06-05-2018 12:16 PM - edited 02-21-2020 07:51 AM
Hello,
I'm trying to configure the ACL on ASA 5505.
I added some Permit Rule on outside interface (what I'm using for the test) but when I use the Packet Tracer on ASDM it say Dropped at "Global (implic rule)"
It does:
- ROUTE-LOOKUP: Ok
- ACCESS-LIST: Ok
- IP-OPTIONS: Ok
- INSPECT: Ok
- HOST-LIMIT: Ok
- ACCESS-LIST: Fail (implicit rule)
What I'm trying is a ping to 8.8.8.8 or an UDP connection to 8.8.8.8 port 53, both fail.
That are my ACLs:
Interface,"#","Enabled","Source","Destination","Service","Action","Hits","Logging","Time","Description" |
inside (1 incoming rule),"1","True","any","any","ip","Permit","0","Default","","" |
inside (1 outgoing rule),"1","True","any","any","icmp","Permit","0","Default","","" |
outside (4 incoming rules),"1","True","any","any","tcp","Permit","210","Default","","" |
outside (4 incoming rules),"2","True","any","any","udp","Permit","2696","Default","","" |
outside (4 incoming rules),"3","True","any","any","ip","Permit","0","Default","","" |
outside (4 incoming rules),"4","True","any","any","icmp","Permit","0","Default","","" |
outside (1 outgoing rule),"1","True","any","any","icmp","Permit","0","Default","","" |
Global (3 rules),"1","True","any","any","tcp-udp","Permit","687","Default","","" |
Global (3 rules),"2","True","any","any","ip","Permit","0","Default","","" |
Global (3 rules),"3","","any","any","ip","Deny","","Default","","Implicit rule" |
Where am I doing wrong?
- Giuseppe
Solved! Go to Solution.
06-09-2018 12:36 PM
Ok, solved using the network object, creating a network object per rules and create a NAT rule from there.
Thanks anyway for your time.
06-05-2018 05:09 PM
06-09-2018 02:02 AM - edited 06-09-2018 02:31 AM
Here the running config:
interface Vlan1 nameif inside security-level 100 ip address 192.168.4.201 255.255.255.0 ! interface Vlan2 nameif outside security-level 100 ip address 192.168.3.202 255.255.255.0 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 switchport access vlan 2 ! interface Ethernet0/2 switchport access vlan 2 ! interface Ethernet0/3 switchport access vlan 2 ! interface Ethernet0/4 switchport access vlan 2 ! interface Ethernet0/5 switchport access vlan 2 ! interface Ethernet0/6 ! interface Ethernet0/7 ! ftp mode passive same-security-traffic permit inter-interface same-security-traffic permit intra-interface object network obj_any subnet 0.0.0.0 0.0.0.0 object-group protocol TCPUDP protocol-object udp protocol-object tcp access-list inside_access_out extended permit icmp any any access-list inside_access_in extended permit ip any any access-list outside_access_out extended permit icmp any any access-list global_access extended permit object-group TCPUDP any any access-list global_access extended permit ip any any access-list outside_access_in extended permit tcp any any access-list outside_access_in extended permit udp any any access-list outside_access_in extended permit ip any any access-list outside_access_in extended permit icmp any any no pager logging enable logging asdm informational mtu outside 1500 mtu inside 1500 ipv6 access-list outside_access_ipv6_in permit icmp6 any any icmp unreachable rate-limit 1 burst-size 1 icmp permit any outside icmp permit any inside no asdm history enable arp timeout 14400 ! object network obj_any nat (inside,outside) dynamic interface access-group outside_access_in in interface outside access-group outside_access_out out interface outside access-group outside_access_ipv6_in in interface outside access-group inside_access_in in interface inside access-group inside_access_out out interface inside access-group global_access global route outside 0.0.0.0 0.0.0.0 192.168.3.200 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 dynamic-access-policy-record DfltAccessPolicy http server enable http 192.168.3.0 255.255.255.0 inside http 192.168.3.0 255.255.255.0 outside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd auto_config outside ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept webvpn ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options inspect icmp inspect icmp error ! service-policy global_policy global prompt hostname context
I can ping 8.8.8.8, but the UDP conenction doesn't work (get dropped)
Of course I tried with security level 0 too.
06-09-2018 09:54 AM
Ok, I realized that the problem was the NAT.
Now it works so I stepped to the next point, the port forwarding.
I set "permit" all tcp traffic in outside_in and outside_out, Packet Tracer show the simulation as successful, and according to syslog the port forward works good, but with nmap it result as "filtered".
A "show conn detail" show that it is stucked on waiting for SYN ACK:
ciscoasa# sh conn detail 5 in use, 14 most used Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN, B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media, D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN, G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data, i - incomplete, J - GTP, j - GTP data, K - GTP t3-response k - Skinny media, M - SMTP data, m - SIP media, n - GUP O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection, q - SQL*Net data, R - outside acknowledged FIN, R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN, s - awaiting outside SYN, T - SIP, t - SIP transient, U - up, V - VPN orphan, W - WAAS, X - inspected by service module UDP outside:192.168.3.72/29810 inside:192.168.4.203/40067, flags -, idle 2s, uptime 1m18s, timeout 2m0s, bytes 9200 UDP outside:192.168.3.72/29810 inside:192.168.4.203/58745, flags -, idle 1m23s, uptime 3m19s, timeout 2m0s, bytes 13800 TCP outside:192.168.3.250/80 outside:212.xx.xx.xx/58484, flags SaAB, idle 1s, uptime 2s, timeout 30s, bytes 0
What could be the cause of that ?
I know that the destination host works good, because in the old switch it worked.
06-09-2018 12:36 PM
Ok, solved using the network object, creating a network object per rules and create a NAT rule from there.
Thanks anyway for your time.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide