02-20-2015 06:57 AM - last edited on 03-25-2019 05:55 PM by ciscomoderator
permit tcp has a default reflexive function
why does the outside-in direction also need
access-list 200 permit tcp 192.168.4.8 255.255.255.255 192.168.2.3 255.255.255.255
?
Does it mean that this default behaviour needs permit tcp on both sides?
If not for the default reflexive behaviour, why permit tcp in the outside-in direction when it cannot telnet from outside to inside?
If outside and inside are to be able to telnet each other, does it mean that the security level of both sides should be set to 0?
inside outside
192.168.2.7 routerA ----- 192.168.2.3-0/0--switch-0/1--192.168.2.3 ------192.168.2.25 ASA 192.168.4.9 ---192.168.4.8 switch 192.168.4.8---- 192.168.4.12 routerB
|
1/0
192.168.2.3
ubuntu
conf t
interface GigabitEthernet0
description INSIDE
nameif inside
security-level 100
ip address 192.168.2.25 255.255.255.0
no shutdown
end
conf t
interface GigabitEthernet1
description OUTSIDE
nameif outside
security-level 0
ip address 192.168.4.9 255.255.255.0
no shut
end
conf t
access-list 100 permit icmp 192.168.2.3 255.255.255.255 192.168.4.8 255.255.255.255 echo log
access-list 100 permit tcp 192.168.2.3 255.255.255.255 192.168.4.8 255.255.255.255
access-group 100 in interface inside
end
conf t
access-list 200 extended permit icmp 192.168.4.8 255.255.255.255 192.168.2.3 255.255.255.255 echo-reply log
access-list 200 permit tcp 192.168.4.8 255.255.255.255 192.168.2.3 255.255.255.255
access-group 200 in interface outside
end
conf t
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
end
02-20-2015 09:30 AM
The ASA is stateful for TCP and UDP.
If you telnet from inside to outside and that is allowed then the return traffic is allowed whether you have permitted it in the outside acl or not.
If you telnet from outside to inside then as long as you allow it in your outside acl it will be allowed whether you allow the return back on your inside acl or not.
It is all to do with direction and where you initiate the connection from.
However NAT also plays a part.
In your configuration you only have dynamic PAT setup which means telnet from inside to outside will work.
But if you try to telnet from a lower to a higher security interface you need a static NAT or NAT exemption for the inside IPs which you don't have.
So it is a combination of acls and NAT that allow access through the firewall.
Jon
02-20-2015 09:54 AM
I tried not including
access-list 200 permit tcp 192.168.4.8 255.255.255.255 192.168.2.3 255.255.255.255
when first setting up the ASA.
The result was that inside could not ping outside,
which is different from your answer.
This permit tcp in the outside-in direction is essential.
When I added back the above permit tcp in the outside-in direction, it still could not ping; it seems it did not refresh, and I had to restart the whole setup in order to ping from inside to outside.
conf t
interface GigabitEthernet0
description INSIDE
nameif inside
security-level 100
ip address 192.168.2.25 255.255.255.0
no shutdown
end
conf t
interface GigabitEthernet1
description OUTSIDE
nameif outside
security-level 0
ip address 192.168.4.9 255.255.255.0
no shut
end
conf t
access-list 100 permit icmp 192.168.2.3 255.255.255.255 192.168.4.8 255.255.255.255 echo log
access-list 100 permit tcp 192.168.2.3 255.255.255.255 192.168.4.8 255.255.255.255
access-group 100 in interface inside
end
conf t
access-list 200 extended permit icmp 192.168.4.8 255.255.255.255 192.168.2.3 255.255.255.255 echo-reply log
no access-group 200 in interface outside
access-group 200 in interface outside
end
conf t
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
end
02-20-2015 02:06 PM
this permit tcp in outside in direction is essential
Are you talking about ping or telnet?
If it is ping then TCP has nothing to do with it.
If it is telnet then if you have set the firewall up correctly and you telnet from inside to outside you do not need anything in your outside acl for the return traffic to be allowed back in.
That is how stateful firewalls work.
If you are seeing different results it is because you have configured something incorrectly.
Jon
02-21-2015 12:31 PM
After trying again, I succeeded in telnetting from inside to outside and not from outside to inside,
and succeeded in pinging from inside to outside and not from outside to inside.
All I did was add permit tcp in the inside-in direction, with no permit tcp in the outside-in direction,
and permit icmp echo in the inside-in direction and echo-reply in the outside-in direction.
It seems very easy to set up on the ASA.
02-22-2015 05:34 AM
Basically from your description you saw exactly the right behaviour, i.e. telnet with TCP worked without a line allowing the traffic back in on the outside whereas ping using ICMP didn't.
That is exactly how a stateful firewall works.
Note that ASAs also support ICMP inspection which adds a sort of stateful checking for ICMP as well.
So you could enable ICMP inspection and remove the echo reply line in your outside acl and it should still work.
Glad you got it working
Jon
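The following toy model, written for this thread and not the ASA's own code, replays the behaviour Jon describes above: a TCP connection initiated from inside gets its return traffic through on connection state alone, a new TCP connection from outside is dropped by the outside ACL, and ICMP echo-replies need either the explicit echo-reply line or ICMP inspection. It uses the two host addresses from the thread's config, tracks flows on a 5-tuple, and deliberately leaves NAT and security levels out (names such as StatefulFirewall and thread_scenario are this example's own).

```python
from dataclasses import dataclass, field

@dataclass
class Pkt:
    iface: str          # interface the packet arrives on: "inside" or "outside"
    proto: str          # "tcp" or "icmp"
    src: str
    dst: str
    flag: str = ""      # tcp: "syn" (new) or "ack"; icmp: "echo" or "echo-reply"
    sport: int = 0      # tcp ports; left 0 for icmp
    dport: int = 0

@dataclass
class StatefulFirewall:
    """Constructed model of the thread's stateful behaviour, not ASA code. acls maps an
    interface name to rules (proto, src, dst, flag); flag None means any. NAT is left out."""
    acls: dict
    inspect_icmp: bool = False
    conns: set = field(default_factory=set)   # connection table keyed on the 5-tuple

    def _acl_permits(self, p):
        return any(proto == p.proto and src == p.src and dst == p.dst and flag in (None, p.flag)
                   for proto, src, dst, flag in self.acls.get(p.iface, []))

    def forward(self, p):
        reply_of = (p.proto, p.dst, p.dport, p.src, p.sport)   # the flow this packet would answer
        if p.proto == "tcp" and reply_of in self.conns:
            return "permit (tcp state)"        # return traffic never consults the interface ACL
        if p.proto == "icmp" and self.inspect_icmp and p.flag == "echo-reply" and reply_of in self.conns:
            self.conns.discard(reply_of)       # inspection lets one reply back per echo request
            return "permit (icmp inspection)"
        if not self._acl_permits(p):
            return "deny"
        if (p.proto == "tcp" and p.flag == "syn") or (p.proto == "icmp" and p.flag == "echo"):
            self.conns.add((p.proto, p.src, p.sport, p.dst, p.dport))   # remember the new flow
        return "permit (acl)"

INSIDE_HOST, OUTSIDE_HOST = "192.168.2.3", "192.168.4.8"   # the two hosts from the thread's config

def thread_scenario(inspect_icmp=False, outside_echo_reply_rule=True):
    # The poster's final working ACLs: tcp + echo inbound on inside, echo-reply inbound on outside.
    outside = [("icmp", OUTSIDE_HOST, INSIDE_HOST, "echo-reply")] if outside_echo_reply_rule else []
    fw = StatefulFirewall(acls={"inside": [("icmp", INSIDE_HOST, OUTSIDE_HOST, "echo"),
                                           ("tcp", INSIDE_HOST, OUTSIDE_HOST, None)],
                                "outside": outside}, inspect_icmp=inspect_icmp)
    return {
        "telnet in->out": fw.forward(Pkt("inside", "tcp", INSIDE_HOST, OUTSIDE_HOST, "syn", 40000, 23)),
        "telnet reply":   fw.forward(Pkt("outside", "tcp", OUTSIDE_HOST, INSIDE_HOST, "ack", 23, 40000)),
        "telnet out->in": fw.forward(Pkt("outside", "tcp", OUTSIDE_HOST, INSIDE_HOST, "syn", 50000, 23)),
        "ping in->out":   fw.forward(Pkt("inside", "icmp", INSIDE_HOST, OUTSIDE_HOST, "echo")),
        "ping reply":     fw.forward(Pkt("outside", "icmp", OUTSIDE_HOST, INSIDE_HOST, "echo-reply")),
        "ping out->in":   fw.forward(Pkt("outside", "icmp", OUTSIDE_HOST, INSIDE_HOST, "echo")),
    }
```

Calling thread_scenario(inspect_icmp=True, outside_echo_reply_rule=False) shows Jon's last suggestion: with ICMP inspection on, the echo-reply line on the outside ACL can go and the ping reply still passes.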