
New Member

acl sequence in asa

What is the processing sequence in an ASA with an IPsec configuration, for traffic initiated from inside and from outside?

  Remote Host ->  Router -> Internet -> ASA -> Local Host

The remote router has a crypto ACL; the ASA has a crypto ACL and an interface ACL.

If the local host starts traffic via the ASA, will it first hit the inside interface ACL on the ASA or the crypto ACL?

I would appreciate any help with this.

Thanks,

1 ACCEPTED SOLUTION
Cisco Employee

Re: acl sequence in asa

Hi,

The inside ACL will always be the first ACL to be hit. To confirm, you can use the packet-tracer command; this will tell you exactly which process comes into effect and when:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788

The following image should give you an idea of the exact sequence of operations:

The crypto ACL will be hit immediately before phase 8 (Egress Interface).


Regards,

Atri.

7 REPLIES
Cisco Employee

Re: acl sequence in asa

Inside interface ACL, nat 0 ACL on the ASA, and then the crypto ACL on the ASA.

-KS

New Member

Re: acl sequence in asa

If the inside ACL is checked first, then a strange problem in this remote setup is that the packet gets dropped due to the implicit deny on the inside interface list. This comes up during the tracer, in spite of the ACL having a defined line for the traffic that is required.

Below is the list on the local interface. Line 2 is meant for traffic from host 172.16.100.50 to 10.52.151.81 on a TCP port.

The asp capture shows this drop also.

access-list local-access line 1 extended permit ip 192.168.100.0 255.255.255.240 any (hitcnt=0)

access-list local-access line 2 extended permit ip host 172.16.100.50 10.52.0.0 255.255.255.224 (hitcnt=0)

Any valuable suggestions for it?

Thanks.

Cisco Employee

Re: acl sequence in asa

access-list local-access line 2 extended permit ip host 172.16.100.50 10.52.0.0 255.255.255.224

10.52.151.81 is not covered by 10.52.0.0 255.255.255.224

http://www.subnet-calculator.com/

-KS
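
As an added illustration of the two points made above (the inside interface ACL is evaluated before the crypto ACL, and an ASA ACE mask is a network mask, so 10.52.0.0 255.255.255.224 is only 10.52.0.0-10.52.0.31), here is a small Python model of top-down ACL matching with implicit deny. It is example code written for this page, not anything from the thread or from Cisco; the two ACEs are the ones quoted in the thread, the crypto ACL is a constructed placeholder, and the nat 0 step is omitted.

```python
import ipaddress

# Constructed from the two ACL lines quoted in the thread. ASA ACEs carry a
# network mask (not an IOS-style wildcard), so 255.255.255.224 means /27.
LOCAL_ACCESS = [
    ("permit", "ip", "192.168.100.0/255.255.255.240", "0.0.0.0/0"),
    ("permit", "ip", "172.16.100.50/255.255.255.255", "10.52.0.0/255.255.255.224"),
]

# Hypothetical crypto ACL (VPN-interesting traffic); not from the thread.
CRYPTO_ACL = [
    ("permit", "ip", "172.16.100.0/255.255.255.0", "10.52.0.0/255.255.255.0"),
]


def _net(spec):
    """Parse 'address/dotted-mask' into an IPv4Network."""
    return ipaddress.IPv4Network(spec, strict=False)


def match_acl(acl, proto, src, dst):
    """Evaluate ACEs top-down; the first match wins, otherwise implicit deny.
    Returns (action, line_number); line 0 means the implicit deny at the end."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for line, (action, ace_proto, ace_src, ace_dst) in enumerate(acl, start=1):
        if ace_proto not in ("ip", proto):
            continue
        if src_ip in _net(ace_src) and dst_ip in _net(ace_dst):
            return action, line
    return "deny", 0


def trace(proto, src, dst, inside_acl, crypto_acl):
    """Order described in the accepted answer: the inside interface ACL is
    consulted first, so a miss there drops the packet before the crypto ACL
    (tunnel selection) is ever looked at."""
    action, _ = match_acl(inside_acl, proto, src, dst)
    if action != "permit":
        return "dropped-inside-acl-implicit-deny"
    if match_acl(crypto_acl, proto, src, dst)[0] != "permit":
        return "permitted-not-vpn-interesting"
    return "permitted-encrypt"


if __name__ == "__main__":
    # The address first reported in the thread falls outside 10.52.0.0/27.
    print(trace("tcp", "172.16.100.50", "10.52.151.81", LOCAL_ACCESS, CRYPTO_ACL))
    # The corrected destination 10.52.0.18 lies inside it and reaches the crypto ACL.
    print(trace("tcp", "172.16.100.50", "10.52.0.18", LOCAL_ACCESS, CRYPTO_ACL))
```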

New Member

Re: acl sequence in asa

I am sorry, it was written wrongly.

The ACL is meant for source 172.16.100.50 to destination 10.52.0.18 on a TCP port.

access-list local-access line 1 extended permit ip 192.168.100.0 255.255.255.240 any (hitcnt=0)

access-list local-access line 2 extended permit ip host 172.16.100.50 10.52.0.0 255.255.255.224 (hitcnt=0)

It shows as dropped even though the rule is there, and the running logs don't show anything except for the capture, which says reset.

Thanks for your help.

Cisco Employee

Re: acl sequence in asa

Need the following output:

1. sh run nat

2. sh route

3. sh run access-g

4. sh access-l

5. packet-tracer input inside tcp 172.16.100.50 1026 10.52.0.18 <port> (replace <port> with the port number that the host 10.52.0.18 listens on)

6. Enable debug level logging and post that as well:

conf t

logging on

logging buffered 7

exit

sh logg | i 172.16.100.50

-KS

New Member

Re: acl sequence in asa

Thanks KS and all, this was resolved.

It was found to be an IP addressing problem with the server.
