
ACL sequence in ASA

suthomas1
Level 6

What is the processing sequence in an ASA with an IPsec configuration, for traffic initiated from inside and from outside?

  Remote Host -> Router -> Internet -> ASA -> Local Host

The remote router has a crypto ACL; the ASA has a crypto ACL and an interface ACL.

If the local host starts traffic via the ASA, will it first hit the inside interface ACL on the ASA or the crypto ACL?

I would appreciate any help with this.

Thanks,

1 Accepted Solution

Accepted Solutions

Atri Basu
Cisco Employee

Hi,

The inside ACL will always be the first ACL to be hit. To confirm, you can use the packet-tracer command, which will tell you exactly which process comes into effect and when:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788

The following image should give you an idea of the exact sequence of operations:

The crypto ACL will be hit immediately before phase 8 (Egress Interface).


Regards,

Atri.


7 Replies

Kureli Sankar
Cisco Employee

Inside interface ACL, then the nat 0 ACL on the ASA, and then the crypto ACL on the ASA.

-KS

If the inside ACL is called first, then a strange problem in this remote setup is that the packet gets dropped due to the implicit deny on the inside interface list. This comes up during packet-tracer, in spite of the ACL having a defined line for the required traffic.

Below is the list on the local interface. Line 2 is meant for traffic from host 172.16.100.50 to 10.52.151.81 on a TCP port.

The ASP capture shows this drop also.

access-list local-access line 1 extended permit ip 192.168.100.0 255.255.255.240 any (hitcnt=0)

access-list local-access line 2 extended permit ip host 172.16.100.50 10.52.0.0 255.255.255.224 (hitcnt=0)

Any valuable suggestions for it?

Thanks.

access-list local-access line 2 extended permit ip host 172.16.100.50 10.52.0.0 255.255.255.224

10.52.151.81 is not covered in 10.52.0.0 255.255.255.224

http://www.subnet-calculator.com/

-KS

I am sorry, it was written wrongly.

The ACL is meant for source 172.16.100.50 to destination 10.52.0.18 on a TCP port.

access-list local-access line 1 extended permit ip 192.168.100.0 255.255.255.240 any (hitcnt=0)

access-list local-access line 2 extended permit ip host 172.16.100.50 10.52.0.0 255.255.255.224 (hitcnt=0)

It shows as dropped even though the rule is there, and the running logs don't show anything except for the capture, which says reset.

Thanks for your help.
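As a check on the subnet point KS raised above, here is a small ACL matcher (an added example, not code from the thread or from Cisco) that parses the two access-list lines quoted above in ASA netmask notation and evaluates both the originally stated destination 10.52.151.81 and the corrected 10.52.0.18 against them; a flow that matches no line lands on the implicit deny at the end of the ACL.

```python
import ipaddress
import re

# Constructed from the two ACL lines quoted in the thread (hit counts stripped).
ACL_TEXT = """
access-list local-access line 1 extended permit ip 192.168.100.0 255.255.255.240 any
access-list local-access line 2 extended permit ip host 172.16.100.50 10.52.0.0 255.255.255.224
"""

ACE_RE = re.compile(r"access-list \S+ line (\d+) extended (permit|deny) (\S+) (.*)")


def _take_addr(tokens):
    """Consume one ASA address spec (any | host A.B.C.D | NET MASK) as a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # ASA uses a dotted netmask (not a wildcard mask); ipaddress accepts that form.
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_acl(text):
    """Return (line_no, action, proto, src_net, dst_net) for each 'extended' ACE."""
    entries = []
    for raw in text.strip().splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # ignore remarks, blank lines, anything not an extended ACE
        line_no, action, proto, rest = m.groups()
        tokens = rest.split()
        src_net = _take_addr(tokens)
        dst_net = _take_addr(tokens)  # ports are not parsed: both ACEs are 'permit ip'
        entries.append((int(line_no), action, proto, src_net, dst_net))
    return entries


def evaluate(entries, src_ip, dst_ip, proto="tcp"):
    """First matching ACE wins; no match is the ASA's implicit deny at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line_no, action, ace_proto, src_net, dst_net in entries:
        if ace_proto in ("ip", proto) and src in src_net and dst in dst_net:
            return (action, line_no)
    return ("deny", None)


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for dst in ("10.52.151.81", "10.52.0.18"):  # original and corrected destination
        print(dst, "->", evaluate(acl, "172.16.100.50", dst))
```

Running it shows 10.52.151.81 falling through to the implicit deny, because 255.255.255.224 only covers 10.52.0.0 to 10.52.0.31, while 10.52.0.18 is permitted by line 2.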

I need the following output:

1. sh run nat

2. sh route

3. sh run access-g

4. sh access-l

5. packet-tracer input inside tcp 172.16.100.50 1026 10.52.0.18 <port> (replace <port> with the port number that the host 10.52.0.18 listens on)

6. Enable debug-level logging and post that as well:

conf t

logging on

logging buffered 7

exit

sh logg | i 172.16.100.50

-KS

Thanks KS and all, this was resolved.

It was found to be an IP addressing problem with the server.
