Access from Inside network to subnetwork (DMZ)

Bobby Mazzotti
Level 1

Hello,

I have a request from a customer to allow a server on the inside network (192.168.1.203) to reach the "learning network" 10.10.10.0/24 over a specific set of ports. Here is the current ACL that allows traffic from the DMZ to the inside network:

access-list learning_access_in extended permit icmp 10.10.10.0 255.255.255.0 any 
access-list learning_access_in extended permit ip 10.10.10.0 255.255.255.0 any 
access-list learning_access_in extended permit tcp 10.10.10.0 255.255.255.0 any 
access-list learning_access_in extended permit tcp 10.10.10.0 255.255.255.0 any eq www 
access-list learning_access_in remark Allow access to mmgi-apps
access-list learning_access_in extended permit tcp any host 192.168.1.203 eq 7725 
access-list learning_access_in extended permit tcp any host 192.168.1.203 eq 7751 
access-list learning_access_in extended permit tcp any host 192.168.1.203 eq 7752 
access-list learning_access_in extended permit tcp any host 192.168.1.203 eq 7753 
access-list learning_access_in extended permit udp any host 192.168.1.203 eq 7725 
access-list learning_access_in extended permit udp any host 192.168.1.203 eq 7751 
access-list learning_access_in extended permit udp any host 192.168.1.203 eq 7752 
access-list learning_access_in extended permit udp any host 192.168.1.203 eq 7753 

However, the application is still unable to access desktops using the core application from the inside network to the DMZ. I was under the assumption that, by default, higher-security networks are allowed to access lower-security networks.

interface Ethernet0/1
 description ** Inside Network **
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.254.0 
!

!
interface Ethernet0/2.7
 vlan 25
 nameif learning
 security-level 25
 ip address 10.10.10.254 255.255.255.0 
!

access-list inside extended permit tcp host 192.168.0.25 any eq smtp 
access-list inside extended deny tcp any any eq smtp 
access-list inside remark To allow the website "Timothysmithnetwork.org"
access-list inside extended permit tcp any host xxx.xxx.xxx.xxx eq www 
access-list inside extended permit ip any any 

Thanks for any help.


4 Replies

Maykol Rojas
Cisco Employee

That is correct, until you put an ACL on it. Will the traffic go from the inside to the learning network, from the learning network to the inside, or both?

There might be some NAT issues as well; you can run packet-tracer to see where the problem is.

packet-tracer input <input src interface ie inside> <tcp/udp> <src host> <dest host> <port> 

It should give you something if it is the firewall that is blocking it. 

Mike. 

Mike

I ran packet-tracer for the destination port and received the following:

FW1# packet-tracer input inside tcp 192.168.1.213 7751 10.10.10.34 7751

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.10.0      255.255.255.0   learning

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside in interface inside
access-list inside extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any learning any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 1408, untranslate_hits = 0
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: learning
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
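A small parser for the packet-tracer output above, added here as an example (it is not from the thread): it pulls out each phase and the config lines it matched, so the phase that actually dropped the flow (NAT, "No matching global") is surfaced rather than only the generic trailing Drop-reason. SAMPLE is an abridged, constructed copy of the output posted above.

```python
import re

# Abridged copy of the packet-tracer output posted above (constructed; phases 1, 2, 4 omitted).
SAMPLE = """\
Phase: 3
Type: ACCESS-LIST
Result: ALLOW
Config:
access-group inside in interface inside
access-list inside extended permit ip any any

Phase: 5
Type: NAT
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any learning any
    dynamic translation to pool 1 (No matching global)
Additional Information:

Result:
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text):
    """Split packet-tracer output into phase dicts plus the final verdict dict."""
    phases, verdict = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if lines[0].startswith("Phase:"):
            phase, section = {"phase": int(lines[0].split(":")[1]), "config": []}, None
            for line in lines[1:]:
                key, _, val = line.partition(":")
                if key in ("Type", "Subtype", "Result"):
                    phase[key.lower()] = val.strip()
                elif key in ("Config", "Additional Information"):
                    section = key  # following lines belong to this section
                elif section == "Config":
                    phase["config"].append(line.strip())
            phases.append(phase)
        elif lines[0].startswith("Result:"):
            verdict = {k.strip(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
    return phases, verdict

def first_drop(text):
    """Return the phase that dropped the flow (and the first rule it hit), or None."""
    phases, verdict = parse_phases(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    return drop and {"phase": drop["phase"], "type": drop["type"],
                     "rule": drop["config"][0], "drop_reason": verdict.get("Drop-reason", "")}
```

Paste the full output of a real run into `first_drop`; when it returns a NAT phase with "No matching global", the fix is a translation (or NAT exemption) rather than an ACL change, as this thread ended up confirming.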

The security levels only take effect while there are no access-lists assigned to the interface.  Once you assign an ACL to an interface it is the ACL that counts and not the security level.

What version of ASA are you running? If you are running a version earlier than 8.2 you may need to either add a NAT exempt statement for the traffic or issue the command no nat-control.

--
Please remember to select a correct answer and rate helpful posts

Ended up having to add a no-NAT rule:

access-list NO_NAT_LEARNING extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

nat (learning) 0 access-list NO_NAT_LEARNING
