Cisco Support Community

New Member

ASA access-list confusion with multiple internal networks.

I am trying to apply an access list to an internal subnet that is different from the inside address of the ASA.

The ASA inside network is a 192.168.1.x network. The network that I am trying to apply an access list to is 10.6.150.x.

Here is my example config

ASA Version 8.2(1)
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 155.155.155.18 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
object-group network blocked-hosts
 network-object host 8.8.8.8
access-list outside_acl extended deny ip object-group blocked-hosts any
access-list inside_acl extended deny ip any object-group blocked-hosts
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_acl in interface outside
access-group inside_acl in interface inside

route outside 0.0.0.0 0.0.0.0 155.155.155.17 1
route inside 10.6.150.0 255.255.255.0 192.168.1.1 1

If I ping host 8.8.8.8 from a 192.168.1.x address, the ping is blocked.

If I ping host 8.8.8.8 from a 10.6.150.x address, the ping is allowed.


Thank you in advance.

Hall of Fame Super Silver

Based on the partial configuration you've provided, it should be blocked from any host whose path out of the local LANs is trying to go out via the ASA inside interface.

Have you confirmed the traffic from 10.6.150.x is indeed passing through the ASA?

Can you check:

packet-tracer input inside icmp 10.6.150.1 0 0 8.8.8.8

New Member

The ASA is the only route out of the environment.

I wonder if it is a NAT issue. Packet-tracer shows a block, but a tracert and ping still work on the client.


cdxasa(config)# packet-tracer input inside icmp 10.6.150.1 0 0 8.8.8.8

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_acl in interface inside
access-list inside_acl extended permit icmp any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (155.155.155.18 [Interface PAT])
    translate_hits = 20238713, untranslate_hits = 1724138
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

tracert 8.8.8.8

Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.6.150.1
  2    82 ms    79 ms    83 ms  wsip-155-155-155-17.oc.oc.net [155.155.155.17]
  3   135 ms   133 ms   138 ms  wsip-155-155-132-249.oc.oc..net [155.155.132.249]

  4   116 ms   175 ms    31 ms  155.4.15.250
  5   194 ms   148 ms   152 ms  ip155-4-11-10.oc.oc.net [155.4.11.10]
  6   215 ms   212 ms   199 ms  dllsbbrj02-ge020.rd.dl.oc.net [155.1.0.149]
  7   202 ms    26 ms    50 ms  langbbrj01-ge050000804.r2.la.oc.net [155.105.30.181]
  8     3 ms     3 ms     4 ms  216.239.46.40
  9   239 ms   251 ms   239 ms  72.14.238.2
 10    74 ms    40 ms    41 ms  72.14.239.159
 11    50 ms    44 ms    68 ms  64.233.174.129
 12     *        *        *     Request timed out.
 13    36 ms    55 ms    35 ms  google-public-dns-a.google.com [8.8.8.8]

Trace complete.


Hall of Fame Super Silver

Your traceroute output indicates the traffic is hitting 10.6.150.1 and then on to 155.155.155.17 as hop #2.

I don't see the ASA in that path.

Also, what's that access-list entry "access-list inside_acl extended permit icmp any any" reported by packet-tracer?

New Member

10.6.150.1 is a VLAN IP for the switch that handles internal routing. It is handing all external traffic off to the ASA. 155.155.155.17 is the gateway on the other side of the ASA. I am not sure why the tracert is omitting the inside address of the ASA, but there is no other way to get out.
The "access-list inside_acl extended permit icmp any any" is an entry in the ACL on line 2.
The blocked-host entry is line 1.

Doing further testing on this to answer your question I determined that my original question is a bit of a red herring.

My initial problem was trying to resolve an issue with a policy map. Troubleshooting that problem, I found that the access list for the policy was never getting hit, so I reasoned that it was an ACL issue. As a test I set a ping 8.8.8.8 -t on a client in the affected subnet. Then I added 8.8.8.8 to a blocked-host rule. When the ping traffic continued, I reasoned it was the subnet/ACL issue I described.

Silly me. Because the connection was established prior to adding the deny rule it was not interrupted. Once I stopped the persistent ping, and restarted it, the traffic was properly blocked.

I am left with my original issue, and none the wiser to the source of my problem.

I am trying to set a rate limit on vlan03. The rate limit for colo works as expected. The vlan03 access list is never hit, so I am assuming that is why the policy is not kicking in.

access-list rate_limit_colo_acl extended permit ip host 99.99.99.13 any
access-list rate_limit_colo_acl extended permit ip any host 99.99.99.13
access-list rate_limit_vlan03_acl extended permit ip 10.6.150.0 255.255.255.0 any
access-list rate_limit_vlan03_acl extended permit ip any 10.6.150.0 255.255.255.0
!
class-map rate_limit_colo_map
 match access-list rate_limit_colo_acl
class-map rate_vlan03_map
 match access-list rate_limit_vlan03_acl
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map policy_rate_limit_map
 class rate_limit_colo_map
  police output 1000000 5000
  police input 1000000 5000
 class rate_vlan03_map
  police output 10000 3000
  police input 10000 3000
!
service-policy global_policy global
service-policy policy_rate_limit_map interface outside
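The two things this thread turned on, modelled in Python as an added example (not code from the thread, and not ASA code): the packet-tracer output above evaluates FLOW-LOOKUP (phase 1) before ACCESS-LIST (phase 3), so a deny ACE added while a ping -t is running does not bite until that flow is gone; and the ACL itself is first-match with an implicit deny, so "deny ip any object-group blocked-hosts" catches 10.6.150.x sources exactly as it catches 192.168.1.x ones, which is the answer to the original question. The object-group and ACL lines are the ones posted in the thread; the connection table, the hosts 10.6.150.2 and 192.168.1.10, and the second destination 8.8.4.4 are constructed for the demo.

```python
"""ASA-style model: connection lookup happens before the interface ACL.

Added example, not code from this thread or from Cisco. It imitates the
phase order packet-tracer shows on this page (FLOW-LOOKUP before
ACCESS-LIST) and first-match ACL evaluation with an implicit deny at the
end. Config lines are copied from the thread; the connection table and the
extra hosts/destinations used in demo() are constructed.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol; otherwise an exact name
    src: list     # list of IPv4Network
    dst: list


def _addr_spec(tokens, groups):
    """Consume one ASA address spec; return (networks, remaining tokens)."""
    t = tokens[0]
    if t == "any":
        return [Net("0.0.0.0/0")], tokens[1:]
    if t == "host":
        return [Net(tokens[1] + "/32")], tokens[2:]
    if t == "object-group":
        return list(groups[tokens[1]]), tokens[2:]
    return [Net(f"{t}/{tokens[1]}")], tokens[2:]   # "A.B.C.D MASK" form


def parse_config(lines):
    """Return ({acl_name: [Ace, ...]}, {group_name: [Net, ...]})."""
    acls, groups, current = {}, {}, None
    for raw in lines:
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object-group", "network"]:
            current = groups.setdefault(tok[2], [])
            continue
        if tok[0] == "network-object" and current is not None:
            current.extend(_addr_spec(tok[1:], groups)[0])
            continue
        current = None
        if tok[0] == "access-list" and tok[2] == "extended":
            src, rest = _addr_spec(tok[5:], groups)
            dst, _ = _addr_spec(rest, groups)
            acls.setdefault(tok[1], []).append(Ace(tok[3], tok[4], src, dst))
    return acls, groups


def acl_lookup(aces, proto, src, dst):
    """First match wins; returns (action, 1-based line) or ("deny", None)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for line, ace in enumerate(aces, 1):
        if (ace.proto in ("ip", proto)
                and any(s in n for n in ace.src)
                and any(d in n for n in ace.dst)):
            return ace.action, line
    return "deny", None   # implicit deny at the end of every ASA ACL


class Asa:
    """Only the two phases that matter here: connection table, then ACL."""

    def __init__(self, acls, in_acl="inside_acl"):
        self.acls, self.in_acl, self.conns = acls, in_acl, set()

    def packet(self, proto, src, dst):
        key = (proto, src, dst)
        if key in self.conns:        # phase 1: existing flow, ACL never consulted
            return "allow (existing flow)"
        action, _ = acl_lookup(self.acls[self.in_acl], proto, src, dst)
        if action == "permit":       # phase 3: new flow permitted, remember it
            self.conns.add(key)
            return "allow"
        return "drop (acl-drop)"

    def clear_conn(self):
        """Model of clearing the connection table (or letting the flow time out)."""
        self.conns.clear()


# From the thread: inside_acl before and after the deny ACE was added as line 1.
BEFORE = ["object-group network blocked-hosts",
          " network-object host 8.8.8.8",
          "access-list inside_acl extended permit icmp any any"]
AFTER = BEFORE[:2] + [
    "access-list inside_acl extended deny ip any object-group blocked-hosts",
    BEFORE[2]]


def demo():
    asa = Asa(parse_config(BEFORE)[0])
    r1 = asa.packet("icmp", "10.6.150.1", "8.8.8.8")   # ping -t starts: allow
    asa.acls = parse_config(AFTER)[0]                  # deny added; conns untouched
    r2 = asa.packet("icmp", "10.6.150.1", "8.8.8.8")   # still allowed via the flow
    r3 = asa.packet("icmp", "10.6.150.2", "8.8.8.8")   # a fresh host is dropped
    asa.clear_conn()                                   # stop/restart the ping
    r4 = asa.packet("icmp", "10.6.150.1", "8.8.8.8")   # now dropped as well
    return r1, r2, r3, r4


if __name__ == "__main__":
    print(demo())
```

demo() returns ("allow", "allow (existing flow)", "drop (acl-drop)", "drop (acl-drop)"), which is the sequence the last post describes. On a real ASA the equivalent of clear_conn() is clearing the connection table (clear conn, or clear local-host for one address) after changing an ACL, rather than waiting for the client to stop and restart; and a packet-tracer run always starts from "Found no matching flow", which is why it reported a drop while the live ping kept working.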
