Global Implicit Rule
11-25-2011 09:09 AM - edited 03-11-2019 02:55 PM
Hello,
I have a Global Implicit Rule problem with my Cisco ASA 5510. Here's my configuration:
I created a PAT translation so that my web server (group LAN Network) could be accessed from the Internet.
Although every rule seems to be OK, I get a "tcp deny access" when I try to telnet to my public IP on port 80 (ping is OK).
Why is there only one Global Implicit Rule, and not one for each interface (like in the older versions of the ASA OS)?
Do you think my problem comes from this rule?
Thanks!
Labels: NGFW Firewalls

11-25-2011 09:39 AM
Hi Arnaud,
There is always an implicit deny when going from a lower-security interface to a higher-security interface, so on your outside interface, if you don't explicitly allow the traffic, it will always be dropped. On your inside interface you will find the implicit allow ACL, which means traffic is permitted without any ACL as well. Can you share the access-list that you have on your outside interface and the server IP address?
Thanks,
Varun
Varun Rao
11-28-2011 12:22 AM
Thank you Varun,
You're right, I forgot to mention that the Outside interface has the lowest security level (0), the DMZ has 50, and the LAN interface has 100.
However, don't you think I explicitly allow traffic from Outside to Inside using this rule (WAN)?
Any LAN-Network/24 tcp permit
Thanks,
Arnaud
11-28-2011 12:56 AM
Hi,
It depends which version of the OS you're using: if it is pre-8.3 then you must specify the NATted public address, and if it is 8.3 or later then you must specify the inside address that is NATted.
Apparently you got no hits for this rule, so maybe you are in the former case.
Regards.
Alain
11-28-2011 03:01 AM
Thank you.
Here's my config file:
Result of the command: "sh run"
: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
enable password uDm2BNQeKvj9OKzj encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif WAN
security-level 0
ip address x.x.x.x 255.255.255.240
!
interface Ethernet0/1
nameif LAN
security-level 100
ip address 172.16.16.254 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 10.0.0.254 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object network redirection_Tse
host 172.16.16.1
object service srv_RDP
service tcp source eq 3389 destination eq 3389
object network x.x.x.x
host x.x.x.x
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service tse tcp
port-object eq 3389
access-list DMZ_access_in extended permit ip any any inactive
access-list DMZ_access_in extended permit icmp any any echo-reply inactive
access-list WAN_access_in extended permit icmp any any echo-reply inactive
access-list WAN_access_in extended permit tcp any interface WAN eq www inactive
access-list WAN_access_in extended permit tcp any object redirection_Tse eq www inactive
access-list LAN_access_in extended permit tcp any interface LAN eq www inactive
access-list LAN_access_in extended permit ip any any inactive
access-list LAN_access_in extended permit icmp any any echo-reply inactive
access-list global_access extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu DMZ 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (LAN,WAN) source dynamic any interface
nat (DMZ,WAN) source dynamic any interface
!
object network redirection_Tse
nat (LAN,WAN) static interface service tcp www www
access-group WAN_access_in in interface WAN
access-group LAN_access_in in interface LAN
access-group DMZ_access_in in interface DMZ
access-group global_access global
route WAN 0.0.0.0 0.0.0.0 x1.x1.x1.x1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username renault.adm password 8I/4o9tSbGqZ0RHm encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8867a21d9945a0e425ecfe54201e18d6
: end
As you can see, I deleted all access rules and only left a global one on all interfaces:
any any ip permit
And here's the result I get:
http://img707.imageshack.us/img707/1328/sanstitre2bu.jpg
Thank you.
11-28-2011 04:33 AM
Hi,
access-list WAN_access_in extended permit icmp any any echo-reply inactive
So all these lines are inactive and therefore not taken into account, so the implicit deny is hit on these ACLs.
Taken from the configuration guide:
You can configure global access rules in conjunction with interface access rules, in which case, the specific interface access rules are always processed before the general global access rules.
Regards.
Alain
11-28-2011 05:07 AM
Yes, I know that; I inactivated all the rules on purpose, and then I added the global rule (last line of the access list):
access-list global_access extended permit ip any any
so that the firewall permits any connection on any interface.
But it still doesn't work.
Thanks for your help.
11-28-2011 05:53 AM
Hi,
No, you didn't inactivate all the rules: you're missing the default implicit deny all at the end of each access-list.
And as the interface ACL is parsed before the global one, you are dropping your packets.
Regards.
Alain
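The two points made in this thread so far, that on 8.3+ an access-list must name the real (pre-NAT) address rather than the mapped one (the 11-28-2011 12:56 AM reply), and that the interface ACL is processed before the global ACL while an "inactive" line is simply skipped (the reply above), can be checked offline. The Python below is an added example for this thread; it is not Cisco code and not the poster's. It parses the relevant lines of the posted configuration (a constructed excerpt) and walks them the way the ASA would for an inbound HTTP connection to the web server. The processing order it assumes is interface ACL, then global ACL, then a single implicit deny, which is the order Cisco's access-rules documentation gives for global access rules and is also why ASDM shows only one "Global Implicit Rule"; a flag switches to the reading in the reply above (an implicit deny at the end of every interface ACL) so the two readings can be compared. The corrected variant FIXED is also constructed: it activates the rule that names object redirection_Tse (the real 172.16.16.1) and leaves the "interface WAN" line active to show that, on 8.3+, a rule written against the mapped address is passed over.

```python
"""Model ASA 8.3+ access-rule evaluation for one inbound connection.

Added example for this thread, not Cisco code.  Parses access-list /
access-group / 'object network' lines from a 'show run' excerpt and reports
which line decides a packet's fate, which lines were skipped as 'inactive',
and whether the global ACL was reached.  Assumptions (not from the thread):
address specs are any / host / object / interface only, and the ACL sees the
real (un-NATted) destination, the 8.3+ behaviour described in the thread.
"""
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23}


@dataclass
class Ace:
    action: str           # permit / deny
    proto: str            # ip / tcp / udp / icmp
    dst: str              # 'any', 'host A.B.C.D', 'object NAME', 'interface IFC'
    dport: Optional[int]  # port after 'eq', or None
    inactive: bool
    text: str


def _take_addr(tok, i):
    """Consume one address spec at tok[i]; return (spec, next index)."""
    if tok[i] in ("host", "object", "object-group", "interface"):
        return " ".join(tok[i:i + 2]), i + 2
    return tok[i], i + 1                                   # 'any'


def _parse_ace(tok, line):
    # access-list NAME extended ACTION PROTO SRC DST [eq PORT] [inactive]
    _, i = _take_addr(tok, 5)                              # source: unused here
    dst, i = _take_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(tok[3], tok[4], dst, dport, tok[-1] == "inactive", line)


def parse_config(text):
    """Return (objects, acls, bindings, global_acl) from a 'show run' excerpt."""
    objects, acls, bindings, global_acl, obj = {}, {}, {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        tok = line.split()
        if tok[:2] == ["object", "network"]:
            obj = tok[2]
        elif tok[0] == "host" and obj:
            objects[obj] = tok[1]
        elif tok[0] == "access-list" and tok[2] == "extended":
            acls.setdefault(tok[1], []).append(_parse_ace(tok, line))
        elif tok[0] == "access-group" and tok[-1] == "global":
            global_acl = tok[1]
        elif tok[0] == "access-group":                     # NAME in interface IFC
            bindings[tok[4]] = tok[1]
    return objects, acls, bindings, global_acl


def _matches(ace, objects, proto, dst_ip, dport):
    if ace.proto not in ("ip", proto) or ace.dport not in (None, dport):
        return False
    kind, _, arg = ace.dst.partition(" ")
    if kind == "host":
        return arg == dst_ip
    if kind == "object":
        return objects.get(arg) == dst_ip
    # 'interface WAN' is the mapped (public) address; on 8.3+ the ACL sees the
    # real address after un-NAT, so that pre-8.3 style line never matches.
    return kind == "any"


def evaluate(text, iface, proto, dst_ip, dport, deny_per_interface_acl=False):
    """Interface ACL first, then the global ACL, then one implicit deny.

    deny_per_interface_acl=True models the other reading given in the thread:
    an implicit deny at the end of every interface ACL, so the global ACL is
    never consulted on an interface that has an ACL bound.
    """
    objects, acls, bindings, global_acl = parse_config(text)
    skipped = []
    for name in (bindings.get(iface), global_acl):
        for ace in acls.get(name, []):
            if ace.inactive:
                skipped.append(ace.text)
            elif _matches(ace, objects, proto, dst_ip, dport):
                return {"verdict": ace.action, "by": ace.text, "skipped": skipped}
        if deny_per_interface_acl and name not in (None, global_acl):
            return {"verdict": "deny", "by": f"implicit deny at end of {name}",
                    "skipped": skipped}
    return {"verdict": "deny", "by": "implicit deny after global ACL", "skipped": skipped}


# Constructed excerpt of the posted 8.3(1) configuration (only the lines used).
POSTED = """
object network redirection_Tse
 host 172.16.16.1
access-list WAN_access_in extended permit icmp any any echo-reply inactive
access-list WAN_access_in extended permit tcp any interface WAN eq www inactive
access-list WAN_access_in extended permit tcp any object redirection_Tse eq www inactive
access-list global_access extended permit ip any any
access-group WAN_access_in in interface WAN
access-group global_access global
"""

# Constructed corrected variant: both www lines become active; the one naming
# the real address (object redirection_Tse) is the one that should match.
FIXED = POSTED.replace(" eq www inactive", " eq www")

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        for per_if in (False, True):
            r = evaluate(cfg, "WAN", "tcp", "172.16.16.1", 80, per_if)
            print(f"{label} per-interface-deny={per_if}: {r['verdict']} by {r['by']} "
                  f"({len(r['skipped'])} inactive lines skipped)")
```

Run as a script it prints, for each configuration and each reading of the implicit deny, which line decided the packet. On the posted configuration every WAN line is skipped as inactive, so the verdict depends entirely on where the implicit deny sits; on the corrected one the object line matches under both readings while the "interface WAN" line never does. On the firewall itself the equivalent checks are "show access-list WAN_access_in", which shows the hit count per line, and "packet-tracer input WAN tcp <src-ip> <src-port> <mapped-ip> 80", which reports the exact phase in which a packet is dropped.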
11-28-2011 07:24 AM
This default implicit "deny all" does not appear in the configuration?
How should I proceed then, to allow every connection temporarily?
Thank you for your help.
11-28-2011 07:45 AM
Hi,
Don't apply the interface ACL to the outside interface.
Regards.
Alain
11-28-2011 08:03 AM
You mean the security level?
Here's a new test configuration:
http://img408.imageshack.us/img408/568/sanstitre3xmz.jpg
Still doesn't work.
11-28-2011 08:08 AM
Hi,
Explain what test is failing and what sh access-list outputs.
You can also do a packet-tracer or capture packets to see where the problem resides.
Regards.
Alain
11-28-2011 09:03 AM
I put a server on the 172.16.16.0/24 interface (172.16.16.1). I activated NAT for this server ==> success, it connects to any website.
But if I try to connect to its port 80 (it's a web server), although PAT is activated (see config file), I get a "tcp deny access" on the ASA.
I'll try sh access-list tomorrow.
Thanks.
