ASA ACL problem

I don't know what's wrong with this:

Doing

access-list outside_access_in extended permit tcp any interface outside eq www

is working but this:

access-list outside_access_in extended permit tcp 172.12.33.0 255.255.255.0 interface outside eq www

is not working.

I've double checked the IP and I can even see it as the source IP in the log.

Why does the ASA not recognise this ACL when the source IP is written?

Thanks!

7 Replies

Julio Carvajal
VIP Alumni

Hello Jean,

Is 172.12.33.0 subnet reachable for the ASA via the outside interface?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes it's my public IP.

I can see in the log that the ASA really identified it as the source IP trying to connect to it

Hello Jean,

Ok, so can you share your configuration so I can let you know why this is not working.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

It's only working with ANY source in the ACL.

if I put in my IP, it's not working.

And I'm truly sure the IP is good.

Hello Jean,

Can you post the running-configuration (with some changes due to your own network security)? We need to see what you want to accomplish, check the NAT statements, access-group, complete ACLs, etc.

Ok, so the network 172.12.33.0 /16 on the outside security zone is trying to access the outside interface on port 80 and it's not working unless you configure the ACL with the tcp any interface outside.

Can you also share the following packet-tracer output:

packet-tracer input outside tcp 172.12.33.15 1025 x.x.x.x (outside ip address) 80

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I'll give you the part you'd need.

access-list outside_access_in extended permit tcp host 102.51.88.50 host 201.223.12.226 eq www  <-- This won't work
access-list outside_access_in extended permit tcp host 102.251.177.74 host 201.223.12.226 eq www  <-- This won't work
access-list outside_access_in extended permit tcp host 51.231.212.98 host 201.223.12.226 eq www  <-- This won't work
access-list outside_access_in extended permit tcp host 211.222.31.194 host 201.223.12.226 eq www  <-- This won't work

access-list outside_access_in extended permit tcp 23.111.101.0 255.255.255.0 host 201.223.12.226 eq www  <-- This won't work

access-list outside_access_in extended permit tcp any host 201.223.12.226 eq www  <-- This works correctly

static (inside,outside) tcp interface www PBX www netmask 255.255.255.255

If I only put the ACL that doesn't work, it jumps directly to the "access-list outside_access_in extended deny"
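To see why a single wrong source address sends a flow straight to the implicit deny, here is an added Python sketch (not Cisco's code and not from this thread) that applies the ASA's first-match ACL evaluation to the entries posted above. It assumes the outside interface address is 201.223.12.226, as in the thread, and that the `interface outside` keyword resolves to that mapped address (the pre-8.3 convention implied by the `static` command on this page); the packets it checks are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed outside interface address (the mapped address used in the thread);
# the "interface outside" keyword in an ACE is resolved to it.
OUTSIDE_IP = "201.223.12.226"
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}

@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str

def _addr(tok, i):
    """Consume one ASA address spec: any | host A | A MASK | interface NAME."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i] == "interface":
        return ipaddress.ip_network(OUTSIDE_IP + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2  # addr netmask

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    src, i = _addr(tok, 5)
    dst, i = _addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(tok[3], tok[4], src, dst, dport, line)

def first_match(acl, proto, src, dst, dport):
    """ASA ACLs are first-match: return the matching ACE, or None (implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst \
                and ace.dport in (None, dport):
            return ace
    return None

# Constructed ACL using two of the entries posted in the thread (no "any" line).
ACL = [parse_ace(l) for l in """
access-list outside_access_in extended permit tcp host 102.51.88.50 host 201.223.12.226 eq www
access-list outside_access_in extended permit tcp 23.111.101.0 255.255.255.0 host 201.223.12.226 eq www
""".strip().splitlines()]

if __name__ == "__main__":
    for src in ("23.111.101.40", "203.0.113.9"):  # 203.0.113.0/24 is documentation space
        hit = first_match(ACL, "tcp", src, OUTSIDE_IP, 80)
        print(src, "->", hit.text if hit else "no match: implicit deny")
```

If the address the ASA actually logs as the source is not inside one of the permitted source ranges (for example because an upstream NAT rewrote it), the lookup falls through exactly like the second constructed packet.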

Hello,

Okay, let's do the following.

Let's leave just the ACL without the tcp any any.

access-list outside_access_in extended permit tcp 23.111.101.0 255.255.255.0 host 201.223.12.226 eq www

Let's create a capture (for that you will need to generate some traffic from a 23.111.101.x host).

access-list capout permit tcp host 23.111.101.x host 201.223.12.226 eq 80

access-list capout permit tcp host 201.223.12.226 eq 80 host 23.111.101.x

access-list capin permit tcp host 23.111.101.x host PBX eq 80

access-list capin permit tcp host PBX eq 80 host 23.111.101.x

capture capin access-list capin interface inside

capture capout access-list capout interface outside

capture asp type asp-drop all

Now generate the traffic

Then provide the following data:

show capture asp | include 23.111.101.x

Go to a browser : https://inside_interface_ip_address/capture/capin/pcap

https://inside_interface_ip_address/capture/capout/pcap

And upload the files to this discussion.

Do rate helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC