03-12-2019 02:22 PM
Hi experts!
I am feeling really humble as I have been troubled with this for several weeks. We updated our domain controllers and this necessitated re-implementing our PKI certificate authentication to our LAN. We have a semi-closed LAN, but allow some outward traffic.
We use Identrust certificates and I have the end-user/personal cert, the intermediate cert and the Root Cert. The end-user/personal cert and the intermediate cert list the following as the CDP:
validation.identrust.com/crl/identrust21ecas21.crl
- this translates to 192.147.157.157 and 192.35.177.153
The intermediate certificate points to crl.disa.mil
I have all three of these "hosts" in a CRL Group which is listed as the 1st entry on the Server VLAN. It gets hits and all of that, but I do not get any success when I run certutil to see (try) what is going on. It always says the attempted get times out and I get CRL server not available.
My definitions are:
object-group network objIdentrustCRL
description identrust CRL locations
network-object object identrust_crl
network-object object identrustCRL2
network-object object CRL_FQDN
network-object object DISAintermediateCRL
My rule is: access-list aclServersIn extended permit tcp object-group objIdentrustCRL any eq www log
Is there something, hopefully obvious, that I am missing here?
thanks for your help
Jim
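To make the access-list lookup concrete, here is an added example (my own Python, not code from the thread or from Cisco). It parses ACEs in the expanded form that `show access-list` prints and reports the first entry a given flow hits, which is the check the ASA performs on traffic entering the Servers interface. The sample input is the expanded aclServersIN entries quoted later in the thread, plus a constructed variant with the same CRL hosts placed in the source position, which is how the rule quoted in this first post reads. The service-keyword table and the test flow (the server's request to 192.35.177.153 port 80) are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: only these ASA service keywords appear in the ACEs being checked.
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "ldap": 389, "ldaps": 636}


@dataclass(frozen=True)
class Ace:
    acl: str
    line: Optional[int]
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address specifier starting at t[i]; return (network, next index)."""
    tok = t[i]
    if tok in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2          # /32
    if tok in ("object", "object-group"):
        raise ValueError("expand objects first: use 'show access-list', not the running config")
    # "network mask" form, e.g. 192.168.0.224 255.255.255.240
    return ipaddress.ip_network(f"{tok}/{t[i + 1]}", strict=False), i + 2


def _parse_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <port|keyword>' qualifier."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else SERVICE_PORTS[p]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an ACE: {line}")
    acl, i, num = t[1], 2, None
    if t[i] == "line":                       # 'show access-list' numbers each expanded entry
        num, i = int(t[i + 1]), i + 2
    if t[i] != "extended":
        raise ValueError(f"only extended ACEs supported: {line}")
    action, proto, i = t[i + 1], t[i + 2], i + 3
    src, i = _parse_addr(t, i)
    _, i = _parse_port(t, i)                 # source-port qualifier, not needed for this check
    dst, i = _parse_addr(t, i)
    dst_port, i = _parse_port(t, i)
    return Ace(acl, num, action, proto, src, dst, dst_port)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.splitlines() if l.strip().startswith("access-list")]


def first_match(aces: List[Ace], src_ip: str, dst_ip: str, dst_port: int, proto: str = "tcp") -> Optional[Ace]:
    """First-match semantics, like the ASA: return the hit ACE, or None for the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto not in (proto, "ip"):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace
    return None


# Expanded entries as 'show access-list' printed them in the thread (destination = CRL hosts).
SHOW_ACCESS_LIST = """\
access-list aclServersIN line 1 extended permit tcp any host 192.147.157.157
access-list aclServersIN line 2 extended permit tcp any host 192.35.177.153
access-list aclServersIN line 3 extended permit tcp any host 23.196.105.43
access-list aclServersIN line 4 extended permit tcp any host 192.35.177.69
"""

# Constructed: the same hosts in the SOURCE position, as the first post's rule reads.
REVERSED = """\
access-list aclServersIN line 1 extended permit tcp host 192.147.157.157 any eq www
access-list aclServersIN line 2 extended permit tcp host 192.35.177.153 any eq www
"""

if __name__ == "__main__":
    flow = ("192.168.0.235", "192.35.177.153", 80)   # the server's outbound CRL request
    for label, text in (("destination form", SHOW_ACCESS_LIST), ("source form", REVERSED)):
        hit = first_match(parse_acl(text), *flow)
        print(label, "->", f"line {hit.line}" if hit else "no match (implicit deny)")
```

Only the destination form matches the server's request; with the CRL hosts as the source, the outbound flow falls through to the implicit deny, and the reply would never get a chance to come back at all.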
03-12-2019 08:56 PM
03-13-2019 03:47 AM
Francesco,
The interface is defined as:
interface GigabitEthernet1/3.224
description Servers Network
vlan 224
nameif Servers
security-level 90
The config for interfaces is:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
The ACL entries are:
source = any
destination = objIdentrustCRL
service = tcp/http
port = 80
The ACL gets hits each time I run the certutil, but the response is always a timeout.
03-13-2019 05:28 AM
OK, a little more recon. I did a show access-list for my aclServersIN and it showed:
access-list aclServersIN line 1 extended permit tcp any host 192.147.157.157
access-list aclServersIN line 2 extended permit tcp any host 192.35.177.153
access-list aclServersIN line 3 extended permit tcp any host 23.196.105.43
access-list aclServersIN line 4 extended permit tcp any host 192.35.177.69
which appears correct. Then I saw the actual real-time log for this and it showed
access-list aclServersIN permitted tcp Servers/192.168.0.235(56096)->outside/192.35.177.153(80) hitcnt 1 first hit
This looks like it should (to me), but should I not see a "return" entry for the data coming back? Or does it only show the outgoing logs?
03-13-2019 09:07 PM
03-14-2019 03:59 AM
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2019.03.14 06:52:53 =~=~=~=~=~=~=~=~=~=~=~=
packet-tracer input servers tcp 192.168.0.235 12345 192.35.177.153 80 detail
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 20.4.141.2 using egress ifc outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group aclServersIN in interface Servers
access-list aclServersIN extended permit tcp any object-group ObjIdentrustCRL eq www log
object-group network ObjIdentrustCRL
description: Identrust
network-object object Identrust_CRL
network-object object IdentrustCRL2
network-object object DISAintermediateCRL
network-object object ldapeca.identrust.com
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fcd524b6380, priority=13, domain=permit, deny=false
hits=9, user_data=0x7fcd6056bf40, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=192.35.177.153, mask=255.255.255.255, port=80, tag=any, dscp=0x0
input_ifc=Servers, output_ifc=any
Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map Servers-class
match any
policy-map Servers-policy
description Set to allow UDP/SMTP email out of the system
class Servers-class
set connection conn-max 0 embryonic-conn-max 1000 random-sequence-number enable
service-policy Servers-policy interface Servers
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fcd6d31d7e0, priority=8, domain=conn-set, deny=false
hits=78447519, user_data=0x7fcd6d31b110, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Servers, output_ifc=any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network objServers
nat (Servers,outside) dynamic PatIP
Additional Information:
Dynamic translate 192.168.0.235/12345 to 20.4.141.6/12345
Forward Flow based lookup yields rule:
in id=0x7fcd6d37c5b0, priority=6, domain=nat, deny=false
hits=2191987, user_data=0x7fcd6d37b890, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.0.224, mask=255.255.255.240, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Servers, output_ifc=outside
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fcd6acbced0, priority=0, domain=nat-per-session, deny=false
hits=24138281, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fcd6bde0a40, priority=0, domain=inspect-ip-options, deny=true
hits=26913387, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Servers, output_ifc=any
Phase: 7
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map Servers-class
match any
policy-map Servers-policy
description Set to allow UDP/SMTP email out of the system
class Servers-class
sfr fail-open
service-policy Servers-policy interface Servers
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fcd6d319590, priority=73, domain=sfr, deny=false
hits=12224127, user_data=0x7fcd6d319130, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Servers, output_ifc=any
Phase: 8
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fcd6d2d1c90, priority=0, domain=user-statistics, deny=false
hits=2492233, user_data=0x7fcd6d1e4f70, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fcd6acbced0, priority=0, domain=nat-per-session, deny=false
hits=24138283, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fcd6ba04e20, priority=0, domain=inspect-ip-options, deny=true
hits=2487786, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0x7fcd6d2d9990, priority=0, domain=user-statistics, deny=false
hits=26740056, user_data=0x7fcd6d1e4f70, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=Servers
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 27571343, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_sfr
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_sfr
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: Servers
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
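As an added example (my own Python, not the poster's or Cisco's code), here is a parser for this packet-tracer output. It splits the trace into phases, flags the first phase whose Result is DROP, pulls out the NAT translation, and separates the "Reverse Flow" lookups (the return path, which the earlier question about seeing a "return" log entry was getting at) from the forward ones. Both sample traces are constructed: one is abbreviated from the allow trace above, the other is a made-up acl-drop case showing what a failing lookup reports.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Phase:
    number: int
    ptype: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)
    info: List[str] = field(default_factory=list)

    @property
    def direction(self) -> str:
        # packet-tracer labels return-path lookups "Reverse Flow based lookup"
        return "reverse" if any(l.startswith("Reverse Flow") for l in self.info) else "forward"


_TRANSLATE = re.compile(r"Dynamic translate (\S+) to (\S+)")


def parse_packet_tracer(text: str) -> Tuple[List[Phase], Optional[str], Optional[str]]:
    """Return (phases, final action, drop reason) from a packet-tracer trace."""
    phases: List[Phase] = []
    action: Optional[str] = None
    drop_reason: Optional[str] = None
    current: Optional[Phase] = None
    section: Optional[str] = None            # "config" or "info" while inside a phase
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = Phase(int(line.split(":", 1)[1]))
            phases.append(current)
            section = None
        elif line.startswith("Action:"):
            action = line.split(":", 1)[1].strip()
            current = None
        elif line.startswith("Drop-reason:"):
            drop_reason = line.split(":", 1)[1].strip()
        elif current is None:
            continue                         # command echo or the final summary block
        elif line.startswith("Type:"):
            current.ptype = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            value = line.split(":", 1)[1].strip()
            if value:
                current.result = value
            else:
                current = None               # a bare "Result:" opens the final summary
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return phases, action, drop_reason


def summarize(text: str) -> Dict[str, object]:
    """The facts a firewall admin wants first: verdict, where it failed, how it was NATed."""
    phases, action, drop_reason = parse_packet_tracer(text)
    first_drop = next((p.number for p in phases if p.result.upper() == "DROP"), None)
    nat = None
    for p in phases:
        for l in p.info:
            m = _TRANSLATE.search(l)
            if m:
                nat = (m.group(1), m.group(2))
    return {
        "action": action,
        "drop_reason": drop_reason,
        "first_drop": first_drop,
        "nat": nat,
        "forward_phases": [p.ptype for p in phases if p.direction == "forward"],
        "reverse_phases": [p.ptype for p in phases if p.direction == "reverse"],
    }


# Constructed: abbreviated from the allow trace in the thread (phase numbers kept).
SAMPLE_ALLOW = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 20.4.141.2 using egress ifc outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group aclServersIN in interface Servers
access-list aclServersIN extended permit tcp any object-group ObjIdentrustCRL eq www log
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fcd524b6380, priority=13, domain=permit, deny=false
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network objServers
nat (Servers,outside) dynamic PatIP
Additional Information:
Dynamic translate 192.168.0.235/12345 to 20.4.141.6/12345
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fcd6acbced0, priority=0, domain=nat-per-session, deny=false
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 27571343, packet dispatched to next module
Result:
input-interface: Servers
input-status: up
output-interface: outside
Action: allow
"""

# Constructed: a made-up trace where the ACL lookup fails on the implicit deny.
SAMPLE_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 20.4.141.2 using egress ifc outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: Servers
input-status: up
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    for name, trace in (("allow", SAMPLE_ALLOW), ("drop", SAMPLE_DROP)):
        print(name, summarize(trace))
```

A trace that ends in "Action: allow" with a FLOW-CREATION phase, as the one above does, means the firewall built a stateful connection for the request; the reverse-flow lookups are the path the reply will take, so the absence of a separate "return" ACL log line is expected rather than a sign the reply was blocked.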