acl sequence in asa

suthomas1
Level 6

What is the process sequence in an ASA with an IPsec configuration, for traffic initiated from inside and from outside?

  Remote Host -> Router -> Internet -> ASA -> Local Host

The remote router has a crypto ACL; the ASA has a crypto ACL and an interface ACL.

If the local host starts traffic via the ASA, will it first use the inside interface ACL on the ASA or the crypto ACL?

Appreciate it if this can be helped with.

Thanks,

Accepted Solution

Atri Basu
Cisco Employee

Hi,

The inside ACL will always be the first ACL to be hit. To confirm, you can use the packet-tracer command; this will tell you exactly which process comes into effect and when:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788

The following image should give you an idea of the exact sequence of operations:

The crypto ACL will be hit immediately before phase 8 (Egress Interface).


Regards,

Atri.


7 Replies

Kureli Sankar
Cisco Employee

Inside interface ACL, NAT 0 ACL on the ASA, and then the crypto ACL on the ASA.

-KS


If the inside ACL is called first, then a strange problem in this remote setup is that the packet gets dropped due to the implicit deny on the inside interface list. This comes up during the tracer, in spite of the ACL having a defined line for the traffic that is required.

Below is the list on the local interface. Line 2 is meant for traffic from host 172.16.100.50 to 10.52.151.81 on a TCP port.

The ASP capture shows this drop also.

access-list local-access line 1 extended permit ip 192.168.100.0 255.255.255.240 any (hitcnt=0)

access-list local-access line 2 extended permit ip host 172.16.100.50 10.52.0.0 255.255.255.224 (hitcnt=0)

Any valuable suggestions for it?

Thanks.

access-list local-access line 2 extended permit ip host 172.16.100.50 10.52.0.0 255.255.255.224

10.52.151.81 is not covered in 10.52.0.0 255.255.255.224

http://www.subnet-calculator.com/

-KS
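The subnet check KS points to, as an added example that is not part of the thread and not Cisco's code: a small Python first-match evaluator for the two ACEs quoted above. It parses the "show access-list" lines (only the ip/tcp/udp protocols, numeric "eq" ports and the any/host/netmask address forms are handled, an assumption of this example), walks them in order with the ASA's implicit deny at the end, and, when a flow misses, reports which term of each line rejected it. ASA extended ACLs take netmasks rather than wildcard masks, so 10.52.0.0 255.255.255.224 is the /27 covering 10.52.0.0 to 10.52.0.31: 10.52.0.18 is inside it, 10.52.151.81 is not.

```python
"""Offline first-match evaluator for ASA 'show access-list' output.

Constructed example (not from the thread or from Cisco): parses the ACEs quoted
in the thread and answers "does this flow hit a permit, and if not, which term
of each line rejects it?"  ASA extended ACLs use real netmasks (255.255.255.224),
not IOS-style wildcard masks, and end in an implicit deny.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    name: str
    line: int
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp" or "udp" (assumption: nothing else handled)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # None = any destination port
    hitcnt: Optional[int]          # value of (hitcnt=N), if present


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one ASA address term: any | host A.B.C.D | A.B.C.D M.M.M.M (netmask)."""
    if tok[i] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # strict=False tolerates host bits set in the address part
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_ace(text: str) -> Ace:
    """Parse 'access-list NAME line N extended ACTION PROTO SRC DST [eq PORT] (hitcnt=K)'."""
    tok = text.split()
    if tok[0] != "access-list" or tok[2] != "line" or tok[4] != "extended":
        raise ValueError(f"unsupported ACE syntax: {text}")
    name, line, action, proto = tok[1], int(tok[3]), tok[5], tok[6]
    src, i = _parse_addr(tok, 7)
    dst, i = _parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":      # numeric ports only (assumption)
        dport = int(tok[i + 1])
    m = re.search(r"\(hitcnt=(\d+)\)", text)
    hitcnt = int(m.group(1)) if m else None
    return Ace(name, line, action, proto, src, dst, dport, hitcnt)


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First match wins; ('deny', None) is the ASA's implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):       # 'ip' matches any protocol
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.line
    return "deny", None


def explain(aces: List[Ace], proto: str, src: str, dst: str,
            dport: Optional[int] = None) -> List[str]:
    """Per line, the first term that rejects the flow (or 'matches')."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    out = []
    for ace in aces:
        if ace.proto not in ("ip", proto):
            out.append(f"line {ace.line}: protocol {proto} != {ace.proto}")
        elif s not in ace.src:
            out.append(f"line {ace.line}: src {s} not in {ace.src}")
        elif d not in ace.dst:
            out.append(f"line {ace.line}: dst {d} not in {ace.dst}")
        elif ace.dport is not None and ace.dport != dport:
            out.append(f"line {ace.line}: dport {dport} != {ace.dport}")
        else:
            out.append(f"line {ace.line}: matches ({ace.action})")
    return out


# The two ACEs quoted in the thread; hitcnt=0 on both, i.e. nothing has matched yet.
SHOW_ACCESS_LIST = """\
access-list local-access line 1 extended permit ip 192.168.100.0 255.255.255.240 any (hitcnt=0)
access-list local-access line 2 extended permit ip host 172.16.100.50 10.52.0.0 255.255.255.224 (hitcnt=0)
"""
ACES = [parse_ace(l) for l in SHOW_ACCESS_LIST.splitlines() if l.strip()]

if __name__ == "__main__":
    # 10.52.151.81 (first quoted) is outside the /27 in line 2; 10.52.0.18 (corrected) is inside.
    for dst in ("10.52.151.81", "10.52.0.18"):
        print(dst, evaluate(ACES, "tcp", "172.16.100.50", dst, 443))
        for reason in explain(ACES, "tcp", "172.16.100.50", dst, 443):
            print("   ", reason)
```

Running it shows the flow to 10.52.151.81 falling through to ("deny", None) with "line 2: dst 10.52.151.81 not in 10.52.0.0/27" as the reason, while the flow to 10.52.0.18 returns ("permit", 2). A "show access-list" where every line still reads hitcnt=0 after the test traffic is consistent with exactly that: no ACE matched and the packet landed on the implicit deny, which is what packet-tracer reported in the thread.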

I am sorry, it was written wrongly.

The ACL is meant for source 172.16.100.50 to destination 10.52.0.18 on a TCP port.

access-list local-access line 1 extended permit ip 192.168.100.0 255.255.255.240 any (hitcnt=0)

access-list local-access line 2 extended permit ip host 172.16.100.50 10.52.0.0 255.255.255.224 (hitcnt=0)

It shows as dropped even though the rule is there, and the running logs don't show anything except for the capture, which says reset.

Thanks for your help.

Need the following output:

1. sh run nat

2. sh route

3. sh run access-g

4. sh access-l

5. packet-tracer input inside tcp 172.16.100.50 1026 10.52.0.18 - replace with the port number that the host 10.52.0.18 listens on.

6. Enable debug-level logging and post that as well:

conf t

logging on

logging buffered 7

exit

sh logg | i 172.16.100.50

-KS

Thanks KS & all, this was resolved.

It was found to be an ip addressing problem with server.
