08-26-2011 02:15 AM - edited 03-11-2019 02:17 PM
Hi ,
please go through the topology attached herewith,
I have configured the ASA in transparent mode. At present all traffic is allowed in both directions.
My purpose is to deny traffic for the following IP addresses.
source 172.16.1.0 destination 172.16.99.0 action deny
source 172.16.1.0 destination 172.16.100.0 action deny
source 172.16.2.0 destination 172.16.99.0 action deny
source 172.16.2.0 destination 172.16.100.0 action deny
but
source 172.16.99.0 destination 172.16.1.0 action permit
source 172.16.99.0 destination 172.16.1.0 action permit
source 172.16.99.0 destination 172.16.2.0 action permit
source 172.16.99.0 destination 172.16.2.0 action permit
...
Sh run of ASA...
firewall transparent
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
!
interface Ethernet1
nameif inside
security-level 100
!
interface Ethernet2
shutdown
no nameif
no security-level
!
interface Ethernet3
shutdown
no nameif
no security-level
!
interface Ethernet4
shutdown
no nameif
no security-level
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list branch-ctrl extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address 172.16.222.2 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group branch-ctrl in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.222.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
prompt hostname context
Cryptochecksum:c7cc84788cd9e6bd6104499c6a33d2c6
: end
ASA#
Pawan...
08-26-2011 02:50 AM
Hi Pawan,
Yes you can use the access-list to filter the traffic on the interface, there should not be an issue, what is the flow of traffic, from which interface to which interface are you going???
Thanks,
Varun
08-26-2011 02:56 AM
Thanks Varun Sir,
from outside to inside traffic
08-26-2011 03:09 AM
Then your access-list would be:
access-list branch-ctrl deny ip 172.16.1.0 255.255.255.0 172.16.99.0 255.255.255.0
access-list branch-ctrl deny ip 172.16.1.0 255.255.255.0 172.16.100.0 255.255.255.0
.
.
access-list branch-ctrl deny ip 172.16.2.0 255.255.255.0 172.16.100.0 255.255.255.0
access-group branch-ctrl in interface outside
Then you need to delete the ip any any access-list on the outside interface and then add it again, so that it gets added at the bottom of the access-list.
You can check it by show access-list
Moreover inside to outside would be permitted by default, so no ACL required for it.
Hope this was helpful.
Thanks,
Varun
08-26-2011 03:22 AM
thanks sir,
As per your suggestion, I have applied the ACL, but communication is still going on... Please find the sh run after the ACL was applied.
firewall transparent
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
!
interface Ethernet1
nameif inside
security-level 100
!
interface Ethernet2
shutdown
no nameif
no security-level
!
interface Ethernet3
shutdown
no nameif
no security-level
!
interface Ethernet4
shutdown
no nameif
no security-level
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list branch-ctrl extended deny ip 172.16.1.0 255.255.255.0 172.16.99.0 255.255.255.0
access-list branch-ctrl extended deny ip 172.16.1.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list branch-ctrl extended deny ip 172.16.2.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list branch-ctrl extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address 172.16.222.2 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group branch-ctrl in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.222.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
prompt hostname context
Cryptochecksum:c7cc84788cd9e6bd6104499c6a33d2c6
: end
08-26-2011 03:30 AM
What happens if you remove, ip any any???
-Varun
08-26-2011 03:45 AM
If I remove permit ip any any, then all communication stops working....
and in sh access-list there is no hit...
08-26-2011 03:47 AM
Can you run this tracer:
packet-tracer input outside tcp 172.16.1.50 2345 172.16.99.55 80 detailed
-Varun
08-26-2011 03:55 AM
Actually my ASA is in transparent mode, that's why the packet-tracer command is not working...
08-26-2011 05:03 AM
Please help.....
08-26-2011 06:30 AM
Hi Pawan,
To troubleshoot this further, we need to take captures on the firewall and check if the packets are coming with the IP address that has been denied on the firewall, because I don't think the firewall would allow the traffic if it has already been denied.
To take the captures:
https://supportforums.cisco.com/docs/DOC-1222
Can you also provide the output of:
show access-list branch-ctrl
Thanks,
Varun
08-27-2011 01:27 AM
Thanks sir,
The output is
ASA# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list branch-ctrl; 3 elements
access-list branch-ctrl line 1 extended deny ip 172.16.1.0 255.255.255.0 172.16.99.0 255.255.255.0 (hitcnt=0) 0x8cfdcb7b
access-list branch-ctrl line 2 extended deny ip 172.16.1.0 255.255.255.0 172.16.100.0 255.255.255.0 (hitcnt=0) 0x233949c5
access-list branch-ctrl line 3 extended deny ip 172.16.2.0 255.255.255.0 172.16.100.0 255.255.255.0 (hitcnt=0) 0x9e85e14b
08-30-2011 03:39 AM
Hi Varun sir,
As you suggested, I did the capture. Please find the sh run and the captured packets below. And help me, sir.
firewall transparent
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
!
interface Ethernet1
nameif inside
security-level 0
!
interface Ethernet2
shutdown
no nameif
no security-level
!
interface Ethernet3
shutdown
no nameif
no security-level
!
interface Ethernet4
shutdown
no nameif
no security-level
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
same-security-traffic permit inter-interface
access-list branch-ctrl extended permit ip host 172.16.1.200 172.16.99.0 255.255.255.0
access-list branch-ctrl extended permit ip 172.16.99.0 255.255.255.0 host 172.16.1.200
access-list branch-ctrl extended deny ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address 172.16.222.2 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 172.16.222.1 1
route inside 172.16.99.0 255.255.255.0 172.16.222.222 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
prompt hostname context
Cryptochecksum:c7cc84788cd9e6bd6104499c6a33d2c6
: end
ASA#
Capture Output.
108 packets captured
1: 10:35:18.910536 172.16.222.222 > 224.0.0.5: ip-proto-89, length 60
2: 10:35:18.910597 172.16.222.222 > 224.0.0.5: ip-proto-89, length 60
3: 10:35:20.301742 802.3 encap packet
4: 10:35:22.167960 172.16.222.1 > 224.0.0.5: ip-proto-89, length 48
5: 10:35:22.168036 172.16.222.1 > 224.0.0.5: ip-proto-89, length 48
6: 10:35:22.259584 802.3 encap packet
7: 10:35:24.263566 802.3 encap packet
8: 10:35:26.249712 802.3 encap packet
9: 10:35:28.199834 802.3 encap packet
10: 10:35:28.802479 172.16.222.222 > 224.0.0.5: ip-proto-89, length 60
11: 10:35:28.802540 172.16.222.222 > 224.0.0.5: ip-proto-89, length 60
12: 10:35:30.037672 802.3 encap packet
13: 10:35:31.439491 172.16.222.1 > 224.0.0.5: ip-proto-89, length 48
14: 10:35:31.439567 172.16.222.1 > 224.0.0.5: ip-proto-89, length 48
15: 10:35:31.448569 802.3 encap packet
16: 10:35:33.043042 802.3 encap packet
17: 10:35:34.586288 802.3 encap packet
18: 10:35:36.173376 802.3 encap packet
19: 10:35:36.627744 172.16.222.222 > 224.0.0.5: ip-proto-89, length 60
20: 10:35:36.627805 172.16.222.222 > 224.0.0.5: ip-proto-89, length 60
21: 10:35:37.861985 802.3 encap packet
22: 10:35:39.460913 172.16.222.1 > 224.0.0.5: ip-proto-89, length 48
23: 10:35:39.460989 172.16.222.1 > 224.0.0.5: ip-proto-89, length 48
24: 10:35:39.499791 802.3 encap packet
25: 10:35:41.167273 802.3 encap packet
26: 10:35:41.930936 802.3 encap packet
27: 10:35:42.771246 802.3 encap packet
28: 10:35:44.415139 802.3 encap packet
29: 10:35:44.851426 172.16.222.222 > 224.0.0.5: ip-proto-89, length 60
30: 10:35:44.851503 172.16.222.222 > 224.0.0.5: ip-proto-89, length 60
31: 10:35:46.004623 802.3 encap packet
32: 10:35:47.432899 802.3 encap packet
33: 10:35:47.432976 172.16.222.1 > 224.0.0.5: ip-proto-89, length 48
34: 10:35:47.433037 172.16.222.1 > 224.0.0.5: ip-proto-89, length 48
35: 10:35:48.498646 802.3 encap packet
36: 10:35:50.045438 802.3 encap packet
37: 10:35:51.588501 802.3 encap packet
38: 10:35:52.001266 172.16.222.222 > 224.0.0.5: ip-proto-89, length 60
39: 10:35:52.001327 172.16.222.222 > 224.0.0.5: ip-proto-89, length 60
40: 10:35:53.080989 802.3 encap packet
41: 10:35:53.372295 802.3 encap packet
42: 10:35:54.749289 802.3 encap packet
43: 10:35:54.789982 172.16.222.1 > 224.0.0.5: ip-proto-89, length 48
44: 10:35:54.790059 172.16.222.1 > 224.0.0.5: ip-proto-89, length 48
45: 10:35:56.752921 802.3 encap packet
46: 10:35:58.738365 802.3 encap packet
47: 10:36:00.681147 802.3 encap packet
48: 10:36:01.231616 172.16.222.222 > 224.0.0.5: ip-proto-89, length 60
49: 10:36:01.231677 172.16.222.222 > 224.0.0.5: ip-proto-89, length 60
50: 10:36:02.658642 802.3 encap packet
51: 10:36:04.628156 802.3 encap packet
52: 10:36:04.668163 172.16.222.1 > 224.0.0.5: ip-proto-89, length 48
53: 10:36:04.668239 172.16.222.1 > 224.0.0.5: ip-proto-89, length 48
54: 10:36:06.658321 802.3 encap packet
55: 10:36:08.618437 802.3 encap packet
56: 10:36:10.606551 802.3 encap packet
57: 10:36:11.058544 172.16.222.222 > 224.0.0.5: ip-proto-89, length 60
58: 10:36:11.058605 172.16.222.222 > 224.0.0.5: ip-proto-89, length 60
59: 10:36:12.540957 802.3 encap packet
60: 10:36:14.472921 10.10.1.2 > 172.16.99.1: icmp: echo request
61: 10:36:14.473287 10.10.1.2 > 172.16.99.1: icmp: echo request
62: 10:36:14.482305 802.3 encap packet
63: 10:36:14.516818 172.16.99.1 > 10.10.1.2: icmp: echo reply
64: 10:36:14.517108 172.16.99.1 > 10.10.1.2: icmp: echo reply
65: 10:36:14.517261 172.16.222.1 > 224.0.0.5: ip-proto-89, length 48
66: 10:36:14.517291 172.16.222.1 > 224.0.0.5: ip-proto-89, length 48
67: 10:36:14.579727 10.10.1.2 > 172.16.99.1: icmp: echo request
68: 10:36:14.579834 10.10.1.2 > 172.16.99.1: icmp: echo request
69: 10:36:14.608839 172.16.99.1 > 10.10.1.2: icmp: echo reply
70: 10:36:14.608946 172.16.99.1 > 10.10.1.2: icmp: echo reply
71: 10:36:14.648648 10.10.1.2 > 172.16.99.1: icmp: echo request
72: 10:36:14.648754 10.10.1.2 > 172.16.99.1: icmp: echo request
73: 10:36:14.672725 172.16.99.1 > 10.10.1.2: icmp: echo reply
74: 10:36:14.672816 172.16.99.1 > 10.10.1.2: icmp: echo reply
75: 10:36:14.742789 10.10.1.2 > 172.16.99.1: icmp: echo request
76: 10:36:14.742896 10.10.1.2 > 172.16.99.1: icmp: echo request
77: 10:36:14.772146 172.16.99.1 > 10.10.1.2: icmp: echo reply
78: 10:36:14.772237 172.16.99.1 > 10.10.1.2: icmp: echo reply
79: 10:36:14.848649 10.10.1.2 > 172.16.99.1: icmp: echo request
80: 10:36:14.848756 10.10.1.2 > 172.16.99.1: icmp: echo request
81: 10:36:14.868637 172.16.99.1 > 10.10.1.2: icmp: echo reply
82: 10:36:14.868729 172.16.99.1 > 10.10.1.2: icmp: echo reply
83: 10:36:16.463766 802.3 encap packet
84: 10:36:17.078822 10.10.1.2 > 172.16.99.1: icmp: echo request
85: 10:36:17.079112 10.10.1.2 > 172.16.99.1: icmp: echo request
86: 10:36:17.120507 172.16.99.1 > 10.10.1.2: icmp: echo reply
87: 10:36:17.120812 172.16.99.1 > 10.10.1.2: icmp: echo reply
88: 10:36:17.145744 10.10.1.2 > 172.16.99.1: icmp: echo request
89: 10:36:17.145866 10.10.1.2 > 172.16.99.1: icmp: echo request
90: 10:36:17.185781 172.16.99.1 > 10.10.1.2: icmp: echo reply
91: 10:36:17.185888 172.16.99.1 > 10.10.1.2: icmp: echo reply
92: 10:36:17.248796 10.10.1.2 > 172.16.99.1: icmp: echo request
93: 10:36:17.248919 10.10.1.2 > 172.16.99.1: icmp: echo request
94: 10:36:17.283585 172.16.99.1 > 10.10.1.2: icmp: echo reply
95: 10:36:17.283707 172.16.99.1 > 10.10.1.2: icmp: echo reply
96: 10:36:17.349850 10.10.1.2 > 172.16.99.1: icmp: echo request
97: 10:36:17.349957 10.10.1.2 > 172.16.99.1: icmp: echo request
98: 10:36:17.383540 172.16.99.1 > 10.10.1.2: icmp: echo reply
99: 10:36:17.383662 172.16.99.1 > 10.10.1.2: icmp: echo reply
100: 10:36:17.448814 10.10.1.2 > 172.16.99.1: icmp: echo request
101: 10:36:17.448920 10.10.1.2 > 172.16.99.1: icmp: echo request
102: 10:36:17.468878 172.16.99.1 > 10.10.1.2: icmp: echo reply
103: 10:36:17.468969 172.16.99.1 > 10.10.1.2: icmp: echo reply
104: 10:36:18.448844 802.3 encap packet
105: 10:36:20.394968 802.3 encap packet
106: 10:36:20.898925 172.16.222.222 > 224.0.0.5: ip-proto-89, length 60
107: 10:36:20.898986 172.16.222.222 > 224.0.0.5: ip-proto-89, length 60
108: 10:36:22.370738 802.3 encap packet
108 packets shown
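Varun's earlier advice on ACE ordering (deny lines first, permit ip any any re-added at the bottom) and the show access-list output with hitcnt=0 on every deny both come down to the ASA's first-match evaluation. As an added illustration, not part of this thread and not Cisco's code, the Python below models that evaluation over the ACL lines posted here. The parser, the AclEntry class and the demo() function are constructed for this example and handle only the "ip"-protocol form used in the thread. It also runs the ICMP flow that actually appears in the capture (10.10.1.2 to 172.16.99.1) through the ordered list, which shows why none of the deny entries records a hit for that traffic.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    """One 'access-list ... permit|deny ip SRC DST' line, with a hit counter
    like the one 'show access-list' prints. (Constructed model, not ASA code.)"""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    hitcnt: int = 0


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'NET MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(lines):
    """Mini-parser (constructed here) for the 'ip'-protocol ACE syntax used in
    the thread; lines that are not such ACEs are ignored."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        if tokens[2] == "extended":
            tokens.pop(2)
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        if action not in ("permit", "deny") or proto != "ip":
            continue
        src, rest = _parse_addr(rest)
        dst, _ = _parse_addr(rest)
        entries.append(AclEntry(action, src, dst))
    return entries


def evaluate(acl, src_ip, dst_ip):
    """First-match evaluation: the first ACE whose source and destination both
    contain the packet decides and its hit counter is bumped. A packet that
    matches nothing falls to the implicit deny at the end (line None)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line, ace in enumerate(acl, start=1):
        if s in ace.src and d in ace.dst:
            ace.hitcnt += 1
            return ace.action, line
    return "deny", None


def show_access_list(acl):
    """Render in the style of 'show access-list' (constructed, abbreviated)."""
    return [f"line {n} extended {a.action} ip {a.src} {a.dst} (hitcnt={a.hitcnt})"
            for n, a in enumerate(acl, start=1)]


# The three deny lines from the posted 'sh run', plus the catch-all permit.
DENY_LINES = [
    "access-list branch-ctrl extended deny ip 172.16.1.0 255.255.255.0 172.16.99.0 255.255.255.0",
    "access-list branch-ctrl extended deny ip 172.16.1.0 255.255.255.0 172.16.100.0 255.255.255.0",
    "access-list branch-ctrl extended deny ip 172.16.2.0 255.255.255.0 172.16.100.0 255.255.255.0",
]
PERMIT_ANY = "access-list branch-ctrl extended permit ip any any"

SHADOWED_ACL = [PERMIT_ANY] + DENY_LINES   # permit left on top, denies appended below
ORDERED_ACL = DENY_LINES + [PERMIT_ANY]    # Varun's order: denies first, permit at the bottom

# The packet Varun's packet-tracer command describes, and the ICMP exchange that
# is present in the posted capture (both taken from the thread, not constructed).
TRACER_PACKET = ("172.16.1.50", "172.16.99.55")
CAPTURED_FLOWS = [("10.10.1.2", "172.16.99.1"), ("172.16.99.1", "10.10.1.2")]


def demo():
    shadowed = parse_acl(SHADOWED_ACL)
    ordered = parse_acl(ORDERED_ACL)
    capture_acl = parse_acl(ORDERED_ACL)   # fresh copy so its counters start at 0
    return {
        "shadowed": evaluate(shadowed, *TRACER_PACKET),   # ("permit", 1): deny never reached
        "ordered": evaluate(ordered, *TRACER_PACKET),     # ("deny", 1)
        "captured": [evaluate(capture_acl, s, d) for s, d in CAPTURED_FLOWS],  # permit, line 4
        "capture_deny_hits": [a.hitcnt for a in capture_acl if a.action == "deny"],  # [0, 0, 0]
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
    print("\n".join(show_access_list(parse_acl(ORDERED_ACL))))
```

The two things to take from the run: with permit ip any any on line 1 a 172.16.1.0/24 packet is accepted before any deny is consulted, and with the denies on top that same packet is dropped at line 1. The ICMP flow in the capture has source 10.10.1.2, which no deny line covers, so it passes on the permit line and the deny counters stay at zero, exactly as the posted show access-list reports. A capture filtered on the denied source subnets is the direct way to check whether such packets ever arrive on the outside interface.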
08-30-2011 09:45 PM
Hello Varun sir,
Please see the captured output and help me..
Regards
pawan
09-08-2011 11:17 AM
Hi,
The captures do not seem to have anything pertinent in them. With the ACL applied, are you able to ping from 172.16.1.0 to 172.16.99.0?
Regards,
Prapanch