11-03-2017 02:43 AM - edited 02-21-2020 06:38 AM
I have trouble blocking SIP traffic that crosses my ASA appliances in both the HQ (ASA 5515-X) and Branch (ASA 5510) offices:
The goal is to block all traffic from the IP-Phone 10.1.16.7 to the CUCM1 Subscriber 192.168.150.2, which will make it register with the CUCM2 Subscriber 192.168.156.1.
When I apply the ACL, though, traffic still passes through the Branch ASA!
access-list inside_access_in line 1 extended deny ip host 10.1.16.7 host 192.168.150.2
access-group inside_access_in in interface inside
I tried to block the traffic using the HQ ASA and it didn't work either.
Is there something that I am missing while trying this configuration?
ASA version: Branch 9.1(4) & HQ 9.6(2)
UPDATE: I was able to block the traffic using an extended ACL in my LAN Switch.
11-03-2017 03:22 AM
It might help to see the config of the Branch ASA.
One thing to note also is that if you want to block access to only that server, you should add another line at the end of your ACL allowing all other traffic; otherwise you will block everything (if applied properly), as there is an implicit deny at the end of the ACL.
11-03-2017 03:31 AM
Good, can we see the output of
sh access-list
and
sh run access-group
What interfaces are configured on the ASA?
11-03-2017 04:09 AM
Sorry for the long output. Notice that the ACL in question is the first one applied to the inside interface. Yet SIP traffic to 192.168.150.2 is not dropped.
ASA# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list inside_access_in; 50 elements; name hash: 0x433a1af1
access-list inside_access_in line 1 extended deny ip host 10.1.16.7 host 192.168.150.2 (hitcnt=14) (inactive) 0x9cca6348
access-list inside_access_in line 2 extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6 (hitcnt=34945) 0x0b9bf62f
access-list inside_access_in line 2 extended permit ip 10.1.11.0 255.255.255.0 host 213.186.33.20 (hitcnt=22551) 0xa4030b93
access-list inside_access_in line 2 extended permit ip 10.1.11.0 255.255.255.0 host 196.203.145.246 (hitcnt=12122) 0x1e6e399a
access-list inside_access_in line 2 extended permit ip 10.1.12.0 255.255.255.0 host 213.186.33.20 (hitcnt=208) 0x06a9a1e7
access-list inside_access_in line 2 extended permit ip 10.1.12.0 255.255.255.0 host 196.203.145.246 (hitcnt=0) 0x312bbdff
access-list inside_access_in line 2 extended permit icmp 10.1.11.0 255.255.255.0 host 213.186.33.20 (hitcnt=0) 0xed9093c1
access-list inside_access_in line 2 extended permit icmp 10.1.11.0 255.255.255.0 host 196.203.145.246 (hitcnt=0) 0xb1092ca9
access-list inside_access_in line 2 extended permit icmp 10.1.12.0 255.255.255.0 host 213.186.33.20 (hitcnt=0) 0x154d2d39
access-list inside_access_in line 2 extended permit icmp 10.1.12.0 255.255.255.0 host 196.203.145.246 (hitcnt=0) 0x28ee83d8
access-list inside_access_in line 2 extended permit ip 10.1.11.0 255.255.255.0 host 169.255.68.36 (hitcnt=64) 0x990182fe
access-list inside_access_in line 2 extended permit ip 10.1.12.0 255.255.255.0 host 169.255.68.36 (hitcnt=0) 0xbe205c35
access-list inside_access_in line 2 extended permit icmp 10.1.11.0 255.255.255.0 host 169.255.68.36 (hitcnt=0) 0xe003ea90
access-list inside_access_in line 2 extended permit icmp 10.1.12.0 255.255.255.0 host 169.255.68.36 (hitcnt=0) 0x64e9164e
access-list inside_access_in line 3 extended permit ip object Stagiaires-Annexe object-group DM_INLINE_NETWORK_3 (hitcnt=0) 0x33d3f6d4
access-list inside_access_in line 3 extended permit ip 10.1.18.0 255.255.255.0 host 192.168.51.254 (hitcnt=0) 0xfe7515f6
access-list inside_access_in line 3 extended permit ip 10.1.18.0 255.255.255.0 host 192.168.66.46 (hitcnt=0) 0x8512f122
access-list inside_access_in line 3 extended permit ip 10.1.18.0 255.255.255.0 host 192.168.1.254 (hitcnt=0) 0x30184d0c
access-list inside_access_in line 4 extended deny ip object Stagiaires-Annexe object-group DM_INLINE_NETWORK_9 (hitcnt=0) 0xd712d2b6
access-list inside_access_in line 4 extended deny ip 10.1.18.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0) 0xce112e71
access-list inside_access_in line 4 extended deny ip 10.1.18.0 255.255.255.0 172.16.0.0 255.240.0.0 (hitcnt=0) 0xc4e7471e
access-list inside_access_in line 4 extended deny ip 10.1.18.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0xaae7fae2
access-list inside_access_in line 5 extended permit ip object Stagiaires-Annexe any (hitcnt=0) 0x2856050e
access-list inside_access_in line 5 extended permit ip 10.1.18.0 255.255.255.0 any (hitcnt=0) 0x2856050e
access-list inside_access_in line 6 extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_13 (hitcnt=110875440) 0x76b16f78
access-list inside_access_in line 6 extended permit ip 10.1.11.0 255.255.255.0 172.16.15.0 255.255.255.0 (hitcnt=2024) 0xbe15fe21
access-list inside_access_in line 6 extended permit ip 10.1.11.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=1962541) 0x35278d2e
access-list inside_access_in line 6 extended permit ip 10.1.11.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=48974129) 0x30694537
access-list inside_access_in line 6 extended permit ip 10.1.14.0 255.255.255.0 172.16.15.0 255.255.255.0 (hitcnt=0) 0x83e4b91c
access-list inside_access_in line 6 extended permit ip 10.1.14.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=384) 0xa799fc8b
access-list inside_access_in line 6 extended permit ip 10.1.14.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=792691) 0xc74b52d1
access-list inside_access_in line 6 extended permit ip 10.1.17.0 255.255.255.0 172.16.15.0 255.255.255.0 (hitcnt=8600) 0x8db602c2
access-list inside_access_in line 6 extended permit ip 10.1.17.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=2695202) 0x26f9363c
access-list inside_access_in line 6 extended permit ip 10.1.17.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=20044188) 0x5ccb45fe
access-list inside_access_in line 6 extended permit ip 10.1.15.0 255.255.255.0 172.16.15.0 255.255.255.0 (hitcnt=2) 0x1d3e79cb
access-list inside_access_in line 6 extended permit ip 10.1.15.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=54) 0x5441d112
access-list inside_access_in line 6 extended permit ip 10.1.15.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=41535) 0x04887959
access-list inside_access_in line 6 extended permit ip 10.1.13.0 255.255.255.0 172.16.15.0 255.255.255.0 (hitcnt=0) 0x95cdbdff
access-list inside_access_in line 6 extended permit ip 10.1.13.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=234) 0x638ad29c
access-list inside_access_in line 6 extended permit ip 10.1.13.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=3365413) 0x8b673be9
access-list inside_access_in line 6 extended permit ip 10.1.12.0 255.255.255.0 172.16.15.0 255.255.255.0 (hitcnt=11) 0x2d48f623
access-list inside_access_in line 6 extended permit ip 10.1.12.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=248017) 0x0822d55a
access-list inside_access_in line 6 extended permit ip 10.1.12.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=28016714) 0x953638c3
access-list inside_access_in line 6 extended permit ip 10.1.16.0 255.255.255.0 172.16.15.0 255.255.255.0 (hitcnt=1166) 0xdff454dc
access-list inside_access_in line 6 extended permit ip 10.1.16.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=54644) 0xdf0a50ec
access-list inside_access_in line 6 extended permit ip 10.1.16.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=4667891) 0x290c00dc
access-list inside_access_in line 7 extended permit ip object Admin-Annexe object Infra-WAN (hitcnt=6375) 0x1d83cbfc
access-list inside_access_in line 7 extended permit ip 10.1.11.0 255.255.255.0 172.16.0.0 255.240.0.0 (hitcnt=6375) 0x1d83cbfc
access-list inside_access_in line 8 extended permit ip object Internet-Guest-Annexe any (hitcnt=6446725) 0x17e3d7cb
access-list inside_access_in line 8 extended permit ip 10.1.17.0 255.255.255.0 any (hitcnt=6446725) 0x17e3d7cb
access-list inside_access_in line 9 extended permit ip 10.1.11.0 255.255.255.0 host 5.5.5.1 (hitcnt=125) 0x52a2ee1d
access-list inside_access_in line 10 extended permit ip object-group DM_INLINE_NETWORK_4 172.16.0.0 255.240.0.0 (hitcnt=0) 0x01e74645
access-list inside_access_in line 10 extended permit ip host 10.1.11.1 172.16.0.0 255.240.0.0 (hitcnt=0) 0x4c7afb74
access-list inside_access_in line 10 extended permit ip host 10.1.11.2 172.16.0.0 255.240.0.0 (hitcnt=0) 0x43ae0660
access-list inside_access_in line 11 extended permit ip object-group DM_INLINE_NETWORK_14 any (hitcnt=107829) 0x341cad0c
access-list inside_access_in line 11 extended permit ip host 10.1.11.10 any (hitcnt=26790) 0x6a6bac63
access-list inside_access_in line 11 extended permit ip host 10.1.11.1 any (hitcnt=73150) 0x751f0645
access-list inside_access_in line 11 extended permit ip host 10.1.11.183 any (hitcnt=7889) 0x45d2ae65
access-list inside_access_in line 12 extended permit ip any any (hitcnt=13289) 0xa925365e
access-list outside_access_in; 24 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended deny object-group TCPUDP host 192.168.150.2 host 10.1.16.7 eq sip inactive (hitcnt=0) (inactive) 0x865a7845
access-list outside_access_in line 1 extended deny udp host 192.168.150.2 host 10.1.16.7 eq sip inactive (hitcnt=0) (inactive) 0x4dc05507
access-list outside_access_in line 1 extended deny tcp host 192.168.150.2 host 10.1.16.7 eq sip inactive (hitcnt=0) (inactive) 0xa50dc3d7
access-list outside_access_in line 2 extended permit ip object-group DM_INLINE_NETWORK_11 object-group DM_INLINE_NETWORK_2 (hitcnt=32152489) 0xebd09fbf
access-list outside_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.11.0 255.255.255.0 (hitcnt=785) 0xf711f91d
access-list outside_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.14.0 255.255.255.0 (hitcnt=1120) 0x0fe9ec1b
access-list outside_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.17.0 255.255.255.0 (hitcnt=2781) 0x7d999bd7
access-list outside_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.15.0 255.255.255.0 (hitcnt=3) 0x7be0b6c7
access-list outside_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.13.0 255.255.255.0 (hitcnt=0) 0xe5a3ecf9
access-list outside_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.12.0 255.255.255.0 (hitcnt=81) 0xb560da4f
access-list outside_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.16.0 255.255.255.0 (hitcnt=1106) 0x58b226bf
access-list outside_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.11.0 255.255.255.0 (hitcnt=1831669) 0x5a993778
access-list outside_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.14.0 255.255.255.0 (hitcnt=2257) 0x4faf90c7
access-list outside_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.17.0 255.255.255.0 (hitcnt=488229) 0xe8018521
access-list outside_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.15.0 255.255.255.0 (hitcnt=510) 0xca476dd5
access-list outside_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.13.0 255.255.255.0 (hitcnt=596) 0xa1037fbf
access-list outside_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.12.0 255.255.255.0 (hitcnt=21408) 0xcf765b03
access-list outside_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.16.0 255.255.255.0 (hitcnt=29652) 0xa840a04c
access-list outside_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.11.0 255.255.255.0 (hitcnt=23560603) 0xf49d924f
access-list outside_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.14.0 255.255.255.0 (hitcnt=504760) 0x9ab61939
access-list outside_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.17.0 255.255.255.0 (hitcnt=1432644) 0x86752b20
access-list outside_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.15.0 255.255.255.0 (hitcnt=133040) 0x8d7c6a2b
access-list outside_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.13.0 255.255.255.0 (hitcnt=2061311) 0x79a64ae5
access-list outside_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.12.0 255.255.255.0 (hitcnt=2006582) 0x0037cfab
access-list outside_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.16.0 255.255.255.0 (hitcnt=73353) 0x1f6662a3
access-list outside_access_in line 3 extended permit ip object Infra-WAN object Admin-Annexe (hitcnt=576182) 0x9e19c570
access-list outside_access_in line 3 extended permit ip 172.16.0.0 255.240.0.0 10.1.11.0 255.255.255.0 (hitcnt=576182) 0x9e19c570
access-list internet_access_in; 5 elements; name hash: 0x463c69d2
access-list internet_access_in line 1 extended permit icmp any any (hitcnt=646225) 0x637a0ab4
access-list internet_access_in line 2 extended permit ip object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_8 (hitcnt=91) 0x3f274fb9
access-list internet_access_in line 2 extended permit ip host 213.186.33.20 10.1.11.0 255.255.255.0 (hitcnt=82) 0x0aabb91e
access-list internet_access_in line 2 extended permit ip host 213.186.33.20 10.1.12.0 255.255.255.0 (hitcnt=1) 0x2885eeeb
access-list internet_access_in line 2 extended permit ip host 196.203.145.246 10.1.11.0 255.255.255.0 (hitcnt=8) 0xb5f545de
access-list internet_access_in line 2 extended permit ip host 196.203.145.246 10.1.12.0 255.255.255.0 (hitcnt=0) 0x412b1331
access-list outside2_access_in; 24 elements; name hash: 0x6ab55d5f
access-list outside2_access_in line 1 extended deny object-group TCPUDP host 192.168.150.2 host 10.1.16.7 eq sip inactive (hitcnt=0) (inactive) 0x8ee519f3
access-list outside2_access_in line 1 extended deny udp host 192.168.150.2 host 10.1.16.7 eq sip inactive (hitcnt=0) (inactive) 0xdaf9f39e
access-list outside2_access_in line 1 extended deny tcp host 192.168.150.2 host 10.1.16.7 eq sip inactive (hitcnt=0) (inactive) 0x892950d7
access-list outside2_access_in line 2 extended permit ip object-group DM_INLINE_NETWORK_10 object-group DM_INLINE_NETWORK_12 (hitcnt=367897) 0x33d4ecb3
access-list outside2_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.11.0 255.255.255.0 (hitcnt=0) 0xc196fdd3
access-list outside2_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.14.0 255.255.255.0 (hitcnt=0) 0xb7cea677
access-list outside2_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.17.0 255.255.255.0 (hitcnt=0) 0x9ec867c1
access-list outside2_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.15.0 255.255.255.0 (hitcnt=0) 0xf2e2ee68
access-list outside2_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.13.0 255.255.255.0 (hitcnt=0) 0x8dd7198c
access-list outside2_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.12.0 255.255.255.0 (hitcnt=0) 0x18e273b3
access-list outside2_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.16.0 255.255.255.0 (hitcnt=0) 0xa24b68fb
access-list outside2_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.11.0 255.255.255.0 (hitcnt=100914) 0x0c9f3d6a
access-list outside2_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.14.0 255.255.255.0 (hitcnt=216) 0x38e70b42
access-list outside2_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.17.0 255.255.255.0 (hitcnt=41823) 0x06a4ce4b
access-list outside2_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.15.0 255.255.255.0 (hitcnt=0) 0xea595bc0
access-list outside2_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.13.0 255.255.255.0 (hitcnt=121) 0x8aa884a9
access-list outside2_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.12.0 255.255.255.0 (hitcnt=142928) 0x211682db
access-list outside2_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.16.0 255.255.255.0 (hitcnt=707) 0x0a0a3b24
access-list outside2_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.11.0 255.255.255.0 (hitcnt=60003) 0xd7877bf4
access-list outside2_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.14.0 255.255.255.0 (hitcnt=806) 0xd5552cf5
access-list outside2_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.17.0 255.255.255.0 (hitcnt=4616) 0x5e9a85a3
access-list outside2_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.15.0 255.255.255.0 (hitcnt=228) 0x91524a60
access-list outside2_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.13.0 255.255.255.0 (hitcnt=408) 0x859e5f61
access-list outside2_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.12.0 255.255.255.0 (hitcnt=9579) 0xb4c55cf0
access-list outside2_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.16.0 255.255.255.0 (hitcnt=5548) 0xe2f594db
access-list outside2_access_in line 3 extended permit ip object Infra-WAN object Admin-Annexe (hitcnt=210) 0x77473a8e
access-list outside2_access_in line 3 extended permit ip 172.16.0.0 255.240.0.0 10.1.11.0 255.255.255.0 (hitcnt=210) 0x77473a8e
ASA# sh run access-group
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group internet_access_in in interface internet
access-group outside2_access_in in interface outside2
ASA#
11-03-2017 04:15 AM
It looks like the specific ACL line for your SIP traffic is set to inactive / disabled.
access-list inside_access_in line 1 extended deny ip host 10.1.16.7 host 192.168.150.2 (hitcnt=14) (inactive)
11-03-2017 04:21 AM
I am aware of that, I set it inactive after the test failed.
11-03-2017 05:26 AM
I am sure of that because:
1. The phone stays registered with CUCM1, which can be verified on the phone and via the CUCM web interface;
2. Traffic passing through the ASA is captured with the ASDM packet capture.
11-03-2017 10:25 PM
It could be that the ASA already had an existing connection for the traffic after you applied the ACL entry for that phone. Due to the order of operations on the ASA, if there was an existing connection for that flow the ACL check is skipped. Might be an idea to clear any connections on the ASA for the phone IP, then test.
11-04-2017 12:45 AM
That should be it! I tried again this morning with the Branch ASA and after clearing the connections nothing passes through the appliance. Thanks a lot.
11-04-2017 05:51 AM
Good tip @GRANT3779
When changing an ACL, "clear conn" (or at least clear conn for the specific host(s) affected).
When changing NAT rules, "clear xlate".
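To make the order of operations behind the accepted answer and the "clear conn" tip concrete, here is a small Python model written for this thread; it is not Cisco code and not from any poster. It shows that the connection table is consulted before the interface ACL, so a flow that existed before the deny ACE was added keeps passing until its connection is cleared; the phone and CUCM addresses are the thread's, while the Flow/Ace/Asa names, the permit-any baseline ACL and the SIP 5-tuple are assumptions of the model.

```python
from collections import namedtuple
from dataclasses import dataclass

# Constructed model of the ASA behaviour this thread hits: the connection table
# is checked before the interface ACL, and the ACL is evaluated only when a new
# connection is built. Addresses are the thread's; everything else is assumed.
PHONE, CUCM1 = "10.1.16.7", "192.168.150.2"
Flow = namedtuple("Flow", "src dst proto dport")  # key for the conn table


@dataclass
class Ace:
    action: str          # "permit" or "deny"
    src: str             # host address or "any"
    dst: str
    active: bool = True  # the "inactive" keyword disables an ACE without deleting it

    def matches(self, f: Flow) -> bool:
        return self.active and self.src in (f.src, "any") and self.dst in (f.dst, "any")


class Asa:
    def __init__(self, acl):
        self.acl = list(acl)
        self.conns = set()  # established connections (the "conn table")

    def acl_lookup(self, f: Flow) -> bool:
        for ace in self.acl:  # first matching ACE wins, top to bottom
            if ace.matches(f):
                return ace.action == "permit"
        return False  # implicit deny at the end of every ACL

    def forward(self, f: Flow) -> bool:
        if f in self.conns:     # fast path: existing conn, ACL is not consulted
            return True
        if self.acl_lookup(f):  # first packet of a new flow: the ACL decides
            self.conns.add(f)
            return True
        return False

    def clear_conn_address(self, ip: str) -> int:
        # Model of 'clear conn address <ip>': drop every conn involving ip.
        stale = {c for c in self.conns if ip in (c.src, c.dst)}
        self.conns -= stale
        return len(stale)


def scenario():
    asa = Asa([Ace("permit", "any", "any")])      # trailing permit ip any any
    sip = Flow(PHONE, CUCM1, "tcp", 5060)         # assumed SIP registration flow
    registered = asa.forward(sip)                 # phone registers; conn is built
    asa.acl.insert(0, Ace("deny", PHONE, CUCM1))  # operator adds the line 1 deny
    still_passes = asa.forward(sip)               # True: conn table hit bypasses the ACL
    cleared = asa.clear_conn_address(PHONE)       # 'clear conn address 10.1.16.7'
    after_clear = asa.forward(sip)                # False: the new flow hits the deny
    return registered, still_passes, cleared, after_clear


if __name__ == "__main__":
    print(scenario())
```

The same model also shows why the poster's test with the ACE marked "inactive" could not work: an inactive ACE never matches, so the flow falls through to the permit.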