Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
14423
Views
0
Helpful
11
Replies

Inactive Access List Blocking Traffic on Cisco ASA

Go to solution
tabiv
Level 1
Level 1

‎10-25-2010 01:54 PM - edited ‎03-11-2019 12:00 PM

Hi All.

I have a Cisco ASA 5510 running Version 8.3(2) on which I've been having a problem getting a DMZ server to commiunicate back into the Internal network. While trying different ACL's and NAT's to get this to work I've come across something strange (or at least I wasn't expecting) in the Logs.

I have ACL that I have disabled which is still blocking traffic.

4    Oct 25 2010    13:22:30        192.168.55.5    50218    192.168.7.14    80    Deny tcp src DMZ:192.168.55.5/50218 dst LAN:192.168.7.14/80 by access-group "LAN_access_out" [0x0, 0x0]

Below are my ACL's:

access-list LAN_access_out extended permit ip 192.168.7.0 255.255.255.0 any inactive
access-list WAN_cryptomap extended permit ip object-group TBNETs object-group colo
access-list DMZ_access_in extended permit ip object stage_dmz any
access-list LAN_access_in extended permit ip object stage_dmz object TBLAN
access-list LAN_access_in extended permit ip 192.168.7.0 255.255.255.0 any

The blocked traffic is from the DMZ back into the Internal Network.

I've been away from managing Firewalls for a number of a years now and I'm fairly rusty, so I may just be missing something really simple. But it seams to me, no matter how messed up I may have done my ACLs, I shouldn't have an inactive ACL blocking traffic.

Anyone know what the deal with this is? or am i just crazy?

Thanks!

Ted

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
August Ritchie
Level 1
Level 1
In response to tabiv

‎10-25-2010 03:24 PM

I would try adding a different access-list line to that configuration just temporarily so that you can edit it in ASDM. Of course if you don't want the access-list altogether, just take off that access-group or delete that line and you won't see any effects.

View solution in original post

0 Helpful
11 Replies 11

Go to solution
Maykol Rojas
Cisco Employee
Cisco Employee

‎10-25-2010 02:01 PM

Hello,

Would you please paste the configuration of the access group.

Mike.

Mike
0 Helpful

Go to solution
tabiv
Level 1
Level 1
In response to Maykol Rojas

‎10-25-2010 02:07 PM

Hi Mike. What took you so long? I had to wait almost 30 seconds for a response.

Here's the Access Groups:

access-group WAN_access in interface WAN
access-group LAN_access_in in interface LAN
access-group LAN_access_out out interface LAN
access-group DMZ_access_in in interface DMZ

Ted

0 Helpful

Go to solution
Maykol Rojas
Cisco Employee
Cisco Employee
In response to tabiv

‎10-25-2010 02:21 PM

Hello

I was looking closely Jesus Mary and Joseph, you are right, the ACL is inactive. Is that the return traffic? Or traffic initiated from the DMZ?

Let me know.

Mike

Mike
0 Helpful

Go to solution
tabiv
Level 1
Level 1
In response to Maykol Rojas

‎10-25-2010 02:47 PM

I am pretty sure it's denying it from the DMZ before it reaches the internal server. I just checked on the internal server I was trying to connect to make sure, there is no connection getting there at all. So it should be the traffic from the DMZ.

I'm makin an assumption that rule affects outbound traffic on that  interface in either direction. please correct me if I am wrong.

wierd, eh? I'm stumped.

Ted

0 Helpful

Go to solution
Maykol Rojas
Cisco Employee
Cisco Employee
In response to tabiv

‎10-25-2010 03:00 PM

Hey Ted

Exactly, the deny IP any any is taking precedense, just having the access group in makes the firewall to drop all of the connections going outbound. There is no need to run the packet tracer, the log is very clear, is the access group that is dropping it. The implicit deny that the access list has will drop everything going outbound on the inside interface.

Cheers

Mike
0 Helpful

Go to solution
tabiv
Level 1
Level 1
In response to Maykol Rojas

‎10-25-2010 03:15 PM

So should I just remove the LAN_access_out Access Group?

You 2 are responding with great answers faster than I can check things.

Ted

0 Helpful

Go to solution
August Ritchie
Level 1
Level 1

‎10-25-2010 02:39 PM

My thought is that even though the access-list is inactive, just having the access-list with an item in it is causing the implicit deny statement that every access-list has at the end to still be enabled.

So as long as the access-group for the access-list is in the configuration this behavior will continue until you explicitly permit the traffic.

You can do the following packet-tracer to see if the deny reason is access-list - implicit deny.

packet-tracer input DMZ tcp 192.168.55.5 1024 192.168.7.14 80

0 Helpful

Go to solution
tabiv
Level 1
Level 1
In response to August Ritchie

‎10-25-2010 03:13 PM

Below are the results:

Result of the command: "packet-tracer input DMZ tcp 192.168.55.5 1024 192.168.7.14 80"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.7.0     255.255.255.0   LAN

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_in in interface DMZ
access-list DMZ_access_in extended permit ip object stage_dmz any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: LAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Yes, it's the Implicit Rule blocking it. So, would I need to remove the LAN_access_out Access Group all together then? Since I cannot add anything to Access Group, at least via the ASDM GUI (it would get added to the LAN_access_in Group). I really wasn't expecting that behavior. I figured if it was disabled it was disabled. wow.

Thanks,

Ted

0 Helpful

Go to solution
August Ritchie
Level 1
Level 1
In response to tabiv

‎10-25-2010 03:24 PM

I would try adding a different access-list line to that configuration just temporarily so that you can edit it in ASDM. Of course if you don't want the access-list altogether, just take off that access-group or delete that line and you won't see any effects.

0 Helpful

Go to solution
tabiv
Level 1
Level 1

‎10-25-2010 03:53 PM

You guys are awesome! Thank you Mike and August!

That's exactly what the problem was. Access Group still had the Deny at then end, even though I disable the Access List in it. You can bet that's something I'll NEVER forget now.

I added the below rule to the LAN_access_out Rule and it works now:

     access-list LAN_access_out extended permit ip any any

I'm think I am going to leave it as permit ANY out, because I'll be locking it down for the LAN_access_in ACL anyway.

Since this is the first time I have posted here, I am not sure how the accepting answers goes (or if it matters). I am going to try accept the answers from both of you.

Thank you!

Ted

0 Helpful

Go to solution
Maykol Rojas
Cisco Employee
Cisco Employee
In response to tabiv

‎10-25-2010 04:13 PM

Please do, and we will be more than glad to help you further anytime

Cheers

Mike

Mike
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card