Access list help with ASA 5510 on 8.4(3)

Andy White · ‎02-15-2012

Hello,

I'm setting up 2 x ASA 5510's and have got the failover working and from the trunk port for my sub interfaces which goes into a 3750. Anyway I'm have a bit of a nightmare as I can't get a PC on VLAN 50 with an IP of 172.26.1.222 to access the firewall via the ASDM on 192.168.60.222 or ping it. 172.26.1.222 can ping the interface on the ASA to 172.26.1.1. The packet trace says 172.26.1.222 as allowed to 192.168.60.222 on https but not http

cli error: TCP access denied by ACL from 172.26.1.222/80 to Testl_Live_WAN:192.168.60.222/80

Do I need to add a NAT? NAT's look very different in this version as I'm use to 8.2.

CONFIG:

CiscoASA-5510-Test-1# sh run

: Saved

:

ASA Version 8.4(3)

!

hostname CiscoASA-5510-Test-1

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

dns-guard

!

interface Ethernet0/0

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.60.222 255.255.255.0 standby 192.168.60.223

!

interface Ethernet0/2

no nameif

no security-level

no ip address

!

interface Ethernet0/2.50

vlan 50

nameif Test_Live_WAN

security-level 50

ip address 172.26.1.1 255.255.255.0 standby 172.26.1.249

ospf cost 10

!

interface Ethernet0/3

description LAN/STATE Failover Interface

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

boot system disk0:/asa843-k8.bin

ftp mode passive

same-security-traffic permit intra-interface

object network Andy

host 192.168.90.11

object service Http

service tcp destination eq www

object service Https

service tcp destination eq https

object-group service Http-Https

service-object tcp destination eq www

service-object tcp destination eq https

access-list Test_Live_WAN_access_in extended permit tcp host 172.26.1.222 host 192.168.60.222 eq https

access-list Test_Live_WAN_access_in extended permit tcp host 172.26.1.222 host 192.168.60.222 eq www

access-list Test_Live_WAN_access_in extended permit icmp any any

access-list Test_Live_WAN_access_in extended deny ip any any

pager lines 24

logging enable

logging timestamp

logging standby

logging buffer-size 200000

logging console critical

logging monitor critical

logging buffered critical

logging trap critical

logging asdm critical

logging facility 16

logging device-id hostname

logging host inside 192.168.21.19

logging message 713167 level critical

logging message 106010 level warnings

mtu inside 1500

mtu Test_Live_WAN 1500

failover

failover lan unit primary

failover lan interface Failover_Interface Ethernet0/3

failover replication http

failover link Failover_Interface Ethernet0/3

failover interface ip Failover_Interface 10.151.27.1 255.255.255.252 standby 10.151.27.2

monitor-interface Test_Live_WAN

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

asdm history enable

arp timeout 14400

access-group Test_Live_WAN_access_in in interface Test_Live_WAN

route inside 192.168.90.0 255.255.255.0 192.168.60.254 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication enable console LOCAL

aaa authorization command LOCAL

aaa authorization exec authentication-server

http server enable

http 192.168.90.11 255.255.255.255 inside

http 172.26.1.222 255.255.255.255 Test_Live_WAN

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

telnet timeout 5

ssh 192.168.90.11 255.255.255.255 inside

ssh timeout 30

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username bob password 20ooook.. encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http

Thanks

Julio Carvajal · ‎02-15-2012

Hello Andy,

Here is the thing:

" The ASA as a security device is not going to allow traffic to a distant interface, so in your case from the inside interface on any host you will not be able to reach the outside ip address ( via icmp,telnet,ssh,asdm,etc). This as a security meassure"

So if you want to connect via ASDM you will need to access the inside interface and not the outside interface, that is why you are seeing the ACL drop

Please rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC