cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1149
Views
0
Helpful
3
Replies

Please critique my ACL

kmacdonald
Level 1
Level 1

I just setup a new Cisco ASA 5510 with the help of the wonderful support staff at Cisco.  My setup is as basic as they come:  on a t1 going to my firewall then my layer 2 switches to my lan.  I need to allow traffic for my exchange server, RRAS server, and web server.  I created the nats to translate these.

NAT policies on Interface inside:
  match ip inside 192.168.200.0 255.255.255.0 outside RemoteNetwork 255.255.255.0
    NAT exempt
    translate_hits = 1209, untranslate_hits = 6248
  match ip inside 192.168.200.0 255.255.255.0 inside RemoteNetwork 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.200.0 255.255.255.0 management RemoteNetwork 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match tcp inside host MAIL_Private eq 443 outside any
    static translation to MAIL_Public/443
    translate_hits = 120, untranslate_hits = 1827
  match ip inside host MAIL_Private inside any
    static translation to MAIL_Public
    translate_hits = 0, untranslate_hits = 1015
  match tcp inside host RRAS_Private eq 1723 outside any
    static translation to WAN-Primary-IP/1723
    translate_hits = 30, untranslate_hits = 67
  match tcp inside host httpserver_Private eq 80 outside any
    static translation to WAN-Primary-IP/80
    translate_hits = 0, untranslate_hits = 587
  match tcp inside host SpamFilter_Private eq 143 outside any
    static translation to WAN-Primary-IP/143
    translate_hits = 0, untranslate_hits = 0
  match tcp inside host SpamFilter_Private eq 110 outside any
    static translation to WAN-Primary-IP/110
    translate_hits = 0, untranslate_hits = 3
  match tcp inside host SpamFilter_Private eq 25 outside any
    static translation to WAN-Primary-IP/25
    translate_hits = 5, untranslate_hits = 5100
  match tcp inside host httpserver_Private eq 443 outside any
    static translation to WAN-Primary-IP/443
    translate_hits = 0, untranslate_hits = 418
  match tcp inside host httpserver_Private eq 80 inside any
    static translation to WAN-Primary-IP/80
    translate_hits = 0, untranslate_hits = 23
  match ip inside any outside any
    dynamic translation to pool 1 (WAN-Primary-IP [Interface PAT])
    translate_hits = 180726, untranslate_hits = 42116
  match ip inside any inside any
    dynamic translation to pool 1 (192.168.200.1 [Interface PAT])
    translate_hits = 1038, untranslate_hits = 0
  match ip inside any management any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0

ANd here is my ACL

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_access_in; 20 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any host WAN-Primary-IP eq www (hitcnt=553) 0x9dfebd17
access-list outside_access_in line 2 extended permit tcp any interface outside eq smtp (hitcnt=5118) 0x5a49ed8a
access-list outside_access_in line 3 extended permit tcp any interface outside eq https (hitcnt=418) 0xb78265a9
access-list outside_access_in line 4 remark Access Rule for Secure OWA Traffic
access-list outside_access_in line 5 extended permit tcp any host MAIL_Public eq https (hitcnt=1835) 0x79f06165
access-list outside_access_in line 6 remark Access Rule for Web Services
access-list outside_access_in line 7 extended permit object-group WebServices any host WAN-Primary-IP 0x57fe304f
  access-list outside_access_in line 7 extended permit tcp any host WAN-Primary-IP eq www (hitcnt=0) 0x9dfebd17
  access-list outside_access_in line 7 extended permit tcp any host WAN-Primary-IP eq https (hitcnt=0) 0xf3e68dd6
access-list outside_access_in line 8 remark Access Rule for VPN Policy
access-list outside_access_in line 9 extended permit tcp any host WAN-Primary-IP eq pptp (hitcnt=37) 0x4be9554b
access-list outside_access_in line 10 remark Access Rule for Web Services
access-list outside_access_in line 11 extended permit object-group WebServices any host httpserver_Private 0x95acdb0d
  access-list outside_access_in line 11 extended permit tcp any host httpserver_Private eq www (hitcnt=0) 0xc5946cc6
  access-list outside_access_in line 11 extended permit tcp any host httpserver_Private eq https (hitcnt=0) 0xb6914ade
access-list outside_access_in line 12 remark Access Rule for IronMail
access-list outside_access_in line 13 extended permit tcp any host WAN-Primary-IP object-group DM_INLINE_TCP_1 0x6a3244c0
  access-list outside_access_in line 13 extended permit tcp any host WAN-Primary-IP eq imap4 (hitcnt=0) 0x45d98534
  access-list outside_access_in line 13 extended permit tcp any host WAN-Primary-IP eq pop3 (hitcnt=3) 0xb54cad3c
  access-list outside_access_in line 13 extended permit tcp any host WAN-Primary-IP eq smtp (hitcnt=0) 0x82c286b8
access-list outside_access_in line 14 remark Access Rule for CipherTrust Support
access-list outside_access_in line 15 extended permit object-group TCPUDP any host WAN-Primary-IP object-group CipherTrustSupport 0xdff67b61
  access-list outside_access_in line 15 extended permit udp any host WAN-Primary-IP eq 20022 (hitcnt=0) 0x49568567
  access-list outside_access_in line 15 extended permit tcp any host WAN-Primary-IP eq 20022 (hitcnt=0) 0x99de8535
access-list outside_access_in line 16 remark Access Rule for FTP Traffic
access-list outside_access_in line 17 extended permit tcp any host WAN-Primary-IP object-group DM_INLINE_TCP_2 0xaa5d210e
  access-list outside_access_in line 17 extended permit tcp any host WAN-Primary-IP eq ftp (hitcnt=0) 0x203e0eee
  access-list outside_access_in line 17 extended permit tcp any host WAN-Primary-IP eq ftp-data (hitcnt=0) 0x6e43f2a3
access-list outside_access_in line 18 remark Cisco VPN Rule for Cooper Flash Program
access-list outside_access_in line 19 extended permit udp any host WAN-Primary-IP object-group CiscoVPN 0x5a210ce0
  access-list outside_access_in line 19 extended permit udp any host WAN-Primary-IP eq 10000 (hitcnt=0) 0x5d02a44a
access-list outside_access_in line 20 extended permit object-group BarracudeBaseServices any host WAN-Primary-IP 0xe5b21188
  access-list outside_access_in line 20 extended permit tcp any host WAN-Primary-IP eq smtp (hitcnt=0) 0x82c286b8
  access-list outside_access_in line 20 extended permit tcp any host WAN-Primary-IP eq ssh (hitcnt=0) 0x0cb1a159
  access-list outside_access_in line 20 extended permit udp any host WAN-Primary-IP eq ntp (hitcnt=0) 0xf0853c7e
access-list global_mpc; 4 elements; name hash: 0x2e734f01
access-list global_mpc line 1 extended permit tcp any any object-group DM_INLINE_TCP_3 0x63f48172
  access-list global_mpc line 1 extended permit tcp any any eq ftp (hitcnt=0) 0x8d2792b1
  access-list global_mpc line 1 extended permit tcp any any eq www (hitcnt=40172) 0xb0b125e5
  access-list global_mpc line 1 extended permit tcp any any eq pop3 (hitcnt=3) 0x45b34ca5
  access-list global_mpc line 1 extended permit tcp any any eq smtp (hitcnt=5741) 0x2ce3f047
access-list outside_cryptomap; 1 elements; name hash: 0x39bea18f
access-list outside_cryptomap line 1 extended permit ip 192.168.200.0 255.255.255.0 RemoteSite 255.255.255.0 (hitcnt=0) 0x58145f0e
access-list outside_cryptomap_1; 1 elements; name hash: 0x759febfa
access-list outside_cryptomap_1 line 1 extended permit ip 192.168.200.0 255.255.255.0 RemoteSite 255.255.255.0 (hitcnt=31) 0x866ba78c
access-list site-to-site-acl; 1 elements; name hash: 0xe35f4c1b
access-list site-to-site-acl line 1 extended permit ip 192.168.200.0 255.255.255.0 RemoteSite 255.255.255.0 (hitcnt=0) 0x8684e5ae

The thing that confuses me, is in the ACL, line 1, 2 and 3 seem to be taking up the slack for the acl I have setup at line 5 and 7 (these show 0 hits).  Wrapping my head around this is really confusing me though.  Whats the point of having ACL line 5 and 7 if ACL 1-3 take care of everything.


Is this a sound way to do this?  Is it the best practice?

Thank you for reading!

1 Accepted Solution

Accepted Solutions

Panos Kampanakis
Cisco Employee
Cisco Employee

It is normal behavior. If lines 1,2,3 include ip addresses that are also matched in line 4,5,6 the latter will not be hit.

The ACLs are checked in the order they are configured and if a line is matched the packets are not checked against any other following ACL lines.

You want to have lines that are more explicit on top of others that are less explicit so they are matched first and if not then the following lines will be matched.

I hope it helps.

PK

View solution in original post

3 Replies 3

Panos Kampanakis
Cisco Employee
Cisco Employee

It is normal behavior. If lines 1,2,3 include ip addresses that are also matched in line 4,5,6 the latter will not be hit.

The ACLs are checked in the order they are configured and if a line is matched the packets are not checked against any other following ACL lines.

You want to have lines that are more explicit on top of others that are less explicit so they are matched first and if not then the following lines will be matched.

I hope it helps.

PK

This helps greatly!  I was just trying to not be redundant with my ACL's.  You woudln't see anything you would change?

Thank you!

The look good.

I am not sure what your policies are in general but they look ok.

Like I said, you want more explicit rules to be on top of more general one.

Rgs,

PK

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: