Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Applying Extended ACL close to Destination

                   Hi Everyone,

Need to share something here.Mostly we use extended ACL close to the source.

Here is this scenario i need to use the extended ACL  close to destination to fix the issue.

Here is info

Server 1  connected to interface X  ASA1  it has wan connection to ASA2---ASA2 has connection to ASA3.

Now  ASA3 is learning source server IP via its Y interface.

In order to reach the destination server ASA3  has to through its interface Z.

Now there was ACL  on ASA3 which denies traffic from source server IP  to destination IP on interface Y.

I apply the ACL  on ASA3 to allow the traffic and it worked.

Dooes someone elase also has seen this behaviour?

Regards

Mahesh

2 ACCEPTED SOLUTIONS

Accepted Solutions
Super Bronze

Applying Extended ACL close to Destination

Hi Mahesh,

I am not really sure on the setup here but here is what I gathered.

  • You have connection between 2 hosts/servers.
  • There are 3 ASA firewall (physical or virtual) between the 2 hosts
  • There was a DENY rule on ASA3 interface behind which ASA2, ASA1 and the source host/server is located
  • You added an PERMIT rule on ASA3 to allow this traffic and it was allowed after that

If that is the case then I am not sure what unexpected happened there.

Every ASA on the way from the source host to the destination host has to have a rule to allow this traffic to pass it since they are different firewalls.

Depending on the environment there could naturally be firewalls that dont have any ACL rules if they were used for some other particular purpose only (like NAT)

- Jouni

Super Bronze

Re: Applying Extended ACL close to Destination

Hi,

The thing depends on the fact if I understood your setup correctly. If you have traffic flowing through 3 different firewalls to reach its final destination then naturally you have to make sure that each of those firewalls allow that traffic. Even if the first ASA1 allows this connections in its ACL rules it might still be that ASA2 or ASA3 has a configuration that doesnt allow this traffic (like it seemed to be originally in your situation). The fact that ASA1 allowed the connection attempt through itself doesnt mean that it would reach its destination as there are differen firewalls on the way.

Just as an example I could mention one real life setup that I manage.

The setup contains 4 firewalls always (at minimum)

  • One is customer firewall/vpn device
  • One is our vpn device
  • One is our firewall device
  • One is our partner firewall device

This means essentially that for the Customer to reach the Partner sites servers the traffic has to go through 4 firewalls atleast. Because of the policy chosen we only have to make sure that the Customer and the Partner firewall allows the traffic as Our firewalls dont do any access control (just provide the connectivity between sites)

- Jouni

4 REPLIES
Super Bronze

Applying Extended ACL close to Destination

Hi Mahesh,

I am not really sure on the setup here but here is what I gathered.

  • You have connection between 2 hosts/servers.
  • There are 3 ASA firewall (physical or virtual) between the 2 hosts
  • There was a DENY rule on ASA3 interface behind which ASA2, ASA1 and the source host/server is located
  • You added an PERMIT rule on ASA3 to allow this traffic and it was allowed after that

If that is the case then I am not sure what unexpected happened there.

Every ASA on the way from the source host to the destination host has to have a rule to allow this traffic to pass it since they are different firewalls.

Depending on the environment there could naturally be firewalls that dont have any ACL rules if they were used for some other particular purpose only (like NAT)

- Jouni

Community Member

Applying Extended ACL close to Destination

Hi Jouni,

Learned something new from you----"Every ASA on the way from the source host to the destination host has to have a rule to allow this traffic to pass it since they are different firewalls."

So my understanding  is that----

Seems in firewall world depending on traffic flow and if ACL is configured or not to allow the traffic  sometimes we need to config ACL close to destination address to fix the issue.

Best regards

Mahesh

Super Bronze

Re: Applying Extended ACL close to Destination

Hi,

The thing depends on the fact if I understood your setup correctly. If you have traffic flowing through 3 different firewalls to reach its final destination then naturally you have to make sure that each of those firewalls allow that traffic. Even if the first ASA1 allows this connections in its ACL rules it might still be that ASA2 or ASA3 has a configuration that doesnt allow this traffic (like it seemed to be originally in your situation). The fact that ASA1 allowed the connection attempt through itself doesnt mean that it would reach its destination as there are differen firewalls on the way.

Just as an example I could mention one real life setup that I manage.

The setup contains 4 firewalls always (at minimum)

  • One is customer firewall/vpn device
  • One is our vpn device
  • One is our firewall device
  • One is our partner firewall device

This means essentially that for the Customer to reach the Partner sites servers the traffic has to go through 4 firewalls atleast. Because of the policy chosen we only have to make sure that the Customer and the Partner firewall allows the traffic as Our firewalls dont do any access control (just provide the connectivity between sites)

- Jouni

Community Member

Re: Applying Extended ACL close to Destination

Thanks Jouni for explaining it so clearly.

Best regards

Mahesh

219
Views
0
Helpful
4
Replies
CreatePlease to create content