Re: ACL to allow everything with a ASA 5510

oncpicsu2010 · ‎11-26-2010

Hi,

I am trying to configure our ASA 5510. For now we just want to replace our old PIX with the ASA, security will come later.

This is why I just want to allow everything to go through the ASA.

We use two interfaces on the ASA, 0 is the outside interface, where we will connect the cable from our ISP, and 1 is the inside interface, where we will connect our switch. I have enabled intra-interfaces communications.

Our topology is like this: we have a PIX in front, a pool of public IPs that we NAT to servers behind the PIX. I have used the ASDM to configure the NAT, I got this configuration:

object network web1_ext
host 194.206.163.34
object network web2_ext
host 194.206.163.35
object network web3_ext
host 194.206.163.36

object network web1_int
host 192.168.192.34
object network web2_int
host 192.168.192.35
object network web3_int
host 192.168.192.36

object network web1_ext
nat (any,any) static web1_int
object network web2_ext
nat (any,any) static web2_int
object network web3_ext
nat (any,any) static web3_int

object network web1_int
nat (any,any) static web1_ext
object network web2_int
nat (any,any) static web2_ext
object network web3_int
nat (any,any) static web3_ext

Then, I added some access rules via the ASDM, on both interfaces (inside and outside), and on global, with source any, destination any, service ip.

The rules were:

access-list inside_access_in extended permit ip any any

access-list outside_access_in extended permit ip any any

access-list global_access extended permit ip any any

And:

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group global_access global

I expected this to let all the traffic through the ASA, but it didn't work. I checked the command reference for access-list extended, there is this example:

hostname(config)# access-list ACL_IN extended permit ip any any

The description of the example says: "The following access list allows all hosts (on the interface to which you apply the access list) to go
through the adaptive security appliance"

I'm not a native english speaker, but I understand that this would do what I want. So what is the problem with the two rules above ?

Now, I changed the rules, using the All object-group, with allows any port on TCP-UDP, and added a rule for ICMP, which works for me, but I'd still like to know what is wrong with my rules.

Thanks in advance.

cadet alain · ‎11-26-2010

Hi,

I have enabled intra-interfaces communications

What do you mean by that? By default communication from inside to outside is permitted because you're going from a high security level to a lower one

and furthermore if the os is recent you don't even need to nat to communicate.

access-list inside_access_in extended permit ip any any

access-list outside_access_in extended permit ip any any

access-list global_access extended permit ip any any
access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

access-group global_access global

So this is enough for communication if only hosts from inside initiate connections to outside.

access-list outside_access_in extended permit ip any any
access-group outside_access_in in interface outside

Your nat statements are quite weird because when we nat it's from an interface to anotherlike in to out or out to in but never saw any to any and furthermore you must state that web1ext is an object-group and also in your nat you must have the 2 IPs each time which is not the case in what you posted.

Can you console in and enter these commands:

-show run interface

-show run nat

-show access-list

and post the ouput here

Regards.

Don't forget to rate helpful posts.

cadet alain · ‎11-26-2010

Hi,

I must confess I was a little blown away by this 8.3 config style and i meesed up with pre 8.3 but anyway concerning the ACL you can consider what I said right and for your static nat you take a look at the examples given in the nat tutorial for 8.3 here and you will find your luck.

Regards.

Don't forget to rate helpful posts.

oncpicsu2010 · ‎11-26-2010

What do you mean by that? By default communication from inside to outside is permitted because you're going from a high security level to a lower one

and furthermore if the os is recent you don't even need to nat to communicate.

Well, I didn't change the security levels of my interfaces, so I allowed in ASDM the communication between two interfaces of same security levels.

I guess I could change the security level.

So this is enough for communication if only hosts from inside initiate connections to outside.

I don't understand that. Do you mean the rules I posted allow only connections initiated by the inside ?

What I want to do, is allow everything, regardless of which hosts initiated the connection. It would be like there is no firewall, but I'm planning to add restricting rules later.

Regarding my NAT statements, well I used only ASDM to do that. I added my hosts in Network Objects window, and activated the NAT options in the dialog when you add the object.

Here is what you asked.

show run interface

!
interface Ethernet0/0
nameif outside
security-level 0
ip address 194.74.163.33 255.255.255.0
!
interface Ethernet0/1
description Ethernet0/1
nameif inside
security-level 0
ip address 192.74.192.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only

show run nat

!
object network bub1_ext
nat (any,any) static bub1_int
object network bub2_ext
nat (any,any) static bub2_int
object network bub3_ext
nat (any,any) static bub3_int
object network bub4_ext
nat (any,any) static bub4_int
object network internet_ext
nat (any,any) static internet_int
object network locaware_ext
nat (any,any) static locaware_int
object network mail_ext
nat (any,any) static mail_int
object network ns1_ext
nat (any,any) static ns1_int
object network ns2_ext
nat (any,any) static ns2_int
object network thor_ext
nat (any,any) static thor_int
object network web1_ext
nat (any,any) static web1_int
object network web2_ext
nat (any,any) static web2_int
object network web3_ext
nat (any,any) static web3_int
object network bub1_int
nat (any,any) static bub1_ext
object network bub2_int
nat (any,any) static bub2_ext
object network bub3_int
nat (any,any) static bub3_ext
object network bub4_int
nat (any,any) static bub4_ext
object network internet_int
nat (any,any) static internet_ext
object network locaware_int
nat (any,any) static locaware_ext
object network mail_int
nat (any,any) static mail_ext
object network ns1_int
nat (any,any) static ns1_ext
object network ns2_int
nat (any,any) static ns2_ext
object network thor_int
nat (any,any) static thor_ext
object network web1_int
nat (any,any) static web1_ext
object network web2_int
nat (any,any) static web2_ext
object network web3_int
nat (any,any) static web3_ext

show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list inside_access_in; 1 elements; name hash: 0x433a1af1
access-list inside_access_in line 2 extended permit ip any any log debugging interval 300 (hitcnt=0) 0xa925365e
access-list outside_access_in; 27 elements; name hash: 0x6892a938
access-list outside_access_in line 2 extended permit ip object-group trusted_ips any 0x60b9db6e
access-list outside_access_in line 2 extended permit ip host 82.244.195.239 any (hitcnt=0) 0x6f5801d1
access-list outside_access_in line 4 extended permit tcp any object-group http_servers_ext eq www 0x34e96a48
access-list outside_access_in line 4 extended permit tcp any host 194.74.163.60 eq www (hitcnt=0) 0xc758b984
access-list outside_access_in line 4 extended permit tcp any host 194.74.163.61 eq www (hitcnt=0) 0xc4e12358
access-list outside_access_in line 4 extended permit tcp any host 194.74.163.59 eq www (hitcnt=0) 0x21310377
access-list outside_access_in line 4 extended permit tcp any host 194.74.163.58 eq www (hitcnt=0) 0x27fe81d3
access-list outside_access_in line 4 extended permit tcp any host 194.74.163.34 eq www (hitcnt=0) 0xdc352f9e
access-list outside_access_in line 4 extended permit tcp any host 194.74.163.35 eq www (hitcnt=0) 0xff9a2f82
access-list outside_access_in line 4 extended permit tcp any host 194.74.163.36 eq www (hitcnt=0) 0xc411a7a3
access-list outside_access_in line 4 extended permit tcp any host 194.74.163.40 eq www (hitcnt=0) 0x33d7f4fd
access-list outside_access_in line 4 extended permit tcp any host 194.74.163.41 eq www (hitcnt=0) 0xfc7cb67d
access-list outside_access_in line 6 extended permit tcp any object-group https_servers_ext eq https 0xf55bdd4f
access-list outside_access_in line 6 extended permit tcp any host 194.74.163.58 eq https (hitcnt=0) 0x5396a940
access-list outside_access_in line 6 extended permit tcp any host 194.74.163.41 eq https (hitcnt=0) 0xf1b25ffd
access-list outside_access_in line 6 extended permit tcp any host 194.74.163.35 eq https (hitcnt=0) 0x579e7ef8
access-list outside_access_in line 8 extended permit tcp any object bub2_ext object-group DM_INLINE_TCP_1 0x172ce7b1
access-list outside_access_in line 8 extended permit tcp any host 194.74.163.61 eq 7654 (hitcnt=0) 0xa19f2e71
access-list outside_access_in line 8 extended permit tcp any host 194.74.163.61 eq 8765 (hitcnt=0) 0x92a5ae82
access-list outside_access_in line 8 extended permit tcp any host 194.74.163.61 eq 9876 (hitcnt=0) 0x342a8f87
access-list outside_access_in line 8 extended permit tcp any host 194.74.163.61 eq ssh (hitcnt=0) 0xd4d7173f
access-list outside_access_in line 10 extended permit icmp object-group trusted_ips any 0x50f0b045
access-list outside_access_in line 10 extended permit icmp host 82.244.195.239 any (hitcnt=0) 0xdf59191e
access-list outside_access_in line 12 extended permit object-group TCPUDP any object-group dns_strascom_ext eq domain 0x5f4812cf
access-list outside_access_in line 12 extended permit udp any host 194.74.163.38 eq domain (hitcnt=0) 0xa8fc33eb
access-list outside_access_in line 12 extended permit udp any host 194.74.163.39 eq domain (hitcnt=0) 0x812e3df4
access-list outside_access_in line 12 extended permit tcp any host 194.74.163.38 eq domain (hitcnt=0) 0x357a7dfd
access-list outside_access_in line 12 extended permit tcp any host 194.74.163.39 eq domain (hitcnt=0) 0x567bb051
access-list outside_access_in line 14 extended permit ip object inside_network any 0xdda3ff0c
access-list outside_access_in line 14 extended permit ip 192.168.192.0 255.255.255.0 any (hitcnt=0) 0xdda3ff0c
access-list outside_access_in line 16 extended permit tcp any object-group smtp_servers_ext eq smtp 0x9343c173
access-list outside_access_in line 16 extended permit tcp any host 194.74.163.40 eq smtp (hitcnt=0) 0x879200fb
access-list outside_access_in line 16 extended permit tcp any host 194.74.163.55 eq smtp (hitcnt=0) 0xe81706ee
access-list outside_access_in line 18 extended permit tcp any object-group pop3_servers_ext eq pop3 0x45f22ee7
access-list outside_access_in line 18 extended permit tcp any host 194.74.163.55 eq pop3 (hitcnt=0) 0xe2e30f21
access-list outside_access_in line 19 extended permit ip any any log debugging interval 300 (hitcnt=0) 0x7e78c5c4
access-list global_access; 1 elements; name hash: 0xbd6c87a7
access-list global_access line 1 extended permit ip any any (hitcnt=0) 0x7b3c7918

Ok, while I was saving those config, I tested again using the "ip" service in ASDM, and now it works. I don't really understand why it didn't work in the first place.

Thanks.

oncpicsu2010 · ‎11-26-2010

Sorry for the double post, trouble with the cisco forums...