Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
465
Views
0
Helpful
1
Replies

Novice ACL Rules Not Quite Right ASA5505

llamaw0rksE
Level 1
Level 1

‎03-13-2012 11:56 AM - edited ‎03-11-2019 03:41 PM

ASDM 6.4ish and ASA 8.4(3)  The good news is after much trial and error I have got to this point.

If I may advise novices on what I have learned:

(1)  (DONT USE ACL manager to make acl rules - use the ACCESS RULES at the top). (otherwise you wont see where to associate firewall rules with interfaces)

(2) You need a default route created to allow  access to the internet from your private lan or dmz (if you have one created).  Basically you have to tell the router what is the next hop for the traffic leaving the router on the outside interface ( I guess most routers default to the ISP gateway - which you will have to manually put in for the cisco unit).

(3) NAT rules (static) or port forwarding for the beginner should be done by nesting the nat rule (embedding) within objects.  This is the easiest way to create them. (avoid doing it manually  its a gonad breaker and you will end up making twice nat rules by accident)

(4) You also need dynamic pat rules so that outgoing traffic is handled appropriately upon return (assuming a number of private hosts and one public WANIP).  The router creates this automatically for you by default for the inside lan)...... I had to figure out how to add one for the dmz).

(5) Traffic flow is first controlled by ACLs then nat rules.  (which in practical terms means you have to ensure acl rules let in the destination port of incoming ports vice the translated.........  for ex   expecting incoming 2121  and then going to translate them to 21 for FTP.   In this case your FW rule will need to pass through 2121  and nat will still do the port forwarding translation)  For my config,

I have success on Lan to Lan traffic, and Lan to Internet Traffic.  I get no traffic inbound. :-(( If I put in a global implicit rule of any allow, just prior to the default global implicit rule any deny, then inbound traffic works. So I am guessing that my ACLs are problemeatic??? 

:

: Saved

:

ASA Version 8.4(3)

!

hostname zyxelbeatsbattlestargalacticaandCisco

enable password SrnWJ82Q9IsDq97j encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

switchport access vlan 12

!

interface Ethernet0/7

switchport access vlan 12

!

interface Vlan1

no forward interface Vlan12

nameif main-lan

security-level 100

ip address 192.168.24.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address ab.abc.def.230 255.255.255.248

!

interface Vlan12

nameif admin-dmz

security-level 100

ip address 192.168.2.1 255.255.255.0

!

ftp mode passive

clock timezone AST -4

clock summer-time ADT recurring

same-security-traffic permit inter-interface

object network obj_any_main-lan

subnet 0.0.0.0 0.0.0.0

description Applied by router ---> SNAT for main lan

object network TrustedInternetUsers

subnet ab.abc.def.0 255.255.255.0

object network Corporate-user

host 555.555.555.98

description Corporate Ojbect for access to TFS, OM

object network -remote-h

subnet 11.111.0.0 255.255.0.0

object network -remote-w

subnet 22.222.222.0 255.255.255.0

object network -remote2

host 33.3.333.4

object network -remote1

host 444.44.444.133

object network ISP-GatewayIP

host ab.abc.def.225

object network VS-pcIP

host 192.168.24.34

object network obj_any-admin-dmz

subnet 0.0.0.0 0.0.0.0

description Used to apply SNAT for DMZ (internet access)

object service input-port

service tcp source eq www destination eq www

object service OM1

service tcp source eq 5080 destination eq 5080

object service OM2

service tcp source eq 8088 destination eq 8088

object service OM3

service tcp source eq https destination eq https

object service TFS

service tcp source eq 8080 destination eq 8080

object service RDP

service tcp source eq 3389 destination eq 3389

object service RouterAdmin

service tcp source eq 33349 destination eq 33349

object network NAT4OM3

host 192.168.24.34

object network NAT4OM1

host 192.168.24.34

object network NAT4OM2

host 192.168.24.34

object network NAT4RDP

host 192.168.24.34

object network NAT4TFS

host 192.168.24.34

object network NAT4WWW2OM1

host 192.168.24.34

object-group network Router-Admin

description Remote access to adjust router settings

network-object object -remote1

network-object object TrustedInternetUsers

object-group network TFS-usergroup

description Agilegroup Access TFS, Open Meetings and RDP

network-object object TrustedInternetUsers

network-object object -remote-h

network-object object -remote-w

network-object object -remote1

network-object object -remote2

object-group service OMServiceGroup

service-object object OM1

service-object object OM2

service-object object OM3

object-group service CorporateServiceGroup

service-object object OM2

service-object object input-port

service-object object OM3

access-list outside_access_in remark Access to VS-TFS

access-list outside_access_in extended permit object TFS object-group TFS-usergroup object VS-pcIP

access-list outside_access_in extended permit object TFS object Corporate-user object VS-pcIP

access-list outside_access_in remark Access to Open Meetings

access-list outside_access_in extended permit object-group OMServiceGroup object-group TFS-usergroup object VS-pcIP

access-list outside_access_in extended permit object-group CorporateServiceGroup object Corporate-user object VS-pcIP

access-list outside_access_in remark remote access to VS

access-list outside_access_in extended permit object RDP object-group TFS-usergroup object VS-pcIP

pager lines 24

logging asdm informational

mtu main-lan 1500

mtu outside 1500

mtu admin-dmz 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

!

object network obj_any_main-lan

nat (main-lan,outside) dynamic interface

object network obj_any-admin-dmz

nat (admin-dmz,outside) dynamic interface

object network NAT4OM3

nat (main-lan,outside) static interface service tcp https https

object network NAT4OM1

nat (main-lan,outside) static interface service tcp 5080 5080

object network NAT4OM2

nat (main-lan,outside) static interface service tcp 8088 8088

object network NAT4RDP

nat (main-lan,outside) static interface service tcp 3389 3389

object network NAT4TFS

nat (main-lan,outside) static interface service tcp 8080 8080

object network NAT4WWW2OM1

nat (main-lan,outside) static interface service tcp 5080 www

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 ab.abc.def.225 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

http server enable 33349

http server session-timeout 60

http 192.168.2.0 255.255.255.0 admin-dmz

http 192.168.24.0 255.255.255.0 main-lan

http 444.44.444.133 255.255.255.255 outside

http ab.abc.def.0 255.255.255.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh 192.168.24.0 255.255.255.0 main-lan

ssh 444.44.444.133 255.255.255.255 outside

ssh ab.abc.def.0 255.255.255.0 outside

ssh 192.168.2.0 255.255.255.0 admin-dmz

ssh timeout 10

ssh version 2

console timeout 0

dhcpd address 192.168.24.5-192.168.24.10 main-lan

dhcpd dns 66.666.6.96 66.666.6.97 interface main-lan

dhcpd enable main-lan

!

dhcpd dns 66.666.6.96 66.666.6.97 interface outside

!

dhcpd address 192.168.2.5-192.168.2.10 admin-dmz

dhcpd dns 66.666.6.96 66.666.6.97 interface admin-dmz

dhcpd enable admin-dmz

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 209.87.233.53 source outside

webvpn

username user5 password Xl5915GPBhncsPAQ encrypted

username user3 password mAVJxjP/lM8yc59F encrypted

username user4 password w7V/UFyrOwnQknqm encrypted

username user2 password .NJvJ7zi.ROsatP7 encrypted

username user1 password OZCdJRBWiCmcaFZ. encrypted

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:b8135c36da331e34243baa55a8fe8c5a

: end

no asdm history enabl

Labels:
0 Helpful
1 Reply 1

llamaw0rksE
Level 1
Level 1

‎03-14-2012 06:12 AM

Bump and two questions:

(1) Object rules, I probably dont need both source and destination ports so is it just either source or destination?  These are for ports people on the outisde will be using to approach the router.  Of all my incoming  ports, I am only changing one port number (as per the nat rule ending   "5080 https",  since one set of users can get out of their own corporate situation on port 80 and not 5080.

object service input-port service tcp source eq www destination eq www

object service OM1 service tcp source eq 5080 destination eq 5080

(associated nat rule: object network NAT4WWW2OM1 nat (main-lan,outside) static interface service tcp 5080 www)

Should it be??

object service input-port service tcp source eq www
object service OM1 service tcp source eq 5080

2.  ACL rule structure looks funny in that i have grouped many things and I am following the instructions and bouncing adsm ball but how come my service group or service group object is in the middle of the rule whereas all the examples I see show them at the end???


access-list outside_access_in extended permit object TFS object Corporate-user object VS-pcIP

access-list outside_access_in extended permit object-group OMServiceGroup object-group TFS-usergroup object VS-pcIP

should it be???

access-list outside_access_in extended permit object Corporate-user object VS-pcIP object TFS

access-list outside_access_in extended permit object-group TFS-usergroup object VS-pcIP object-group OMServiceGroup

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card