ASA ACL drop all

Giuseppe9
Level 1

Hello,

I'm trying to configure the ACL on ASA 5505.

I added some Permit rules on the outside interface (which I'm using for the test), but when I use the Packet Tracer on ASDM it says Dropped at "Global (implicit rule)".

It does:

- ROUTE-LOOKUP: Ok
- ACCESS-LIST: Ok
- IP-OPTIONS: Ok
- INSPECT: Ok
- HOST-LIMIT: Ok
- ACCESS-LIST: Fail (implicit rule)

What I'm trying is a ping to 8.8.8.8 or a UDP connection to 8.8.8.8 port 53; both fail.

These are my ACLs:

Interface,"#","Enabled","Source","Destination","Service","Action","Hits","Logging","Time","Description"
inside (1 incoming rule),"1","True","any","any","ip","Permit","0","Default","",""
inside (1 outgoing rule),"1","True","any","any","icmp","Permit","0","Default","",""
outside (4 incoming rules),"1","True","any","any","tcp","Permit","210","Default","",""
outside (4 incoming rules),"2","True","any","any","udp","Permit","2696","Default","",""
outside (4 incoming rules),"3","True","any","any","ip","Permit","0","Default","",""
outside (4 incoming rules),"4","True","any","any","icmp","Permit","0","Default","",""
outside (1 outgoing rule),"1","True","any","any","icmp","Permit","0","Default","",""
Global (3 rules),"1","True","any","any","tcp-udp","Permit","687","Default","",""
Global (3 rules),"2","True","any","any","ip","Permit","0","Default","",""
Global (3 rules),"3","","any","any","ip","Deny","","Default","","Implicit rule"

What am I doing wrong?

- Giuseppe

Accepted Solution

Ok, solved using the network object, creating a network object per rule and creating a NAT rule from there.

Thanks anyway for your time.

4 Replies

Francesco Molino
VIP Alumni
Hi

I'm sorry, I'm not able to read your table correctly. Can you connect to your ASA using SSH and export the config? I need the interface, NAT and ACL configs for now. You can drop your complete file if you want, but remove confidential data from it.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Here is the running config:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.4.201 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 100
 ip address 192.168.3.202 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
 switchport access vlan 2
!
interface Ethernet0/4
 switchport access vlan 2
!
interface Ethernet0/5
 switchport access vlan 2
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list inside_access_out extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list outside_access_out extended permit icmp any any
access-list global_access extended permit object-group TCPUDP any any
access-list global_access extended permit ip any any
access-list outside_access_in extended permit tcp any any
access-list outside_access_in extended permit udp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
no pager
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ipv6 access-list outside_access_ipv6_in permit icmp6 any any
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group outside_access_ipv6_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 192.168.3.200 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.3.0 255.255.255.0 inside
http 192.168.3.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context

I can ping 8.8.8.8, but the UDP connection doesn't work (it gets dropped).

Of course I tried with security level 0 too.

Ok, I realized that the problem was the NAT.

Now it works, so I stepped to the next point, the port forwarding.

I set "permit" for all TCP traffic in outside_in and outside_out. Packet Tracer shows the simulation as successful, and according to syslog the port forward works fine, but nmap reports the port as "filtered".

A "show conn detail" shows that it is stuck waiting for the SYN ACK:

ciscoasa# sh conn detail
5 in use, 14 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,
       D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, M - SMTP data, m - SIP media, n - GUP
       O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
       q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
       V - VPN orphan, W - WAAS,
       X - inspected by service module
UDP outside:192.168.3.72/29810 inside:192.168.4.203/40067,
    flags -, idle 2s, uptime 1m18s, timeout 2m0s, bytes 9200
UDP outside:192.168.3.72/29810 inside:192.168.4.203/58745,
    flags -, idle 1m23s, uptime 3m19s, timeout 2m0s, bytes 13800
TCP outside:192.168.3.250/80 outside:212.xx.xx.xx/58484,
    flags SaAB, idle 1s, uptime 2s, timeout 30s, bytes 0

What could be the cause of that?

I know that the destination host works fine, because it worked with the old switch.
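The conn table above can be decoded mechanically rather than by eye. The following Python script is an added example (not code from the thread or from Cisco): it joins the two-line records of `show conn detail`, expands the flag letters using the legend the ASA prints, reports TCP conns that never reached the U (up) state, and points out when both endpoints of a conn sit on the same interface, which is what the last entry above shows. The function names `parse_show_conn` and `diagnose` and the regular expression are my own; the sample input is copied from the output posted in the thread.

```python
import re

# Subset of the flag legend printed by "show conn detail" (see the header above)
CONN_FLAGS = {
    "A": "awaiting inside ACK to SYN", "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside", "S": "awaiting inside SYN",
    "s": "awaiting outside SYN", "U": "up", "I": "inbound data",
    "O": "outbound data", "F": "outside FIN", "f": "inside FIN",
}

# One joined record: "<proto> <if>:<ip>/<port> <if>:<ip>/<port>, flags ..., bytes N"
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<if1>\S+?):(?P<ip1>\S+?)/(?P<port1>\d+) "
    r"(?P<if2>\S+?):(?P<ip2>\S+?)/(?P<port2>\d+), flags (?P<flags>\S+), "
    r"idle (?P<idle>\S+), uptime (?P<uptime>\S+), timeout (?P<timeout>\S+), "
    r"bytes (?P<bytes>\d+)"
)

# Conn records copied from the "sh conn detail" output posted in the thread
SAMPLE = """\
UDP outside:192.168.3.72/29810 inside:192.168.4.203/40067,
    flags -, idle 2s, uptime 1m18s, timeout 2m0s, bytes 9200
UDP outside:192.168.3.72/29810 inside:192.168.4.203/58745,
    flags -, idle 1m23s, uptime 3m19s, timeout 2m0s, bytes 13800
TCP outside:192.168.3.250/80 outside:212.xx.xx.xx/58484,
    flags SaAB, idle 1s, uptime 2s, timeout 30s, bytes 0
"""

def parse_show_conn(output):
    """Join each two-line conn record and return one dict per connection."""
    records = []
    for line in output.splitlines():
        if re.match(r"^(TCP|UDP) ", line):
            records.append(line.strip())
        elif records and line.lstrip().startswith("flags "):
            records[-1] += " " + line.strip()   # indented continuation line
    return [m.groupdict() for m in map(CONN_RE.match, records) if m]

def diagnose(conn):
    """Expand the flags and add the checks that matter for a stuck port forward."""
    flags = "" if conn["flags"] == "-" else conn["flags"]   # UDP prints "-"
    findings = [CONN_FLAGS.get(f, "unknown flag " + f) for f in flags]
    if conn["proto"] == "TCP" and "U" not in flags:
        findings.append("handshake not complete (no U flag)")
        if "B" in flags and "S" in flags:
            findings.append("SYN from outside accepted, no SYN/ACK from the server yet")
    if conn["if1"] == conn["if2"]:
        findings.append("both endpoints on interface '%s' (hairpin)" % conn["if1"])
    return findings
```

Run over a fresh capture, the conns returned by `parse_show_conn` that `diagnose` marks as incomplete are the ones whose forward or return path needs checking against the NAT and ACL configuration.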
