access rules seems not following

TECH-JEFF
Level 1

Hi, I haven't rebooted the Cisco ASA (our firewall) but might need to, since I'm encountering weird stuff on the interface where our users are, in this policy or access rules. Originally it only had the ip service, so I thought of adding icmp so that we can check by pinging outside IPs etc. That worked for me, but right after I removed icmp, the weird thing is that it can still ping a hostname and an outside DNS server like 8.8.8.8 (Google) etc.

Device is Cisco ASA 5520 with OS version 8.2

Thanks

Jeff

Jefferson Co

Aditya Ganjoo
Cisco Employee

Hi,

Could you share the access rules configured on the outside interface ?

Regards,

Aditya

Please rate helpful posts.

fw-01# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list inside_access_in; 3 elements; name hash: 0x433a1af1
access-list inside_access_in line 1 extended permit object-group DM_INLINE_PROTOCOL_2 any any 0xa61db0bd
  access-list inside_access_in line 1 extended permit ip any any (hitcnt=205985) 0xa925365e
  access-list inside_access_in line 1 extended permit icmp any any (hitcnt=0) 0xd6183fb5
access-list inside_access_in line 2 extended permit icmp any any (hitcnt=0) 0xd6183fb5
access-list outside_access_in; 1 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit ip any any (hitcnt=29) 0x7e78c5c4
access-list dmz_access_in; 2 elements; name hash: 0xde725a72
access-list dmz_access_in line 1 extended permit ip any any (hitcnt=139834) 0xba28b9ac
access-list dmz_access_in line 2 extended permit icmp any any (hitcnt=0) 0xb41d7db6
access-list inside_mpc_1; 1 elements; name hash: 0x99bd69c1
access-list inside_mpc_1 line 1 extended permit ip any vlan0090 255.255.255.0 (hitcnt=0) 0x1900fad0
access-list global_mpc; 1 elements; name hash: 0x2e734f01
access-list global_mpc line 1 extended permit ip any any (hitcnt=116018586) 0x52c4ba82
access-list management_access_in; 2 elements; name hash: 0x4814da18
access-list management_access_in line 1 extended permit ip any any (hitcnt=0) 0x9e85505c
access-list management_access_in line 2 extended permit icmp any any (hitcnt=0) 0x4f73c008
access-list outside-etpi_access_in; 4 elements; name hash: 0xf5758cf2
access-list outside-etpi_access_in line 1 extended permit object-group DM_INLINE_PROTOCOL_3 any host x.x.x.x 0x0c31585e
  access-list outside-etpi_access_in line 1 extended permit ip any host x.x.x.x (hitcnt=178) 0xe130b3d0
  access-list outside-etpi_access_in line 1 extended permit icmp any host x.x.x.x (hitcnt=0) 0x28c0644d
access-list outside-etpi_access_in line 2 extended permit object-group DM_INLINE_PROTOCOL_1 any any 0x931df8a2
  access-list outside-etpi_access_in line 2 extended permit ip any any (hitcnt=38281) 0x7a303a71
  access-list outside-etpi_access_in line 2 extended permit icmp any any (hitcnt=0) 0x566bdf50
access-list ra_vpn_access_in; 2 elements; name hash: 0x2ea3c11d
access-list ra_vpn_access_in line 1 extended permit tcp any any eq ssh (hitcnt=0) 0x20ec7d60
access-list ra_vpn_access_in line 2 extended permit tcp any any eq https (hitcnt=0) 0x7fb6781a
access-list inside_mpc; 1 elements; name hash: 0x780b2a26
access-list inside_mpc line 1 extended permit ip vlan0090 255.255.255.0 any (hitcnt=0) 0x5fa0d363
access-list inside_nat0_outbound; 1 elements; name hash: 0x467c8ce4
access-list inside_nat0_outbound line 1 extended permit ip any vlan0120 255.255.255.0 (hitcnt=0) 0x15fb09b4

Above is the access-list, or policies. The x.x.x.x is one of the NAT'ed IPs going outside, but we can ignore that for the moment.

Thanks

Jeff

Jefferson Co

Hi,

I see that you are using access-list outside-etpi_access_in line 2 extended permit ip any any

So there is no need to use permit icmp any, as the above statement will allow all traffic.

You can use a packet tracer to confirm the access-list that is being hit on the ASA.

Regards,

Aditya

Please rate helpful posts.
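To check Aditya's point mechanically, here is an added Python script (not from the thread, not Cisco's code) that parses the show access-list output format quoted above and reports ACEs that can never be hit because an earlier permit ip any any in the same ACL already covers them, plus the wide-open any/any permits worth a review. The sample is a constructed excerpt of the output Jeff posted; only the any/any case is handled, address-specific entries are assumed distinct.

```python
import re
from collections import defaultdict

# Constructed excerpt of the "show access-list" output posted in the thread.
SAMPLE = """\
access-list inside_access_in line 1 extended permit ip any any (hitcnt=205985) 0xa925365e
  access-list inside_access_in line 1 extended permit icmp any any (hitcnt=0) 0xd6183fb5
access-list inside_access_in line 2 extended permit icmp any any (hitcnt=0) 0xd6183fb5
access-list outside_access_in line 1 extended permit ip any any (hitcnt=29) 0x7e78c5c4
access-list ra_vpn_access_in line 1 extended permit tcp any any eq ssh (hitcnt=0) 0x20ec7d60
access-list ra_vpn_access_in line 2 extended permit tcp any any eq https (hitcnt=0) 0x7fb6781a
"""

# Only the expanded entries (those carrying a hitcnt) are matched; the
# object-group parent lines without a counter are skipped.
ACE_RE = re.compile(
    r"^\s*access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.+?) "
    r"\(hitcnt=(?P<hits>\d+)\) 0x[0-9a-f]+$")

def parse_aces(text):
    """Return the expanded ACEs per ACL, in the order the ASA evaluates them."""
    acls = defaultdict(list)
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            d = m.groupdict()
            d["line"], d["hits"] = int(d["line"]), int(d["hits"])
            acls[d["acl"]].append(d)
    return acls

def covers(earlier, later):
    """True if the earlier any/any ACE matches everything the later ACE would."""
    proto_ok = earlier["proto"] == "ip" or earlier["proto"] == later["proto"]
    return proto_ok and earlier["rest"] == "any any" and later["rest"].startswith("any any")

def find_shadowed(acls):
    """(acl, line, ace text, shadowing line) for ACEs no packet can ever reach."""
    out = []
    for acl, aces in acls.items():
        for i, later in enumerate(aces):
            for earlier in aces[:i]:
                if covers(earlier, later):
                    text = f"{later['action']} {later['proto']} {later['rest']}"
                    out.append((acl, later["line"], text, earlier["line"]))
                    break
    return out

def find_any_any_permits(acls):
    """Wide-open 'permit ip any any' entries with their hit counters, for review."""
    return [(acl, a["line"], a["hits"]) for acl, aces in acls.items() for a in aces
            if a["action"] == "permit" and a["proto"] == "ip" and a["rest"] == "any any"]

if __name__ == "__main__":
    acls = parse_aces(SAMPLE)
    for acl, line, ace, by in find_shadowed(acls):
        print(f"{acl} line {line}: '{ace}' is never reached, shadowed by line {by}")
    for acl, line, hits in find_any_any_permits(acls):
        print(f"{acl} line {line}: permit ip any any ({hits} hits), review")
```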

OK, what I did was remove the ip service and just put in domain. I was able to browse but icmp was not working. So I changed it from domain udp/tcp to ip and it worked for both: I was able to browse and able to ping.

I have now moved on to my next issue: if I can ping a website, DNS, etc., I'm not sure why I can't ping my IP block. The outside-etpi or ISP1 is our main one, which has a block of /29. I can ping our gateway (which is the ISP side). For example, if its IP is:

GW(ISP): 192.168.67.113 --> pingable

FW port (our side): 192.168.67.114 --> not pingable, and neither are the other IPs

Did I miss something in our config?

Thanks

Jeff

Jefferson Co

Hi Jeff,

By design you would not be able to ping ASA outside interface IP from the inside network.

Regards,

Aditya

Please rate helpful posts.

I see, thanks for the input Aditya, and thanks for your patience with a novice like me. So by design, regardless of whether I NAT'ed a local IP to a WAN IP, it will still not be pingable. What I did was set up an FTP server with a local IP and NAT'ed this local IP, for example 192.168.11.3, to a WAN IP, for example 192.168.67.117, and our gateway is 192.168.67.113.

Thanks

Jeff

Jefferson Co

Hi Jeff,

Only interface IP should not be pingable.

All other IP's should be pingable.

Regards,

Aditya

Please rate helpful posts.

OK, copy that, so that clarifies everything. The only problem now is that I need to check why I can't ping the other IPs in this block.

Thank you and have a great day ahead!

Jeff

Jefferson Co

Hi Jeff,

Yes you are right.

Regards,

Aditya
