04-25-2022 01:34 AM
Hi,
I have a question about my ASA 5512. I had configured its outside and inside interfaces earlier. But recently I added two statements to allow routers to send UDP messages to my intranet. Then 10.1.20.245 couldn't get online. The following ACLs were applied in the incoming direction of the outside interface.
access-list OUTSIDE_IN extended permit udp host 70.39.240.1 host 10.1.20.245 eq 5514
access-list OUTSIDE_IN extended permit udp host 207.223.104.1 host 10.1.20.245 eq 5514
When I added the following ACL, 10.1.20.245 was online again. The following ACL was applied in the incoming direction of the inside interface.
access-list INSIDE_IN extended permit ip host 10.1.20.245 any
Before I configured the ACL, I had the following configuration. In this case, 10.1.20.245 could access the Internet normally.
In the incoming direction of the outside interface:
access-list OUTSIDE_IN extended permit icmp any4 any4
In the incoming direction of the inside interface:
access-list INSIDE_IN extended permit icmp any any
access-list INSIDE_IN extended permit tcp any4 any4 object-group TCP-OPEN
access-list INSIDE_IN extended deny tcp any any
access-list INSIDE_IN extended deny udp any4 any4 eq domain
access-list INSIDE_IN extended permit ip any4 any4
Could you please explain to me why I need to add "access-list INSIDE_IN extended permit ip host 10.1.20.245 any"?
Thanks,
Figge
04-25-2022 01:43 AM
Hello,
What exactly are you trying to accomplish?
access-list OUTSIDE_IN extended permit udp host 70.39.240.1 host 10.1.20.245 eq 5514
access-list OUTSIDE_IN extended permit udp host 207.223.104.1 host 10.1.20.245 eq 5514
This access list denies everything except UDP port 5514 between these two hosts. Nothing else will work.
What do you want host 10.1.20.245 (and what is that host, the router?) to be able to access?
04-25-2022 05:39 AM
Hi Georg,
I want UDP 5514 on 10.1.20.245 to receive messages from 70.39.240.7 and 207.223.104.1, so I added these.
access-list OUTSIDE_IN extended permit udp host 70.39.240.1 host 10.1.20.245 eq 5514
access-list OUTSIDE_IN extended permit udp host 207.223.104.1 host 10.1.20.245 eq 5514
10.1.20.245 could access the Internet before I added these two access lists, but after I added them, it cannot access the Internet.
As I said, do these access lists affect my internal-to-external access?
Thanks,
Figge
04-25-2022 06:11 AM
Just show me the access-list and I will check it.
04-25-2022 06:09 PM
Hi,
access-list OUTSIDE_IN extended permit udp host 70.39.240.1 host 10.1.20.245 eq 5514
access-list OUTSIDE_IN extended permit udp host 207.223.104.1 host 10.1.20.245 eq 5514
access-list OUTSIDE_IN extended permit icmp any4 any4
access-list OUTSIDE_IN extended permit tcp any4 host 10.0.11.17 eq smtp
access-list OUTSIDE_IN remark [ 2X ]
access-list OUTSIDE_IN remark [RemoteAPP-Test]
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.20.24 eq https
access-list OUTSIDE_IN extended deny ip any object-group HACKER
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.20.61 range 8040 8041
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.20.75 eq https
access-list INSIDE_IN extended permit ip host 10.1.20.245 any
access-list INSIDE_IN extended permit icmp any any
access-list INSIDE_IN extended permit udp object-group Server_VLANs any4 eq domain
access-list INSIDE_IN extended permit tcp any4 any4 object-group TCP-OPEN
access-list INSIDE_IN extended deny tcp any any
access-list INSIDE_IN extended deny udp any4 any4 eq domain
access-list INSIDE_IN extended permit ip any4 any4
Please check it.
Thanks,
Figge
04-25-2022 04:41 AM
Can I see the output of show access-list?
04-25-2022 06:26 AM - edited 04-25-2022 06:27 AM
access-list OUTSIDE_IN line 1 extended permit udp host 70.39.240.1 host 10.1.20.245 eq 5514 (hitcnt=94) 0x391080fb
access-list OUTSIDE_IN line 2 extended permit udp host 207.223.104.1 host 10.1.20.245 eq 5514 (hitcnt=22) 0x3d6f0faa
!
The traffic is two-way, so you need an ACL to allow the return traffic back to 70.39.240.1 and 207.223.104.1.
You applied this ACL, and I think it is too open and not so secure:
access-list INSIDE_IN line 1 extended permit ip host 10.1.20.245 any (hitcnt=212) 0x9a8e6af1
Instead:
access-list INSIDE_IN line 1 extended permit udp host 10.1.20.245 eq 5514 host 70.39.240.1
access-list INSIDE_IN line 1 extended permit udp host 10.1.20.245 eq 5514 host 207.223.104.1
04-25-2022 06:00 PM
Hi,
access-list OUTSIDE_IN extended permit udp host 70.39.240.1 host 10.1.20.245 eq 5514
access-list OUTSIDE_IN extended permit udp host 207.223.104.1 host 10.1.20.245 eq 5514
access-list OUTSIDE_IN extended permit icmp any4 any4
access-list OUTSIDE_IN extended permit tcp any4 host 10.0.11.17 eq smtp
access-list OUTSIDE_IN remark [ 2X ]
access-list OUTSIDE_IN remark [RemoteAPP-Test]
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.20.24 eq https
access-list OUTSIDE_IN extended deny ip any object-group HACKER
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.20.61 range 8040 8041
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.20.75 eq https
access-list INSIDE_IN extended permit ip host 10.1.20.245 any
access-list INSIDE_IN extended permit icmp any any
access-list INSIDE_IN extended permit udp object-group Server_VLANs any4 eq domain
access-list INSIDE_IN extended permit tcp any4 any4 object-group TCP-OPEN
access-list INSIDE_IN extended deny tcp any any
access-list INSIDE_IN extended deny udp any4 any4 eq domain
access-list INSIDE_IN extended permit ip any4 any4
70.39.240.1 and 207.113.104.1 will actively send logs to 10.1.20.245. This behaviour is not initiated by 10.1.20.245.
access-list INSIDE_IN extended permit ip host 10.1.20.245 any
If I don't add this access list, 10.1.20.245 goes offline. Why?
access-list OUTSIDE_IN extended permit udp host 70.39.240.1 host 10.1.20.245 eq 5514
access-list OUTSIDE_IN extended permit udp host 207.223.104.1 host 10.1.20.245 eq 5514
How will these two access lists affect the access to the Internet from 10.1.20.245? Will they be denied implicitly?
Thanks,
Figge
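The question the thread keeps circling is whether two permit lines on OUTSIDE_IN can implicitly deny traffic that 10.1.20.245 itself initiates. The model below is an added example, not the thread's configuration or any Cisco code: it replays the ACLs as posted under ASA semantics that are not in dispute (first match wins, an implicit deny closes every ACL, each interface's inbound ACL is consulted only for the first packet of a new connection, and return packets of an established connection are matched by the connection table rather than by the ACL on the returning interface). It does not model NAT or inspection. The contents of the object-groups TCP-OPEN, Server_VLANs and HACKER are never posted, so the values used here are assumptions, as is the Internet address 203.0.113.10 used for the outbound flow.

```python
# ASA-style ACL model: added example, not the thread's configuration or Cisco code.
# First-match evaluation with an implicit deny, one inbound ACL per interface, and a
# connection table that lets return traffic bypass the ACL. NAT is not modelled.
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")
Rule = namedtuple("Rule", "action proto src sports dst dports text")
# ASSUMED object-group contents; the thread never posts them.
NET_GROUPS = {"HACKER": ["198.51.100.0/24"], "Server_VLANs": ["10.0.11.0/24"]}
SERVICE_GROUPS = {"TCP-OPEN": {80, 443}}
PORT_NAMES = {"smtp": 25, "https": 443, "domain": 53}
ANY = [ipaddress.ip_network("0.0.0.0/0")]

def _addr(tok, i):
    """Consume one address spec at tok[i] (any/any4, host X, object-group G)."""
    if tok[i] in ("any", "any4"):
        return ANY, i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1] + "/32")], i + 2
    return [ipaddress.ip_network(n) for n in NET_GROUPS[tok[i + 1]]], i + 2

def _ports(tok, i):
    """Consume an optional port spec (eq / range / service object-group); None means any port."""
    if i < len(tok) and tok[i] == "eq":
        return {PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])}, i + 2
    if i < len(tok) and tok[i] == "range":
        return set(range(int(tok[i + 1]), int(tok[i + 2]) + 1)), i + 3
    if i < len(tok) and tok[i] == "object-group" and tok[i + 1] in SERVICE_GROUPS:
        return SERVICE_GROUPS[tok[i + 1]], i + 2
    return None, i

def parse_acls(lines):
    """Parse 'access-list NAME extended ...' lines into {NAME: [Rule]}; remarks are skipped."""
    acls = {}
    for line in lines:
        tok = line.split()
        rules = acls.setdefault(tok[1], [])
        if tok[2] != "extended":
            continue
        src, i = _addr(tok, 5)
        sports, i = _ports(tok, i)      # optional source port spec
        dst, i = _addr(tok, i)
        dports, _ = _ports(tok, i)
        rules.append(Rule(tok[3], tok[4], src, sports, dst, dports, line))
    return acls

def _match(r, p):
    a, b = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    return (r.proto in ("ip", p.proto)
            and any(a in n for n in r.src) and any(b in n for n in r.dst)
            and (r.sports is None or p.sport in r.sports)
            and (r.dports is None or p.dport in r.dports))

def evaluate(acl, p):
    """First matching line wins; falling off the end is the implicit deny."""
    for r in acl:
        if _match(r, p):
            return r.action, r.text
    return "deny", "<implicit deny>"

class Firewall:
    def __init__(self, acls, bindings):
        self.acls, self.bindings, self.conns = acls, bindings, set()

    def packet(self, ifc, p):
        """Process a packet arriving on interface `ifc`; returns (verdict, reason)."""
        if p in self.conns or Packet(p.proto, p.dst, p.dport, p.src, p.sport) in self.conns:
            return "permit", "existing connection (ACL not consulted)"
        action, why = evaluate(self.acls[self.bindings[ifc]], p)
        if action == "permit":
            self.conns.add(p)           # first packet permitted: connection is now established
        return action, why

POSTED = """\
access-list OUTSIDE_IN extended permit udp host 70.39.240.1 host 10.1.20.245 eq 5514
access-list OUTSIDE_IN extended permit udp host 207.223.104.1 host 10.1.20.245 eq 5514
access-list OUTSIDE_IN extended permit icmp any4 any4
access-list OUTSIDE_IN extended permit tcp any4 host 10.0.11.17 eq smtp
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.20.24 eq https
access-list OUTSIDE_IN extended deny ip any object-group HACKER
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.20.61 range 8040 8041
access-list OUTSIDE_IN extended permit tcp any4 host 10.1.20.75 eq https
access-list INSIDE_IN extended permit icmp any any
access-list INSIDE_IN extended permit udp object-group Server_VLANs any4 eq domain
access-list INSIDE_IN extended permit tcp any4 any4 object-group TCP-OPEN
access-list INSIDE_IN extended deny tcp any any
access-list INSIDE_IN extended deny udp any4 any4 eq domain
access-list INSIDE_IN extended permit ip any4 any4""".splitlines()
HOST_PERMIT = "access-list INSIDE_IN extended permit ip host 10.1.20.245 any"

def run(lines):
    """Replay the flows the thread asks about; returns {flow name: verdict}."""
    fw = Firewall(parse_acls(lines), {"inside": "INSIDE_IN", "outside": "OUTSIDE_IN"})
    flows = [  # 203.0.113.10 is a constructed Internet address
        ("out_https", "inside", Packet("tcp", "10.1.20.245", 40000, "203.0.113.10", 443)),  # INSIDE_IN only
        ("https_reply", "outside", Packet("tcp", "203.0.113.10", 443, "10.1.20.245", 40000)),  # conn table
        ("syslog_in", "outside", Packet("udp", "70.39.240.1", 514, "10.1.20.245", 5514)),  # OUTSIDE_IN line 1
        ("ssh_probe", "outside", Packet("tcp", "70.39.240.1", 50000, "10.1.20.245", 22)),  # implicit deny
        ("out_dns", "inside", Packet("udp", "10.1.20.245", 53000, "8.8.8.8", 53)),  # deny udp ... eq domain
    ]
    return {name: fw.packet(ifc, p)[0] for name, ifc, p in flows}
```

With the posted ACLs, `run(POSTED)` permits the host's outbound HTTPS on INSIDE_IN, permits the reply via the connection table without ever consulting OUTSIDE_IN, permits the router's syslog to udp/5514 on OUTSIDE_IN line 1 and drops the router's ssh probe on the implicit deny. The one flow that changes when the `permit ip host 10.1.20.245 any` line is prepended (`run([HOST_PERMIT] + POSTED)`) is the host's own DNS query, which under the assumed Server_VLANs contents falls through to `deny udp any4 any4 eq domain`; whether that is the case on the real box depends on the group's actual members, so it is worth checking with `packet-tracer input inside udp 10.1.20.245 53000 8.8.8.8 53` and `show conn address 10.1.20.245` before and after removing the line. The model cannot say anything about NAT, which is the other thing a host-specific permit line would not fix.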