08-14-2012 03:46 AM - edited 03-11-2019 04:42 PM
Hello,
I use the ASDM for lots of work on our ASA, but I want to start using the CLI to add access lists.
I just created a rule on the ASDM and looked at the syslog server and the command it used was:
access-list outside_access_in line 321 extended permit tcp object-group DM_INLINE_NETWORK_333 host 172.22.1.4 object-group DM_INLINE_TCP_87
On the ASDM all I did was create one rule containing 2 source IP's (192.168.1.10 and 192.168.168.1.20) to get to 172.22.1.4 on ports 80 and 443. How would I write this in CLI for one rule, as the ASA seems to create these strange DM_INLINE groups?
Thanks
08-14-2012 05:06 AM
Hi,
And to answer your actual question of how to write the rule on the CLI, you can do it in several ways.
Option 1.
access-list outside_access_in permit tcp host 192.168.1.10 host 172.22.1.4 eq 80
access-list outside_access_in permit tcp host 192.168.1.10 host 172.22.1.4 eq 443
access-list outside_access_in permit tcp host 192.168.1.20 host 172.22.1.4 eq 80
access-list outside_access_in permit tcp host 192.168.1.20 host 172.22.1.4 eq 443
Option 2.
object-group network HTTP-HTTPS-SOURCE (or any other descriptive name)
network-object host 192.168.1.10
network-object host 192.168.1.20
access-list outside_access_in permit tcp object-group HTTP-HTTPS-SOURCE host 172.22.1.4 eq 80
access-list outside_access_in permit tcp object-group HTTP-HTTPS-SOURCE host 172.22.1.4 eq 443
Option 3.
- This is basically what the ASDM did but with "ugly" object-group names
object-group network HTTP-HTTPS-SOURCE (or any other descriptive name)
network-object host 192.168.1.10
network-object host 192.168.1.20
object-group service HTTP-HTTPS tcp
port-object eq www
port-object eq https
access-list outside_access_in permit tcp object-group HTTP-HTTPS-SOURCE host 172.22.1.4 object-group HTTP-HTTPS
- Jouni
08-14-2012 04:55 AM
Hi,
DM_INLINE are object-groups created by the ASDM when you insert more than one IP/network/port into a section in the ASDM configurations
Best way to check what the ASDM does is to do the following
Open ASDM and open the "Tools" in the toolbar and click on "Preferences"
Now check the appropriate box to make it so that ASDM will always preview the CLI format of the configurations to you before sending to the device
Since you checked the inserted command from log I think you probably missed the messages about the ASA creating the object-groups.
Personally I never use ASDM for access rules. I always make the object-groups and ACLs on the CLI side. Same for NAT configurations.
Hope this was helpful
- Jouni
08-14-2012 06:17 AM
Probably the best reply I have ever had to a forum post, thanks very much!
I'm going to start using this. The only issue I have sometimes is finding access rules in the command line to edit as we have so many. Do you have any useful commands to use to locate an access list?
Thanks again
08-14-2012 06:37 AM
Hi,
Can you give some example situation where you are facing problems usually?
Here are some command I use when checking access-lists
Also if you are familiar with the packet-tracer on the ASDM side, you can use it on the CLI side too. With the command "packet-tracer". The format is as follows
packet-tracer input
When you issue the command the output on the CLI will mention the access-list line that the traffic matches, and this way it can help you locate some access-list statement, if you didn't already find it with the above commands.
Those are the things that I think of right now.
- Jouni
08-16-2012 03:42 AM
My apologies for the delay, I didn't get the auto email reply saying someone has replied.
This is really useful. The only issue I had was how to amend a rule on a line, for example I have loads of rules like this:
access-list inside_access_in line 177 extended permit tcp 192.168.20.0 255.255.254.0 10.20.30.0 255.255.255.0 eq 80
access-list inside_access_in line 177 extended permit tcp 192.168.20.0 255.255.254.0 10.20.30.0 255.255.255.0 eq 443
access-list inside_access_in line 177 extended permit tcp 192.168.20.0 255.255.254.0 10.20.30.0 255.255.255.0 eq 139
How would I add?
access-list inside_access_in line 177 extended permit tcp 192.168.20.0 255.255.254.0 10.20.30.0 255.255.255.0 eq 445
as it seemed to add it on a new line 178
Packet tracer is great, I use this a lot and packet capture, but I didn't know you can bind it to your local Wireshark; I normally export and import into Wireshark.
Thanks
08-16-2012 03:53 AM
Hi,
It seems to me that the 3 lines of ACL that you have copy pasted are actually part of a single ACE which contains object-groups
Notice the "line 177" in each of the lines.
Though still if you use the line number 177 with new configuration it should bump the old line 177 configuration to line 178
To start viewing the access-list in question from line 177 you can do this
show access-list inside_access_in | begin line 177
The first output line in the configuration should be the actual configuration that contains object-groups. If there's an object-group for the services/ports opened you might be able to add the line in question just by adding the port to the same group with the others (80, 139, 443).
If you need to add some network or remove some network from that line you need to modify the network-objects under the object-groups.
Also here's a small example of the situation I'm talking about above
object-group network LAN
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0
network-object 10.10.30.0 255.255.255.0
access-list TEST extended permit ip object-group LAN any
access-list TEST; 3 elements; name hash: 0xd37fdb2b
access-list TEST line 1 extended permit ip object-group LAN any 0xeb9e6e99
access-list TEST line 1 extended permit ip 10.10.10.0 255.255.255.0 any (hitcnt=0) 0x365de33c
access-list TEST line 1 extended permit ip 10.10.20.0 255.255.255.0 any (hitcnt=0) 0xc98d1b29
access-list TEST line 1 extended permit ip 10.10.30.0 255.255.255.0 any (hitcnt=0) 0x2a9982d3
access-list TEST; 2 elements; name hash: 0xd37fdb2b
access-list TEST line 1 extended permit ip object-group LAN any 0xeb9e6e99
access-list TEST line 1 extended permit ip 10.10.20.0 255.255.255.0 any (hitcnt=0) 0xc98d1b29
access-list TEST line 1 extended permit ip 10.10.30.0 255.255.255.0 any (hitcnt=0) 0x2a9982d3
- Jouni
08-16-2012 03:55 AM
Also I'm not sure how to search for this, but I used one of your search commands to find a rule that contained IP 192.168.20.90 and it didn't find it. But on the ASDM I noticed it was in a group, so I guess it would be in one of those DM_INLINE groups.
How would I search for an IP in a rule if it is hidden in one of those DM_INLINE groups?
Thanks
08-16-2012 03:59 AM
Hi,
If you use the "show access-list" format of the command it should open up all the object-groups in the ACL.
If you use the "show run access-list" format of the command it doesn't show the IP addresses under the object-groups.
Using the access-list I created in the above message as an example:
access-list TEST extended permit ip object-group LAN any
access-list TEST; 3 elements; name hash: 0xd37fdb2b
access-list TEST line 1 extended permit ip object-group LAN any 0xeb9e6e99
access-list TEST line 1 extended permit ip 10.10.10.0 255.255.255.0 any (hitcnt=0) 0x365de33c
access-list TEST line 1 extended permit ip 10.10.20.0 255.255.255.0 any (hitcnt=0) 0xc98d1b29
access-list TEST line 1 extended permit ip 10.10.30.0 255.255.255.0 any (hitcnt=0) 0x2a9982d3
- Jouni
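One way to do that search from a script rather than by eye, as an added example that is not part of the thread: parse the expanded "show access-list" output and report the ACL line whose source or destination covers a given IP, including addresses that only appear as members of a DM_INLINE group. The sample output is constructed for the example, and the hash values on its lines 2 and 3 are placeholders.

```python
import ipaddress
import re

# Constructed sample of "show access-list" output (expanded form seen in the thread);
# the 0x11.., 0x22.., 0x33.. hashes are made-up placeholders.
SAMPLE = """\
access-list TEST; 4 elements; name hash: 0xd37fdb2b
access-list TEST line 1 extended permit ip object-group LAN any 0xeb9e6e99
access-list TEST line 1 extended permit ip 10.10.10.0 255.255.255.0 any (hitcnt=0) 0x365de33c
access-list TEST line 1 extended permit ip 10.10.20.0 255.255.255.0 any (hitcnt=0) 0xc98d1b29
access-list TEST line 2 extended permit tcp object-group DM_INLINE_NETWORK_1 host 172.22.1.4 eq 443 0x11111111
access-list TEST line 2 extended permit tcp host 192.168.20.90 host 172.22.1.4 eq 443 (hitcnt=4) 0x22222222
access-list TEST line 3 extended deny tcp 192.168.20.0 255.255.254.0 range 1024 65535 10.20.30.0 255.255.255.0 eq 445 (hitcnt=0) 0x33333333
"""
ACE_RE = re.compile(r"^access-list (\S+) line (\d+) extended (permit|deny) (\S+) (.*)$")
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}  # operator -> argument count

def parse_network(tokens, i):
    """Consume one address spec at tokens[i] -> (network, or None for 'any', next index)."""
    if tokens[i] in ("any", "any4", "any6"):
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network((tokens[i], tokens[i + 1]), strict=False), i + 2  # "addr mask"

def skip_ports(tokens, i):
    """Step over an optional source-port operator (eq/neq/gt/lt/range)."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        return i + 1 + PORT_OPS[tokens[i]]
    return i

def find_ip(output, ip):
    """Return [(acl, line, 'src'|'dst', network)] for expanded ACEs covering ip."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for raw in output.splitlines():
        m = ACE_RE.match(raw)
        if not m:
            continue  # "N elements; name hash" summary lines
        acl, line, _action, _proto, rest = m.groups()
        tokens = rest.split()
        if "object-group" in tokens or "object" in tokens:
            continue  # unexpanded parent ACE; its members follow on their own lines
        src, i = parse_network(tokens, 0)
        dst, _ = parse_network(tokens, skip_ports(tokens, i))
        for role, net in (("src", src), ("dst", dst)):
            if net is not None and addr in net:
                hits.append((acl, int(line), role, str(net)))
    return hits
```

Catch-all "any" entries are deliberately not reported, so the output names only the lines where the address is listed explicitly or covered by a specific subnet.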