-object eq 808
port-object eq 4423
port-object eq 8688
port-object eq 4433
port-object eq 17001
port-object eq 4445
port-object eq 8003
port-object eq 8810
port-object eq 12654
port-object eq 10010
port-object eq 15623
port-object eq 15624
port-object eq 8100
port-object eq 6443
port-object eq 5870
port-object eq 6080
port-object eq 8000
port-object eq 9700
port-object eq 25000
port-object eq 30000
port-object eq 3433
port-object eq 5668
port-object eq 5669
port-object eq 8667
port-object eq 9667
port-object eq 5866
port-object eq 5867
port-object eq 5868
port-object eq 5869
port-object eq 5871
port-object eq 5872
port-object eq 5873
port-object eq 5874
port-object eq 5875
port-object eq 5876
port-object eq 5877
port-object eq 5878
port-object eq 5879
port-object eq 5880
port-object eq 5881
port-object eq 5882
port-object eq 5883
port-object eq 5884
port-object eq 5885
port-object eq 5886
port-object eq 5887
port-object eq 5888
port-object eq 5889
port-object eq 5890
port-object eq 4700
port-object eq 4701
port-object eq 4702
port-object eq 4703
port-object eq 4704
port-object eq 4705
port-object eq 4706
port-object eq 4707
port-object eq 4708
port-object eq 4709
port-object eq 4710
port-object eq 1078
port-object eq 250
port-object eq 1542
port-object eq 236
port-object eq 1528
port-object eq 1536
port-object eq 1554
port-object eq 1404
port-object eq 9354
port-object eq 5001
port-object eq 8087
port-object eq 8010
port-object eq 9090
port-object eq 8085
port-object eq 3080

To make it work properly, I added an access list:

access-list INSIDE_IN extended permit ip host 10.1.20.245 any

So I set up a virtual environment in EVE-NG, but in this environment, when I added only the access lists for 70 and 207, it did not have the problems I encountered in the real environment. I cannot troubleshoot in the real environment.

What could possibly be causing this?

Thanks,

Figge
