08-26-2015 09:44 AM - last edited on 03-25-2019 05:56 PM by ciscomoderator
Hello,
I have a request from a customer to allow a server on the inside network (192.168.1.203) to reach the "learning network" 10.10.10.0/24 over a specific set of ports. Here is the current ACL that allows access from the DMZ to the inside network:
access-list learning_access_in extended permit icmp 10.10.10.0 255.255.255.0 any
access-list learning_access_in extended permit ip 10.10.10.0 255.255.255.0 any
access-list learning_access_in extended permit tcp 10.10.10.0 255.255.255.0 any
access-list learning_access_in extended permit tcp 10.10.10.0 255.255.255.0 any eq www
access-list learning_access_in remark Allow access to mmgi-apps
access-list learning_access_in extended permit tcp any host 192.168.1.203 eq 7725
access-list learning_access_in extended permit tcp any host 192.168.1.203 eq 7751
access-list learning_access_in extended permit tcp any host 192.168.1.203 eq 7752
access-list learning_access_in extended permit tcp any host 192.168.1.203 eq 7753
access-list learning_access_in extended permit udp any host 192.168.1.203 eq 7725
access-list learning_access_in extended permit udp any host 192.168.1.203 eq 7751
access-list learning_access_in extended permit udp any host 192.168.1.203 eq 7752
access-list learning_access_in extended permit udp any host 192.168.1.203 eq 7753
However, the application is still unable to access desktops using the core application from the inside network to the DMZ. I was under the assumption that, by default, higher-security networks would be allowed to access lower-security ones.
interface Ethernet0/1
description ** Inside Network **
nameif inside
security-level 100
ip address 192.168.1.1 255.255.254.0
!
!
interface Ethernet0/2.7
vlan 25
nameif learning
security-level 25
ip address 10.10.10.254 255.255.255.0
!
access-list inside extended permit tcp host 192.168.0.25 any eq smtp
access-list inside extended deny tcp any any eq smtp
access-list inside remark To allow the website "Timothysmithnetwork.org"
access-list inside extended permit tcp any host xxx.xxx.xxx.xxx eq www
access-list inside extended permit ip any any
Thanks for any help.
08-26-2015 01:09 PM
The security levels only take effect while there are no access-lists assigned to the interface. Once you assign an ACL to an interface it is the ACL that counts and not the security level.
What version of ASA are you running? If you are running a version earlier than 8.2 you may need to either add a NAT exempt statement for the traffic or issue the command no nat-control.
--
Please remember to select a correct answer and rate helpful posts
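To make the point above concrete, here is an added Python model (not Cisco code and not from this thread) of how an ASA picks the ACL that governs a flow: it parses the extended ACL lines used in this thread and evaluates a flow only against the ACL bound inbound on its ingress interface, so an inside-to-learning packet is judged by the "inside" ACL and never by learning_access_in. The access-group bindings and the trimmed configuration subset are assumptions.

```python
import ipaddress
# Added illustration, not Cisco code: a minimal model of how an ASA picks the ACL that
# governs a flow. Only the "access-list NAME extended permit|deny PROTO SRC DST [eq PORT]"
# forms seen in this thread are parsed; the access-group bindings below are assumed.
PORT_NAMES = {"www": 80, "smtp": 25}
ACCESS_GROUPS = {"inside": "inside", "learning": "learning_access_in"}  # ingress interface -> ACL

def _addr(t, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(t[i] + "/" + t[i + 1]), i + 2

def parse_acls(config):
    """Return {acl_name: [(action, proto, src_net, dst_net, dport_or_None), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] != "extended":
            continue  # blank lines and 'remark' entries are not ACEs
        src, i = _addr(t, 5)
        dst, i = _addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        acls.setdefault(t[1], []).append((t[3], t[4], src, dst, dport))
    return acls

def evaluate(acl, proto, src, dst, dport):
    """First matching ACE wins; an unmatched packet hits the ASA's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, src_net, dst_net, ace_port in acl:
        if p in ("ip", proto) and s in src_net and d in dst_net and ace_port in (None, dport):
            return action
    return "deny (implicit)"

def check_flow(acls, ingress, proto, src, dst, dport):
    """Only the ACL bound inbound on the ingress interface is consulted for this direction."""
    return evaluate(acls[ACCESS_GROUPS[ingress]], proto, src, dst, dport)

# Constructed subset of the thread's configuration (the broad permit-ip lines left out on purpose).
CONFIG = """
access-list learning_access_in remark Allow access to mmgi-apps
access-list learning_access_in extended permit tcp any host 192.168.1.203 eq 7751
access-list inside extended permit tcp host 192.168.0.25 any eq smtp
access-list inside extended deny tcp any any eq smtp
access-list inside extended permit ip any any
"""
ACLS = parse_acls(CONFIG)
```

With this subset, check_flow(ACLS, "inside", "tcp", "192.168.1.213", "10.10.10.34", 7751) returns "permit" through the inside ACL's permit ip any any, which is why the ACL phase is not where the thread's traffic is failing.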
08-26-2015 11:52 AM
That is correct, until you put an ACL on it. Will the traffic go from the inside to the learning network, from the learning network to the inside, or both?
There might be some NAT issues as well; you can try running packet-tracer to see where the problem is.
packet-tracer input <input src interface ie inside> <tcp/udp> <src host> <dest host> <port>
It should give you something if it is the firewall that is blocking it.
Mike.
08-26-2015 12:06 PM
I ran packet-tracer for the destination port and received the following:
FW1# packet-tracer input inside tcp 192.168.1.213 7751 10.10.10.34 7751
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.10.0 255.255.255.0 learning
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside in interface inside
access-list inside extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any learning any
dynamic translation to pool 1 (No matching global)
translate_hits = 1408, untranslate_hits = 0
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: learning
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
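The trace above is easy to misread because the final Drop-reason says "acl-drop" while Phase 3 (the ACL) allowed the flow and Phase 5 (NAT, no matching global) is what dropped it. As an added example that is not from this thread or from Cisco, this Python helper splits packet-tracer output into phases and reports the first phase that dropped the packet together with its Config lines; the embedded trace is an abridged copy of the one posted above.

```python
import re
# Added illustration, not Cisco code: split ASA packet-tracer output into its phases and
# report the first phase that dropped the packet. The closing Drop-reason alone can mislead:
# this trace ends in "acl-drop" although the ACL phase allowed the flow and NAT dropped it.

def parse_phases(output):
    """Return one dict per 'Phase: N' block with its type, result and Config lines."""
    trace = re.split(r"^Result:\s*$", output, flags=re.M, maxsplit=1)[0]  # cut the summary
    phases = []
    for block in re.split(r"^Phase:\s*", trace, flags=re.M)[1:]:
        lines = block.splitlines()
        phase = {"phase": int(lines[0]), "type": "", "result": "", "config": []}
        in_config = False
        for line in lines[1:]:
            key, _, value = line.partition(":")
            if key in ("Type", "Result"):
                phase[key.lower()] = value.strip()
            elif key == "Config":
                in_config = True
            elif key == "Additional Information":
                in_config = False
            elif in_config and line.strip():
                phase["config"].append(line.strip())
        phases.append(phase)
    return phases

def first_drop(output):
    """Return (phase number, type, config lines, drop reason) of the first DROP, or None if allowed."""
    m = re.search(r"^Drop-reason:\s*(.+)$", output, flags=re.M)
    for p in parse_phases(output):
        if p["result"] == "DROP":
            return p["phase"], p["type"], p["config"], (m.group(1).strip() if m else None)
    return None

# Abridged from the trace posted in this thread (phases 1, 2 and 4 and the interface status lines omitted).
TRACE = """Phase: 3
Type: ACCESS-LIST
Result: ALLOW
Config:
access-list inside extended permit ip any any
Additional Information:
Phase: 5
Type: NAT
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any learning any
    dynamic translation to pool 1 (No matching global)
Result:
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

first_drop(TRACE) returns phase 5 of type NAT with the nat (inside) 1 line as its config, which points at the missing global or NAT exemption rather than at the ACL.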
08-26-2015 01:17 PM
Ended up having to place a no-NAT rule:
access-list NO_NAT_LEARNING extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (learning) 0 access-list NO_NAT_LEARNING