Smart ACL RuleBase for ASA
03-10-2021 06:24 AM - edited 03-11-2021 03:42 AM
Hi,
I have an ASA that has many VPNs terminating to it. The access list configuration is enormous and I'm trying to streamline it into something that makes use of service objects to enable a single rule to grant all the access required. Whilst there are some exceptions where a site has additional access, for the most part all sites have the base access that enables web, LDAP, file share etc. I have managed to implement a streamlined rule on the remote site side; however, on the core site side I can't get the traffic flowing with a streamlined rule set.
This is what I have done so far:
object network Core-Lan
subnet 172.27.0.0 255.255.240.0
object network Thailand-Lan
subnet 10.121.0.0 255.255.0.0
Remote Site: Call It Thailand
object-group service VPN-Ports
service-object tcp-udp destination range 135 139
service-object tcp-udp destination eq 445
service-object tcp-udp destination eq 22
service-object tcp-udp destination eq 443
service-object tcp-udp destination eq 3389
service-object tcp-udp destination eq www
service-object udp destination eq domain
service-object tcp-udp destination eq 88
service-object udp destination eq 389
service-object tcp-udp destination eq 8081
access-list Thailand-Core extended permit object-group VPN-Ports object Thailand-Lan object Core-LAN
On the remote site this works 100%.
On the core site I currently have this mess for Thailand. It works:
access-list Core-Thailand extended permit tcp object Core-Lan eq 3389 object Thailand-Lan
access-list Core-Thailand extended permit icmp object Core-Lan object Thailand-Lan
access-list Core-Thailand extended permit tcp object Core-Lan eq ssh object Thailand-Lan
access-list Core-Thailand extended permit tcp object Core-Lan eq https object Thailand-Lan
access-list Core-Thailand extended permit udp object Core-Lan eq domain object Thailand-Lan
access-list Core-Thailand extended permit tcp object Core-Lan eq 445 object Thailand-Lan
access-list Core-Thailand extended permit tcp object Core-Lan eq ldap object Thailand-Lan
access-list Core-Thailand extended permit udp object Core-Lan eq 389 object Thailand-Lan
access-list Core-Thailand extended permit tcp object Core-Lan eq 135 object Thailand-Lan
access-list Core-Thailand extended permit tcp object Core-Lan eq 88 object Thailand-Lan
access-list Core-Thailand extended permit udp object Core-Lan eq 88 object Thailand-Lan
access-list Core-Thailand extended permit udp object Core-Lan eq tftp object Thailand-Lan
access-list Core-Thailand extended permit udp object Core-Lan eq 8081 object Thailand-Lan
My intent is to have something that looks like this:
object-group service VPN-Ports
service-object tcp-udp destination range 135 139
service-object tcp-udp destination eq 445
service-object tcp-udp destination eq 22
service-object tcp-udp destination eq 443
service-object tcp-udp destination eq 3389
service-object tcp-udp destination eq www
service-object udp destination eq domain
service-object tcp-udp destination eq 88
service-object udp destination eq 389
service-object tcp-udp destination eq 8081
Access-list for Thailand
Access-list For Singapore
Access-List for Malaysia
The above countries all require the same rule base; currently that takes over 40 lines of access rules for just 3 countries, and we have 13 countries terminating. I have tried the following with no success:
access-list Core-Thailand extended permit object-group VPN-Ports object Thailand-Lan object Core-Lan
access-list Core-Thailand extended permit object-group VPN-Ports object Thailand-Lan object-group Core-Lan
access-list Core-Thailand extended permit object-group VPN-Ports object-group Core-Lan object Thailand-Lan
Appreciate your help
03-24-2021 12:55 PM
You might want to clarify where you have the Core-Thailand ACL applied. Judging by the name it is applied inbound on the inside interface, but then you could not have multiple of these on the same interface. Perhaps it is applied in the group-policy. Please clarify.
I would venture a guess that you have no hitcnt on the ACEs of access-list Core-Thailand.
It would appear you are trying to permit traffic from a server to go back towards the clients.
This is not necessary as when the client connects to the server the ASA will create a state table that automatically permits the return traffic.
Also ...
This
access-list Core-Thailand extended permit tcp object Core-Lan eq 3389 object Thailand-Lan
and this
access-list Core-Thailand extended permit object-group VPN-Ports object Thailand-Lan object Core-Lan
are not the same.
The former will allow traffic from Core-Lan with source port 3389 to flow to the Thailand-Lan.
The latter will allow traffic from Thailand-Lan to Core-Lan with destination ports listed in VPN-Ports.
The reason for the syntax is for the ACL to figure out if the service is udp or tcp since the object group is not a specific tcp or udp service object.
Use packet-tracer to see why your traffic is blocked. It may not work correctly for VPN traffic.
show access-list <access-list-name> to see what entries are getting hits.
Given more info, we may be able to better help with this.
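The port-position point made above (a port qualifier after the source object is a source port, while a service object-group supplies the protocol and destination ports), as an added example that is not part of the original thread: a small Python parser for the ACE forms quoted in the question. The object and group names are the thread's; the parser and its port-name table are assumptions for illustration.

```python
# Constructed example: parse the ASA extended ACE forms used in the thread
# and render the flow each one actually permits.
PORT_NAMES = {"ssh": 22, "https": 443, "domain": 53, "ldap": 389,
              "www": 80, "tftp": 69}  # assumed subset of ASA port keywords


def _port(tok):
    """Resolve a numeric or named port token to an integer."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_ace(line):
    """Parse 'access-list NAME extended permit PROTO SRC [eq P] DST [eq P]'.

    Only the object/object-group address forms from the thread are handled.
    An 'eq'/'range' qualifier binds to the address immediately before it,
    so a port placed after the source object is a SOURCE port.
    """
    toks = line.split()
    if toks[:1] != ["access-list"] or toks[2] != "extended":
        raise ValueError("not an extended ACE: " + line)
    ace = {"name": toks[1], "action": toks[3], "service": None}
    i = 4
    if toks[i] == "object-group":
        # A service object-group supplies protocol and destination ports.
        ace["proto"], ace["service"], i = "service-group", toks[i + 1], i + 2
    else:
        ace["proto"], i = toks[i], i + 1
    for side in ("src", "dst"):
        if toks[i] not in ("object", "object-group"):
            raise ValueError("unsupported address form: " + toks[i])
        ace[side], i = toks[i + 1], i + 2
        ace[side + "_port"] = None
        if i < len(toks) and toks[i] == "eq":
            p = _port(toks[i + 1])
            ace[side + "_port"], i = (p, p), i + 2
        elif i < len(toks) and toks[i] == "range":
            lo, hi = _port(toks[i + 1]), _port(toks[i + 2])
            ace[side + "_port"], i = (lo, hi), i + 3
    return ace


def describe(ace):
    """Render the parsed ACE as the flow it permits, port side made explicit."""
    def ports(p):
        if p is None:
            return "any port"
        return "port %d" % p[0] if p[0] == p[1] else "ports %d-%d" % p
    if ace["service"]:
        return "%s %s -> %s, protocol and destination ports from %s" % (
            ace["action"], ace["src"], ace["dst"], ace["service"])
    return "%s %s %s (source %s) -> %s (destination %s)" % (
        ace["action"], ace["proto"], ace["src"], ports(ace["src_port"]),
        ace["dst"], ports(ace["dst_port"]))
```

Running describe() over the Core-Thailand ACEs from the question shows every one of them as a source-port match, which is the mismatch the reply points out.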
