
Smart ACL RuleBase for ASA

Gulmira
Level 1

Hi,

I have an ASA that has many VPNs terminating on it. The access-list configuration is enormous and I'm trying to streamline it into something that makes use of service objects to enable a single rule to grant all the access required. While there are some exceptions where a site has additional access, for the most part all sites have the base access that enables web, LDAP, file share etc. I have managed to implement a streamlined rule on the remote site side, however on the core site side I can't get the traffic flowing with the streamlined rule set.

 

This is what I have done so far:

 

object network Core-Lan
subnet 172.27.0.0 255.255.240.0
object network Thailand-Lan
subnet 10.121.0.0 255.255.0.0

 

Remote Site: Call It Thailand

object-group service VPN-Ports
service-object tcp-udp destination range 135 139
service-object tcp-udp destination eq 445
service-object tcp-udp destination eq 22
service-object tcp-udp destination eq 443
service-object tcp-udp destination eq 3389
service-object tcp-udp destination eq www
service-object udp destination eq domain
service-object tcp-udp destination eq 88
service-object udp destination eq 389
service-object tcp-udp destination eq 8081

 

access-list Thailand-Core extended permit object-group VPN-Ports object Thailand-Lan object Core-Lan

 

On the Remote site this works 100%

 

On the Core Site I currently have this mess for Thailand. It works:

 

access-list Core-Thailand extended permit tcp object Core-Lan eq 3389 object Thailand-Lan
access-list Core-Thailand extended permit icmp object Core-Lan object Thailand-Lan
access-list Core-Thailand extended permit tcp object Core-Lan eq ssh object Thailand-Lan
access-list Core-Thailand extended permit tcp object Core-Lan eq https object Thailand-Lan
access-list Core-Thailand extended permit udp object Core-Lan eq domain object Thailand-Lan
access-list Core-Thailand extended permit tcp object Core-Lan eq 445 object Thailand-Lan
access-list Core-Thailand extended permit tcp object Core-Lan eq ldap object Thailand-Lan
access-list Core-Thailand extended permit udp object Core-Lan eq 389 object Thailand-Lan
access-list Core-Thailand extended permit tcp object Core-Lan eq 135 object Thailand-Lan
access-list Core-Thailand extended permit tcp object Core-Lan eq 88 object Thailand-Lan
access-list Core-Thailand extended permit udp object Core-Lan eq 88 object Thailand-Lan
access-list Core-Thailand extended permit udp object Core-Lan eq tftp object Thailand-Lan
access-list Core-Thailand extended permit udp object Core-Lan eq 8081 object Thailand-Lan

 

My intent is to have something that looks like this

object-group service VPN-Ports
service-object tcp-udp destination range 135 139
service-object tcp-udp destination eq 445
service-object tcp-udp destination eq 22
service-object tcp-udp destination eq 443
service-object tcp-udp destination eq 3389
service-object tcp-udp destination eq www
service-object udp destination eq domain
service-object tcp-udp destination eq 88
service-object udp destination eq 389
service-object tcp-udp destination eq 8081

 

Access-list for Thailand

Access-list For Singapore

Access-List for Malaysia

 

The above countries all require the same rule base; currently that takes over 40 lines of access rules for just 3 countries, and we have 13 countries terminating. I have tried the following with no success:

 

access-list Core-Thailand extended permit object-group VPN-Ports object Thailand-Lan object Core-Lan
access-list Core-Thailand extended permit object-group VPN-Ports object Thailand-Lan object-group Core-Lan
access-list Core-Thailand extended permit object-group VPN-Ports object-group Core-Lan object Thailand-Lan

 

Appreciate your help

 

 

1 Reply

Garry Cross
Level 1

You might want to clarify where you have the Core-Thailand ACL applied. Judging by the name it is applied inbound on the inside interface, but then you could not have multiple of these on the same interface. Perhaps applied in the group-policy. Please clarify.

 

I would venture a guess that you have no hitcnt on the ACEs of access-list Core-Thailand.

It would appear you are trying to permit traffic from a server to go back towards the clients.

This is not necessary as when the client connects to the server the ASA will create a state table that automatically permits the return traffic.

Also ...

This

access-list Core-Thailand extended permit tcp object Core-Lan eq 3389 object Thailand-Lan

and this

access-list Core-Thailand extended permit object-group VPN-Ports object Thailand-Lan object Core-Lan

are not the same.

The former will allow traffic from Core-Lan with source port 3389 to flow to the Thailand-Lan.

The latter will allow traffic from Thailand-Lan to Core-Lan with destination ports listed in VPN-Ports.

The reason for the syntax is for the ACL to figure out if the service is udp or tcp since the object group is not a specific tcp or udp service object.

 

Use packet-tracer to see why your traffic is blocked. It may not work correctly for VPN traffic.

 

show access-list <access-list-name> to see what entries are getting hits.

 

Given more info, we may be able to better help with this.
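The distinction the reply draws (source port 3389 on a protocol ACE versus destination ports drawn from a service object-group) is easy to check by modelling how the ASA evaluates the two ACE forms against a packet. The following is an added illustration, not code from either poster or from Cisco; it parses only the subset of ASA syntax that appears in this thread (network objects, `tcp-udp`/`udp` service-objects with `destination eq|range`, and `extended permit` ACEs), evaluates every packet against the ACL with no connection table, and reports per-ACE hits the way `show access-list` reports hitcnt. The host addresses, ephemeral port and the two sample packets are constructed for the example.

```python
"""Model of ASA extended-ACE matching for the two ACE forms seen in the thread:
permit <proto> object S [eq P] object D [eq P]  and  permit object-group <svc> object S object D.
Every packet is checked against the ACL (no state table) to show what each ACE would match."""
import ipaddress
from collections import namedtuple

# Port keywords the ASA accepts in the ACEs shown on this page.
PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "ssh": 22, "ldap": 389, "tftp": 69}

# Constructed from the 'object network' definitions in the post.
NETWORK_OBJECTS = {"Core-Lan": ipaddress.ip_network("172.27.0.0/20"),
                   "Thailand-Lan": ipaddress.ip_network("10.121.0.0/16")}

# service-object lines of 'object-group service VPN-Ports', as posted.
VPN_PORTS = """\
service-object tcp-udp destination range 135 139
service-object tcp-udp destination eq 445
service-object tcp-udp destination eq 22
service-object tcp-udp destination eq 443
service-object tcp-udp destination eq 3389
service-object tcp-udp destination eq www
service-object udp destination eq domain
service-object tcp-udp destination eq 88
service-object udp destination eq 389
service-object tcp-udp destination eq 8081
"""

Flow = namedtuple("Flow", "proto src sport dst dport")
Ace = namedtuple("Ace", "proto service src_net src_ports dst_net dst_ports")


def port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def parse_service_group(text):
    """Return [(protocols, low, high)] destination-port entries of a service group."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()  # service-object <proto> destination eq P | range A B
        protos = {"tcp", "udp"} if t[1] == "tcp-udp" else {t[1]}
        lo, hi = (port(t[4]), port(t[4])) if t[3] == "eq" else (port(t[4]), port(t[5]))
        entries.append((protos, lo, hi))
    return entries


SERVICE_GROUPS = {"VPN-Ports": parse_service_group(VPN_PORTS)}


def parse_ace(line):
    t = line.split()
    if t[2:4] != ["extended", "permit"]:
        raise ValueError("only 'extended permit' ACEs are modelled: " + line)
    proto, service, i = None, None, 4
    if t[i] == "object-group":
        service, i = SERVICE_GROUPS[t[i + 1]], i + 2  # protocol and ports come from the group
    else:
        proto, i = t[i], i + 1

    def endpoint(i):
        # 'object NAME' optionally followed by 'eq P' or 'range A B'; no operator means any port
        net, i = NETWORK_OBJECTS[t[i + 1]], i + 2
        lo, hi = 0, 65535
        if i < len(t) and t[i] == "eq":
            lo, hi, i = port(t[i + 1]), port(t[i + 1]), i + 2
        elif i < len(t) and t[i] == "range":
            lo, hi, i = port(t[i + 1]), port(t[i + 2]), i + 3
        return net, (lo, hi), i

    src_net, src_ports, i = endpoint(i)
    dst_net, dst_ports, _ = endpoint(i)
    return Ace(proto, service, src_net, src_ports, dst_net, dst_ports)


def ace_matches(ace, flow):
    """True if a packet of this flow matches the ACE: addresses, then ports, then protocol."""
    if ipaddress.ip_address(flow.src) not in ace.src_net or ipaddress.ip_address(flow.dst) not in ace.dst_net:
        return False
    if not (ace.src_ports[0] <= flow.sport <= ace.src_ports[1] and ace.dst_ports[0] <= flow.dport <= ace.dst_ports[1]):
        return False
    if ace.service is None:
        return ace.proto in ("ip", flow.proto)
    return any(flow.proto in protos and lo <= flow.dport <= hi for protos, lo, hi in ace.service)


def first_match(acl_lines, flow):
    """Index of the first matching ACE (the ASA evaluates top-down), or None if nothing permits it."""
    for idx, line in enumerate(acl_lines):
        if ace_matches(parse_ace(line), flow):
            return idx
    return None


def hit_counts(acl_lines, flows):
    """Per-ACE hit counts, the figure 'show access-list' reports as hitcnt."""
    counts = [0] * len(acl_lines)
    for flow in flows:
        idx = first_match(acl_lines, flow)
        if idx is not None:
            counts[idx] += 1
    return counts


# Constructed sample packets: a Thailand client opening RDP to a core server, and the
# server's reply (which a real ASA permits from its connection table, not from an ACE).
FORWARD = Flow("tcp", "10.121.5.10", 51000, "172.27.1.20", 3389)
RETURN = Flow("tcp", "172.27.1.20", 3389, "10.121.5.10", 51000)
SOURCE_PORT_ACE = "access-list Core-Thailand extended permit tcp object Core-Lan eq 3389 object Thailand-Lan"
GROUP_ACE = "access-list Thailand-Core extended permit object-group VPN-Ports object Thailand-Lan object Core-Lan"
```

Running `hit_counts([SOURCE_PORT_ACE, GROUP_ACE], [FORWARD, RETURN])` shows the split the reply describes: the client's SYN to port 3389 is counted only against the object-group ACE, while the `eq 3389` ACE is hit only by the server's reply packet, i.e. traffic the ASA would already permit statefully. The group also carries per-entry protocols, so a UDP query to port 53 matches `service-object udp destination eq domain` but the same port over TCP does not.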

 

 

 
