ASA internally generated traffic & Outbound ACL?

andrew.butterworth · ‎05-28-2009

I hit an issue recently which I sort of understand but would like some clarification as to the behaviour.

I have an ASA that has just two interfaces - inside security-100 & outside security-0 (the reality is slightly different but this is easier to explain). The ASA needs to sync with an NTP server available on the outside interface, it also needs to resolve names using DNS to a couple of servers again reachable via the outside interface. Finally it needs to reach a webserver for PKI Certificate enrollment and Revocation checking.

With the simplest of configurations of an inbound permit ip any any on the inside interface this doesn't work. Internal clients connecting from the inside to outside are fine, however the traffic generated by the ASA doesn't pass. My understanding here is there is no state created to allow the traffic to flow out of the outside interface. I got around this by adding an outbound ACL on the outside interface to permit the specific router generated traffic, however this had its own issues as the inside-to-outside client traffic stopped, which meant that additional ACL entries had to be added to allow the traffic from the inside to flow out of the outside.

Does this sound correct? The reality is the inbound ACL on the Inside interface is very strict, allowing only specific hosts & protocols. At the moment the outbound ACL on the outside interface is almost a mirror of the inbound ACL on the inside interface and I don't believe it should be as the inbound ACL on the inside interface should be creating the state?

There isn't too much detail on CCO regarding outbound ACLs on the ASA and their behaviour so I was hoping someone could enlighten me?

Hopefully that makes sense (to someone...)?

Cheers, Andy

Kureli Sankar · ‎05-28-2009

Andy,

You mentioned that the ASA needs to sync up time with an external time source.

This is TO and FROM the box traffic that has nothing to do with acls applied on the interface. That is only for THROUGH the box traffic.

Now, when you add outbound acl on the egress interface is is just redundant when it is the exact replica of the acl applied on the inside.

HIGH security to LOW security flow is automatically allowed in the ASA/PIX platform without any acl applied IN on the high security interface.

Now, I am not following exactly what needs to happen before the ASA can do time sync. ASA need to talk to a bunch of servers on the outside via dns, http and ntp before it can time sync.

You probably have to collect captures on the ASA to see what is happening. Without that it is very hard to say.

Are you saying that you got this to work by adding permission on the acl applied OUT on the outside interface?

andrew.butterworth · ‎05-29-2009

Hi,

Without the outbound ACL being applied to the outside interface the router was unable to reach any of the services it needed to reach via the outside interface (NTP, DNS or HTTP). I think this is why I was confused, unfortunatley I don't have access to the ASA at the moment so this is all from memory.

What I can remember is attempting to enroll for certificates from the external webserver and this required DNS to lookup the name, NTP to be synchronised so it could enroll and HTTP access to the webserver it was enrolling to. None of this worked initially, are you saying that without any configuration (except interface IP addressed and routes) this should have worked?

Andy

andrew.butterworth · ‎06-06-2009

Typo on the first line there, sorry...

it should have read:

Without the outbound ACL being applied to the outside interface the ASA was unable to reach any of the services...

I would still appreciate any help as to why I was seeing this behaviour.

Andy

Kureli Sankar · ‎06-06-2009

Andre,

dns domain-lookup outisde

dns name-server y.y.y.y

domain abc.com

Is to enable domain lookup

ssh 0 0 inside

Is to enable ssh to the box from the inside

http server enable

http 0 0 outside

Is to enable http to the outside

ntp server 192.168.1.1

Is to add an ntp server for the ASA to sync. up

telnet 0 0 mgmt

Now, none of the above require ACLs applied on the interfaces to function. These are to and from the box traffic that is just allowed by the config lines above. One may call it as permission as well.

Now, the only thing that I am not sure is when you say the ASA needs to talk to the webserver regarding PKI enrollment and revocation.

I am not sure about that.

1. Do you remember what you saw in the logs when you did not have the outbound acl on the outside interface?

2. Need to collect captures on the outside interface. Without any captures from the time of the problem it is hard to say what port would have been blocked.

3. Do you have the config. from the ASA that I can look at?

andrew.butterworth · ‎06-06-2009

It is obvious I need to take another look at this as it appears this should have worked without any ACLs applied outbound on the Outside interface. I am aware of all the commands you have listed - slightly confused why I would ever want to enable HTTP & SSH access to the ASA from the outside?

Anyway if I get chance to look at this again then I'll remove the outbound ACLs and re-test. This was for a customer so it is possible they have done this themselves now anyway.

Andy

Kureli Sankar · ‎06-06-2009

Those were just examples to point out that to the box traffic does not require any acls applied on the interface. You don't have to allow any access to the box via the outside if you choose not to.