hi...help in asa

pawanharlecisco
Level 1

Hi ,

Please go through the topology attached herewith.

I have configured the ASA in transparent mode. At present all traffic is allowed in both directions.

My purpose is to deny traffic for the following Ip address.

source 172.16.1.0 destination 172.16.99.0  action deny

source 172.16.1.0 destination 172.16.100.0  action deny

source 172.16.2.0 destination 172.16.99.0  action deny

source 172.16.2.0 destination 172.16.100.0 action deny

but

source 172.16.99.0 destination 172.16.1.0  action permit

source 172.16.99.0 destination 172.16.1.0  action permit

source 172.16.99.0 destination 172.16.2.0  action permit

source 172.16.99.0 destination 172.16.2.0 action permit

...

Sh run of ASA...

firewall transparent

hostname ASA

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Ethernet0

nameif outside

security-level 0

!

interface Ethernet1

nameif inside

security-level 100

!

interface Ethernet2

shutdown

no nameif

no security-level

!

interface Ethernet3

shutdown

no nameif

no security-level

!

interface Ethernet4

shutdown

no nameif

no security-level

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list branch-ctrl extended permit ip any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address 172.16.222.2 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

access-group branch-ctrl in interface outside

route outside 0.0.0.0 0.0.0.0 172.16.222.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

!

!

prompt hostname context

Cryptochecksum:c7cc84788cd9e6bd6104499c6a33d2c6

: end

ASA#

Pawan...

15 Replies

varrao
Level 10

Hi Pawan,

Yes, you can use the access-list to filter the traffic on the interface; there should not be an issue. What is the flow of traffic, from which interface to which interface are you going?

Thanks,

Varun

Thanks,
Varun Rao

Thanks Varun Sir,

From outside to inside traffic.

Then your access-list would be:

access-list branch-ctrl deny ip 172.16.1.0 255.255.255.0 172.16.99.0 255.255.255.0

access-list branch-ctrl deny ip 172.16.1.0 255.255.255.0 172.16.100.0 255.255.255.0

.

.

access-list branch-ctrl deny ip 172.16.2.0 255.255.255.0 172.16.100.0 255.255.255.0

access-group branch-ctrl in interface outside

Then you need to delete the ip any any access-list on the outside interface and then add it again, so that it gets added at the bottom of the access-list.

You can check it by show access-list

Moreover inside to outside would be permitted by default, so no ACL required for it.

Hope this was helpful.

Thanks,

Varun

Thanks,
Varun Rao

Thanks sir,

As per your suggestion, I have applied the ACL, but communication is still going on... Please find the sh run after the ACL was applied.

firewall transparent

hostname ASA

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Ethernet0

nameif outside

security-level 0

!

interface Ethernet1

nameif inside

security-level 100

!

interface Ethernet2

shutdown

no nameif

no security-level

!

interface Ethernet3

shutdown

no nameif

no security-level

!

interface Ethernet4

shutdown

no nameif

no security-level

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list branch-ctrl extended deny ip 172.16.1.0 255.255.255.0 172.16.99.0 255.255.255.0

access-list branch-ctrl extended deny ip 172.16.1.0 255.255.255.0 172.16.100.0 255.255.255.0

access-list branch-ctrl extended deny ip 172.16.2.0 255.255.255.0 172.16.100.0 255.255.255.0

access-list branch-ctrl extended permit ip any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address 172.16.222.2 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

access-group branch-ctrl in interface outside

route outside 0.0.0.0 0.0.0.0 172.16.222.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

!

!

prompt hostname context

Cryptochecksum:c7cc84788cd9e6bd6104499c6a33d2c6

: end

What happens if you remove, ip any any???

-Varun

Thanks,
Varun Rao

If I remove permit ip any any, then all communication stops working...

and in sh access-list there is no hit...

Can you run this tracer:

packet-tracer input outside tcp 172.16.1.50 2345 172.16.99.55 80 detailed

-Varun

Thanks,
Varun Rao

Actually my ASA is in transparent mode, that's why the packet-tracer command is not working...

Please help.....

Hi Pawan,

To troubleshoot this further, we need to take captures on the firewall and check if the packets are coming with the IP address that has been denied on the FW, because I don't think that the firewall would allow the traffic if it has already been denied.

To take the captures:

https://supportforums.cisco.com/docs/DOC-1222

Can you also provide the output of:

show access-list branch-ctrl

Thanks,

Varun

Thanks,
Varun Rao

Thanks sir,

The output is

ASA# sh access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

            alert-interval 300

access-list branch-ctrl; 3 elements

access-list branch-ctrl line 1 extended deny ip 172.16.1.0 255.255.255.0 172.16.99.0 255.255.255.0 (hitcnt=0) 0x8cfdcb7b

access-list branch-ctrl line 2 extended deny ip 172.16.1.0 255.255.255.0 172.16.100.0 255.255.255.0 (hitcnt=0) 0x233949c5

access-list branch-ctrl line 3 extended deny ip 172.16.2.0 255.255.255.0 172.16.100.0 255.255.255.0 (hitcnt=0) 0x9e85e14b

Hi Varun sir,

As you suggested, I took the capture. Please find the sh run and captured packets below, and help me sir.

firewall transparent

hostname ASA

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Ethernet0

nameif outside

security-level 0

!

interface Ethernet1

nameif inside

security-level 0

!

interface Ethernet2

shutdown

no nameif

no security-level

!

interface Ethernet3

shutdown

no nameif

no security-level

!

interface Ethernet4

shutdown

no nameif

no security-level

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

same-security-traffic permit inter-interface

access-list branch-ctrl extended permit ip host 172.16.1.200 172.16.99.0 255.255.255.0

access-list branch-ctrl extended permit ip 172.16.99.0 255.255.255.0 host 172.16.1.200

access-list branch-ctrl extended deny ip any any

pager lines 24

mtu outside 1500

mtu inside 1500

ip address 172.16.222.2 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

route outside 0.0.0.0 0.0.0.0 172.16.222.1 1

route inside 172.16.99.0 255.255.255.0 172.16.222.222 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

!

!

prompt hostname context

Cryptochecksum:c7cc84788cd9e6bd6104499c6a33d2c6

: end

ASA#

Capture Output.

108 packets captured

   1: 10:35:18.910536 172.16.222.222 > 224.0.0.5:  ip-proto-89, length 60

   2: 10:35:18.910597 172.16.222.222 > 224.0.0.5:  ip-proto-89, length 60

   3: 10:35:20.301742 802.3 encap packet

   4: 10:35:22.167960 172.16.222.1 > 224.0.0.5:  ip-proto-89, length 48

   5: 10:35:22.168036 172.16.222.1 > 224.0.0.5:  ip-proto-89, length 48

   6: 10:35:22.259584 802.3 encap packet

   7: 10:35:24.263566 802.3 encap packet

   8: 10:35:26.249712 802.3 encap packet

   9: 10:35:28.199834 802.3 encap packet

  10: 10:35:28.802479 172.16.222.222 > 224.0.0.5:  ip-proto-89, length 60

  11: 10:35:28.802540 172.16.222.222 > 224.0.0.5:  ip-proto-89, length 60

  12: 10:35:30.037672 802.3 encap packet

  13: 10:35:31.439491 172.16.222.1 > 224.0.0.5:  ip-proto-89, length 48

  14: 10:35:31.439567 172.16.222.1 > 224.0.0.5:  ip-proto-89, length 48

  15: 10:35:31.448569 802.3 encap packet

  16: 10:35:33.043042 802.3 encap packet

  17: 10:35:34.586288 802.3 encap packet

  18: 10:35:36.173376 802.3 encap packet

  19: 10:35:36.627744 172.16.222.222 > 224.0.0.5:  ip-proto-89, length 60

  20: 10:35:36.627805 172.16.222.222 > 224.0.0.5:  ip-proto-89, length 60

  21: 10:35:37.861985 802.3 encap packet

  22: 10:35:39.460913 172.16.222.1 > 224.0.0.5:  ip-proto-89, length 48

  23: 10:35:39.460989 172.16.222.1 > 224.0.0.5:  ip-proto-89, length 48

  24: 10:35:39.499791 802.3 encap packet

  25: 10:35:41.167273 802.3 encap packet

  26: 10:35:41.930936 802.3 encap packet

  27: 10:35:42.771246 802.3 encap packet

  28: 10:35:44.415139 802.3 encap packet

  29: 10:35:44.851426 172.16.222.222 > 224.0.0.5:  ip-proto-89, length 60

  30: 10:35:44.851503 172.16.222.222 > 224.0.0.5:  ip-proto-89, length 60

  31: 10:35:46.004623 802.3 encap packet

  32: 10:35:47.432899 802.3 encap packet

  33: 10:35:47.432976 172.16.222.1 > 224.0.0.5:  ip-proto-89, length 48

  34: 10:35:47.433037 172.16.222.1 > 224.0.0.5:  ip-proto-89, length 48

  35: 10:35:48.498646 802.3 encap packet

  36: 10:35:50.045438 802.3 encap packet

  37: 10:35:51.588501 802.3 encap packet

  38: 10:35:52.001266 172.16.222.222 > 224.0.0.5:  ip-proto-89, length 60

  39: 10:35:52.001327 172.16.222.222 > 224.0.0.5:  ip-proto-89, length 60

  40: 10:35:53.080989 802.3 encap packet

  41: 10:35:53.372295 802.3 encap packet

  42: 10:35:54.749289 802.3 encap packet

  43: 10:35:54.789982 172.16.222.1 > 224.0.0.5:  ip-proto-89, length 48

  44: 10:35:54.790059 172.16.222.1 > 224.0.0.5:  ip-proto-89, length 48

  45: 10:35:56.752921 802.3 encap packet

  46: 10:35:58.738365 802.3 encap packet

  47: 10:36:00.681147 802.3 encap packet

  48: 10:36:01.231616 172.16.222.222 > 224.0.0.5:  ip-proto-89, length 60

  49: 10:36:01.231677 172.16.222.222 > 224.0.0.5:  ip-proto-89, length 60

  50: 10:36:02.658642 802.3 encap packet

  51: 10:36:04.628156 802.3 encap packet

  52: 10:36:04.668163 172.16.222.1 > 224.0.0.5:  ip-proto-89, length 48

  53: 10:36:04.668239 172.16.222.1 > 224.0.0.5:  ip-proto-89, length 48

  54: 10:36:06.658321 802.3 encap packet

  55: 10:36:08.618437 802.3 encap packet

  56: 10:36:10.606551 802.3 encap packet

  57: 10:36:11.058544 172.16.222.222 > 224.0.0.5:  ip-proto-89, length 60

  58: 10:36:11.058605 172.16.222.222 > 224.0.0.5:  ip-proto-89, length 60

  59: 10:36:12.540957 802.3 encap packet

  60: 10:36:14.472921 10.10.1.2 > 172.16.99.1: icmp: echo request

  61: 10:36:14.473287 10.10.1.2 > 172.16.99.1: icmp: echo request

  62: 10:36:14.482305 802.3 encap packet

  63: 10:36:14.516818 172.16.99.1 > 10.10.1.2: icmp: echo reply

  64: 10:36:14.517108 172.16.99.1 > 10.10.1.2: icmp: echo reply

  65: 10:36:14.517261 172.16.222.1 > 224.0.0.5:  ip-proto-89, length 48

  66: 10:36:14.517291 172.16.222.1 > 224.0.0.5:  ip-proto-89, length 48

  67: 10:36:14.579727 10.10.1.2 > 172.16.99.1: icmp: echo request

  68: 10:36:14.579834 10.10.1.2 > 172.16.99.1: icmp: echo request

  69: 10:36:14.608839 172.16.99.1 > 10.10.1.2: icmp: echo reply

  70: 10:36:14.608946 172.16.99.1 > 10.10.1.2: icmp: echo reply

  71: 10:36:14.648648 10.10.1.2 > 172.16.99.1: icmp: echo request

  72: 10:36:14.648754 10.10.1.2 > 172.16.99.1: icmp: echo request

  73: 10:36:14.672725 172.16.99.1 > 10.10.1.2: icmp: echo reply

  74: 10:36:14.672816 172.16.99.1 > 10.10.1.2: icmp: echo reply

  75: 10:36:14.742789 10.10.1.2 > 172.16.99.1: icmp: echo request

  76: 10:36:14.742896 10.10.1.2 > 172.16.99.1: icmp: echo request

  77: 10:36:14.772146 172.16.99.1 > 10.10.1.2: icmp: echo reply

  78: 10:36:14.772237 172.16.99.1 > 10.10.1.2: icmp: echo reply

  79: 10:36:14.848649 10.10.1.2 > 172.16.99.1: icmp: echo request

  80: 10:36:14.848756 10.10.1.2 > 172.16.99.1: icmp: echo request

  81: 10:36:14.868637 172.16.99.1 > 10.10.1.2: icmp: echo reply

  82: 10:36:14.868729 172.16.99.1 > 10.10.1.2: icmp: echo reply

  83: 10:36:16.463766 802.3 encap packet

  84: 10:36:17.078822 10.10.1.2 > 172.16.99.1: icmp: echo request

  85: 10:36:17.079112 10.10.1.2 > 172.16.99.1: icmp: echo request

  86: 10:36:17.120507 172.16.99.1 > 10.10.1.2: icmp: echo reply

  87: 10:36:17.120812 172.16.99.1 > 10.10.1.2: icmp: echo reply

  88: 10:36:17.145744 10.10.1.2 > 172.16.99.1: icmp: echo request

  89: 10:36:17.145866 10.10.1.2 > 172.16.99.1: icmp: echo request

  90: 10:36:17.185781 172.16.99.1 > 10.10.1.2: icmp: echo reply

  91: 10:36:17.185888 172.16.99.1 > 10.10.1.2: icmp: echo reply

  92: 10:36:17.248796 10.10.1.2 > 172.16.99.1: icmp: echo request

  93: 10:36:17.248919 10.10.1.2 > 172.16.99.1: icmp: echo request

  94: 10:36:17.283585 172.16.99.1 > 10.10.1.2: icmp: echo reply

  95: 10:36:17.283707 172.16.99.1 > 10.10.1.2: icmp: echo reply

  96: 10:36:17.349850 10.10.1.2 > 172.16.99.1: icmp: echo request

  97: 10:36:17.349957 10.10.1.2 > 172.16.99.1: icmp: echo request

  98: 10:36:17.383540 172.16.99.1 > 10.10.1.2: icmp: echo reply

  99: 10:36:17.383662 172.16.99.1 > 10.10.1.2: icmp: echo reply

100: 10:36:17.448814 10.10.1.2 > 172.16.99.1: icmp: echo request

101: 10:36:17.448920 10.10.1.2 > 172.16.99.1: icmp: echo request

102: 10:36:17.468878 172.16.99.1 > 10.10.1.2: icmp: echo reply

103: 10:36:17.468969 172.16.99.1 > 10.10.1.2: icmp: echo reply

104: 10:36:18.448844 802.3 encap packet

105: 10:36:20.394968 802.3 encap packet

106: 10:36:20.898925 172.16.222.222 > 224.0.0.5:  ip-proto-89, length 60

107: 10:36:20.898986 172.16.222.222 > 224.0.0.5:  ip-proto-89, length 60

108: 10:36:22.370738 802.3 encap packet

108 packets shown

Hello Varun sir,

         Please see the captured output and help me..

Regards

pawan

Hi,

The captures do not seem to have anything pertinent in them. With the ACL applied, are you able to ping from 172.16.1.0 to 172.16.99.0?

Regards,

Prapanch
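As an added illustration (not code from the thread, from Cisco, or from any poster), here is a small Python model of the ASA's first-match ACL evaluation, run over the access-list lines posted above. It reproduces the two diagnostic points raised in the thread: deny entries that sit below permit ip any any never match, as Varun explained, and the hit counters stay at 0 when the traffic in the capture (10.10.1.2 to 172.16.99.1) does not come from any of the denied subnets. The parser, the hit-count replay and the sample flows are constructed for this example.

```python
import ipaddress

# Access-list entries exactly as posted in the thread, in the order they were first added.
ACL_AFTER_APPEND = [
    "access-list branch-ctrl extended permit ip any any",
    "access-list branch-ctrl extended deny ip 172.16.1.0 255.255.255.0 172.16.99.0 255.255.255.0",
    "access-list branch-ctrl extended deny ip 172.16.1.0 255.255.255.0 172.16.100.0 255.255.255.0",
    "access-list branch-ctrl extended deny ip 172.16.2.0 255.255.255.0 172.16.100.0 255.255.255.0",
]
# Same entries after 'permit ip any any' is removed and re-added, so it lands at the bottom.
ACL_REORDERED = ACL_AFTER_APPEND[1:] + ACL_AFTER_APPEND[:1]

def _addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1]), tokens[2:]

def parse_ace(line):
    """Return (action, src_net, dst_net) for an 'extended <action> ip ...' entry."""
    t = line.split()
    action = t[t.index("extended") + 1]
    src, rest = _addr(t[t.index("ip") + 1:])
    dst, _ = _addr(rest)
    return action, src, dst

def evaluate(acl, src_ip, dst_ip):
    """First-match evaluation as the ASA does it: returns (action, line_no).
    The implicit deny at the end of every ASA ACL is reported as line 0."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, line in enumerate(acl, start=1):
        action, s, d = parse_ace(line)
        if src in s and dst in d:
            return action, n
    return "deny", 0

def hit_counts(acl, flows):
    """Replay (src, dst) flows and count matches per line, like hitcnt in 'show access-list'."""
    counts = [0] * len(acl)
    for src, dst in flows:
        _, n = evaluate(acl, src, dst)
        if n:
            counts[n - 1] += 1
    return counts

# Constructed flows: the one the poster wants blocked, and the source that actually
# appears in the posted capture (10.10.1.2), which none of the deny entries cover.
FLOWS = [("172.16.1.50", "172.16.99.55"), ("10.10.1.2", "172.16.99.1")]
```

Note that the posted config contains no deny for 172.16.2.0/24 to 172.16.99.0/24, so that flow also falls through to the permit line.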
