access list rule not working

Dragomir
Level 1

I have an extended access-list rule that is #1 in position on the external access list:

access-list acl-outside line 1 extended permit tcp host x.x.x.x host a.b.c.d eq 5723
access-list acl-outside line 2 extended permit tcp host x.x.x.y host a.b.c.e eq 5723

but when I telnet from x.x.x.x to a.b.c.d on port 5723, it does not listen or respond.

Internally I verified that the port is listening on the host.

The internal IP is NATed to the external IP a.b.c.d.

Any idea?

17 Replies

Jouni Forss
VIP Alumni

Hi,

Well, the first thing to do would be to use "packet-tracer" to check what it says would happen to such a connection:

packet-tracer input outside tcp x.x.x.x 12345 a.b.c.d 5723

This should tell us if all the configurations are OK, for example that we are matching the correct NAT configuration and ACL rule.

If everything seems fine (share the output), then you should probably test the connection from the external network, monitor the syslogs and check that you see the Building and Teardown messages of the TCP connection. Furthermore, look at what the termination reason of the connection is in the Teardown message.

There could be several reasons the connection isn't coming up even though the firewall configurations are OK:

  • No default route on the host
  • Other routing problem from the host back to the external network
  • Software firewall blocking the connection attempt
  • Some other device in between blocking the connection attempt
  • Service not enabled on the host
  • etc

One "last" option is of course to take a traffic capture on the ASA and confirm if the traffic is heading to the host and if anything is coming back while the TCP connection is being formed.

- Jouni

packet-tracer input outside tcp x.x.x.x 12345 a.b.c.d 5723

12345 is the source port of the source IP? I don't know what the source port will be.

Hi,

You don't really need to know the source port. The source port is irrelevant. As you see, you have not defined any specific source port in the ACL, so any source port is allowed. The port 12345 is just an example source port, as the simulated connection/packet needs to have one.

- Jouni

I ran the packet tracer and came up with this result:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Hi,

It would be good to see the full output of the command.

But if that is all that can be seen, then it would seem to point out that the ASA configurations are fine and the problem is somewhere else.

The next thing would be to look at the ASA logs while attempting the connection. ASDM would probably be the easiest way if you have not set up a syslog server to which the ASA sends the logs.

- Jouni

Julio Carvajal
VIP Alumni

So you are running a version lower than 8.3, right?

Remember that after 8.3 you now point to the private IP addresses of the devices.

To be sure this is not a FW issue:

capture capout interface outside match tcp host x.x.x.x host a.b.c.d_public eq 5723
capture capin interface inside match tcp host x.x.x.x host a.b.c.d_Private eq 5723

Then try to connect once and share:

show cap capout
show cap capin

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

capture capout interface outside match tcp host x.x.x.x host a.b.c.d_public eq 5723

When I do this it says incomplete command:

  Hostname or A.B.C.D  Destination IP address
  any                  Abbreviation for destination address and mask of 0.0.0.0
                       0.0.0.0
  host                 Use this keyword to configure destination host

I did both captures and there are no packets captured:

show capture capout
0 packet captured
0 packet shown

show capture capin
0 packet captured
0 packet shown

Hi,

Either the capture was configured with incorrect IP addresses or there was simply no traffic from the public/external network that ever reached the ASA.

- Jouni

I initiated the traffic from x.x.x.x with a telnet public_ip 5723

but there was no response.

I am able to ping the IP from x.x.x.x.

If you generate the traffic and you do not see anything on the capture, then as Jouni said, traffic is not getting to the ASA; it's being blocked somewhere else....

Cheers,

Julio Carvajal Segura

How do I find out the telnet connection from the source to the destination from the logs?

Do:

show logging | include x.x.x.x (Source IP address)

Cheers,

Julio Carvajal Segura

Hi,

I would probably start by logging into ASDM, going to the Monitoring section and opening Logging. Then you could attempt the connections and see if any connection attempts are getting denied.

Since you already configured a packet capture and we got no hits, that would mean that either the capture was configured with the wrong IP addresses or simply no traffic reached your ASA.

Since you say that ICMP works, it would seem more likely to me that the traffic might be coming from a different source IP address than the one configured in the ACL rules, perhaps?

- Jouni
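Jouni's advice to read the Built/Teardown messages (and their termination reason) and Julio's `show logging | include <source IP>` both come down to picking the right syslog lines out of the ASA log. The script below is an added example, not code from the thread or from Cisco: it parses the standard ASA connection messages (%ASA-6-302013 Built, %ASA-6-302014 Teardown, %ASA-4-106023 Deny by access-group) for one source IP and destination port and reports how each attempt ended. The log lines are constructed for the example, with documentation addresses standing in for the thread's placeholders (192.0.2.10 for x.x.x.x, 198.51.100.20 for the public a.b.c.d, 10.1.1.5 for the inside host behind the NAT); the `diagnose` hints are this example's own reading of the teardown reason, based on Jouni's checklist.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log (not from the thread). Timestamps omitted; real lines
# carry a prefix before %ASA-..., so the regexes use search() not match().
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 4711 for outside:192.0.2.10/51000 (192.0.2.10/51000) to inside:10.1.1.5/5723 (198.51.100.20/5723)
%ASA-6-302014: Teardown TCP connection 4711 for outside:192.0.2.10/51000 to inside:10.1.1.5/5723 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 4712 for outside:192.0.2.10/51001 (192.0.2.10/51001) to inside:10.1.1.5/5723 (198.51.100.20/5723)
%ASA-6-302014: Teardown TCP connection 4712 for outside:192.0.2.10/51001 to inside:10.1.1.5/5723 duration 0:00:05 bytes 1234 TCP FINs
%ASA-4-106023: Deny tcp src outside:192.0.2.77/40000 dst inside:198.51.100.20/5723 by access-group "acl-outside" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 4713 for outside:192.0.2.10/51002 (192.0.2.10/51002) to inside:10.1.1.5/22 (198.51.100.20/22)
"""

# Built: real (post-NAT) address first, mapped address in parentheses.
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?:inbound|outbound) TCP connection (?P<cid>\d+) for "
    r"\w+:(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
    r"\w+:(?P<real_dst>[\d.]+)/(?P<dport>\d+) \((?P<mapped_dst>[\d.]+)/\d+\)"
)
# Teardown: duration, byte count and the termination reason at the end.
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<cid>\d+) for .*? duration "
    r"(?P<duration>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)
# ACL deny: the message Jouni suggests looking for in ASDM's logging view.
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ dst '
    r'\w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


@dataclass
class Conn:
    conn_id: str
    src: str
    src_port: int
    real_dst: str
    mapped_dst: str
    dst_port: int
    duration: Optional[str] = None
    bytes: Optional[int] = None
    reason: Optional[str] = None


def trace_connections(log_text: str, src_ip: str, dst_port: int) -> List[Conn]:
    """Pair Built and Teardown messages by connection id for one source IP
    and destination port, in the order the connections were built."""
    conns: Dict[str, Conn] = {}
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m and m["src"] == src_ip and int(m["dport"]) == dst_port:
            conns[m["cid"]] = Conn(m["cid"], m["src"], int(m["sport"]),
                                   m["real_dst"], m["mapped_dst"], int(m["dport"]))
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["cid"] in conns:  # only teardowns of connections we track
            c = conns[m["cid"]]
            c.duration, c.bytes, c.reason = m["duration"], int(m["bytes"]), m["reason"]
    return list(conns.values())


def denied_attempts(log_text: str, dst_port: int) -> List[Tuple[str, str]]:
    """(source IP, ACL name) for every access-group deny to dst_port."""
    return [(m["src"], m["acl"]) for m in map(DENY_RE.search, log_text.splitlines())
            if m and int(m["dport"]) == dst_port]


def diagnose(c: Conn) -> str:
    """Turn a teardown reason into the next thing to check (example's own heuristics)."""
    if c.reason is None:
        return "no Teardown seen yet: connection still open or log truncated"
    if c.reason == "SYN Timeout" and c.bytes == 0:
        return ("ASA permitted and NATed the SYN but the handshake never completed: "
                "check the host listener, host firewall, and the host's route back to the ASA")
    if c.reason == "TCP FINs":
        return "normal close: the service answered"
    return f"ended with '{c.reason}' after {c.bytes} bytes"


if __name__ == "__main__":
    for c in trace_connections(SAMPLE_LOG, "192.0.2.10", 5723):
        print(f"conn {c.conn_id}: {c.src}:{c.src_port} -> {c.mapped_dst} (real {c.real_dst}):{c.dst_port}")
        print("   ", diagnose(c))
    for src, acl in denied_attempts(SAMPLE_LOG, 5723):
        print(f"denied by {acl}: {src}")
```

Run against a real `show logging` dump by replacing SAMPLE_LOG with the file contents; a source that appears only in Deny lines (here 192.0.2.77) is the case Jouni raises last, traffic arriving from an address the ACL does not list, while a Built line followed by "SYN Timeout" with 0 bytes shows the ASA forwarded the SYN and the inside host never answered.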
