Hi All ... Guide me to control traffic using ACL

pawanharlecisco
Level 1

Hi,

Please take a look at the topology attached herewith.

I want to deny the LAN IP addresses of the Manewada Router listed below from accessing the Server connected to the L3 switch.

Source          Destination     Action
172.16.1.0      172.16.99.0     Deny
172.16.2.0      172.16.90.0     Deny
172.16.3.0      172.16.90.0     Deny
172.16.4.0      172.16.90.0     Deny
172.16.99.0     172.16.1.0      Permit
172.16.99.0     172.16.1.0      Permit
172.16.99.0     172.16.3.0      Permit
172.16.99.0     172.16.4.0      Permit
Any             Any             Permit

I did the configuration below, but it is blocking two-way traffic ...

Please help me to solve this issue.

!
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.16.222.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.16.111.2 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list branch-ctrl extended permit ip 172.16.99.0 255.255.255.0 any
access-list branch-ctrl extended deny icmp 172.16.1.0 255.255.255.0 172.16.99.0 255.255.255.0
access-list branch-ctrl extended deny icmp 172.16.2.0 255.255.255.0 172.16.99.0 255.255.255.0
access-list branch-ctrl extended deny icmp 172.16.3.0 255.255.255.0 172.16.99.0 255.255.255.0
access-list branch-ctrl extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group branch-ctrl in interface outside
!
router ospf 1
 network 172.16.111.0 255.255.255.0 area 0
 network 172.16.222.0 255.255.255.0 area 0
 log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f1cb9b8578dc3e36f453a9cd616db34a
: end

Accepted Solution

mirober2
Cisco Employee

Hi Pawan,

Your ACL should look like this:

access-list branch-ctrl extended deny icmp 172.16.1.0 255.255.255.0 172.16.99.0 255.255.255.0
access-list branch-ctrl extended deny icmp 172.16.2.0 255.255.255.0 172.16.99.0 255.255.255.0
access-list branch-ctrl extended deny icmp 172.16.3.0 255.255.255.0 172.16.99.0 255.255.255.0
access-list branch-ctrl extended permit ip any any
access-group branch-ctrl in interface outside

You also need to add this configuration:

policy-map global_policy
 class inspection_default
  inspect icmp

This will meet all of your requirements. Inbound ICMP traffic from the remote networks will be denied, but your internal servers will still be able to send ICMP traffic to the remote networks. The ICMP inspection will dynamically allow the return traffic through the ACL, only when your internal servers initiate the request.

Hope that helps.

-Mike

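The behaviour Mike describes, as an added model that is not part of the original thread: the outside interface's ACL is evaluated first-match, and with "inspect icmp" an echo request leaving the inside creates state that lets exactly one matching echo reply back in before the ACL is consulted, whereas without inspection the reply hits the deny line (the "two-way" blocking from the question). The ACL below is Mike's, the hosts and ICMP identifiers are constructed, and the model also shows that a 172.16.4.0 source is not covered by the three deny lines.

```python
from ipaddress import ip_address, ip_network

# branch-ctrl as Mike wrote it, in order: (action, protocol, source, destination)
BRANCH_CTRL = [
    ("deny",   "icmp", "172.16.1.0/24", "172.16.99.0/24"),
    ("deny",   "icmp", "172.16.2.0/24", "172.16.99.0/24"),
    ("deny",   "icmp", "172.16.3.0/24", "172.16.99.0/24"),
    ("permit", "ip",   "0.0.0.0/0",     "0.0.0.0/0"),
]


def acl_lookup(acl, proto, src, dst):
    """First matching entry wins; an ACL with no match denies implicitly."""
    for action, p, s, d in acl:
        if p in ("ip", proto) and ip_address(src) in ip_network(s) \
                and ip_address(dst) in ip_network(d):
            return action
    return "deny"


class OutsideInterface:
    """Inbound ACL on 'outside' plus the echo state kept by 'inspect icmp'."""

    def __init__(self, acl, inspect_icmp):
        self.acl = acl
        self.inspect_icmp = inspect_icmp
        self.pending = set()  # (inside_host, outside_host, icmp_id) awaiting a reply

    def echo_out(self, src, dst, icmp_id):
        # inside -> outside is not filtered by branch-ctrl (it is bound inbound on
        # outside). With inspection enabled the request is recorded so that one
        # matching reply may return.
        if self.inspect_icmp:
            self.pending.add((src, dst, icmp_id))
        return "permit"

    def icmp_in(self, src, dst, icmp_type, icmp_id):
        # A reply matching a recorded request is passed on connection state and
        # never reaches the ACL; the state is consumed so it cannot be reused.
        key = (dst, src, icmp_id)
        if icmp_type == "echo-reply" and key in self.pending:
            self.pending.remove(key)
            return "permit"
        # Everything else (new requests, replies without inspection) hits the ACL.
        return acl_lookup(self.acl, "icmp", src, dst)
```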

2 Replies


Hi Mr. Mike,

Thanks for the help. It has been done successfully by using your suggestion.

Thanks

Pawan
