11-03-2017 02:43 AM - edited 02-21-2020 06:38 AM
I have trouble blocking SIP traffic that crosses my ASA appliances in both the HQ (ASA 5515-X) and Branch (ASA 5510) offices:
The goal is to block all traffic from the IP-Phone 10.1.16.7 to the CUCM1 Subscriber 192.168.150.2 which will make it register with the CUCM2 Subscriber 192.168.156.1.
When I apply the ACL though, traffic still passes through the Branch ASA!
access-list inside_access_in line 1 extended deny ip host 10.1.16.7 host 192.168.150.2
access-group inside_access_in in interface inside
I tried to block the traffic using the HQ ASA and it didn't work either.
Is there something that I am missing while trying this configuration?
ASA version: Branch 9.1(4) & HQ 9.6(2)
UPDATE: I was able to block the traffic using an extended ACL in my LAN Switch.
11-03-2017 03:22 AM
It might help to see the config of the Branch ASA.
One thing to note also is that if you want to block access to only that server, you should add another line to your ACL (at the end) allowing all other traffic; otherwise you will block everything (if applied properly), as there is an implicit deny at the end of the ACL.
11-03-2017 03:27 AM
11-03-2017 03:31 AM
Good, can we see output of
sh access-list
and
sh run access-group
What interfaces are configured on the ASA?
11-03-2017 04:09 AM
Sorry for the long output. Notice that the ACL in question is the first one applied to the inside interface. Yet SIP traffic to 192.168.150.2 is not dropped.
ASA# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list inside_access_in; 50 elements; name hash: 0x433a1af1
access-list inside_access_in line 1 extended deny ip host 10.1.16.7 host 192.168.150.2 (hitcnt=14) (inactive) 0x9cca6348
access-list inside_access_in line 2 extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6 (hitcnt=34945) 0x0b9bf62f
access-list inside_access_in line 2 extended permit ip 10.1.11.0 255.255.255.0 host 213.186.33.20 (hitcnt=22551) 0xa4030b93
access-list inside_access_in line 2 extended permit ip 10.1.11.0 255.255.255.0 host 196.203.145.246 (hitcnt=12122) 0x1e6e399a
access-list inside_access_in line 2 extended permit ip 10.1.12.0 255.255.255.0 host 213.186.33.20 (hitcnt=208) 0x06a9a1e7
access-list inside_access_in line 2 extended permit ip 10.1.12.0 255.255.255.0 host 196.203.145.246 (hitcnt=0) 0x312bbdff
access-list inside_access_in line 2 extended permit icmp 10.1.11.0 255.255.255.0 host 213.186.33.20 (hitcnt=0) 0xed9093c1
access-list inside_access_in line 2 extended permit icmp 10.1.11.0 255.255.255.0 host 196.203.145.246 (hitcnt=0) 0xb1092ca9
access-list inside_access_in line 2 extended permit icmp 10.1.12.0 255.255.255.0 host 213.186.33.20 (hitcnt=0) 0x154d2d39
access-list inside_access_in line 2 extended permit icmp 10.1.12.0 255.255.255.0 host 196.203.145.246 (hitcnt=0) 0x28ee83d8
access-list inside_access_in line 2 extended permit ip 10.1.11.0 255.255.255.0 host 169.255.68.36 (hitcnt=64) 0x990182fe
access-list inside_access_in line 2 extended permit ip 10.1.12.0 255.255.255.0 host 169.255.68.36 (hitcnt=0) 0xbe205c35
access-list inside_access_in line 2 extended permit icmp 10.1.11.0 255.255.255.0 host 169.255.68.36 (hitcnt=0) 0xe003ea90
access-list inside_access_in line 2 extended permit icmp 10.1.12.0 255.255.255.0 host 169.255.68.36 (hitcnt=0) 0x64e9164e
access-list inside_access_in line 3 extended permit ip object Stagiaires-Annexe object-group DM_INLINE_NETWORK_3 (hitcnt=0) 0x33d3f6d4
access-list inside_access_in line 3 extended permit ip 10.1.18.0 255.255.255.0 host 192.168.51.254 (hitcnt=0) 0xfe7515f6
access-list inside_access_in line 3 extended permit ip 10.1.18.0 255.255.255.0 host 192.168.66.46 (hitcnt=0) 0x8512f122
access-list inside_access_in line 3 extended permit ip 10.1.18.0 255.255.255.0 host 192.168.1.254 (hitcnt=0) 0x30184d0c
access-list inside_access_in line 4 extended deny ip object Stagiaires-Annexe object-group DM_INLINE_NETWORK_9 (hitcnt=0) 0xd712d2b6
access-list inside_access_in line 4 extended deny ip 10.1.18.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0) 0xce112e71
access-list inside_access_in line 4 extended deny ip 10.1.18.0 255.255.255.0 172.16.0.0 255.240.0.0 (hitcnt=0) 0xc4e7471e
access-list inside_access_in line 4 extended deny ip 10.1.18.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0xaae7fae2
access-list inside_access_in line 5 extended permit ip object Stagiaires-Annexe any (hitcnt=0) 0x2856050e
access-list inside_access_in line 5 extended permit ip 10.1.18.0 255.255.255.0 any (hitcnt=0) 0x2856050e
access-list inside_access_in line 6 extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_13 (hitcnt=110875440) 0x76b16f78
access-list inside_access_in line 6 extended permit ip 10.1.11.0 255.255.255.0 172.16.15.0 255.255.255.0 (hitcnt=2024) 0xbe15fe21
access-list inside_access_in line 6 extended permit ip 10.1.11.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=1962541) 0x35278d2e
access-list inside_access_in line 6 extended permit ip 10.1.11.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=48974129) 0x30694537
access-list inside_access_in line 6 extended permit ip 10.1.14.0 255.255.255.0 172.16.15.0 255.255.255.0 (hitcnt=0) 0x83e4b91c
access-list inside_access_in line 6 extended permit ip 10.1.14.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=384) 0xa799fc8b
access-list inside_access_in line 6 extended permit ip 10.1.14.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=792691) 0xc74b52d1
access-list inside_access_in line 6 extended permit ip 10.1.17.0 255.255.255.0 172.16.15.0 255.255.255.0 (hitcnt=8600) 0x8db602c2
access-list inside_access_in line 6 extended permit ip 10.1.17.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=2695202) 0x26f9363c
access-list inside_access_in line 6 extended permit ip 10.1.17.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=20044188) 0x5ccb45fe
access-list inside_access_in line 6 extended permit ip 10.1.15.0 255.255.255.0 172.16.15.0 255.255.255.0 (hitcnt=2) 0x1d3e79cb
access-list inside_access_in line 6 extended permit ip 10.1.15.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=54) 0x5441d112
access-list inside_access_in line 6 extended permit ip 10.1.15.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=41535) 0x04887959
access-list inside_access_in line 6 extended permit ip 10.1.13.0 255.255.255.0 172.16.15.0 255.255.255.0 (hitcnt=0) 0x95cdbdff
access-list inside_access_in line 6 extended permit ip 10.1.13.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=234) 0x638ad29c
access-list inside_access_in line 6 extended permit ip 10.1.13.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=3365413) 0x8b673be9
access-list inside_access_in line 6 extended permit ip 10.1.12.0 255.255.255.0 172.16.15.0 255.255.255.0 (hitcnt=11) 0x2d48f623
access-list inside_access_in line 6 extended permit ip 10.1.12.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=248017) 0x0822d55a
access-list inside_access_in line 6 extended permit ip 10.1.12.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=28016714) 0x953638c3
access-list inside_access_in line 6 extended permit ip 10.1.16.0 255.255.255.0 172.16.15.0 255.255.255.0 (hitcnt=1166) 0xdff454dc
access-list inside_access_in line 6 extended permit ip 10.1.16.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=54644) 0xdf0a50ec
access-list inside_access_in line 6 extended permit ip 10.1.16.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=4667891) 0x290c00dc
access-list inside_access_in line 7 extended permit ip object Admin-Annexe object Infra-WAN (hitcnt=6375) 0x1d83cbfc
access-list inside_access_in line 7 extended permit ip 10.1.11.0 255.255.255.0 172.16.0.0 255.240.0.0 (hitcnt=6375) 0x1d83cbfc
access-list inside_access_in line 8 extended permit ip object Internet-Guest-Annexe any (hitcnt=6446725) 0x17e3d7cb
access-list inside_access_in line 8 extended permit ip 10.1.17.0 255.255.255.0 any (hitcnt=6446725) 0x17e3d7cb
access-list inside_access_in line 9 extended permit ip 10.1.11.0 255.255.255.0 host 5.5.5.1 (hitcnt=125) 0x52a2ee1d
access-list inside_access_in line 10 extended permit ip object-group DM_INLINE_NETWORK_4 172.16.0.0 255.240.0.0 (hitcnt=0) 0x01e74645
access-list inside_access_in line 10 extended permit ip host 10.1.11.1 172.16.0.0 255.240.0.0 (hitcnt=0) 0x4c7afb74
access-list inside_access_in line 10 extended permit ip host 10.1.11.2 172.16.0.0 255.240.0.0 (hitcnt=0) 0x43ae0660
access-list inside_access_in line 11 extended permit ip object-group DM_INLINE_NETWORK_14 any (hitcnt=107829) 0x341cad0c
access-list inside_access_in line 11 extended permit ip host 10.1.11.10 any (hitcnt=26790) 0x6a6bac63
access-list inside_access_in line 11 extended permit ip host 10.1.11.1 any (hitcnt=73150) 0x751f0645
access-list inside_access_in line 11 extended permit ip host 10.1.11.183 any (hitcnt=7889) 0x45d2ae65
access-list inside_access_in line 12 extended permit ip any any (hitcnt=13289) 0xa925365e
access-list outside_access_in; 24 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended deny object-group TCPUDP host 192.168.150.2 host 10.1.16.7 eq sip inactive (hitcnt=0) (inactive) 0x865a7845
access-list outside_access_in line 1 extended deny udp host 192.168.150.2 host 10.1.16.7 eq sip inactive (hitcnt=0) (inactive) 0x4dc05507
access-list outside_access_in line 1 extended deny tcp host 192.168.150.2 host 10.1.16.7 eq sip inactive (hitcnt=0) (inactive) 0xa50dc3d7
access-list outside_access_in line 2 extended permit ip object-group DM_INLINE_NETWORK_11 object-group DM_INLINE_NETWORK_2 (hitcnt=32152489) 0xebd09fbf
access-list outside_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.11.0 255.255.255.0 (hitcnt=785) 0xf711f91d
access-list outside_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.14.0 255.255.255.0 (hitcnt=1120) 0x0fe9ec1b
access-list outside_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.17.0 255.255.255.0 (hitcnt=2781) 0x7d999bd7
access-list outside_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.15.0 255.255.255.0 (hitcnt=3) 0x7be0b6c7
access-list outside_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.13.0 255.255.255.0 (hitcnt=0) 0xe5a3ecf9
access-list outside_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.12.0 255.255.255.0 (hitcnt=81) 0xb560da4f
access-list outside_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.16.0 255.255.255.0 (hitcnt=1106) 0x58b226bf
access-list outside_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.11.0 255.255.255.0 (hitcnt=1831669) 0x5a993778
access-list outside_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.14.0 255.255.255.0 (hitcnt=2257) 0x4faf90c7
access-list outside_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.17.0 255.255.255.0 (hitcnt=488229) 0xe8018521
access-list outside_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.15.0 255.255.255.0 (hitcnt=510) 0xca476dd5
access-list outside_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.13.0 255.255.255.0 (hitcnt=596) 0xa1037fbf
access-list outside_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.12.0 255.255.255.0 (hitcnt=21408) 0xcf765b03
access-list outside_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.16.0 255.255.255.0 (hitcnt=29652) 0xa840a04c
access-list outside_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.11.0 255.255.255.0 (hitcnt=23560603) 0xf49d924f
access-list outside_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.14.0 255.255.255.0 (hitcnt=504760) 0x9ab61939
access-list outside_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.17.0 255.255.255.0 (hitcnt=1432644) 0x86752b20
access-list outside_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.15.0 255.255.255.0 (hitcnt=133040) 0x8d7c6a2b
access-list outside_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.13.0 255.255.255.0 (hitcnt=2061311) 0x79a64ae5
access-list outside_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.12.0 255.255.255.0 (hitcnt=2006582) 0x0037cfab
access-list outside_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.16.0 255.255.255.0 (hitcnt=73353) 0x1f6662a3
access-list outside_access_in line 3 extended permit ip object Infra-WAN object Admin-Annexe (hitcnt=576182) 0x9e19c570
access-list outside_access_in line 3 extended permit ip 172.16.0.0 255.240.0.0 10.1.11.0 255.255.255.0 (hitcnt=576182) 0x9e19c570
access-list internet_access_in; 5 elements; name hash: 0x463c69d2
access-list internet_access_in line 1 extended permit icmp any any (hitcnt=646225) 0x637a0ab4
access-list internet_access_in line 2 extended permit ip object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_8 (hitcnt=91) 0x3f274fb9
access-list internet_access_in line 2 extended permit ip host 213.186.33.20 10.1.11.0 255.255.255.0 (hitcnt=82) 0x0aabb91e
access-list internet_access_in line 2 extended permit ip host 213.186.33.20 10.1.12.0 255.255.255.0 (hitcnt=1) 0x2885eeeb
access-list internet_access_in line 2 extended permit ip host 196.203.145.246 10.1.11.0 255.255.255.0 (hitcnt=8) 0xb5f545de
access-list internet_access_in line 2 extended permit ip host 196.203.145.246 10.1.12.0 255.255.255.0 (hitcnt=0) 0x412b1331
access-list outside2_access_in; 24 elements; name hash: 0x6ab55d5f
access-list outside2_access_in line 1 extended deny object-group TCPUDP host 192.168.150.2 host 10.1.16.7 eq sip inactive (hitcnt=0) (inactive) 0x8ee519f3
access-list outside2_access_in line 1 extended deny udp host 192.168.150.2 host 10.1.16.7 eq sip inactive (hitcnt=0) (inactive) 0xdaf9f39e
access-list outside2_access_in line 1 extended deny tcp host 192.168.150.2 host 10.1.16.7 eq sip inactive (hitcnt=0) (inactive) 0x892950d7
access-list outside2_access_in line 2 extended permit ip object-group DM_INLINE_NETWORK_10 object-group DM_INLINE_NETWORK_12 (hitcnt=367897) 0x33d4ecb3
access-list outside2_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.11.0 255.255.255.0 (hitcnt=0) 0xc196fdd3
access-list outside2_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.14.0 255.255.255.0 (hitcnt=0) 0xb7cea677
access-list outside2_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.17.0 255.255.255.0 (hitcnt=0) 0x9ec867c1
access-list outside2_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.15.0 255.255.255.0 (hitcnt=0) 0xf2e2ee68
access-list outside2_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.13.0 255.255.255.0 (hitcnt=0) 0x8dd7198c
access-list outside2_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.12.0 255.255.255.0 (hitcnt=0) 0x18e273b3
access-list outside2_access_in line 2 extended permit ip 172.16.15.0 255.255.255.0 10.1.16.0 255.255.255.0 (hitcnt=0) 0xa24b68fb
access-list outside2_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.11.0 255.255.255.0 (hitcnt=100914) 0x0c9f3d6a
access-list outside2_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.14.0 255.255.255.0 (hitcnt=216) 0x38e70b42
access-list outside2_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.17.0 255.255.255.0 (hitcnt=41823) 0x06a4ce4b
access-list outside2_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.15.0 255.255.255.0 (hitcnt=0) 0xea595bc0
access-list outside2_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.13.0 255.255.255.0 (hitcnt=121) 0x8aa884a9
access-list outside2_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.12.0 255.255.255.0 (hitcnt=142928) 0x211682db
access-list outside2_access_in line 2 extended permit ip 10.0.0.0 255.0.0.0 10.1.16.0 255.255.255.0 (hitcnt=707) 0x0a0a3b24
access-list outside2_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.11.0 255.255.255.0 (hitcnt=60003) 0xd7877bf4
access-list outside2_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.14.0 255.255.255.0 (hitcnt=806) 0xd5552cf5
access-list outside2_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.17.0 255.255.255.0 (hitcnt=4616) 0x5e9a85a3
access-list outside2_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.15.0 255.255.255.0 (hitcnt=228) 0x91524a60
access-list outside2_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.13.0 255.255.255.0 (hitcnt=408) 0x859e5f61
access-list outside2_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.12.0 255.255.255.0 (hitcnt=9579) 0xb4c55cf0
access-list outside2_access_in line 2 extended permit ip 192.168.0.0 255.255.0.0 10.1.16.0 255.255.255.0 (hitcnt=5548) 0xe2f594db
access-list outside2_access_in line 3 extended permit ip object Infra-WAN object Admin-Annexe (hitcnt=210) 0x77473a8e
access-list outside2_access_in line 3 extended permit ip 172.16.0.0 255.240.0.0 10.1.11.0 255.255.255.0 (hitcnt=210) 0x77473a8e
ASA# sh run access-group
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group internet_access_in in interface internet
access-group outside2_access_in in interface outside2
ASA#
11-03-2017 04:15 AM
It looks like the specific ACL line for your SIP traffic is set to inactive / disabled.
access-list inside_access_in line 1 extended deny ip host 10.1.16.7 host 192.168.150.2 (hitcnt=14) (inactive)
11-03-2017 04:21 AM
I am aware of that; I set it inactive after the test failed.
11-03-2017 05:14 AM
11-03-2017 05:26 AM
I am sure of that because:
1. The phone stays registered with CUCM1, which can be verified on the phone and via CUCM web interface;
2. Traffic passing through ASA is captured with ASDM packet capture.
11-03-2017 10:25 PM
It could be that the ASA already had an existing connection for the traffic after you applied the ACL entry for that phone. Due to the order of operations on the ASA, if there is an existing connection for that flow the ACL check is skipped. Might be an idea to clear any connections on the ASA for that phone IP, then test.
11-04-2017 12:45 AM
That should be it! I tried again this morning with the Branch ASA and after clearing the connections nothing passes through the appliance. Thanks a lot.
11-04-2017 05:51 AM
Good tip @GRANT3779
When changing an ACL, "clear conn" (or at least clear conn for the specific host(s) affected).
When changing NAT rules, "clear xlate".
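The order of operations from the accepted answer and the "clear conn" tip above, as an added example written for this thread (a toy Python model, not Cisco code or the ASA's real pipeline): a packet matching an existing connection is forwarded without re-checking the interface ACL, inactive ACEs are skipped, and clearing the connection is what makes a newly inserted deny take effect. Hosts are the thread's; the SIP port 5060 is a constructed demo value.

```python
# Toy model of the ASA behaviour discussed in this thread (added example,
# not Cisco code): a packet matching an existing connection is forwarded
# without re-checking the interface ACL, and "inactive" ACEs are skipped.
# Hosts are the thread's; the SIP port 5060 is constructed for the demo.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    src: str               # host IP or "any"
    dst: str               # host IP or "any"
    inactive: bool = False

    def matches(self, src, dst):
        return self.src in ("any", src) and self.dst in ("any", dst)

@dataclass
class StatefulFirewall:
    acl: list                                # ordered ACEs, first match wins
    conns: set = field(default_factory=set)  # established (src, dst, dport)

    def acl_lookup(self, src, dst):
        """First-match ACL evaluation with the implicit deny at the end."""
        for ace in self.acl:
            if ace.inactive:
                continue                     # disabled entries never match
            if ace.matches(src, dst):
                return ace.action
        return "deny"

    def process(self, src, dst, dport):
        """Return 'permit' or 'deny' for one packet."""
        key = (src, dst, dport)
        if key in self.conns:
            return "permit"                  # existing flow: ACL not re-checked
        verdict = self.acl_lookup(src, dst)
        if verdict == "permit":
            self.conns.add(key)              # admitted: record the connection
        return verdict

    def clear_conn(self, host):
        """Like 'clear conn address <host>': drop that host's connections."""
        self.conns = {c for c in self.conns if host not in c[:2]}

def demo():
    """Replay the thread: deny inserted while the phone's flow is established."""
    fw = StatefulFirewall(acl=[Ace("permit", "any", "any")])
    phone, cucm1 = "10.1.16.7", "192.168.150.2"
    before = fw.process(phone, cucm1, 5060)        # flow created
    fw.acl.insert(0, Ace("deny", phone, cucm1))     # new line 1
    while_established = fw.process(phone, cucm1, 5060)
    fw.clear_conn(phone)
    after_clear = fw.process(phone, cucm1, 5060)
    return before, while_established, after_clear
```

demo() returns ('permit', 'permit', 'deny'): the second packet still passes even though line 1 now denies it, and only after the connection is cleared is the ACL consulted again.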