11-12-2012 12:36 PM - edited 03-11-2019 05:22 PM
EDIT: If I'm missing something that's required or you just have some questions, just let me know and I'll add the necessary information.
I am trying to set up an ASA5550 so that I can access the servers behind it. Simple.
As of now, I am unable to even create an access-list to allow traffic from my remote IP into the firewall. As for my level of experience with Cisco firewalls, it's basically zero, but I have taken the Cisco CCNAX class and feel that I have a good understanding of the fundamentals. That said, we only dealt with routers and switches, and it's not impossible that I'm missing something that would be totally obvious to most folks on this board. I've used CLI and ASDM with no success.
Here are the relevant parts of the config:
interface GigabitEthernet0/2
description "xxxxxxxxxx"
speed 1000
duplex full
nameif outside
security-level 0
ip address 200.x.x.85 255.255.255.240 standby 200.xx.xx.86
!
interface GigabitEthernet1/0
speed 1000
duplex full
nameif inside
security-level 100
ip address 10.xx.xx.33 255.255.255.224
!
access-list outside_access_in extended permit ip host 70.xx.xx.195 any
access-list outside_access_in extended permit ip host 200.xx.xx.161 host 10.xx.xx.35
access-group outside_access_in in interface outside
In ASDM, when I use the real time log viewer in Debug mode, I get the following when I hit 200.xx.xx.161 with my browser from 70.xx.xx.195:
2 | Nov 12 2012 | 11:16:46 | 106001 | 70.xx.xx.195 | 58759 | 200.xx.xx.161 | 80 | Inbound TCP connection denied from 70.xx.xx.195/58759 to 200.xx.xx.161/80 flags SYN on interface outside |
It's almost like the access-rule isn't even being used by the firewall because it permits exactly the connection I'm trying to make.
Any help will be greatly appreciated.
Next task is to set up a static one-to-one NAT so that I can connect to hosts on the inside interface, but we'll deal with that after we solve this one.
11-12-2012 07:06 PM
I was gonna write something complicated, but given the understanding that you have of the firewalls, maybe I will keep it simple.
This part:
"Next task is to set up a static one-to-one NAT so that I can connect to hosts on the inside interface"
is not optional: you need it to permit traffic inbound to your network. If you are trying to hit an IP address that is on the outside of the firewall, there has to be a NAT configured so that once the ACL is hit, the packet will flow through.
I am assuming you are running version 8.3 or higher; since there is no NAT configured, the log that you are seeing would be normal at some point.
If the packet gets to the outside interface and it doesn't have any more rules on it, the processing would stop there and it wouldn't even try to match the ACL.
My best shot is for you to build the NAT, then we will worry about the ACL. (This is mainly because the action on the ACL has to correlate with the translated IP address for version 8.3 and above.)
Let me know.
Mike Rojas
11-12-2012 07:52 PM
First of all, thank you very much for taking the time to respond to my question.
I've already tried setting the static NAT every way from Sunday but none have allowed the packet in.
I'm on 8.2 BTW:
gip1-fw1-1-ord# show ver
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Here's what I have right now:
nat-control
global (outside) 101 interface
static (outside,inside) 10.xx.xx.35 200.xx.xx.161 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 200.xx.xx.81 1
I've tried all combinations of 70.xx.xx.195, 200.xx.xx.161, and 10.xx.xx.35 and nothing is working. If somebody could explain to me how this works, it would be much appreciated.
I've read the documentation over and over and it just doesn't help. Do I only need the one rule to do translations in both directions? Does the source IP of the inbound packet never change, and therefore never need to be translated when it becomes the source IP on the way out, or does there need to be a rule that translates on the way out as well?
11-12-2012 08:05 PM
Oh, but the static is backwards, and the interfaces as well.
The translation should be:
static (inside,outside) 200.xx.xx.161 10.xx.xx.35 netmask 255.255.255.255
Why? Simple, the syntax is always:
(Real Interface, Mapped Interface) Mapped IP, Real IP.
So, that being said, the real interface where the host is located is the inside, so that keyword goes first; then the mapped interface is where the host is going to be translated (that's the outside); then you put the Mapped IP and the Real IP.
The access list will go like:
access-list outside_access_in permit ip any host 200.xx.xx.161
access-group outside_access_in in interface outside
If you have doubts, let me know.
Mike
11-12-2012 08:11 PM
Ok, I'll give that a shot and thanks for the explanation.
The final question is: How do I prevent all IPs except my remote IP (70.xx.xx.195) from accessing the firewall if access-lists have to be associated with NATs in order to even be considered for application to incoming traffic?
11-12-2012 08:14 PM
If you are asking that, it is because you know the source. If you don't know the source but you would like to limit the resources, you can permit/deny based on services.
IE
access-list outside_access_in permit tcp any host 200.xx.xx.161 eq 80
That would allow anyone to come in, but only on port 80 (Web). If you know the source, it would be something like this:
access-list outside_access_in permit tcp host xx.xx.xx.xx host 200.xx.xx.161 eq 80
Same concept as CCNA.
This would make a good example.
Mike
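As an added example, not code from this thread or from Cisco: a small Python model of the 8.2 inbound order that Mike lays out above (the static syntax in his 08:05 PM post and the source-restricted ACL in his 08:14 PM post). It parses `static`, `access-list` and `access-group` lines, matches the inbound ACL against the mapped (public) destination as 8.2 does, then requires a static whose mapped side faces the ingress interface before un-translating to the real host. The parser, the verdict strings and the RFC 5737 sample addresses standing in for the thread's masked ones are this example's own assumptions; it is a simplification and does not reproduce the ASA's exact syslog messages.

```python
"""Toy model of how a pre-8.3 ASA (8.2 in this thread) treats a NEW inbound
connection on 'outside', given 'static' NAT lines and the inbound ACL bound
with 'access-group'. Assumptions of this example (not Cisco documentation):
  * only one-to-one 'static (real_if,mapped_if) MAPPED REAL netmask 255.255.255.255'
    and 'access-list NAME [extended] permit ip|tcp|udp SRC DST [eq PORT]' lines,
    with SRC/DST written as 'host A.B.C.D' or 'any', are parsed;
  * the inbound ACL is evaluated against the MAPPED destination (8.2 behaviour;
    8.3 and later match the real address instead);
  * with nat-control on, a permitted packet is still dropped when no static
    un-translates its destination on the ingress interface.
"""
import re
from dataclasses import dataclass
from typing import Optional

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask 255\.255\.255\.255$")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit (ip|tcp|udp) "
                    r"(host \S+|any) (host \S+|any)(?: eq (\d+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")


@dataclass(frozen=True)
class Static:
    real_if: str    # interface where the real host lives
    mapped_if: str  # interface on which the mapped address is presented
    mapped_ip: str
    real_ip: str


@dataclass(frozen=True)
class Ace:
    acl: str
    proto: str
    src: str        # 'any' or a host address
    dst: str
    port: Optional[int]

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src != "any" and self.src != src:
            return False
        if self.dst != "any" and self.dst != dst:
            return False
        return self.port is None or self.port == dport


def parse(config: str):
    statics, aces, bound = [], [], {}
    for line in (raw.strip() for raw in config.splitlines()):
        if m := STATIC_RE.match(line):
            statics.append(Static(*m.groups()))
        elif m := ACL_RE.match(line):
            acl, proto, src, dst, port = m.groups()
            aces.append(Ace(acl, proto, src.replace("host ", ""),
                            dst.replace("host ", ""), int(port) if port else None))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)  # interface -> ACL name
    return statics, aces, bound


def inbound_decision(config: str, in_if: str, proto: str, src: str, dst: str, dport: int):
    """Return (verdict, real destination or None) for a new flow entering in_if."""
    statics, aces, bound = parse(config)
    acl = bound.get(in_if)
    # 1. Lower- to higher-security traffic needs an explicit permit in the inbound
    #    ACL; here it is evaluated against the mapped (public) destination.
    if acl is None or not any(a.acl == acl and a.matches(proto, src, dst, dport) for a in aces):
        return "denied by ACL", None
    # 2. nat-control: a static whose MAPPED side faces in_if must own the destination.
    #    A static written (outside,inside) maps the other direction and never matches.
    for s in statics:
        if s.mapped_if == in_if and s.mapped_ip == dst:
            return "permitted", s.real_ip  # 3. destination un-translated to the real host
    return "no translation (dropped under nat-control)", None


# Constructed samples. RFC 5737 addresses stand in for the thread's masked ones:
# 203.0.113.161 = public (mapped) IP, 10.0.0.35 = inside server, 192.0.2.195 = remote IP.
POSTED = """
static (outside,inside) 10.0.0.35 203.0.113.161 netmask 255.255.255.255
access-list outside_access_in extended permit ip host 192.0.2.195 any
access-list outside_access_in extended permit ip host 203.0.113.161 host 10.0.0.35
access-group outside_access_in in interface outside
"""
CORRECTED = """
static (inside,outside) 203.0.113.161 10.0.0.35 netmask 255.255.255.255
access-list outside_access_in extended permit tcp host 192.0.2.195 host 203.0.113.161 eq 80
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("corrected", CORRECTED)):
        print(label, inbound_decision(cfg, "outside", "tcp", "192.0.2.195", "203.0.113.161", 80))
    print("other source", inbound_decision(CORRECTED, "outside", "tcp", "198.51.100.7", "203.0.113.161", 80))
```

Run against the posted config, the permit on the remote host is hit but the reversed static presents its mapped address on the inside, so nothing un-translates the public IP on outside and the flow is dropped. With the static rewritten as `(inside,outside)` the same flow is permitted and lands on the real host, while another source, or another port, is stopped by the ACL alone.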
11-13-2012 02:31 PM
Maykol, thank you very much for your help. I ended up creating a remote IPSec VPN to access the host that I needed but I finally did it.