ACL sequence in ASA

Answered Question
Dec 29th, 2010

What is the processing sequence in an ASA with an IPsec configuration, for traffic initiated from inside and from outside?

  Remote Host -> Router -> Internet -> ASA -> Local Host

The remote router has a crypto ACL; the ASA has a crypto ACL and an interface ACL.

If the local host starts traffic via the ASA, will it first hit the inside interface ACL on the ASA or the crypto ACL?

Any help with this would be appreciated.

Thanks,

Correct Answer by atbasu about 3 years 3 months ago

Hi,

The inside ACL will always be the first ACL to be hit. To confirm, you can use the packet-tracer command; this will tell you exactly which process comes into effect and when:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788

The following image should give you an idea of the exact sequence of operations:

The crypto ACL will be hit immediately before phase 8 (Egress Interface).


Regards,

Atri.


suthomas1 Wed, 12/29/2010 - 08:42

If the inside ACL is called first, then a strange problem in this remote setup is that the packet gets dropped due to the implicit deny on the inside interface list. This comes up during packet-tracer, in spite of the ACL having a defined line for the traffic that is required.

Below is the list on the local interface. Line 2 is meant for traffic from host 172.16.100.50 to 10.52.151.81 on a TCP port.

The ASP capture shows this drop also.

access-list local-access line 1 extended permit ip 192.168.100.0 255.255.255.240 any (hitcnt=0)

access-list local-access line 2 extended permit ip host 172.16.100.50 10.52.0.0 255.255.255.224 (hitcnt=0)

Any valuable suggestions for it?

Thanks.

Poonguzhali Sankar Wed, 12/29/2010 - 09:30
access-list local-access line 2 extended permit ip host 172.16.100.50 10.52.0.0 255.255.255.224

10.52.151.81 is not covered by 10.52.0.0 255.255.255.224.

http://www.subnet-calculator.com/

-KS
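As an added example, not code from this thread or from Cisco, the following Python script models the two lookups discussed above: the inbound interface ACL, evaluated first and ending in the ASA's implicit deny, and the crypto ACL, consulted afterwards (just before the egress interface) to decide whether a permitted flow goes into the tunnel. It parses the `local-access` lines exactly as pasted from `show access-list` and reproduces KS's mask check: 10.52.151.81 falls outside 10.52.0.0 255.255.255.224, while 10.52.0.18 falls inside. The crypto ACL (`vpn-traffic`) is an assumption, since the thread says one exists but never shows it.

```python
"""
Added example (not from the thread or from Cisco): a model of the two ACL
lookups discussed above. The inbound interface ACL is evaluated first and
ends with ASA's implicit deny; the crypto ACL is consulted later, just
before the egress interface, to decide whether a permitted flow is encrypted.
ACL syntax follows ASA 'show access-list' output: network followed by a
subnet mask (not a wildcard mask), 'host', or 'any'. '(hitcnt=N)' is ignored.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "ip", "tcp", "udp", ...
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]      # set when the line ends in "eq <port>"


@dataclass(frozen=True)
class Flow:
    proto: str
    src: IPv4Address
    dst: IPv4Address
    dport: int


def _addr(toks: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Parse one ASA address term starting at toks[i]; return (network, next index)."""
    if toks[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ip_network(toks[i + 1] + "/32"), i + 2
    # "<network> <subnet-mask>": ipaddress accepts dotted masks directly
    return ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    toks = [t for t in line.split() if not t.startswith("(hitcnt")]
    i = 2                                   # skip "access-list <name>"
    if toks[i] == "line":                   # "line N" appears in show output
        i += 2
    if toks[i] != "extended":
        raise ValueError(f"only extended ACEs are modelled: {line}")
    action, proto, i = toks[i + 1], toks[i + 2], i + 3
    src, i = _addr(toks, i)
    dst, i = _addr(toks, i)
    dport = int(toks[i + 1]) if i < len(toks) and toks[i] == "eq" else None
    return Ace(action, proto, src, dst, dport)


def ace_matches(ace: Ace, flow: Flow) -> bool:
    return ((ace.proto == "ip" or ace.proto == flow.proto)
            and flow.src in ace.src and flow.dst in ace.dst
            and (ace.dport is None or ace.dport == flow.dport))


def lookup(acl: List[Ace], flow: Flow) -> Tuple[str, Optional[int]]:
    """First-match evaluation. Returns (action, 1-based line); line None means
    the implicit deny that ends every ASA access list."""
    for n, ace in enumerate(acl, 1):
        if ace_matches(ace, flow):
            return ace.action, n
    return "deny", None


def trace(flow: Flow, interface_acl: List[Ace], crypto_acl: List[Ace]) -> str:
    """Order from the accepted answer: interface ACL first (a drop here is what
    packet-tracer reports in its ACCESS-LIST phase), crypto ACL afterwards."""
    action, line = lookup(interface_acl, flow)
    if action == "deny":
        where = f"line {line}" if line else "implicit deny"
        return f"DROP at ACCESS-LIST ({where})"
    c_action, c_line = lookup(crypto_acl, flow)
    if c_action == "permit":
        return f"ALLOW, encrypted (crypto ACL line {c_line})"
    return "ALLOW, cleartext (no crypto ACL match)"


def make_flow(proto: str, src: str, dst: str, dport: int) -> Flow:
    return Flow(proto, ip_address(src), ip_address(dst), dport)


# Interface ACL exactly as pasted in the thread (show access-list output).
LOCAL_ACCESS = [parse_ace(l) for l in (
    "access-list local-access line 1 extended permit ip 192.168.100.0 255.255.255.240 any (hitcnt=0)",
    "access-list local-access line 2 extended permit ip host 172.16.100.50 10.52.0.0 255.255.255.224 (hitcnt=0)",
)]
# The thread says a crypto ACL exists but never shows it; this one is an assumption.
CRYPTO_ACL = [parse_ace(
    "access-list vpn-traffic extended permit ip host 172.16.100.50 10.52.0.0 255.255.255.224")]

if __name__ == "__main__":
    for dst in ("10.52.151.81", "10.52.0.18"):   # the two destinations named in the thread
        flow = make_flow("tcp", "172.16.100.50", dst, 443)
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: "
              f"{trace(flow, LOCAL_ACCESS, CRYPTO_ACL)}")
```

Run it and the first flow is dropped at the interface ACL stage by the implicit deny, which is exactly where packet-tracer stops and why the crypto ACL never comes into play for it; the second flow passes line 2 and is then matched by the crypto ACL. Pasting your own `show access-list` lines into `LOCAL_ACCESS` gives the same check before touching the ASA.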
suthomas1 Wed, 12/29/2010 - 18:20

I am sorry, it was written wrongly.

The ACL is meant for source 172.16.100.50 to destination 10.52.0.18 on a TCP port.

access-list local-access line 1 extended permit ip 192.168.100.0 255.255.255.240 any (hitcnt=0)

access-list local-access line 2 extended permit ip host 172.16.100.50 10.52.0.0 255.255.255.224 (hitcnt=0)

It shows as dropped even though the rule is there, and the running logs don't show anything except for the capture, which says reset.

thanks for your help.

Poonguzhali Sankar Wed, 12/29/2010 - 19:35

I need the following output:

1. sh run nat

2. sh route

3. sh run access-g

4. sh access-l

5. packet-tracer input inside tcp 172.16.100.50 1026 10.52.0.18 <port>, replacing <port> with the port number that host 10.52.0.18 listens on.

6. Enable debug-level logging and post that as well:

conf t

logging on

logging buffered 7

exit

sh logg | i 172.16.100.50

-KS

suthomas1 Thu, 12/30/2010 - 22:21

Thanks KS & all, this was resolved.

It was found to be an IP addressing problem with the server.

Posted December 29, 2010 at 7:08 AM