247 Views, 0 Helpful, 5 Replies

Why do both sides have a TCP permit but only one side is permitted to telnet?

martlee2
Cisco Employee

permit tcp has a default reflexive function

why does the outside-in direction also need

access-list 200 permit tcp 192.168.4.8 255.255.255.255 192.168.2.3 255.255.255.255

?

Does it mean that this default behavior needs both sides to permit tcp?

 

If it is not for the default reflexive behavior, why is there a permit tcp in the outside-in direction when it cannot telnet from outside to inside?

If outside and inside are to be able to telnet each other, does it mean that the security level of both sides should be set to 0?

 

                                           inside                                                                    outside
192.168.2.7 routerA -----  192.168.2.3-0/0--switch-0/1--192.168.2.3 ------192.168.2.25  ASA 192.168.4.9 ---192.168.4.8 switch 192.168.4.8---- 192.168.4.12 routerB
                                         |
                                         1/0
                                     192.168.2.3
                                        ubuntu

conf t
interface GigabitEthernet0
description INSIDE
nameif inside
security-level 100
ip address 192.168.2.25 255.255.255.0
no shutdown
end
conf t
interface GigabitEthernet1
description OUTSIDE
nameif outside
security-level 0
ip address 192.168.4.9 255.255.255.0
no shut
end
conf t
access-list 100 permit icmp 192.168.2.3 255.255.255.255 192.168.4.8 255.255.255.255 echo log
access-list 100 permit tcp 192.168.2.3 255.255.255.255 192.168.4.8 255.255.255.255
access-group 100 in interface inside
end
conf t
access-list 200 extended permit icmp 192.168.4.8 255.255.255.255 192.168.2.3 255.255.255.255 echo-reply log
access-list 200 permit tcp 192.168.4.8 255.255.255.255 192.168.2.3 255.255.255.255
access-group 200 in interface outside
end
conf t
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
end

5 Replies

Jon Marshall
Hall of Fame

The ASA is stateful for TCP and UDP.

If you telnet from inside to outside and that is allowed, then the return traffic is allowed whether you have permitted it in the outside ACL or not.

If you telnet from outside to inside, then as long as you allow it in your outside ACL it will be allowed whether you allow the return back in your inside ACL or not.

It is all to do with direction and where you initiate the connection from.

However NAT also plays a part.

In your configuration you only have dynamic PAT set up, which means telnet from inside to outside will work.

But if you try to telnet from a lower to a higher security interface you need a static NAT or NAT exemption for the inside IPs, which you don't have.

So it is a combination of ACLs and NAT that allows access through the firewall.

Jon
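The outside-initiated case Jon describes (static NAT for the inside host plus an outside ACL entry) as a worked configuration. This is an added example, not part of the thread or the poster's configuration. It assumes ASA 8.3 or later object-NAT syntax, the addresses from the poster's diagram (ubuntu 192.168.2.3 on inside, routerB 192.168.4.12 on outside), and a mapped address 192.168.4.30 that is an assumption (any unused address on the outside subnet would do):

```cisco
! Added example (not from the original post). Assumes ASA 8.3+ and the
! addresses from the poster's diagram; 192.168.4.30 is an assumed free
! address on the outside subnet used as the static mapped address.

! 1. Static NAT: give the inside host a fixed outside address so that an
!    outside-initiated connection has a translation to land on.
!    (Dynamic PAT alone, as in the original config, only builds
!    translations for inside-initiated flows.)
object network ubuntu_inside
 host 192.168.2.3
 nat (inside,outside) static 192.168.4.30

! 2. Outside ACL. On 8.3+ the ACL matches the REAL (untranslated)
!    destination, 192.168.2.3, not the mapped 192.168.4.30.
!    Restrict to the telnet port: a bare "permit tcp" to this host
!    would expose every TCP port on it once the static NAT exists.
access-list 200 extended permit tcp host 192.168.4.12 host 192.168.2.3 eq telnet
access-group 200 in interface outside

! 3. Nothing is needed in the inside ACL for the return packets; the
!    connection table allows them. packet-tracer takes the packet as it
!    arrives on the wire, so the destination here is the MAPPED address.
packet-tracer input outside tcp 192.168.4.12 40000 192.168.4.30 23

! After a real telnet session is opened from routerB, the entry shows up here:
show conn protocol tcp
show xlate
```

If the real inside address must stay visible on the outside (no translation), replace the static line with identity NAT, `nat (inside,outside) static 192.168.2.3`, and make sure routerB has a route for 192.168.2.0/24 pointing at the ASA's outside interface; the ACL line is unchanged either way because it already uses the real address.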

I tried not to include

access-list 200 permit tcp 192.168.4.8 255.255.255.255 192.168.2.3 255.255.255.255

the first time I set up the ASA

 

The result was that inside could not ping outside,

which is different from your answer.

This permit tcp in the outside-in direction is essential.

 

When I added back the above permit tcp in the outside-in direction, it could not ping either; it seems not to refresh, and I had to restart the whole setup in order to ping from inside to outside.

 

conf t
interface GigabitEthernet0
description INSIDE
nameif inside
security-level 100
ip address 192.168.2.25 255.255.255.0
no shutdown
end
conf t
interface GigabitEthernet1
description OUTSIDE
nameif outside
security-level 0
ip address 192.168.4.9 255.255.255.0
no shut
end
conf t
access-list 100 permit icmp 192.168.2.3 255.255.255.255 192.168.4.8 255.255.255.255 echo log
access-list 100 permit tcp 192.168.2.3 255.255.255.255 192.168.4.8 255.255.255.255
access-group 100 in interface inside
end
conf t
access-list 200 extended permit icmp 192.168.4.8 255.255.255.255 192.168.2.3 255.255.255.255 echo-reply log

no access-group 200 in interface outside
access-group 200 in interface outside
end
conf t
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
end

This permit tcp in the outside-in direction is essential.

Are you talking about ping or telnet?

If it is ping then TCP has nothing to do with it.

If it is telnet, then if you have set the firewall up correctly and you telnet from inside to outside, you do not need anything in your outside ACL for the return traffic to be allowed back in.

That is how stateful firewalls work.

If you are seeing different results it is because you have configured something incorrectly.

Jon

After trying again, I succeeded in telnetting from inside to outside and not from outside to inside,

and succeeded in pinging from inside to outside and not from outside to inside.

 

All I did was add permit tcp in the inside-in direction, with no permit tcp in the outside-in direction,

and permit icmp echo in the inside-in direction and echo-reply in the outside-in direction.

 

It seems very easy to set up on the ASA.

Basically, from your description you saw exactly the right behaviour, i.e. telnet over TCP worked without a line allowing the traffic back in on the outside, whereas ping using ICMP didn't.

That is exactly how a stateful firewall works.

Note that ASAs also support ICMP inspection which adds a sort of stateful checking for ICMP as well.

So you could enable ICMP inspection and remove the echo reply line in your outside acl and it should still work.

Glad you got it working

Jon
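The ICMP inspection change Jon suggests, written out as an added example that is not part of the thread. It assumes the default `global_policy` / `inspection_default` names that ship in a factory ASA configuration and the poster's own access-list 200 entries; if the policy map has been renamed, adjust the names accordingly:

```cisco
! Added example (not from the original post). Assumes the default
! global_policy and inspection_default class that ship on the ASA.

! 1. Turn on ICMP inspection. The ASA then creates a connection entry
!    for each echo it forwards and only lets the matching echo-reply
!    back in, so ICMP is treated statefully like TCP/UDP.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! 2. The echo-reply ACE on the outside ACL is now redundant; removing it
!    means the outside ACL again lists only outside-INITIATED traffic,
!    which is the state you want to keep auditable.
no access-list 200 extended permit icmp 192.168.4.8 255.255.255.255 192.168.2.3 255.255.255.255 echo-reply log

! 3. Verify: the echo from inside is permitted by access-list 100, and the
!    reply should be matched by the conn entry rather than by any ACL.
!    packet-tracer syntax: input <ifc> icmp <src> <type> <code> <dst>
packet-tracer input inside icmp 192.168.2.3 8 0 192.168.4.8
show service-policy inspect icmp
show conn
```

Without `inspect icmp`, an outside host can send unsolicited echo-replies (or other ICMP types listed in the ACL) through to the inside at any time; with it, a reply is accepted only while a matching outbound echo is in the connection table, which is the same initiator-based rule the TCP telnet test showed.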
