Help with command line access list

Answered Question
Aug 14th, 2012

Hello,


I use the ASDM for lots of work on our ASA, but I want to start using the CLI to add access lists.


I just created a rule on the ASDM and looked at the syslog server, and the command it used was:


access-list outside_access_in line 321 extended permit tcp object-group DM_INLINE_NETWORK_333 host 172.22.1.4 object-group DM_INLINE_TCP_87


On the ASDM all I did was create one rule containing 2 source IPs (192.168.1.10 and 192.168.1.20) to get to 172.22.1.4 on ports 80 and 443. How would I write this in the CLI as one rule, as the ASA seems to create these strange DM_INLINE groups?


Thanks

Jouni Forss Tue, 08/14/2012 - 04:55

Hi,


DM_INLINE groups are object-groups created by the ASDM when you insert more than one IP/network/port into a section of the ASDM configuration.


Best way to check what the ASDM does is to do the following


Open ASDM and open the "Tools" in the toolbar and click on "Preferences"




Now check the appropriate box so that ASDM will always preview the CLI form of the configuration before sending it to the device.



Since you checked the inserted command from the log, I think you probably missed the messages about the ASA creating the object-groups.


Personally I never use ASDM for access rules. I always make the object-groups and ACLs on the CLI side. Same for NAT configurations.


Hope this was helpful


- Jouni

Correct Answer
Jouni Forss Tue, 08/14/2012 - 05:06

Hi,


And to answer your actual question of how to write the rule on the CLI, you can do it several ways


Option 1.


access-list outside_access_in permit tcp host 192.168.1.10 host 172.22.1.4 eq 80

access-list outside_access_in permit tcp host 192.168.1.10 host 172.22.1.4 eq 443

access-list outside_access_in permit tcp host 192.168.1.20 host 172.22.1.4 eq 80

access-list outside_access_in permit tcp host 192.168.1.20 host 172.22.1.4 eq 443


Option 2.


object-group network HTTP-HTTPS-SOURCE (or any other descriptive name)

network-object host 192.168.1.10

network-object host 192.168.1.20


access-list outside_access_in permit tcp object-group HTTP-HTTPS-SOURCE host 172.22.1.4 eq 80

access-list outside_access_in permit tcp object-group HTTP-HTTPS-SOURCE host 172.22.1.4 eq 443


Option 3.


- This is basically what the ASDM did but with "ugly" object-group names


object-group network HTTP-HTTPS-SOURCE (or any other descriptive name)

network-object host 192.168.1.10

network-object host 192.168.1.20


object-group service HTTP-HTTPS tcp

port-object eq www

port-object eq https



access-list outside_access_in permit tcp object-group HTTP-HTTPS-SOURCE host 172.22.1.4 object-group HTTP-HTTPS



- Jouni

Andrew White Tue, 08/14/2012 - 06:17

Probably the best reply I have ever had to a forum post, thanks very much!


I'm going to start using this. The only issue I have sometimes is finding access rules in the command line to edit, as we have so many. Do you have any useful commands to use to locate an access list?


Thanks again

Jouni Forss Tue, 08/14/2012 - 06:37

Hi,


Can you give some example situation where you are facing problems usually?



Here are some commands I use when checking access-lists


  • show run access-group
    • This command lists all the access-lists that are attached to an interface on the firewall
    • Example of output could be: access-group INSIDE-IN in interface inside. That would tell you that an access-list with the name INSIDE-IN is attached on the interface named "inside" in the direction "in". In other words it would check traffic that is arriving towards the interface.
  • show run access-list
    • Shows the access-list in short form. It doesn't show the IP addresses/networks configured under object-groups.
  • show access-list
    • Shows the WHOLE access-list. It shows an ACL line (ACE) as several rows if the ACE contains object-groups
  • show run object-group
    • Shows all object-groups configured on the device
  • show run object-group id <name>
    • Shows the configuration for only the object-group named in the command
  • show access-list <name> | include x.x.x.x   OR   show access-list | include x.x.x.x
    • Shows all access-list lines in a certain named access-list, or in all access-lists, that contain the IP address x.x.x.x


Also, if you are familiar with the packet-tracer on the ASDM side, you can use it on the CLI side too, with the command "packet-tracer". The format is as follows


packet-tracer input


When you issue the command, the output on the CLI will mention the access-list line that the traffic matches, and this can help you locate an access-list statement if you didn't already find it with the above commands.


Those are the things that I think of right now.


- Jouni

Andrew White Thu, 08/16/2012 - 03:42

My apologies for the delay, I didn't get the auto email reply saying someone has replied.


This is really useful. The only issue I had was how to amend a rule on a line. For example I have loads of rules like this:


access-list inside_access_in line 177 extended permit tcp 192.168.20.0 255.255.254.0 10.20.30.0 255.255.255.0 eq 80

access-list inside_access_in line 177 extended permit tcp 192.168.20.0 255.255.254.0 10.20.30.0 255.255.255.0 eq 443

access-list inside_access_in line 177 extended permit tcp 192.168.20.0 255.255.254.0 10.20.30.0 255.255.255.0 eq 139



How would I add?


access-list inside_access_in line 177 extended permit tcp 192.168.20.0 255.255.254.0 10.20.30.0 255.255.255.0 eq 445


as it seemed to add it on a new line 178


Packet tracer is great, I use this a lot, and packet capture too, but I didn't know you can bind it to your local Wireshark; I normally export and import into Wireshark.


Thanks

Jouni Forss Thu, 08/16/2012 - 03:53

Hi,


It seems to me that the 3 lines of ACL that you have copy-pasted are actually part of a single ACE which contains object-groups


Notice the "line 177" in each of the lines.


Still, if you use the line number 177 with new configuration it should bump the old line 177 configuration to line 178


To start viewing the access-list in question from line 177 you can do this


show access-list inside_access_in | begin line 177


The first output line in the configuration should be the actual configuration that contains object-groups. If there's an object-group for the services/ports opened, you might be able to add the line in question just by adding the port to the same group as the others. (80, 139, 443)


If you need to add some network or remove some network from that line you need to modify the network-objects under the object-groups.


Also, here's a small example of the situation I'm talking about above


  • object-group used in ACL


object-group network LAN

network-object 10.10.10.0 255.255.255.0

network-object 10.10.20.0 255.255.255.0

network-object 10.10.30.0 255.255.255.0


  • The actual ACL configuration line  
    • show run access-list TEST


access-list TEST extended permit ip object-group LAN any


  • The same ACL in "opened" form  
    • show access-list TEST


access-list TEST; 3 elements; name hash: 0xd37fdb2b

access-list TEST line 1 extended permit ip object-group LAN any 0xeb9e6e99

  access-list TEST line 1 extended permit ip 10.10.10.0 255.255.255.0 any (hitcnt=0) 0x365de33c

  access-list TEST line 1 extended permit ip 10.10.20.0 255.255.255.0 any (hitcnt=0) 0xc98d1b29

  access-list TEST line 1 extended permit ip 10.10.30.0 255.255.255.0 any (hitcnt=0) 0x2a9982d3


  • Remove one network from the object-group and look at the ACL  
    • object-group network LAN
      • no network-object 10.10.10.0 255.255.255.0
    • show access-list TEST


access-list TEST; 2 elements; name hash: 0xd37fdb2b

access-list TEST line 1 extended permit ip object-group LAN any 0xeb9e6e99

  access-list TEST line 1 extended permit ip 10.10.20.0 255.255.255.0 any (hitcnt=0) 0xc98d1b29

  access-list TEST line 1 extended permit ip 10.10.30.0 255.255.255.0 any (hitcnt=0) 0x2a9982d3



- Jouni

Andrew White Thu, 08/16/2012 - 03:55

Also, I'm not sure how to search for this, but I used one of your search commands to find a rule that contained IP 192.168.20.90 and it didn't find it. But on the ASDM I noticed it was in a group, so I guess it would be in one of those DM_INLINE groups.


How would I search for an IP in a rule if it is hidden in one of those DM_INLINE groups?


Thanks

Jouni Forss Thu, 08/16/2012 - 03:59

Hi,


If you use the "show access-list" format of the command it should open up all the object-groups in the ACL.


If you use "show run access-list" format of the command it doesnt show the IP addresses under the object-groups.


Using the access-list I created in the above message as an example:


  • show run access-list TEST


access-list TEST extended permit ip object-group LAN any


  • show access-list TEST


access-list TEST; 3 elements; name hash: 0xd37fdb2b

access-list TEST line 1 extended permit ip object-group LAN any 0xeb9e6e99

  access-list TEST line 1 extended permit ip 10.10.10.0 255.255.255.0 any (hitcnt=0) 0x365de33c

  access-list TEST line 1 extended permit ip 10.10.20.0 255.255.255.0 any (hitcnt=0) 0xc98d1b29

  access-list TEST line 1 extended permit ip 10.10.30.0 255.255.255.0 any (hitcnt=0) 0x2a9982d3



- Jouni
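The search commands above and this last answer both come down to one point: "show access-list" expands the object-groups, and "| include x.x.x.x" then finds the rows that literally contain the address. The include filter is only a text match, though. 10.10.20.55 is never found in a row that reads "10.10.20.0 255.255.255.0", so an address that sits inside a DM_INLINE group made of networks rather than hosts is still missed. The Python below is an added example for this page, not code from the thread or from Cisco: it parses pasted "show access-list <name>" output, matches the address numerically against every expanded row (host, network/mask and, optionally, any), and reports the object-group ACE a row was expanded from. The embedded sample reuses the TEST access-list from the answer; its lines 2 and 3, all hashes and hit counts, and the function and field names are constructed for the example.

```python
"""Find which ACEs of a Cisco ASA access-list cover a given IP, from pasted
'show access-list <name>' output (object-groups expanded into indented member rows).
'| include x.x.x.x' is only a text match; this parser matches the address numerically."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the TEST access-list from the thread (line 1) plus two made-up
# ACEs (lines 2 and 3) with invented hashes and hit counts to exercise the parser.
SAMPLE = """\
access-list TEST; 6 elements; name hash: 0xd37fdb2b
access-list TEST line 1 extended permit ip object-group LAN any 0xeb9e6e99
  access-list TEST line 1 extended permit ip 10.10.10.0 255.255.255.0 any (hitcnt=0) 0x365de33c
  access-list TEST line 1 extended permit ip 10.10.20.0 255.255.255.0 any (hitcnt=0) 0xc98d1b29
  access-list TEST line 1 extended permit ip 10.10.30.0 255.255.255.0 any (hitcnt=0) 0x2a9982d3
access-list TEST line 2 extended permit tcp object-group HTTP-HTTPS-SOURCE host 172.22.1.4 object-group HTTP-HTTPS 0x00000001
  access-list TEST line 2 extended permit tcp host 192.168.1.10 host 172.22.1.4 eq www (hitcnt=4) 0x00000002
  access-list TEST line 2 extended permit tcp host 192.168.1.20 host 172.22.1.4 eq https (hitcnt=1) 0x00000003
access-list TEST line 3 extended permit tcp host 192.168.20.90 10.20.30.0 255.255.255.0 eq 445 (hitcnt=12) 0x00000004
"""

# One ACE row. '(hitcnt=N)' and the hash are optional: a group parent row prints no hitcnt.
ACE_RE = re.compile(
    r"^(?P<indent>\s*)access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<rest>.*?)(?:\s+\(hitcnt=(?P<hits>\d+)\))?(?:\s+\(inactive\))?(?:\s+0x[0-9a-fA-F]+)?\s*$")
PORT_OPS = {"eq", "gt", "lt", "neq"}
GROUP_KEYWORDS = {"object-group", "object"}

@dataclass
class Ace:
    acl: str
    line: int
    action: str
    proto: str
    src: Optional[ipaddress.IPv4Network]   # None = 'any' (or unparsed, for a group parent)
    dst: Optional[ipaddress.IPv4Network]
    ports: str                             # destination port spec, e.g. 'eq www'; '' if none
    hits: Optional[int]
    group_parent: bool                     # row still names groups; its members follow, indented
    parent: Optional[str]                  # member row: text of the parent ACE it was expanded from

def _take_addr(tokens, i):
    """Consume one address spec at tokens[i]: any/any4/any6, 'host A' or 'A MASK'."""
    t = tokens[i]
    if t in ("any", "any4", "any6"):
        return None, i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2

def _take_ports(tokens, i):
    """Consume an optional 'eq|gt|lt|neq X' (2 tokens) or 'range A B' (3 tokens) port spec."""
    n = 0 if i >= len(tokens) else 2 if tokens[i] in PORT_OPS else 3 if tokens[i] == "range" else 0
    return " ".join(tokens[i:i + n]), i + n

def parse_show_access_list(text: str) -> List[Ace]:
    """Parse every ACE row; headers such as 'access-list TEST; 6 elements' are skipped."""
    aces, parent = [], None
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if not m:
            continue
        tokens = m["rest"].split()
        group_parent = m["proto"] in GROUP_KEYWORDS or any(t in GROUP_KEYWORDS for t in tokens)
        src, dst, ports = None, None, ""
        if not group_parent:                   # member rows and plain ACEs carry real addresses
            src, i = _take_addr(tokens, 0)
            _, i = _take_ports(tokens, i)      # optional source port spec, discarded
            dst, i = _take_addr(tokens, i)
            ports, _ = _take_ports(tokens, i)  # trailing icmp type / log keywords ignored
        if not m["indent"]:                    # unindented row: remember it as a possible parent
            parent = raw.strip() if group_parent else None
        aces.append(Ace(m["acl"], int(m["line"]), m["action"], m["proto"], src, dst, ports,
                        int(m["hits"]) if m["hits"] else None, group_parent,
                        parent if m["indent"] else None))
    return aces

def _covers(net, addr, match_any):
    return match_any if net is None else (addr.version == net.version and addr in net)

def find_ip(aces: List[Ace], ip: str, role: str = "either", match_any: bool = False) -> List[Ace]:
    """ACEs whose 'src', 'dst' or 'either' side covers ip. Group parents are skipped (their
    members follow); 'any' counts only with match_any=True, or every 'permit ... any' would hit."""
    addr = ipaddress.ip_address(ip)
    sides = {"src": ("src",), "dst": ("dst",), "either": ("src", "dst")}[role]
    return [a for a in aces if not a.group_parent
            and any(_covers(getattr(a, s), addr, match_any) for s in sides)]

def describe(ace: Ace) -> str:
    """One-line summary, naming the object-group ACE a member row was expanded from."""
    src, dst = ("any" if n is None else str(n) for n in (ace.src, ace.dst))
    via = f"   [member of: {ace.parent}]" if ace.parent else ""
    return f"{ace.acl} line {ace.line} {ace.action} {ace.proto} {src} -> {dst} {ace.ports}".rstrip() + via

if __name__ == "__main__":
    acl = parse_show_access_list(SAMPLE)
    for ip in ("10.10.20.55", "192.168.1.20", "192.168.20.90"):
        print(ip, *[describe(h) for h in find_ip(acl, ip)], sep="\n  ")
```

Paste real "show access-list <name>" output in place of SAMPLE; the "show run access-list" form has no line numbers and no expanded rows, so it will not parse. role="dst" narrows the search to the destination side, and match_any=True also lists the rows with any, which is what matters when the question is why traffic is permitted rather than where an address is configured.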
