07-23-2008 05:40 AM - edited 03-11-2019 06:18 AM
I am configuring my first ASA and have not been able to figure out how to limit access to a few subnets and sites on the internet.
I would like to only allow access to two internal nets
10.10.23.128 255.255.255.128
10.10.26.0 255.255.255.128
a single workstation in another group
10.10.28.12 255.255.255.128
and then two locations on the web
198.187.196.0 255.255.255.0
198.136.211.12 255.255.255.0
Any help would be greatly appreciated.
Mike
Tarleton State University
07-23-2008 06:18 AM
Hello Mike,
If I understood you correctly, you want to permit traffic from the specified private hosts and networks to the public IPs on the web, right? Then the config is:
object-group network Allowed_Int
network-object 10.10.23.128 255.255.255.128
network-object 10.10.26.0 255.255.255.128
object-group network Allowed_Out
network-object 198.187.196.0 255.255.255.0
network-object 198.136.211.12 255.255.255.0
access-list inside_access_in permit ip object-group Allowed_In object-group Allowed_Out
access-group inside_access_in in interface inside
Regards
07-23-2008 09:06 AM
It errored out when I tried to input
access-list inside_access_in permit ip object-group Allowed_In object-group Allowed_Out
access-group inside_access_in in interface inside
access-group inside it stated itaccess-list
Mike
07-23-2008 09:18 AM
You have typed inside_access-in; it should be inside_access_in.
07-23-2008 09:28 AM
access-group inside_access_in in interface inside
ERROR: access-list
Yes, sorry, typo, but this is what I put in and this is the error.
Mike
07-23-2008 09:31 AM
That means the access-lists were created with the wrong name. Issue "show access-list" and check the name spelling.
07-23-2008 09:37 AM
ITSCR3AS01# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside_access_in; 2 elements
access-list outside_access_in line 1 extended permit ip any object-group DM_INLINE_NETWORK_1 0xb8002543
access-list outside_access_in line 1 extended permit ip any host 198.187.196.0 (hitcnt=0) 0xcd817934
access-list outside_access_in line 1 extended permit ip any host 255.255.255.0 (hitcnt=0) 0x0ff50e83
ITSCR3AS01#
This is what I have.
Mike
07-23-2008 09:49 AM
inside_access_in is not created. It should have errored when you typed in. Do not copy paste the whole, do it line by line and try to see errors.
Post your running config and let me see if object groups are created
07-23-2008 10:02 AM
Here is the config. I am confused, ha.
domain-name xxxxxx
enable password xxx
passwd xxx
names
!
interface Vlan2
description ASA outside interface
nameif outside
security-level 0
ip address xxx.xxx.120.115 255.255.255.128
!
interface Vlan70
description Inside network for Touchnet
nameif inside
security-level 100
ip address 10.xxx.180.1 255.255.255.128
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 70
!
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name tarleton.edu
object-group network Allowed_Int
network-object xxx.xxx.23.128 255.255.255.128
network-object xxx.xxx.26.0 255.255.255.128
object-group network Allowed_Out
network-object 198.187.196.0 255.255.255.0
network-object 198.136.211.12 255.255.255.255
object-group network DM_INLINE_NETWORK_1
network-object host 198.187.196.0
network-object host 255.255.255.0
access-list outside_access_in extended permit ip any object-group DM_INLINE_NETWORK_1
pager lines 24
logging enable
logging timestamp
logging asdm informational
logging host outside xxx.xxx.23.140
logging permit-hostdown
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit xxx.xxx.21.0 255.255.255.128 outside
icmp permit 10.xx.180.0 255.255.255.128 inside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 10.xxx.180.0 255.255.255.128
access-group outside_access_in in interface outside
router eigrp 165
no auto-summary
eigrp stub connected
route outside 0.0.0.0 0.0.0.0 xxx.xxx.120.125 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http xxx.xxx.21.0 255.255.255.128 outside
http 10.xxx.180.0 255.255.255.0 inside
snmp-server host outside 165.95.23.140 community TSUroCN
snmp-server communit
snmp-server enable traps snmp authentication coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start
telnet xxx.xxx.21.0 255.255.255.128 outside
telnet timeout 5
ssh xxx.xxx.21.0 255.255.255.128 outside
ssh timeout 5
console timeout 0
dhcpd dns xxx.xxx.23.137 165.95.23.137
dhcpd wins xxx.xxx.23.133 165.95.23.133
dhcpd ping_timeout 60
dhcpd domain xxxx
dhcpd auto_config outside
dhcpd update dns
!
dhcpd address 10.xxx.180.2-10.xxx.180.100 inside
dhcpd dns xxx.xxx.23.137 xxx.xxx.23.133 interface inside
dhcpd wins xxx.xxx.23.137 xxx.xxx.23.133 interface inside
dhcpd ping_timeout 30 interface inside
dhcpd domain xxxxxx interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
ntp server xxx.xxx.1.1 source outside prefer
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
ITSCR3AS01#
I want my private network to access only computers on
xxx.xxx.23.0/25
xxx.xxx.26.0/25
and only these web sites
198.187.196.0/24
198.136.211.12
Everything else is denied.
Thanks for your help.
Mike
07-23-2008 10:21 AM
OK, two commands. You should be in hostname(config)# mode:
access-list inside_access_in permit ip object-group Allowed_Int object-group Allowed_Out
After the above command is issued without errors, issue the following:
access-group inside_access_in in interface inside
Another issue is, you have the xxx.xxx.23.0/25 and
xxx.xxx.26.0/25 networks, but your firewall does not have an interface in these networks. Are these networks connected to an L3 device which is connected to the inside interface? Assuming yes, you need a route back to that device like the following in the ASA:
route inside xxx.xxx.23.0 255.255.255.128 10.xxx.180.xx
route inside xxx.xxx.26.0 255.255.255.128 10.xxx.180.xx
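An added example (not from this thread or from Cisco): a small Python checker run over a constructed config fragment modelled on the one posted above. It flags the problems the thread ran into (an access-list line referencing an object-group name that was never defined, an access-group applying an ACL the ASA therefore never created, and a subnet mask entered as a "host" object) plus an address with host bits set under its mask, as in the original question's 198.136.211.12 255.255.255.0; the config text and addresses are sample values.

```python
import ipaddress
import re
# Constructed ASA fragment modelled on the thread's posted config and original question.
SAMPLE_CONFIG = """
object-group network Allowed_Int
 network-object 10.10.23.128 255.255.255.128
 network-object 10.10.26.0 255.255.255.128
object-group network Allowed_Out
 network-object 198.187.196.0 255.255.255.0
 network-object 198.136.211.12 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object host 198.187.196.0
 network-object host 255.255.255.0
access-list outside_access_in extended permit ip any object-group DM_INLINE_NETWORK_1
access-list inside_access_in permit ip object-group Allowed_In object-group Allowed_Out
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
"""

def looks_like_mask(host):
    """True for a 255.x.x.x 'host' whose bits are contiguous ones then zeros."""
    addr = ipaddress.ip_address(host)
    return addr.packed[0] == 255 and "01" not in f"{int(addr):032b}"

def lint_asa_config(text):
    """Return (kind, detail) findings in config order: a mask entered as a host,
    host bits set under a mask, and object-group / ACL names used before definition."""
    groups, acls, findings = set(), set(), []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("object-group network "):
            groups.add(line.split()[2])
        elif line.startswith("network-object host "):
            if looks_like_mask(line.split()[2]):  # a mask typed into a 'host' field
                findings.append(("mask-as-host", line.split()[2]))
        elif line.startswith("network-object "):
            addr, mask = line.split()[1:3]
            try:  # strict=True rejects an address with host bits set under its mask
                ipaddress.ip_network(f"{addr}/{mask}", strict=True)
            except ValueError:
                findings.append(("host-bits-set", f"{addr} {mask}"))
        elif line.startswith("access-list "):
            missing = [r for r in re.findall(r"object-group (\S+)", line) if r not in groups]
            findings.extend(("undefined-object-group", r) for r in missing)
            if not missing:  # the ASA rejects the line otherwise, so no ACL is created
                acls.add(line.split()[1])
        elif line.startswith("access-group ") and line.split()[1] not in acls:
            findings.append(("undefined-access-list", line.split()[1]))
    return findings
```

Running lint_asa_config on the text of "show running-config" before pasting it into a new box catches the Allowed_In/Allowed_Int mismatch without waiting for the "ERROR: access-list" message.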
07-23-2008 11:23 AM
Access to the outside is not working correctly: 198.187.xxx.xxx and 198.136.211.12.
I keep getting "can't display the page".
xxx.xx.23 and xxx.xxx.26 are networks on the outside, connected on the outside interface. The ASA and these networks are on the same L3 device.
07-23-2008 12:00 PM
Your initial query states "would like to only allow access to two internal nets
10.10.23.128 255.255.255.128
10.10.26.0 255.255.255.128" and now you say "xxx.xx.23 and xxx.xxx.26 are networks on the outside connected on the outside interface".
Please describe your network in detail.
07-23-2008 12:08 PM
I am sorry about the confusion.
My inside network on the ASA is 10.xx.180.0
and the outside network on the ASA is xxx.xx.120.0.
xxx.xxx.23.0 and xxx.xxx.26.0 are networks outside of the ASA but connected to the same L3 device as the ASA outside interface.
I have computers on the inside of the ASA that talk to these two networks because they house DNS and other important assets.
Mike
07-23-2008 05:23 PM
Mike,
"xxx.xxx.23.0 and xxx.xxx.26.0 are networks outside of the ASA... these two networks because they house DNS and other important assets"
I can give you some pretty weird configurations like outside NAT and outside ACLs that will make your system work, but this will totally make your firewall a huge "nothing". The ACL that will make things work will leave your outside interface totally open to spoofing attacks, since traffic would have to be permitted from a private IP range, which should not be done. An outside NAT with the global again on outside, intra-interface permit... just forget about that. Let's make a best-practice design.
The place for these networks is not! your outside interface. They also have to be protected, since they hold DNS and some important servers and are accessed by both inside and outside. You should create a DMZ for these. Remove the switchport statement from one of the Ethernet ports, make it DMZ and connect those networks to this port. For further advice, I need to know what L3 device all the networks and the outside interface are connected to. Where does the ISP connection come from (device) and where do these networks come from (device)? Is inside also connected to the same segment?
07-24-2008 10:17 AM
I took the information you gave me and set up my ACLs. I got it working; very simplified ACLs, but it will do for what we want it to do.
Thanks so much.
Mike