Access-Control Issue

chaserf9e · ‎09-22-2014

Our main internet router has two firewall's at our site, one of the asa's is ours the other is a client asa, the client asa has a ipsec tunnel and a riverbed steelhead caching device that goes back to there site in the usa. this is then used by the client to access servers on oursite, the previous network engineer setup the asa's etc.. so that

Client ASA has one of our outside facing ip's lets say (1.1.1.9) we don't have any access or control to this ASA other than knowing that they point 10.10.17.2 to 1.1.1.8 and 10.10.17.3 to 1.1.1.7

there are then the two servers with NAT on our asa that point the servers from 1.1.1.8 to 10.7.0.5 and 1.1.1.7 to 10.7.0.59

as per the picture when a client goes to 10.10.17.3 on there network it goes from the cache device to our asa outside ip 1.1.1.8 (defined on there asa) and then send data and the same for 10.10.17.2. my issue is that i need to block 1.1.1.8 and 1.1.1.7 from the rest of the internet, my thought was that i could just connect differently and use internal ip's over different the space interface i have however for now i need to band aid the problem until it can be coordinated, i therefore tried to block 1.1.1.7 and 1.1.1.8 from the rest of the internet by using the command

access-list 102 deny ip 1.1.1.8 255.255.255.255 any

access-list 102 deny ip 1.1.1.7 255.255.255.255 any

however after i had put this in i ended up with the following in the config

Extended IP access list 102
10 deny ip any any

and as a result 1.1.17 and 1.1.1.8 are still routable from the internet, can anyone give me info on what i am doign wrong

vishal vyas · ‎09-22-2014

Please check your outside access list on ASA.

#access-list outside deny any host 1.1.1.7

#access-list outside deny any host 1.1.1.8

chaserf9e · ‎09-22-2014

will that not also block access from the outside ip of 1.1.1.9 ? i was trying to do it at the router as the firewall is already beyond the point of the internet

vishal vyas · ‎09-22-2014

Here we are just specifying IP address of the 2 servers, (host) word indicate just that particular ip, like we do on router (1.1.1.7 255.255.255.255) is the same thing.

chaserf9e · ‎09-22-2014

thanks but i need "any" apart from 1.1.1.9,

so by doing #access-list outside deny any host 1.1.1.7 that would stop internet traffic going to the server but would also stop the traffic from 1.1.1.9 to 1.1.1.7.

vishal vyas · ‎09-22-2014

access-list outside line 1 extended permit host 1.1.1.9 any

#access-list outside line 2 extended deny any host 1.1.1.7

#access-list outside line 3 extended deny any host 1.1.1.8

chaserf9e · ‎09-22-2014

on the asa ? rather than blocking it prior to getting to the internet vlan 105 that all devices are in?

vishal vyas · ‎09-22-2014

You can block the traffic on vlan 105

but please make sure that first add all the permit statment

ip acceess-list extended TEST permit ip 10.7.0.0 0.0.0.255 any

ip acceess-list extended TEST permit ip 1.1.1.9 0.0.0.255 any

ip acceess-list extended TEST deny ip any host 1.1.1.7

ip acceess-list extended TEST deny ip any host 1.1.1.8

vishal vyas · ‎09-22-2014

add permit any any at the end