Solved: Applying Extended ACL close to Destination

mahesh18 · ‎08-30-2013

Hi Everyone,

Need to share something here.Mostly we use extended ACL close to the source.

Here is this scenario i need to use the extended ACL close to destination to fix the issue.

Here is info

Server 1 connected to interface X ASA1 it has wan connection to ASA2---ASA2 has connection to ASA3.

Now ASA3 is learning source server IP via its Y interface.

In order to reach the destination server ASA3 has to through its interface Z.

Now there was ACL on ASA3 which denies traffic from source server IP to destination IP on interface Y.

I apply the ACL on ASA3 to allow the traffic and it worked.

Dooes someone elase also has seen this behaviour?

Regards

Mahesh

Jouni Forss · ‎08-30-2013

Hi Mahesh,

I am not really sure on the setup here but here is what I gathered.

You have connection between 2 hosts/servers.
There are 3 ASA firewall (physical or virtual) between the 2 hosts
There was a DENY rule on ASA3 interface behind which ASA2, ASA1 and the source host/server is located
You added an PERMIT rule on ASA3 to allow this traffic and it was allowed after that

If that is the case then I am not sure what unexpected happened there.

Every ASA on the way from the source host to the destination host has to have a rule to allow this traffic to pass it since they are different firewalls.

Depending on the environment there could naturally be firewalls that dont have any ACL rules if they were used for some other particular purpose only (like NAT)

- Jouni

View solution in original post

Jouni Forss · ‎08-30-2013

Hi,

The thing depends on the fact if I understood your setup correctly. If you have traffic flowing through 3 different firewalls to reach its final destination then naturally you have to make sure that each of those firewalls allow that traffic. Even if the first ASA1 allows this connections in its ACL rules it might still be that ASA2 or ASA3 has a configuration that doesnt allow this traffic (like it seemed to be originally in your situation). The fact that ASA1 allowed the connection attempt through itself doesnt mean that it would reach its destination as there are differen firewalls on the way.

Just as an example I could mention one real life setup that I manage.

The setup contains 4 firewalls always (at minimum)

One is customer firewall/vpn device
One is our vpn device
One is our firewall device
One is our partner firewall device

This means essentially that for the Customer to reach the Partner sites servers the traffic has to go through 4 firewalls atleast. Because of the policy chosen we only have to make sure that the Customer and the Partner firewall allows the traffic as Our firewalls dont do any access control (just provide the connectivity between sites)

- Jouni

View solution in original post

Jouni Forss · ‎08-30-2013

Hi Mahesh,

I am not really sure on the setup here but here is what I gathered.

You have connection between 2 hosts/servers.
There are 3 ASA firewall (physical or virtual) between the 2 hosts
There was a DENY rule on ASA3 interface behind which ASA2, ASA1 and the source host/server is located
You added an PERMIT rule on ASA3 to allow this traffic and it was allowed after that

If that is the case then I am not sure what unexpected happened there.

Every ASA on the way from the source host to the destination host has to have a rule to allow this traffic to pass it since they are different firewalls.

Depending on the environment there could naturally be firewalls that dont have any ACL rules if they were used for some other particular purpose only (like NAT)

- Jouni

mahesh18 · ‎08-30-2013

Hi Jouni,

Learned something new from you----"Every ASA on the way from the source host to the destination host has to have a rule to allow this traffic to pass it since they are different firewalls."

So my understanding is that----

Seems in firewall world depending on traffic flow and if ACL is configured or not to allow the traffic sometimes we need to config ACL close to destination address to fix the issue.

Best regards

Mahesh

Jouni Forss · ‎08-30-2013

Hi,

The thing depends on the fact if I understood your setup correctly. If you have traffic flowing through 3 different firewalls to reach its final destination then naturally you have to make sure that each of those firewalls allow that traffic. Even if the first ASA1 allows this connections in its ACL rules it might still be that ASA2 or ASA3 has a configuration that doesnt allow this traffic (like it seemed to be originally in your situation). The fact that ASA1 allowed the connection attempt through itself doesnt mean that it would reach its destination as there are differen firewalls on the way.

Just as an example I could mention one real life setup that I manage.

The setup contains 4 firewalls always (at minimum)

One is customer firewall/vpn device
One is our vpn device
One is our firewall device
One is our partner firewall device

This means essentially that for the Customer to reach the Partner sites servers the traffic has to go through 4 firewalls atleast. Because of the policy chosen we only have to make sure that the Customer and the Partner firewall allows the traffic as Our firewalls dont do any access control (just provide the connectivity between sites)

- Jouni

mahesh18 · ‎08-30-2013

Thanks Jouni for explaining it so clearly.

Best regards

Mahesh