ASA with Implicit Rule

IrishMann
Level 1

Hello All,

I have a 5510 protecting a single MPLS site. I am trying to configure some new rules to allow traffic to flow into the ASA, but looking at the logging, everything is being denied by an implicit rule.

How can I get past these implicit rules?

same-security-traffic permit inter-interface
access-list in-out extended permit ip 10.3.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list outside_access_in extended permit ip any any

Thanks

Colin

9 Replies

ajay chauhan
Level 7

Colin,

Where and in which direction are these ACLs placed? I also need to know what you are seeing in the logs.

Thanks

Ajay

cadet alain
VIP Alumni

Hi,

The implicit rule is the implicit deny all which is attached by default to traffic flowing from a low security level to a high security level. To permit some traffic you must create an ACL permitting this traffic like you did (but don't make an explicit permit all at the end, otherwise all traffic will be permitted) and apply it to the low level interface inbound with the access-group command.

Regards.

Alain

Don't forget to rate helpful posts.

Here are my logs 

Can you please also post the interface configuration?

Thanks

Ajay

Just wondering if 10.3.331 is one of the interface IPs; by rule you cannot ping any interface on either the PIX or the ASA unless it is the interface that is facing you.

interface Ethernet 0/1
 nameif inside
 security-level 100
 ip address 10.3.0.2 255.255.255.0
interface ethernet 0/0
 speed 100
 duplex full
 nameif outside
 security-level 100
 ip address 10.3.1.2 255.255.255.0

Hi,

Can you post the entire config?

Regards.

Alain

Don't forget to rate helpful posts.

Sure... here is the full config.... nothing too fancy.

ASA Version 8.2(4)
!
enable password g45TCjltcS2oGK2I encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 description connected to MPLS ROUTER GIGA0/0
 speed 100
 duplex full
 nameif outside
 security-level 100
 ip address 10.3.1.2 255.255.255.0
!
interface Ethernet0/1
 description connected to INTERNAL switch f1/0/48
 nameif inside
 security-level 100
 ip address 10.3.0.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
 domain-name **********
same-security-traffic permit inter-interface
access-list in-out extended permit ip 10.3.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list outside_access_in extended permit ip any 10.3.0.0 255.255.0.0
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
!
router ospf 1
 redistribute static
!
route outside 0.0.0.0 0.0.0.0 10.3.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ACS protocol tacacs+
aaa-server ACS (outside) host 10.0.0.29
 key *****
aaa authentication ssh console ACS LOCAL
aaa authentication telnet console ACS LOCAL
aaa accounting ssh console ACS
aaa accounting command privilege 15 ACS
aaa accounting telnet console ACS
http server enable
http 10.3.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.0.57.0 255.255.255.0 outside
telnet timeout 5
ssh 10.0.57.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.0.5.17 source outside prefer
webvpn
username 911ab password bRI8ulPB836Ut5JJ encrypted privilege 15
username itmiss password bImuwBDu9t8S0Nje encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9fbd6638bd309179a31fe938446d30c5

Can you change security-level 100 to 0 for the outside interface?
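The two points the replies turn on, Alain's explanation of the implicit deny at the end of an applied ACL (and why an explicit permit any any defeats it) and the last reply's question about both interfaces sitting at security-level 100, can be checked against the posted configuration with a small model. The following Python is an added example written for this thread; it is not Cisco code and not something any of the posters supplied. It models only three documented ASA behaviours (an inbound access-group with its implicit deny, higher-to-lower flow without an ACL, and the same-security-traffic requirement for equal levels) and deliberately ignores NAT, inspection and the rule about pinging far-side interfaces. The ACL and access-group lines are taken from Colin's config above; the flow addresses used in the checks are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of ASA access-control decisions, written for this thread
# as an illustration (not Cisco code; NAT, inspection and ICMP-to-interface
# rules are ignored). It models three behaviours the replies rely on:
#  1. an interface with an inbound access-group is governed by that ACL,
#     evaluated top-down, with an implicit "deny ip any any" at the end;
#  2. without an ACL, traffic may go from a higher security level to a lower
#     one but not the reverse;
#  3. equal security levels only talk to each other when
#     "same-security-traffic permit inter-interface" is configured.


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp", "icmp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC MASK DST MASK'.

    'any' stands for 0.0.0.0/0 and takes one token; an address takes two.
    """
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"unsupported line: {line}")
    name, action, proto = tok[1], tok[3], tok[4]
    rest = tok[5:]

    def take():
        if rest[0] == "any":
            rest.pop(0)
            return ipaddress.ip_network("0.0.0.0/0")
        addr, mask = rest.pop(0), rest.pop(0)
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

    src = take()
    dst = take()
    return name, Ace(action, proto, src, dst)


def parse_config(config_lines):
    """Collect ACLs by name and the access-group bindings (ACL name per interface)."""
    acls, bindings = {}, {}
    for line in config_lines:
        if line.startswith("access-list "):
            name, ace = parse_ace(line)
            acls.setdefault(name, []).append(ace)
        elif line.startswith("access-group "):
            tok = line.split()             # access-group NAME in interface IFACE
            bindings[tok[4]] = tok[1]
    return acls, bindings


def evaluate_acl(aces, src_ip, dst_ip, proto="ip"):
    """First matching ACE wins; no match is the implicit deny (index -1)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, ace in enumerate(aces):
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace.action, i
    return "deny", -1


def default_allowed(in_level, out_level, same_security_inter=False):
    """Decision for an ingress interface with no inbound ACL bound."""
    if in_level > out_level:
        return True
    if in_level == out_level:
        return same_security_inter
    return False


def audit_open_aces(acls):
    """Flag ACEs that permit ip any -> any, the catch-all Alain warns against."""
    return [(name, i) for name, aces in acls.items()
            for i, ace in enumerate(aces)
            if ace.action == "permit" and ace.proto == "ip"
            and ace.src.prefixlen == 0 and ace.dst.prefixlen == 0]


# Constructed sample: the ACL and access-group lines from Colin's posted config.
SAMPLE_CONFIG = """\
access-list in-out extended permit ip 10.3.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list outside_access_in extended permit ip any 10.3.0.0 255.255.0.0
access-list inside_access_in extended permit ip any any
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
""".splitlines()

ACLS, BINDINGS = parse_config(SAMPLE_CONFIG)

if __name__ == "__main__":
    outside_acl = ACLS[BINDINGS["outside"]]
    print(evaluate_acl(outside_acl, "10.0.0.29", "10.3.0.50"))   # ('permit', 0)
    print(evaluate_acl(outside_acl, "10.0.0.29", "172.16.5.5"))  # ('deny', -1)
    print(default_allowed(100, 100), default_allowed(100, 100, True))
    print(audit_open_aces(ACLS))                                 # inside_access_in
```

Two things the model makes visible in the posted config: the in-out ACL is defined but appears in no access-group line, so it never takes part in any decision, and inside_access_in is exactly the permit ip any any that Alain advises against, so nothing leaving the inside interface is ever filtered. Anything arriving on outside that is not destined for 10.3.0.0/16 falls through to the implicit deny, which is the kind of entry that shows up in the log as a deny by the access-group.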
