cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
607
Views
0
Helpful
6
Replies

Implementing Access lists on ASA

garrfen12
Level 1
Level 1

Hi All,

I am relatively new to ASA. We currently have an ASA device which I have configured to work with ssl using Cisco AnyConnect or webvpn.

Basically all is working fine, from any mobile device I can connect to the ASA and authenticate using a RADIUS server on the LAN.

So far so good.

Now I would like to start restricting the traffic flowing over my LAN to https to a particular host

So currently have Internal interface (LAN) and External interface (WAN)

What I did was the following:

access-list Inside_Out extended permit tcp AnyConnect-Network 255.255.255.0 host MT-APP013 eq https

access-list Inside_Out extended permit udp any host MT-APP013 object-group DM_INLINE_UDP_1

Then I assigned the access list to the interface as follows:

access-group Inside_Out out interface Internal

Now this is the part where I get slightly confused IN is anything towards the ASA and out is anything leaving.

So I decided that the correct location would be to attach to the out of the internal interface.

However all traffic still passes and rules are not matched.

Can anyone guide me to what I am doing wrong?

Garreth

6 Replies 6

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

Depending on your current amount of different VPN connections you could also do the following

You could disable the setting that by default allows ALL connections through the ASA when they are coming through VPN connection. You could disable this setting and start controlling connections on the "outside" interfaces "in" direction ACL.

This would be changed with the command

no sysopt connection permit-vpn

What you should notice here is ofcourse the fact that if you arent already using the above setting then you would have to first create the ACL rules on the "outside" interface ACL and then issue the above command so you dont start blocking some connections from VPN connections to your LAN.

I find this solution easy to manage since you use the same "outside" interface ACL both to control traffic from the Internet and from VPN Client users or remote sites connecting through L2L VPN for example.

- Jouni

Hi Jouni,

Thanks for your prompt reply.

I did not find the sysopt in the ASA config, hence it must be enabled by default. Once applying the no sysopt as recommended all traffic was blocked.

I implemented the following access list

access-list Outside_In extended permit tcp any host MT-APP013 eq https

access-group Outside_In in interface External

However now I cannot access anything and getting the following in ASDM log.

6|May 23 2013|14:31:16|302014|10.42.66.57|45710|MT-APP013|443|Teardown TCP connection 21372 for External:10.42.66.57/45710 to Internal:MT-APP013/443 duration 0:00:02 bytes 4018 TCP Reset-O (fenechga)

6|May 23 2013|14:31:14|302013|10.42.66.57|45710|MT-APP013|443|Built inbound TCP connection 21372 for External:10.42.66.57/45710 (10.42.66.57/45710) to Internal:MT-APP013/443 (MT-APP013/443) (fenechga)

6|May 23 2013|14:31:14|302014|10.42.66.57|46590|MT-APP013|443|Teardown TCP connection 21371 for External:10.42.66.57/46590 to Internal:MT-APP013/443 duration 0:00:02 bytes 4027 TCP Reset-O (fenechga)

6|May 23 2013|14:31:11|302013|10.42.66.57|46590|MT-APP013|443|Built inbound TCP connection 21371 for External:10.42.66.57/46590 (10.42.66.57/46590) to Internal:MT-APP013/443 (MT-APP013/443) (fenechga)

Garreth

Hi,

Those messages would point to a situation where the actual VPN Clients computer is sending a TCP Reset for the connection.

Remember that since you are using an ACL that is attached to the outside interface that incase you are using a public destination IP address you would be now opening HTTPS for both all VPN users and all Internet users.

I guess you are using some "name" configuration for the IP address of the server since I cant see its IP address in the logs or in the configurations earlier.

Have you reconnected the VPN client connection after the configuration change? I dont know if it has anything to do with this. It doesnt seem to but just a thought.

Naturally seeing some configurations would help confirm the firewall setting but it would indeed seem that the host is causing the TCP Connection to Reset. And its strange that its done right away after 2 seconds.

- Jouni

Hi Jouni,

This ASA is being used strictly for AnyConnect access from mobile devices towards a Lotus Notes server. So no internal clients access the internet via this device.

I am attaching the configuration below for your review.

: Saved

: Written by administrator at 15:32:41.336 CEDT Thu May 23 2013

!

ASA Version 8.2(5)

!

hostname qrm-asaext-1

domain-name xx.xxx.com

enable password xxxxx encrypted

passwd xxxxx encrypted

names

name 10.42.64.0 Servers

name 10.42.84.0 TRDG

name 10.42.66.0 AnyConnect-Network description Traveler Clients

name 10.42.68.10 MT-APP013 description Traveler Server

!

interface Ethernet0/0

nameif Internal

security-level 0

ip address 10.42.68.2 255.255.255.0

!

interface Ethernet0/1

nameif External

security-level 0

ip address 194.xxx.xx.xx 255.255.255.248

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 10.42.71.50 255.255.255.0

management-only

!

banner exec --------------------------------------------------------------------------------------

banner exec Warning!

banner exec --------------------------------------------------------------------------------------

banner login --------------------------------------------------------------------------------------

banner login Warning!

banner login --------------------------------------------------------------------------------------

banner asdm --------------------------------------------------------------------------------------

banner asdm Warning!

banner asdm --------------------------------------------------------------------------------------

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns domain-lookup Internal

dns server-group DefaultDNS

name-server 10.42.64.14

domain-name xx.xxx.com

access-list Outside_In extended permit tcp any host MT-APP013 eq https

access-list Traveler_Traffic standard permit 10.42.68.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

logging host management 10.42.64.4

mtu Internal 1500

mtu External 1500

mtu management 1500

ip local pool Traveller_Pool 10.42.66.50-10.42.66.200 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm location Servers 255.255.254.0 management

asdm location TRDG 255.255.255.0 management

asdm location MT-APP013 255.255.255.255 management

no asdm history enable

arp timeout 14400

access-group Outside_In in interface External

route External 0.0.0.0 0.0.0.0 194.xxx.xx.xx 1

route management Servers 255.255.254.0 10.42.64.1 1

route management TRDG 255.255.255.0 10.42.84.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server Traveller_RADIUS protocol radius

aaa-server Traveller_RADIUS (Internal) host MT-APP013

timeout 5

key Stnd8674

aaa authentication ssh console LOCAL

aaa authentication serial console LOCAL

aaa authentication telnet console LOCAL

aaa authentication enable console LOCAL

http server enable

http 10.42.71.0 255.255.255.0 management

http TRDG 255.255.255.0 management

http Servers 255.255.254.0 management

http authentication-certificate management

snmp-server location Live Site

snmp-server contact Garreth Fenech

snmp-server community M4lta420

snmp-server enable traps snmp authentication linkup linkdown coldstart

no sysopt connection permit-vpn

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh Servers 255.255.254.0 management

ssh 10.42.71.0 255.255.255.0 management

ssh TRDG 255.255.255.0 management

ssh timeout 30

ssh version 2

console timeout 0

management-access management

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 10.42.64.14 source management prefer

webvpn

enable External

svc image disk0:/anyconnect-win-3.1.03103-k9.pkg 1

svc profiles AnyConnect_Client disk0:/anyconnect-win-3.1.03103-k9.pkg

svc enable

tunnel-group-list enable

group-policy AnyConnectGrpPolicy internal

group-policy AnyConnectGrpPolicy attributes

vpn-tunnel-protocol svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Traveler_Traffic

split-dns value xx.xxx.xxxinternal.com

split-tunnel-all-dns disable

webvpn

  svc compression deflate

  svc profiles none

  svc ask enable default webvpn

username administrator password xxxxx encrypted privilege 15

username garreth password xxxxx encrypted

tunnel-group Traveller type remote-access

tunnel-group Traveller general-attributes

address-pool Traveller_Pool

authentication-server-group Traveller_RADIUS

default-group-policy AnyConnectGrpPolicy

tunnel-group Traveller webvpn-attributes

group-alias traveller enable

group-url https://194.xxx.xx.xx/traveller enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

smtp-server 10.42.64.2

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:4f72d6bf447fd84489ee6ff158c4ad41

: end

Hope this helps. We are using android and Apple IOS clients to connect to this device.

Garreth

Hi Jouni,

Hope you are doing well.

By any chance did you manage to figure out what is wrong in my config?

Garreth

Hi,

Sorry, usually answering in so many threads here that I loose track of all the discussion I am part of

As I said before it would seem that there is connectivity between the VPN Client user and the LAN host but the logs tell us that the VPN Client host sends TCP Reset for the TCP/443 connection therefore closing the connection. This happens 2 seconds into the connection.

So on the basis of that the ASA isnt blocking anything at the moment. It would be good to also try some other services through the VPN Client connection to see if the problem is just with the TCP/443 connection.

I notice you dont have any NAT configurations. Thought this might be a normal setup on an ASA which is only handling VPN connections. You also dont have "nat-control" configured which would look right since IF IT WAS then the ASA would require NAT configurations for all traffic.

Though I usually configure NAT0 just incase. In your case the NAT0 configuration would be

access-list INTERNAL-NAT0 permit ip 10.42.68.0 255.255.255.0 10.42.66.0 255.255.255.0

nat (Internal) 0 access-list INTERNAL-NAT0

Actually, I just now noticed that your ASA interfaces "security-level" are both set to "0". This will cause connections through these interfaces to fail.

You can either change the "Internal" interface to "100" or you can enable the configuration "same-security-traffic permit inter-interface" to enable traffic between 2 interfaces that have the same "security-level" value.

Also if you have the need to use PING/ICMP I would suggest enabling ICMP inspection

fixup protocol icmp

fixup protocol icmp error

Inserting the commands will genera a message from the ASA as the ASA convert the above command to "inspect icmp" and "inspect icmp error" under the "policy-map" configurations.

Hope this helps

- Jouni