Need help with ASA 5510 access-lists

Answered Question
Jun 3rd, 2008

When I add an access list to allow a service group access through the firewall, all traffic is blocked. Config posted below.


: Saved
: Written by enable_15 at 08:48:32.873 EST Tue Jun 3 2008
!
ASA Version 7.0(7)
!
hostname ciscoasa
domain-name my.asa.org
enable password xxxxxxx encrypted
names
no dns-guard
!
interface Ethernet0/0
 nameif WAN
 security-level 0
 ip address 24.xxx.xxx.133 255.255.255.224
!
interface Ethernet0/1
 nameif DMZ
 security-level 50
 ip address 10.100.100.1 255.255.255.0
!
interface Ethernet0/2
 nameif LAN
 security-level 100
 ip address 192.168.100.232 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxxxxxxxxxxx encrypted
ftp mode passive
clock timezone EST -5
object-group service internet tcp
 port-object eq www
 port-object eq domain
 port-object eq https
 port-object eq ftp
access-list LAN_access_in extended permit tcp 192.168.0.0 255.255.0.0 any object-group internet
pager lines 24
logging asdm informational
mtu management 1500
mtu LAN 1500
mtu DMZ 1500
mtu WAN 1500
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (WAN) 10 interface
nat (LAN) 10 10.10.0.0 255.255.0.0
nat (LAN) 10 192.168.0.0 255.255.0.0
access-group LAN_access_in in interface LAN
route LAN 192.168.0.0 255.255.0.0 192.168.100.1 1
route LAN 10.10.0.0 255.255.0.0 192.168.100.1 1
route WAN 0.0.0.0 0.0.0.0 24.xxx.xxx.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.0.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 management
telnet 192.168.0.0 255.255.0.0 LAN
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:xxx
: end


Fernando_Meza Tue, 06/03/2008 - 15:50

Hi,


Make sure you are testing from the range 192.168.0.0 255.255.0.0, because this is the only range allowed by the ACL. Apart from that I can't see anything wrong on the configuration.

Correct Answer
husycisco Tue, 06/03/2008 - 17:00

Hi Dennis,

"all traffic is blocked config posted below"

By default, traffic from a higher security level interface to a lower security interface is permitted. You won't have to define any specific ACLs. Any ACLs defined to the higher security interface (LAN interface for your issue) makes filtering rather than securing.

In your issue, the LAN_access_in ACL permits the specified traffic and denies the rest by implicit deny. I see a NAT statement for the 10.10.0.0 255.255.0.0 network, and a permit doesn't take place for that.


Now if the issue is "all internet traffic is blocked" or "can't access internet", the issue is you permit domain port (53) for a tcp object group. You also have to permit UDP port 53 for resolving names correctly.


Regards
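To make the implicit-deny behaviour described above concrete, here is an added Python model (not from the thread or from Cisco) that evaluates the posted LAN_access_in line, and a corrected version, against constructed sample flows. The internet_udp group, the 10.10.0.0/16 entries and the sample source addresses are assumptions.

```python
import ipaddress
from collections import namedtuple

# Service object-groups: name -> (protocol, destination ports).
# "internet" is the tcp group from the posted config (www, domain, https, ftp);
# "internet_udp" is constructed here for the fix suggested in the thread.
OBJECT_GROUPS = {
    "internet": ("tcp", {80, 53, 443, 21}),
    "internet_udp": ("udp", {53}),
}

# One access-control entry: permit <proto> <src> any object-group <group>
Ace = namedtuple("Ace", "proto src group")

def ace_matches(ace, proto, src_ip, dport):
    gproto, ports = OBJECT_GROUPS[ace.group]
    # A tcp object-group never matches a udp datagram, even on port 53
    return (proto == ace.proto == gproto
            and ipaddress.ip_address(src_ip) in ace.src
            and dport in ports)

def acl_permits(acl, proto, src_ip, dport):
    """ASA semantics: first matching ACE wins; no match means implicit deny."""
    return any(ace_matches(ace, proto, src_ip, dport) for ace in acl)

# LAN_access_in exactly as posted: a single TCP permit for 192.168.0.0/16
ORIGINAL_ACL = [Ace("tcp", ipaddress.ip_network("192.168.0.0/16"), "internet")]

# Corrected ACL (constructed): permit UDP 53 for DNS, and cover the
# 10.10.0.0/16 range that the nat (LAN) statement translates. ASA form:
#   object-group service internet_udp udp
#    port-object eq domain
#   access-list LAN_access_in extended permit udp 192.168.0.0 255.255.0.0 any object-group internet_udp
FIXED_ACL = ORIGINAL_ACL + [
    Ace("udp", ipaddress.ip_network("192.168.0.0/16"), "internet_udp"),
    Ace("tcp", ipaddress.ip_network("10.10.0.0/16"), "internet"),
    Ace("udp", ipaddress.ip_network("10.10.0.0/16"), "internet_udp"),
]

# Constructed sample flows: (proto, source, destination port, label)
SAMPLE_FLOWS = [
    ("tcp", "192.168.100.50", 80, "web from LAN"),
    ("udp", "192.168.100.50", 53, "DNS from LAN"),
    ("tcp", "10.10.5.7", 443, "https from 10.10/16"),
]

def evaluate(acl):
    """Map each sample flow's label to whether the ACL permits it."""
    return {label: acl_permits(acl, p, s, d) for p, s, d, label in SAMPLE_FLOWS}
```

With the posted ACL only the TCP web flow passes; DNS over UDP and anything sourced from 10.10.0.0/16 fall to the implicit deny, which is exactly the "all traffic blocked" symptom once name resolution fails.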

paulwhite1977 Thu, 06/05/2008 - 08:35

It's worth checking the security levels and the logs.


If the log reveals 'no translation group found for', it may be that, like in the old PIX, you require a static translation in order to pass from the low level of security to the high.


You can, in later revisions of PIX, remove this with the no nat-control command.

dcholl1 Thu, 06/05/2008 - 11:02

I would like to thank everyone who replied to this message. I'm afraid the answer was very simple: I did not add the UDP domain port in my access list, therefore I could not pull DNS info. I am sorry not to have caught this myself, but I am thankful for all the help.


Dennis

husycisco Thu, 06/05/2008 - 16:10

Dennis,

Glad your issue is resolved. Would you please rate my previous post which suggested you to permit UDP 53 for internet connectivity?


Regards
