ASA 5505 ACL help

Answered Question
Jul 23rd, 2008

I am configuring my first ASA and have not been able to figure out how to limit access to a few subnets and sites on the internet.

I would like to only allow access to two internal nets

10.10.23.128 255.255.255.128
10.10.26.0 255.255.255.128

a single workstation in another group

10.10.28.12 255.255.255.128

and then two locations on the web

198.187.196.0 255.255.255.0
198.136.211.12 255.255.255.0

Any help would be greatly appreciated.

Mike

Tarleton State University

husycisco Wed, 07/23/2008 - 06:18

Hello Mike,

If I understood you correctly, you want to permit traffic from the specified private hosts and networks to the public IPs on the web, right? Then the config is

object-group network Allowed_Int
 network-object 10.10.23.128 255.255.255.128
 network-object 10.10.26.0 255.255.255.128
object-group network Allowed_Out
 network-object 198.187.196.0 255.255.255.0
 network-object 198.136.211.12 255.255.255.0
access-list inside_access_in permit ip object-group Allowed_In object-group Allowed_Out
access-group inside_access_in in interface inside

Regards

michael.m.williams Wed, 07/23/2008 - 09:06

It errored out when I tried to input

access-list inside_access_in permit ip object-group Allowed_In object-group Allowed_Out
access-group inside_access_in in interface inside

On access-group inside it stated it access-list

Mike

husycisco Wed, 07/23/2008 - 09:18

You have typed inside_access-in; it should be inside_access_in.

michael.m.williams Wed, 07/23/2008 - 09:28

access-group inside_access_in in interface inside
ERROR: access-list does not exist

Yes, sorry, typo, but this is what I put in and this is the error.

Mike

husycisco Wed, 07/23/2008 - 09:31

That means the access-list was created with the wrong name. Issue show access-list and check the name spelling.

michael.m.williams Wed, 07/23/2008 - 09:37

ITSCR3AS01# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
 alert-interval 300
access-list outside_access_in; 2 elements
access-list outside_access_in line 1 extended permit ip any object-group DM_INLINE_NETWORK_1 0xb8002543
 access-list outside_access_in line 1 extended permit ip any host 198.187.196.0 (hitcnt=0) 0xcd817934
 access-list outside_access_in line 1 extended permit ip any host 255.255.255.0 (hitcnt=0) 0x0ff50e83
ITSCR3AS01#

This is what I have.

Mike

Correct Answer
husycisco Wed, 07/23/2008 - 09:49

inside_access_in is not created. It should have errored when you typed in. Do not copy paste the whole, do it line by line and try to see errors.

Post your running config and let me see if object groups are created

michael.m.williams Wed, 07/23/2008 - 10:02

Here is the config. I am confused, ha.

domain-name xxxxxx
enable password xxx
passwd xxx
names
!
interface Vlan2
 description ASA outside interface
 nameif outside
 security-level 0
 ip address xxx.xxx.120.115 255.255.255.128
!
interface Vlan70
 description Inside network for Touchnet
 nameif inside
 security-level 100
 ip address 10.xxx.180.1 255.255.255.128
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 70
!
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name tarleton.edu
object-group network Allowed_Int
 network-object xxx.xxx.23.128 255.255.255.128
 network-object xxx.xxx.26.0 255.255.255.128
object-group network Allowed_Out
 network-object 198.187.196.0 255.255.255.0
 network-object 198.136.211.12 255.255.255.255
object-group network DM_INLINE_NETWORK_1
 network-object host 198.187.196.0
 network-object host 255.255.255.0
access-list outside_access_in extended permit ip any object-group DM_INLINE_NETWORK_1
pager lines 24
logging enable
logging timestamp
logging asdm informational
logging host outside xxx.xxx.23.140
logging permit-hostdown
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit xxx.xxx.21.0 255.255.255.128 outside
icmp permit 10.xx.180.0 255.255.255.128 inside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 10.xxx.180.0 255.255.255.128
access-group outside_access_in in interface outside
router eigrp 165
 no auto-summary
 eigrp stub connected
route outside 0.0.0.0 0.0.0.0 xxx.xxx.120.125 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http xxx.xxx.21.0 255.255.255.128 outside
http 10.xxx.180.0 255.255.255.0 inside
snmp-server host outside 165.95.23.140 community TSUroCN
snmp-server communit
snmp-server enable traps snmp authentication coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start
telnet xxx.xxx.21.0 255.255.255.128 outside
telnet timeout 5
ssh xxx.xxx.21.0 255.255.255.128 outside
ssh timeout 5
console timeout 0
dhcpd dns xxx.xxx.23.137 165.95.23.137
dhcpd wins xxx.xxx.23.133 165.95.23.133
dhcpd ping_timeout 60
dhcpd domain xxxx
dhcpd auto_config outside
dhcpd update dns
!
dhcpd address 10.xxx.180.2-10.xxx.180.100 inside
dhcpd dns xxx.xxx.23.137 xxx.xxx.23.133 interface inside
dhcpd wins xxx.xxx.23.137 xxx.xxx.23.133 interface inside
dhcpd ping_timeout 30 interface inside
dhcpd domain xxxxxx interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
ntp server xxx.xxx.1.1 source outside prefer
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
ITSCR3AS01#

I want my private network to access only computers on

xxx.xxx.23.0/25
xxx.xxx.26.0/25

and only these web sites

198.187.196.0/24
198.136.211.12

Everything else is denied.

Thanks for your help

Mike

husycisco Wed, 07/23/2008 - 10:21

Ok, two commands. You should be in hostname(config)# mode

access-list inside_access_in permit ip object-group Allowed_Int object-group Allowed_Out

After the above command is accepted without errors, issue the following

access-group inside_access_in in interface inside

Another issue is, you have the xxx.xxx.23.0/25 and xxx.xxx.26.0/25 networks, but your firewall does not have an interface in these networks. Are these networks connected to an L3 device which is connected to the inside interface? Assuming yes, you need a route back to that device on the ASA, like the following

route inside xxx.xxx.23.0 255.255.255.128 10.xxx.180.xx
route inside xxx.xxx.26.0 255.255.255.128 10.xxx.180.xx
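Two of the faults in this thread are visible in the text of the config alone: an ACE that references an object-group whose name does not match what was defined (Allowed_In vs Allowed_Int, which is why the access-list was never created and access-group then reported "access-list does not exist"), and the ASDM-generated DM_INLINE_NETWORK_1 group, where a network and its mask were entered as two separate "host" objects. The following is an added example, not code from the thread or from Cisco: a small offline linter that reads an ASA-style config excerpt and reports those conditions plus a network-object whose address has host bits set under its mask. The excerpt it parses is constructed to mirror the thread; the dmz_access_in access-group in it is an assumed extra line so that the missing-ACL check has something to report.

```python
import ipaddress

# Constructed sample modelled on the running config posted in the thread.
# The "dmz_access_in" access-group is an assumed line added for the example.
SAMPLE_CONFIG = """\
object-group network Allowed_Int
 network-object 10.10.23.128 255.255.255.128
 network-object 10.10.26.0 255.255.255.128
object-group network Allowed_Out
 network-object 198.187.196.0 255.255.255.0
 network-object 198.136.211.12 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object host 198.187.196.0
 network-object host 255.255.255.0
access-list outside_access_in extended permit ip any object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit ip object-group Allowed_In object-group Allowed_Out
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
"""


def parse_config(text):
    """Collect network object-groups, ACL entries and access-group bindings."""
    groups = {}        # group name -> list of token lists after "network-object"
    acls = {}          # ACL name -> list of ACE token lists
    access_groups = [] # (acl name, interface)
    current = None     # object-group whose members we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if tokens[:2] == ["object-group", "network"]:
            current = tokens[2]
            groups.setdefault(current, [])
        elif tokens[0] == "network-object" and current:
            groups[current].append(tokens[1:])
        elif tokens[0] == "access-list" and len(tokens) > 2:
            current = None
            acls.setdefault(tokens[1], []).append(tokens[2:])
        elif tokens[0] == "access-group" and len(tokens) >= 5:
            current = None
            access_groups.append((tokens[1], tokens[4]))
        else:
            current = None
    return groups, acls, access_groups


def looks_like_mask(addr_text):
    """True if the dotted quad is a valid netmask or hostmask, i.e. a mask
    typed where a host address belongs (e.g. "host 255.255.255.0")."""
    try:
        ipaddress.ip_network(f"0.0.0.0/{addr_text}")
        return True
    except ValueError:
        return False


def lint(groups, acls, access_groups):
    """Return (code, detail) findings for the parsed config."""
    findings = []
    for name, members in groups.items():
        for i, member in enumerate(members):
            if member[0] == "host":
                if looks_like_mask(member[1]):
                    prev = members[i - 1] if i > 0 and members[i - 1][0] == "host" else None
                    hint = f"; '{prev[1]} {member[1]}' was probably meant as one network" if prev else ""
                    findings.append(("MASK_AS_HOST", f"{name}: host {member[1]}{hint}"))
            elif len(member) == 2:
                try:
                    # strict=True rejects an address with host bits set under the mask
                    ipaddress.ip_network(f"{member[0]}/{member[1]}", strict=True)
                except ValueError:
                    findings.append(("HOST_BITS_SET",
                                     f"{name}: {member[0]} {member[1]} (a single host needs 255.255.255.255)"))
    for acl_name, aces in acls.items():
        for ace in aces:
            for j, tok in enumerate(ace):
                if tok == "object-group" and j + 1 < len(ace) and ace[j + 1] not in groups:
                    findings.append(("MISSING_OBJECT_GROUP", f"{acl_name} references {ace[j + 1]}"))
    for acl_name, iface in access_groups:
        if acl_name not in acls:
            findings.append(("MISSING_ACL",
                             f"access-group {acl_name} on {iface}: access-list does not exist"))
    return findings


if __name__ == "__main__":
    for code, detail in lint(*parse_config(SAMPLE_CONFIG)):
        print(f"{code}: {detail}")
```

Run against the sample it reports the mask-as-host pair in DM_INLINE_NETWORK_1, the 198.136.211.12/255.255.255.0 entry with host bits set, the Allowed_In reference that no object-group satisfies, and the access-group bound to an ACL that was never created. Pointing it at a real "show running-config" dump works the same way, since it only reads the object-group, access-list and access-group lines and ignores everything else.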

michael.m.williams Wed, 07/23/2008 - 11:23

Access to the outside is not working correctly. 198.187.xxx.xxx and 198.136.211.12

I keep getting "can't display the page".

xxx.xx.23 and xxx.xxx.26 are networks on the outside connected on the outside interface. The ASA and these networks are on the same L3 device.

husycisco Wed, 07/23/2008 - 12:00

Your initial query states "would like to only allow access to two internal nets

10.10.23.128 255.255.255.128
10.10.26.0 255.255.255.128"

and now you say "xxx.xx.23 and xxx.xxx.26 are networks on the outside connected on the outside interface".

Please describe your network in detail.

michael.m.williams Wed, 07/23/2008 - 12:08

I am sorry about the confusion.

My inside network on the ASA is 10.xx.180.0

and the outside network on the ASA is xxx.xx.120.0

xxx.xxx.23.0 and xxx.xxx.26.0 are networks outside of the ASA but connected to the same L3 device as the ASA outside interface.

I have computers on the inside of the ASA that need to talk to these two networks because they house DNS and other important assets.

Mike

husycisco Wed, 07/23/2008 - 17:23

Mike,

"xxx.xxx.23.0 and xxx.xxx.26.0 are networks outside of the ASA... these two networks because they house DNS and other important assets"

I can give you some pretty weird configurations like outside NAT and outside ACLs that will make your system work, but this will totally make your firewall a huge "nothing". The ACL that will make things work will leave your outside interface totally open to spoofing attacks, since traffic would have to be permitted from a private IP range, which should not be done. An outside NAT with the global again on outside, intra-interface permit... just forget about that. Let's make a best practice design.

The place for these networks is not! your outside interface. They also have to be protected, since they hold DNS and some important servers and are accessed by both inside and outside. You should create a DMZ for these. Remove the switchport statement from one of the Ethernet ports, make it the DMZ and connect those networks to this port. For further advice, I need to know what L3 device all the networks and the outside interface are connected to. Where does the ISP connection come from (device) and where do these networks come from (device)? Is inside also connected to the same segment?

michael.m.williams Thu, 07/24/2008 - 10:17

I took the information you gave me and set up my ACLs, and I got it working. Very simplified ACLs, but it will do for what we want it to do.

Thanks so much.

Mike
