06-09-2014 11:22 AM - edited 03-11-2019 09:18 PM
I am trying to apply an access list to an internal subnet that is different from the inside address of the ASA.
The ASA inside network is a 192.168.1.x network. The network that I am trying to apply an access list to is 10.6.150.x.
Here is my example config
ASA Version 8.2(1)
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 155.155.155.18 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
object-group network blocked-hosts
network-object host 8.8.8.8
access-list outside_acl extended deny ip object-group blocked-hosts any
access-list inside_acl extended deny ip any object-group blocked-hosts
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_acl in interface outside
access-group inside_acl in interface inside
route outside 0.0.0.0 0.0.0.0 155.155.155.17 1
route inside 10.6.150.0 255.255.255.0 192.168.1.1 1
If I ping host 8.8.8.8 from a 192.168.1.x address the ping is blocked.
If I ping host 8.8.8.8 from a 10.6.150.x address the ping is allowed.
Thank you in advance.
06-09-2014 11:46 AM
Based on the partial configuration you've provided, it should be blocked from any host whose path out of the local LANs is trying to go out via the ASA inside interface.
Have you confirmed the traffic from 10.6.150.x is indeed passing through the ASA?
Can you check:
packet-tracer input inside icmp 10.6.150.1 0 0 8.8.8.8
06-09-2014 12:08 PM
The ASA is the only route out of the environment.
I wonder if it is a NAT issue. Packet-tracer shows a block, but a tracert and ping still work on the client.
cdxasa(config)# packet-tracer input inside icmp 10.6.150.1 0 0 8.8.8.8
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_acl in interface inside
access-list inside_acl extended permit icmp any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (155.155.155.18 [Interface PAT])
translate_hits = 20238713, untranslate_hits = 1724138
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
tracert 8.8.8.8
Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 10.6.150.1
2 82 ms 79 ms 83 ms wsip-155-155-155-17.oc.oc.net [155.155.155.17]
3 135 ms 133 ms 138 ms wsip-155-155-132-249.oc.oc..net [155.155.132.249]
4 116 ms 175 ms 31 ms 155.4.15.250
5 194 ms 148 ms 152 ms ip155-4-11-10.oc.oc.net [155.4.11.10]
6 215 ms 212 ms 199 ms dllsbbrj02-ge020.rd.dl.oc.net [155.1.0.149]
7 202 ms 26 ms 50 ms langbbrj01-ge050000804.r2.la.oc.net [155.105.30.181]
8 3 ms 3 ms 4 ms 216.239.46.40
9 239 ms 251 ms 239 ms 72.14.238.2
10 74 ms 40 ms 41 ms 72.14.239.159
11 50 ms 44 ms 68 ms 64.233.174.129
12 * * * Request timed out.
13 36 ms 55 ms 35 ms google-public-dns-a.google.com [8.8.8.8]
Trace complete.
06-09-2014 12:55 PM
Your traceroute output indicates the traffic is hitting 10.6.150.1 and then on to 155.155.155.17 as hop #2.
I don't see the ASA in that path.
Also, what's that access-list entry "access-list inside_acl extended permit icmp any any" reported by packet-tracer?
06-09-2014 01:47 PM
10.6.150.1 is a VLAN IP for the switch that handles internal routing. It is handing all external traffic off to the ASA. 155.155.155.17 is the gateway on the other side of the ASA. I am not sure why the tracert is omitting the inside address of the ASA, but there is no other way to get out.
The "access-list inside_acl extended permit icmp any any" is an entry in the ACL on line 2.
The blocked host entry is Line 1.
Doing further testing on this to answer your question, I determined that my original question is a bit of a red herring.
My initial problem was trying to resolve an issue with a policy map. Troubleshooting that problem, I found that the access list for the policy was never getting hit, so I reasoned that it was an ACL issue. As a test I set a ping 8.8.8.8 -t on a client in the affected subnet. Then I added 8.8.8.8 to a blocked-host rule. When the ping traffic continued, I reasoned it was the subnet/ACL issue I described.
Silly me. Because the connection was established prior to adding the deny rule it was not interrupted. Once I stopped the persistent ping, and restarted it, the traffic was properly blocked.
I am left with my original issue, and none the wiser to the source of my problem.
I am trying to set a rate limit on vlan03. The rate limit for colo works as expected. The vlan03 access list is never hit, so I am assuming that is why the policy is not kicking in.
access-list rate_limit_colo_acl extended permit ip host 99.99.99.13 any
access-list rate_limit_colo_acl extended permit ip any host 99.99.99.13
access-list rate_limit_vlan03_acl extended permit ip 10.6.150.0 255.255.255.0 any
access-list rate_limit_vlan03_acl extended permit ip any 10.6.150.0 255.255.255.0
!
class-map rate_limit_colo_map
match access-list rate_limit_colo_acl
class-map rate_vlan03_map
match access-list rate_limit_vlan03_acl
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map policy_rate_limit_map
class rate_limit_colo_map
police output 1000000 5000
police input 1000000 5000
class rate_vlan03_map
police output 10000 3000
police input 10000 3000
!
service-policy global_policy global
service-policy policy_rate_limit_map interface outside
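The behaviour described in the post above (a deny entry added while a ping is running does not stop that ping, while packet-tracer reports a drop for the same 5-tuple) is worth seeing side by side. The following is an added example, not code from the thread or from Cisco: a deliberately small Python model of a stateful firewall with a first-match ACL and a connection table. The class names, the ACE string format and the clear_conn() method are this example's own simplifications, not ASA syntax; on a real ASA of that era the equivalent of clear_conn() is tearing down the existing flows (for example with clear local-host for the affected client, or clear conn) after editing the ACL.

```python
"""Added example (not part of the original thread): why a new deny ACE does
not interrupt an established ping, and why packet-tracer still says DROP.

Model: the interface ACL is consulted only for the first packet of a flow.
Later packets of that flow match the connection table and skip the ACL.
packet-tracer always evaluates a brand-new flow ("Found no matching flow,
creating a new flow" in the thread's output), so it reflects the current ACL
while the live flow keeps going until its connection entry is removed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import Optional


@dataclass
class Ace:
    action: str        # "permit" or "deny"
    proto: str         # "ip" matches any protocol; otherwise "icmp", "tcp", ...
    src: IPv4Network
    dst: IPv4Network

    def matches(self, proto: str, src: IPv4Address, dst: IPv4Address) -> bool:
        return self.proto in ("ip", proto) and src in self.src and dst in self.dst


def ace(action: str, proto: str, src: str, dst: str) -> Ace:
    """Build an ACE from strings; 'any' means 0.0.0.0/0 (example syntax, not ASA CLI)."""
    def net(s: str) -> IPv4Network:
        return ip_network("0.0.0.0/0" if s == "any" else s, strict=False)
    return Ace(action, proto, net(src), net(dst))


@dataclass
class StatefulFirewall:
    acl: list = field(default_factory=list)
    # connection table keyed by (proto, src, dst); value is the ACE that permitted the flow
    conns: dict = field(default_factory=dict)

    def evaluate_acl(self, proto: str, src: IPv4Address, dst: IPv4Address) -> tuple:
        """First-match evaluation with an implicit deny at the end, like an ASA ACL."""
        for entry in self.acl:
            if entry.matches(proto, src, dst):
                return entry.action, entry
        return "deny", None

    def forward(self, proto: str, src: str, dst: str) -> str:
        """Process one live packet: existing flows bypass the ACL, new flows are checked."""
        key = (proto, ip_address(src), ip_address(dst))
        if key in self.conns:
            return "allow (existing flow)"
        action, matched = self.evaluate_acl(*key)
        if action == "permit":
            self.conns[key] = matched
            return "allow (new flow)"
        return "drop (acl-drop)"

    def packet_tracer(self, proto: str, src: str, dst: str) -> str:
        """Like the ASA tool: evaluates a fresh flow against the current ACL, never the conn table."""
        action, _ = self.evaluate_acl(proto, ip_address(src), ip_address(dst))
        return "ALLOW" if action == "permit" else "DROP"

    def clear_conn(self, host: str) -> int:
        """Tear down every flow involving `host`; returns how many were removed."""
        h = ip_address(host)
        doomed = [k for k in self.conns if h in (k[1], k[2])]
        for k in doomed:
            del self.conns[k]
        return len(doomed)


def demo() -> list:
    """Replays the thread's experiment with constructed addresses; returns the verdicts in order."""
    fw = StatefulFirewall(acl=[ace("permit", "icmp", "any", "any")])
    verdicts = []
    verdicts.append(fw.forward("icmp", "10.6.150.1", "8.8.8.8"))       # ping -t starts: permitted
    # Add the deny as ACL line 1, in front of the permit (adding 8.8.8.8 to blocked-hosts)
    fw.acl.insert(0, ace("deny", "ip", "any", "8.8.8.8/32"))
    verdicts.append(fw.forward("icmp", "10.6.150.1", "8.8.8.8"))       # still allowed: existing flow
    verdicts.append(fw.packet_tracer("icmp", "10.6.150.1", "8.8.8.8"))  # tracer evaluates anew: DROP
    fw.clear_conn("10.6.150.1")                                         # stop/restart the ping, or clear the flow
    verdicts.append(fw.forward("icmp", "10.6.150.1", "8.8.8.8"))       # new flow hits the deny
    return verdicts


if __name__ == "__main__":
    for v in demo():
        print(v)
```

Running demo() prints allow (new flow), allow (existing flow), DROP, drop (acl-drop): the same sequence the poster saw with the live ping, packet-tracer and the restarted ping. The practical check after any ACL edit is therefore to clear the affected connections (or restart the client session) before concluding that the rule is not matching.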