acl-help in asa

elite2010
Level 3

Hi,

object service testservice
 service tcp destination eq 22

access-list test_vpn_acl extended permit object testservice object Obj-192.168.100.100 object OBJ_172.x.x.x_28

The purpose is to give access only to port 22 on the host 192.168.100.100 from the network OBJ_172.x.x.x_28.

But the problem is that once I am connected, I can access all ports, which are not in the access-list.

 

So what is wrong with my access list?

 

Thanks

6 Replies

Philip D'Ath
VIP Alumni

Try:

access-list test_vpn_acl extended permit object Obj-192.168.100.100 object OBJ_172.x.x.x_28 object testservice 

Or even the simpler:

access-list test_vpn_acl extended permit tcp object Obj-192.168.100.100 object OBJ_172.x.x.x_28 eq 22

Hi,

The syntax of the first one seems to be incorrect:

access-list test_vpn_acl extended permit object Obj-192.168.100.100 ?

configure mode commands/options:

<cr>

2) The one below I have created using ASDM:

access-list test_vpn_acl extended permit object testservice object Obj-192.168.100.100 object OBJ_172.x.x.x_28

and I have attached the screenshot of the service object. Is there any issue with the open source ports?

3) Unfortunately the ACL below also makes it possible to access all ports, which is not permitted:

access-list test_vpn_acl extended permit tcp object Obj-192.168.100.100 object OBJ_172.x.x.x_28 eq 22

4) When I run sh test_vpn_acl, I cannot see any hit count?

Thanks

I'm thinking you have an access rule above or below this one granting all access. Does this ACL show any hits (indicating it has been used)?

You also mention being connected. Are you by chance connecting via VPN?

Hi,

This is the only host I can access. In the same network I have lots of other hosts.

I have a DACL in the ISE, where I permit any any.

So do you think the DACL is taking precedence?

Since I am not getting any hit count on the ACL "test_vpn_acl", how can I verify from the log which ACL the ASA is taking?

Thanks
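One way to answer "which ACL did the ASA actually apply to this flow?" from the syslog, as an added example (not code from this thread or from Cisco): the ASA reports the matching ACL name in message 106100 (for ACEs configured with the log keyword) and in the default deny message 106023. The script below parses both, counts decisions per ACL, and flags any permit to a port outside the intended set that came from an ACL other than the one you expected. The log lines are constructed for illustration; the DACL name (ISE-downloaded ACLs show up on the ASA with a #ACSACL#-IP- prefix) uses a placeholder suffix, and the argument values test_vpn_acl and port 22 are taken from the thread.

```python
"""Identify which ASA access-list made the permit/deny decision for each flow.

Added example for this thread, not Cisco code. Assumes syslog messages
106100 (ACE with `log` keyword) and 106023 (default deny) in their standard
text form. Sample lines below are constructed; the DACL name suffix is a
placeholder standing in for the hash ISE appends.
"""
import re
from collections import Counter

# %ASA-6-106100: access-list <acl> {permitted|denied|est-allowed} <proto>
#   <in_ifc>/<src>(<sport>) -> <out_ifc>/<dst>(<dport>) hit-cnt <n> ...
RE_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\w+) "
    r"(?P<src_ifc>[^/]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_ifc>[^/]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)
# %ASA-4-106023: Deny <proto> src <ifc>:<src>/<sport> dst <ifc>:<dst>/<dport>
#   by access-group "<acl>"
RE_106023 = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<src_ifc>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_ifc>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample log: first two lines show an ISE DACL (permit ip any any)
# winning the match; the last two show test_vpn_acl doing its job.
DACL_NAME = "#ACSACL#-IP-PERMIT_ALL-PLACEHOLDER"  # placeholder, not a real DACL name
SAMPLE_LOGS = [
    f"%ASA-6-106100: access-list {DACL_NAME} permitted tcp outside/172.16.0.5(51234) "
    "-> inside/192.168.100.100(22) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    f"%ASA-6-106100: access-list {DACL_NAME} permitted tcp outside/172.16.0.5(51235) "
    "-> inside/192.168.100.100(3389) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "%ASA-6-106100: access-list test_vpn_acl permitted tcp outside/172.16.0.5(51236) "
    "-> inside/192.168.100.100(22) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]",
    '%ASA-4-106023: Deny tcp src outside:172.16.0.5/51237 dst inside:192.168.100.100/3389 '
    'by access-group "test_vpn_acl" [0x0, 0x0]',
    "unrelated syslog line",
]


def parse_line(line):
    """Return a dict with acl, action, src, dst, dport for one ACL log line, else None."""
    m = RE_106100.search(line)
    if m:
        d = m.groupdict()
        d["dport"] = int(d["dport"])
        return d
    m = RE_106023.search(line)
    if m:
        d = m.groupdict()
        d["action"] = "denied"  # 106023 is always a deny
        d["dport"] = int(d["dport"])
        return d
    return None


def summarize(lines, expected_acl, allowed_ports):
    """Count decisions per ACL name and collect permits that the expected ACL
    would not have allowed but some other ACL (e.g. a DACL) granted."""
    by_acl = Counter()
    unexpected = []
    for line in lines:
        d = parse_line(line)
        if d is None:
            continue
        by_acl[d["acl"]] += 1
        if d["action"] != "denied" and d["dport"] not in allowed_ports and d["acl"] != expected_acl:
            unexpected.append((d["acl"], d["dst"], d["dport"]))
    return by_acl, unexpected


if __name__ == "__main__":
    counts, findings = summarize(SAMPLE_LOGS, "test_vpn_acl", {22})
    for acl, n in counts.items():
        print(f"{n:3d} decision(s) by access-list {acl}")
    for acl, dst, port in findings:
        print(f"permit to {dst}:{port} came from {acl}, not the intended ACL")
```

Run it against a real syslog export (one message per line) in place of SAMPLE_LOGS; if the only ACL names that appear are the #ACSACL#-IP- ones, that is the log-side confirmation that the downloaded DACL, not the group-policy ACL, is what the ASA evaluated for the session.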

You didn't mention you were pushing dynamic access lists!

Yes, I think it is probably getting matched first. Why not just push the access list you want for that user?

Hi, 

You were correct. ISE was pushing the ACL, and the ASA took the DACL from the ISE.

To test, I removed the DACL from the ISE; this time I thought the ASA would take the ACL which is mentioned in the group policy of the related tunnel group.

But it did not, and I got full access.

Thanks