Kureli Sankar (Cisco Employee) Sun, 08/08/2010 - 04:17

Unfortunately that is not possible. http inspection can only inspect port 80 traffic. https is port 443 and the packet will be encrypted. If you know the address of this website you may be able to allow it via ACL applied on the interface and deny others.


-KS

ericohermoso Sun, 08/08/2010 - 04:45

Hello,


Thanks for the reply. I already configured MPF to allow a specific http site and applied the rule globally. As you've said, I should use an ACL to permit the IP address of that https site and deny others. Should I remove the MPF configuration, or just add the ACL configuration on the outside interface?



thank you

Kureli Sankar (Cisco Employee) Sun, 08/08/2010 - 04:55

You can leave the MPF alone or remove that and allow both http as well as https via the ACL provided you know all the IP addresses of the web site.

Is this outbound flow or inbound flow? The reason I ask is because you mentioned allowing permission on the ACL applied on the outside.


-KS

ericohermoso Sun, 08/08/2010 - 06:00

Hello,


I planned not to remove the MPF and only add an https configuration allowing only a specific https site. The HTTPS site is located outside the firewall, let's say it is located in another country. So the inside user is allowed only to access one https site located outside the firewall or located in another country, for example (https://mail.sample.com).


thank you

Kureli Sankar (Cisco Employee) Sun, 08/08/2010 - 06:48

That is what I thought. Ok, in this case you need to allow http traffic to this specific site via the ACL applied on the inside interface. You may leave the http as MPF.

So your inside ACL will look like this:

access-l inside-acl permit tcp any any eq 80
access-l inside-acl permit tcp any host x.x.x.x eq 443

... allow the rest of the traffic that needs to be allowed from inside to out or it will be denied.


-KS

ericohermoso Sun, 08/08/2010 - 06:58

Hello,


I will check this configuration tomorrow.


thank you and best regards

ericohermoso Mon, 08/23/2010 - 05:57

Hello, I configured the access list and sometimes it is working and sometimes not working, I wonder. I already removed the MPF and used the IP address, but after a few minutes we lose the connection. What is supposed to be the problem?

Kureli Sankar (Cisco Employee) Mon, 08/23/2010 - 06:28

I am not sure what your acl looks like. Are you blocking http and https destined to specific IP addresses? If so, in the working case it may be trying to reach an IP address that is not in the deny acl that you have implemented.


ACL either blocks or allows. It doesn't sometimes allow and sometimes block unless you have time range configured.


-KS

ericohermoso Mon, 08/23/2010 - 06:32

Hello,


My configuration looks like this:


access-list INS_IN  permit tcp any host 20.133.0.29 eq https
access-list INS_IN  permit tcp any host 213.216.145.178 eq www
access-list INS_IN line 3 extended permit udp any any eq isakmp
access-list INS_IN line 4 extended permit udp any any eq 4500 
access-list INS_IN line 5 extended permit esp any any



access-group INS_IN in interface inside


I just need to access two sites.


It was working after I put in the configuration. After a while I lose connections. I am doing it now and I don't know why it goes like this.

Kureli Sankar (Cisco Employee) Mon, 08/23/2010 - 06:59

Are these all the lines in your ACL?


I do not see line numbers for the first two.

Did you do a "sh access-l INS_IN" and copy and paste the output? Doesn't look like it.


If this access-list is allowing other http and https sites then you need to look at the logs.

conf t
loggin on
loggin buffered 7

sh logg | i x.x.x.x

where x.x.x.x is the IP address of a host that is being allowed to go to other IP addresses besides the two that are configured.


-KS

ericohermoso Mon, 08/23/2010 - 07:05

Hello thanks for the prompt reply.


access-list INS_IN extended permit tcp any host 20.133.0.29 eq https
access-list INS_IN extended permit tcp any host 213.216.145.178 eq www

access-group INS_IN in interface inside




Here is the output


sh access-list


access-list INS_IN line 1 extended permit tcp any host 20.133.0.29 eq https (hitcnt=38) 0x016c500a
access-list INS_IN line 2 extended permit tcp any host 213.216.145.178 eq www (hitcnt=18) 0x64318a14


Now it is working fine.


But I am afraid that if I add other access list entries for allowing VPN from the inside users:

access-list INS_IN line 3 extended permit udp any any eq isakmp
access-list INS_IN line 4 extended permit udp any any eq 4500 
access-list INS_IN line 5 extended permit esp any any


I may lose connections again.

ericohermoso Mon, 08/23/2010 - 07:11

Here is the log:


ASA(config)# sh log | i 192.168.3.3
%ASA-4-106023: Deny udp src inside:192.168.3.3/53854 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/56216 dst outside:212.93.192.4/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/56216 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/53854 dst outside:212.93.192.4/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/53854 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/56216 dst outside:212.93.192.4/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/56216 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/53854 dst outside:212.93.192.4/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/53854 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/64177 dst outside:212.93.192.4/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/64177 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/64177 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/62474 dst outside:212.93.192.4/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/62474 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/64177 dst outside:212.93.192.4/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/64177 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/62474 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/62474 dst outside:212.93.192.4/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/62474 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/64177 dst outside:212.93.192.4/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/64177 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/62474 dst outside:212.93.192.4/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/62474 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]


thank you and best regards

Kureli Sankar (Cisco Employee) Mon, 08/23/2010 - 07:14

DNS resolution is failing. Pls. allow that.


access-list INS_IN permit udp any any eq 53


-KS
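The deny lines ericohermoso posted and the INS_IN ACL from earlier in the thread, worked through in Python as an added example (this is not code from the thread or from Cisco). It parses %ASA-4-106023 messages, counts which destination ports the access-group is dropping, and models first-match ACL evaluation with the implicit deny at the end, so you can see that the ACL as posted drops every outbound DNS query and that the `permit udp any any eq 53` line above clears it. The log sample and the 198.51.100.7/443 flow are constructed for the example; the regexes assume the 106023 and access-list syntax shown on this page.

```python
"""Added example: triage ASA 106023 deny logs against a first-match ACL model."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: three of the lines quoted in the thread plus one
# constructed tcp/443 flow to a documentation address, to show a flow that
# the fixed ACL still (correctly) denies.
SAMPLE_LOG = """\
%ASA-4-106023: Deny udp src inside:192.168.3.3/53854 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/56216 dst outside:212.93.192.4/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.3.3/64177 dst outside:212.93.192.5/53 by access-group "INS_IN" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.3.3/50122 dst outside:198.51.100.7/443 by access-group "INS_IN" [0x0, 0x0]
"""

DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Only the service names that appear in this thread are mapped.
PORT_NAMES = {'www': 80, 'https': 443, 'domain': 53, 'isakmp': 500}

ACE_RE = re.compile(
    r'access-list \S+ (?:line \d+ )?(?:extended )?(?P<action>permit|deny) '
    r'(?P<proto>\w+) (?P<src>any|host [\d.]+) (?P<dst>any|host [\d.]+)'
    r'(?: eq (?P<port>\S+))?'
)


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def parse_denies(text):
    """Return one Flow per 106023 line; lines that do not match are ignored."""
    flows = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            flows.append(Flow(m['proto'], m['sip'], m['dip'], int(m['dport'])))
    return flows


def denied_ports(flows):
    """Count denied flows per (proto, dport) so the blocked service stands out."""
    return Counter((f.proto, f.dport) for f in flows)


def parse_acl(lines):
    """Parse ASA access-list lines into ACEs; the port is resolved to an int."""
    acl = []
    for line in lines:
        m = ACE_RE.search(line)
        if not m:
            raise ValueError(f'unsupported ACE syntax: {line!r}')
        port = m['port']
        if port is not None:
            port = PORT_NAMES.get(port) if not port.isdigit() else int(port)
        acl.append({'action': m['action'], 'proto': m['proto'],
                    'src': m['src'], 'dst': m['dst'], 'port': port})
    return acl


def _addr_ok(spec, ip):
    return spec == 'any' or spec == f'host {ip}'


def matches(ace, flow):
    """True if this ACE matches the flow; 'ip' matches every protocol."""
    if ace['proto'] != 'ip' and ace['proto'] != flow.proto:
        return False
    if not _addr_ok(ace['src'], flow.src) or not _addr_ok(ace['dst'], flow.dst):
        return False
    return ace['port'] is None or ace['port'] == flow.dport


def evaluate(acl, flow):
    """First matching ACE wins; with no match the ASA's implicit deny applies."""
    for ace in acl:
        if matches(ace, flow):
            return ace['action']
    return 'deny'


def verdicts(acl_lines, flows):
    acl = parse_acl(acl_lines)
    return [evaluate(acl, f) for f in flows]


ACL_AS_POSTED = [
    'access-list INS_IN extended permit tcp any host 20.133.0.29 eq https',
    'access-list INS_IN extended permit tcp any host 213.216.145.178 eq www',
]
# The DNS permit from this reply, plus the explicit deny that the CSCsx75440
# workaround quoted later in the thread recommends at the very bottom.
ACL_FIXED = ACL_AS_POSTED + [
    'access-list INS_IN permit udp any any eq 53',
    'access-list INS_IN deny ip any any',
]

if __name__ == '__main__':
    flows = parse_denies(SAMPLE_LOG)
    for (proto, port), n in denied_ports(flows).most_common():
        print(f'{proto}/{port}: {n} denied flows')
    print('as posted:', verdicts(ACL_AS_POSTED, flows))
    print('fixed:    ', verdicts(ACL_FIXED, flows))
```

The port summary makes the diagnosis obvious: every denied flow is udp/53 to 212.93.192.4 and .5, so hosts fail as soon as their cached DNS answers expire, which is what looked like an ACL that "sometimes works". The log also tells you the resolvers in use, so the permit can be scoped to those two hosts instead of `any any` if you want the inside ACL to stay as tight as the two web permits.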

Kureli Sankar (Cisco Employee) Mon, 08/23/2010 - 07:13

What version of code are you running on the ASA?


Maybe you are hitting this defect:

CSCsx75440    ACL - Implicit deny ip any any ACE may not work as expected - resolved in 8.0.4(5)


Symptom:

Implicit deny any any may not work as expected. Traffic that is not permitted via the acl may be permitted even though the access-list may be applied on the higher security interface.

Conditions:

This was first observed in an ASA running 8.0.4(3)

Workaround:

1. Remove the access-group line applied on the interface and re-apply it.

example:
no access-group acl-inside in interface inside
access-group acl-inside in interface inside

or

2. Add an explicit deny ip any any line at the bottom of the acl applied on that interface.


After you add the lines for VPN, add an explicit deny ip any any at the very bottom. That should do it.


-KS


ericohermoso Mon, 08/23/2010 - 07:33

Hello,


Here is the sh ver:


BASA(config)# sh ver

Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(3)

Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"

BAE-FW-JUB up 4 hours 7 mins

Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0  : address is 5475.d0a3.6a66, irq 9
1: Ext: GigabitEthernet0/1  : address is 5475.d0a3.6a67, irq 9
2: Ext: GigabitEthernet0/2  : address is 5475.d0a3.6a68, irq 9
3: Ext: GigabitEthernet0/3  : address is 5475.d0a3.6a69, irq 9
4: Ext: Management0/0       : address is 5475.d0a3.6a6a, irq 11
5: Int: Not used            : irq 11
6: Int: Not used            : irq 5
             
Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 150      
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Enabled  
Security Contexts            : 2        
GTP/GPRS                     : Disabled 
VPN Peers                    : 750      
WebVPN Peers                 : 2        
AnyConnect for Mobile        : Disabled 
AnyConnect for Linksys phone : Disabled 
Advanced Endpoint Assessment : Disabled 
UC Proxy Sessions            : 2       

This platform has an ASA 5520 VPN Plus license.

Serial Number: JMX1421L3KK
Running Activation Key: 0x9c0fec41 0x50d32465 0x58d06d60 0xb074f4c4 0x0c2728a3
Configuration register is 0x1
Configuration last modified by enable_15 at 06:58:30.739 UTC Mon Aug 23 2010


I just see 8.0(4); I can't see any code you are telling me about.

ericohermoso Mon, 08/23/2010 - 08:45

Hello,


After I entered the DNS, it seems it works fine. I did not put any deny statement at the end of the access list as mentioned. Hope it will work fine now. I will get the code and study the workaround.


thank you so much, really a big help.
