Re: ASA5512 ACL question

Figge F Sun · ‎04-25-2022

Hi,

There is a question in my ASA 5512. I had configured it in outside and inside earlier. But recently I added two statements to allow routers to send UDP messages to my Intranet. Then the 10.1.20.245 can't get online.The following ACLs were applied in the incoming direction of an outside outlet.

access-list OUTSIDE_IN extended permit udp host 70.39.240.1 host 10.1.20.245 eq 5514
access-list OUTSIDE_IN extended permit udp host 207.223.104.1 host 10.1.20.245 eq 5514

When I added the following ACL, the 10.1.20.245 was online again.The following ACLs was applied in the incoming direction of an inside outlet.

access-list INSIDE_IN extended permit ip host 10.1.20.245 any

Before I configured the ACL, I had the following configuration. In this case, 10.1.20.245 can access the Internet normally.

In the incoming direction of an outside outlet

access-list OUTSIDE_IN extended permit icmp any4 any4

In the incoming direction of an inside outlet:

   access-list INSIDE_IN extended permit icmp any any
   access-list INSIDE_IN extended permit tcp any4 any4 object-group TCP-OPEN
   access-list INSIDE_IN extended deny tcp any any
   access-list INSIDE_IN extended deny udp any4 any4 eq domain
   access-list INSIDE_IN extended permit ip any4 any4

Could you please answer the question for me about why I need to add the "access-list INSIDE_IN extended permit ip host 10.1.20.245 any "?

Thanks,

Figge

Georg Pauwen · ‎04-25-2022

Hello,

what exactly are you trying to accomplish ?

access-list OUTSIDE_IN extended permit udp host 70.39.240.1 host 10.1.20.245 eq 5514
access-list OUTSIDE_IN extended permit udp host 207.223.104.1 host 10.1.20.245 eq 5514

This access lists denies everything except UDP port 5514 between these two hosts. Nothing else will work.

What do you want host 10.1.20.245 (and what is that host, the router) to be able to access ?

Figge F Sun · ‎04-25-2022

Hi Georg,

I want UDP 5514 on 10.1.20.245 to receive messages from 70.39.240.7 and 207.223.104.1. So I added these.

access-list OUTSIDE_IN extended permit udp host 70.39.240.1 host 10.1.20.245 eq 5514
access-list OUTSIDE_IN extended permit udp host 207.223.104.1 host 10.1.20.245 eq 5514

10.1.20.245 can access the Internet before I add these two access lists, but after I add these lists, it cannot access the Internet.

As I said, do these access lists affect my internal to external access?

Thanks,

Figge

MHM Cisco World · ‎04-25-2022

just show me the access-list I will check it.

Figge F Sun · ‎04-25-2022

Hi,

access-list OUTSIDE_IN extended permit udp host 70.39.240.1 host 10.1.20.245 eq 5514
access-list OUTSIDE_IN extended permit udp host 207.223.104.1 host 10.1.20.245 eq 5514
access-list OUTSIDE_IN extended permit icmp any4 any4
access-list OUTSIDE_IN extended permit tcp any4 host 10.0.11.17 eq smtp
access-list OUTSIDE_IN remark [ 2X ]access-list OUTSIDE_IN remark [RemoteAPP-Test]
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.20.24 eq https
access-list OUTSIDE_IN extended deny ip any object-group HACKER
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.20.61 range 8040 8041
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.20.75 eq https

access-list INSIDE_IN extended permit ip host 10.1.20.245 any
access-list INSIDE_IN extended permit icmp any any
access-list INSIDE_IN extended permit udp object-group Server_VLANs any4 eq domain
access-list INSIDE_IN extended permit tcp any4 any4 object-group TCP-OPEN
access-list INSIDE_IN extended deny tcp any any
access-list INSIDE_IN extended deny udp any4 any4 eq domain
access-list INSIDE_IN extended permit ip any4 any4

Please check it.

Thanks,

Figge

MHM Cisco World · ‎04-25-2022

can I see show access-list ?

MHM Cisco World · ‎04-25-2022

access-list OUTSIDE_IN line 1 extended permit udp host 70.39.240.1 host 10.1.20.245 eq 5514 (hitcnt=94) 0x391080fb
access-list OUTSIDE_IN line 2 extended permit udp host 207.223.104.1 host 10.1.20.245 eq 5514 (hitcnt=22) 0x3d6f0faa

!

The traffic is Two Way so need ACL to allow return back traffic to 70.39.240.1 & 207.223.104.1
you apply this ACL and I think it open not so secure

access-list INSIDE_IN line 1 extended permit ip host 10.1.20.245 any (hitcnt=212) 0x9a8e6af1

instead

access-list INSIDE_IN line 1 extended permit udp host 10.1.20.245 eq 5514 host 70.39.240.1

access-list INSIDE_IN line 1 extended permit udp host 10.1.20.245 eq 5514 host 207.223.104.1

Figge F Sun · ‎04-25-2022

Hi,

access-list OUTSIDE_IN extended permit udp host 70.39.240.1 host 10.1.20.245 eq 5514
access-list OUTSIDE_IN extended permit udp host 207.223.104.1 host 10.1.20.245 eq 5514
access-list OUTSIDE_IN extended permit icmp any4 any4
access-list OUTSIDE_IN extended permit tcp any4 host 10.0.11.17 eq smtp
access-list OUTSIDE_IN remark [ 2X ]access-list OUTSIDE_IN remark [RemoteAPP-Test]
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.20.24 eq https
access-list OUTSIDE_IN extended deny ip any object-group HACKER
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.20.61 range 8040 8041
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.20.75 eq https

access-list INSIDE_IN extended permit ip host 10.1.20.245 any
access-list INSIDE_IN extended permit icmp any any
access-list INSIDE_IN extended permit udp object-group Server_VLANs any4 eq domain
access-list INSIDE_IN extended permit tcp any4 any4 object-group TCP-OPEN
access-list INSIDE_IN extended deny tcp any any
access-list INSIDE_IN extended deny udp any4 any4 eq domain
access-list INSIDE_IN extended permit ip any4 any4

70.39.240.1 and 207.113.104.1 will actively send logs to 10.1.20.245. This behavior is not initiated by 10.1.20.245.

access-list INSIDE_IN extended permit ip host 10.1.20.245 any

If I don't add this access list, 10.1.20.245 will be offline. Why?

access-list OUTSIDE_IN extended permit udp host 70.39.240.1 host 10.1.20.245 eq 5514
access-list OUTSIDE_IN extended permit udp host 207.223.104.1 host 10.1.20.245 eq 5514

How will these two access lists affect the access to the Internet from 10.1.20.245? Will they be denied implicitly?

Thanks,

Figge