Help in understanding ACL on ASA5520

JohnTylerPearce
Level 7

access-list dmzdot5_access_in extended permit ip object-group DM_INLINE_NETWORK_9 any
access-list dmzdot5_access_in extended permit ip object-group DM_INLINE_NETWORK_19 NonRoutableDMZ 255.255.255.0


object-group network DM_INLINE_NETWORK_9
network-object 192.168.5.0 255.255.255.0
network-object 74.254.111.16 255.255.255.240

object-group network DM_INLINE_NETWORK_19
group-object Saturn_net
group-object Pluto-all-networks

name 192.168.5.0 NonRoutableDMZ

object-group network Saturn_net
network-object 192.168.20.0 255.255.255.0
network-object 192.168.55.0 255.255.255.0
network-object 192.168.9.0 255.255.255.0

object-group network Pluto-all-networks
description Pluto networks
network-object 20.110.208.0 255.255.255.0
network-object 20.110.209.0 255.255.255.0
network-object 20.110.210.0 255.255.255.0
network-object 20.110.211.0 255.255.255.0
network-object 20.110.212.0 255.255.255.0
network-object 20.110.213.0 255.255.255.0
network-object 20.110.214.0 255.255.255.0
network-object 20.110.215.0 255.255.255.0
network-object 20.110.216.0 255.255.255.0
network-object 20.110.217.0 255.255.255.0
network-object vpn_net 255.255.255.0
network-object 172.16.0.0 255.255.0.0
network-object host isf_net
network-object 192.168.50.0 255.255.255.0

access-group dmzdot5_access_in in interface dmzdot5

It seems as if the dmzdot5_access_in access list is applied in the inbound direction on interface dmzdot5.

The dmzdot5 network only has 192.168.5.0/24 on it, with 192.168.5.1 as the default gateway, which is the interface IP of dmzdot5. According to the following, it appears as if all these networks would be in the source IP field in the IP header:

access-list dmzdot5_access_in extended permit ip object-group DM_INLINE_NETWORK_9 any
access-list dmzdot5_access_in extended permit ip object-group DM_INLINE_NETWORK_19 NonRoutableDMZ 255.255.255.0

Would having all these addresses in the source even do anything? I would think it should be from 192.168.5.0 255.255.255.0 to a,b,c,d,e,f (or whatever networks) and not a,b,c,d,e,f (or whatever networks) to 192.168.5.0 255.255.255.0.


4 Replies

varrao
Level 10

Hi John,

Whenever you define an object-group in the ACL, it means that if the source IP is any IP defined in the subnets in the object-group, even if any single IP from the defined networks falls under the ACL, it would be allowed.

Let me know if you have any questions.

Thanks,

Varun

Thanks,
Varun Rao

access-list dmzdot5_access_in extended permit ip object-group DM_INLINE_NETWORK_9 any
access-list dmzdot5_access_in extended permit ip object-group DM_INLINE_NETWORK_19 NonRoutableDMZ 255.255.255.0

I understand object groups, I'm just having trouble understanding this line. From my understanding, it's saying any IP/network under DM_INLINE_NETWORK_9 is allowed to any destination, and any IP/network under DM_INLINE_NETWORK_19 to NonRoutableDMZ 255.255.255.0 is allowed.

This access list is applied in the inbound direction on the dmzdot5 interface. I'm assuming that inbound on the dmzdot5 interface means if you're on a computer with an IP in the dmzdot5 range, the packets coming to the dmzdot5 interface are in the inbound direction?

Absolutely, the direction of the traffic is coming into the dmzdot5 interface. Moreover, the two access-list entries don't make sense: in the above ACL you have destination any, which means the second ACL entry would never be hit.

Hope that helps

Thanks,

Varun

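To make the accepted answer concrete, here is a small model of how the ASA walks an inbound ACL top-down with first match wins, using the object groups posted above. This is an added example, not code from the thread or from Cisco; the symbolic names vpn_net and isf_net in the posted config are given placeholder addresses, and the "dead ACE" check simply asks whether an entry's source set can ever overlap the subnet that lives on the ingress interface.

```python
# Added example (not from the thread): a model of ASA inbound ACL evaluation,
# first match wins, with the posted object groups flattened into prefixes.
import ipaddress

OBJECT_GROUPS = {
    "Saturn_net": ["192.168.20.0/24", "192.168.55.0/24", "192.168.9.0/24"],
    "Pluto-all-networks": ["20.110.%d.0/24" % i for i in range(208, 218)]
        # vpn_net and isf_net are names in the config; placeholder values here
        + ["10.99.0.0/24", "172.16.0.0/16", "10.98.0.1/32", "192.168.50.0/24"],
    "DM_INLINE_NETWORK_9": ["192.168.5.0/24", "74.254.111.16/28"],
    "DM_INLINE_NETWORK_19": ["Saturn_net", "Pluto-all-networks"],
}

def expand(name):
    """Flatten nested group-object references into ip_network objects."""
    nets = []
    for entry in OBJECT_GROUPS.get(name, [name]):
        if entry in OBJECT_GROUPS:
            nets += expand(entry)
        else:
            nets.append(ipaddress.ip_network(entry))
    return nets

# dmzdot5_access_in as posted: (action, source group, destination); "any" = 0.0.0.0/0
ACL = [
    ("permit", "DM_INLINE_NETWORK_9", "0.0.0.0/0"),
    ("permit", "DM_INLINE_NETWORK_19", "192.168.5.0/24"),  # NonRoutableDMZ
]

def evaluate(src, dst):
    """Return (action, ACE index) of the first match, or the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, sgrp, dgrp) in enumerate(ACL):
        if any(s in n for n in expand(sgrp)) and any(d in n for n in expand(dgrp)):
            return action, i
    return "deny", None  # implicit deny at the end of every ASA ACL

def dead_aces(ingress_subnet):
    """Indexes of ACEs whose source set never overlaps the ingress interface's subnet.

    Packets entering dmzdot5 legitimately carry a 192.168.5.0/24 source, so such
    entries can only match spoofed traffic and are candidates for cleanup."""
    ingress = ipaddress.ip_network(ingress_subnet)
    return [i for i, (_, sgrp, _) in enumerate(ACL)
            if not any(n.overlaps(ingress) for n in expand(sgrp))]
```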

Yeah, the second ACL makes no sense at all. It's basically saying if all these networks are the source IP.... which would never be, considering the network range for hosts on that network is 192.186.5.0/24....

I got another quick question. Let's say in theory I am on a network with a higher security-level than dmzdot5, and the traffic is initiated to, let's say, a server. I could put a deny any any in the inbound direction on dmzdot5 and traffic would still get through, since the traffic was not sourced from any computer inside 192.168.5.0 but was sourced from an interface with a higher security level?
