Solved: Re: Why I am able to connect when I have a access-list applied?

John Peterson · ‎04-12-2012

I have a site to site between two ASA one of the site Internet range is 16.0 and one is 12.0.

Both tunnels are up and there are able to communcaite.

The problem I have is a host on the 16.0 network is able to connect on port 25 i.e. smtp, to 192.168.12.247 but my access list which is applied on the inside interface in the input direction should block the packet.

access-list access_inside extended permit tcp 192.168.12.0 255.255.255.0 host 192.168.12.254 eq smtp

access-list access_inside extended permit tcp 192.168.12.0 255.255.255.0 host 192.168.12.256 eq smtp

access-list access_inside extended permit tcp host 192.168.12.254 any eq smtp

access-list access_inside extended permit tcp host 192.168.12.258 any eq smtp

access-list access_inside extended deny tcp any any eq smtp

access-list access_inside extended permit ip any any

access-group access_inside in interface inside

Any thoughts would be appreciated.

Thanks

Jouni Forss · ‎04-12-2012

Hi,

I'll write below a simple example using your networks and blocking STMP connections from site

Site 1

Network: 192.168.12.0/24
Lan interface nameif = inside
Lan interface access-list = INSIDE-IN

Site 2

Network: 192.168.16.0/24
Lan interface nameif = inside
Lan interface access-list = INSIDE-IN

Other information

All traffic allowed from Site1 to Site2
SMTP traffic from Site2 to Site1 network denied
All other SMTP traffic from Site2 allowed

The configuration would be the following

Site1

access-list INSIDE-IN remark Allow all traffic from Site1 to Site2

access-list INSIDE-IN permit ip 192.168.12.0 255.255.255.0 192.168.16.0 255.255.255.0

access-group INSIDE-IN in interface inside

Site2

access-list INSIDE-IN remark Deny all SMTP traffic from Site2 to Site1

access-list INSIDE-IN deny tcp 192.168.16.0 255.255.255.0 192.168.12.0 255.255.255.0 eq smtp

access-list INSIDE-IN remark Allow all other SMTP traffic from Site2

access-list INSIDE-IN permit tcp 192.168.16.0 255.255.255.0 any eq smtp

access-group INSIDE-IN in interface inside

So as the above configuration shows, the situation is very simple.

Site1 can initiate any connection to Site2
Site2 SMTP connections towards Site1 are blocked
All other SMTP connections from Site2 is allowed

As both sites access-list are attached to inside interfaces in the direction "in" they are ONLY APPLIED to traffic thats beeing initiated from a network behind the INSIDE interface TOWARDS the INSIDE interface. The access-list have absolutely nothing to do with the traffic arriving through the VPN to the local LAN network.

If the direction of the applied access-list would be in the direction of "out" it would mean that the access-list was watching traffic thats headed towards the local LAN. In other words the traffic was headed out of the interface INSIDE.

- Jouni

View solution in original post

Jouni Forss · ‎04-12-2012

Hi,

Did I understand this right?

You have 2 sites with ASA firewalls
Their LAN networks are: 192.168.12.0/24 and 192.168.16.0/24?
You want to block SMTP traffic from 192.168.16.0/24 to 192.168.12.0/24?

If this correct I dont understand your access-lists

In the above access-list makes it seem you are blocking the traffic on the wrong sites ASA?

Shouldnt the 192.168.16.0/24 sites ASA have an access-list looking something like this? (just some example lines)

access-list access_inside remark Deny SMTP traffic to the Remote Site

access-list access_inside extended deny tcp 192.168.16.0 255.255.255.0 host 192.168.12.0 255.255.255.0 eq smtp

access-list access_inside remark Permit all other SMTP traffic (Public Servers)

access-list access_inside extended permit tcp any any eq smtp

Also if I have missunderstood somehow there is also one setting that might affect the situation.

The ASA has a global setting that will make it so that OUTSIDE access-lists wont be applied to VPN traffic. In other words all traffic coming from a remote site wont care what you have on your OUTSIDE interface access-list

The command format in ASA 8.4 software is

sysopt connection permit-vpn

This will let the traffic pass the outside interface access-list rules) (It wont show on your running configuration as its the default setting

To make VPNs use the OUTSIDE interface access-lists it would mean you have to issue the command:

no sysopt connection permit-vpn

- Jouni

John Peterson · ‎04-12-2012

Hi Jouni,

Sorry I should have explained better and my access-list were incorrect.

Did I understand this right?

You have 2 sites with ASA firewalls - Yes
Their LAN networks are: 192.168.12.0/24 and 192.168.16.0/24? - Yes
You want to block SMTP traffic from 192.168.16.0/24 to 192.168.12.0/24? - No...

access-list access_inside extended permit tcp 192.168.13.0 255.255.255.0 host 192.168.12.254 eq smtp

access-list access_inside extended permit tcp 192.168.13.0 255.255.255.0 host 192.168.12.256 eq smtp

access-list access_inside extended permit tcp host 192.168.12.254 any eq smtp

access-list access_inside extended permit tcp host 192.168.12.258 any eq smtp

access-list access_inside extended deny tcp any any eq smtp

access-list access_inside extended permit ip any any

access-group access_inside in interface inside

The above access-list are applied to the inside interface for when packets are entering the network. From the access-list above all networks from the 13.0 are able to connect to the 12.254 and 12.256 on port 25. Also any device is able to connect to 12.254 and 12.258 also on port 25 and then any other packets which have a desti port of 25 should be dropped.

The problem I have is I have a remote site, internal network 192.168.16.0 who is able to connect to 192.168.12.247 on port 25. Which should be dropped by this access-list 'access-list access_inside extended deny tcp any any eq smtp'

Is the inside interface access-list not applied to traffic which is from a tunnel? The outside access-list have not affect as the traffic is tunneled in. But as the packets are going to the inside interface the access-list should kick in.

Jouni Forss · ‎04-12-2012

Hi,

Your inside access-list is applied to "in" direction. This means it only applies to traffic initiated from behind that interface, towards that interface.

I assume the access-list you have showed here is from the ASA at the site where the server is. That means the access-list doesnt apply to the traffic coming from the outside interface. (From where the actual SMTP connections from network 192.168.16.0/24 are coming from)

For the traffic coming from the VPN tunnel you have to do one of these things:

Deny the traffic in question directly at the remote sites ASAs inside interface access-list thats attached to the inside interface in direction "in". This is the easiest way to do it.
Use the "no sysopt connection permit-vpn" (or abit different format in older software) to make it so that all VPN traffic coming from your ASAs outside interface has to go trough the outside access-list rules. This might be an easy solution IF you have only few VPN connections since using this setting means you have to open holes to the access-list for every connection taken from behind any VPN connection.
Create a VPN filter ACL that you will attach to the L2L VPN Connection on one of the ASAs. L2L VPN filter list is abit different from the typical interface access-list so I wouldnt suggest this as a first choice. It also isnt as flexible as the 2 previous options.

So i would suggest that you block the SMTP traffic right at the source. And that would be the remote sites ASAs inside interface. This would block the traffic when the SMTP connection attempt from comes from that ASAs local network. It wouldnt even reach the SMTP servers site.

- Jouni

John Peterson · ‎04-12-2012

JouniForss wrote:

Hi,

Your inside access-list is applied to "in" direction. This means it only applies to traffic initiated from behind that interface, towards that interface.

I assume the access-list you have showed here is from the ASA at the site where the server is. That means the access-list doesnt apply to the traffic coming from the outside interface. (From where the actual SMTP connections from network 192.168.16.0/24 are coming from)

Yes traffic is comming from the 16.0 network which is connecting to the email server. As the access-list is applied in the 'in' direction when packets are coming into the interface surly the 'access-group access_inside in interface inside' cmd will check ALL packets coming into the inside interface whether is be from VPN of outside?

The VPN tunnel would bypass the outside access-list as the traffic is tunneled in, but once the packet is inside the firewall the inside interface access-list should block the packet.

This is one of our sites we have and while I understand I would filter traffic from the site to site access-list list I would have to do this for all the sites and I would have thought that having and access-list applied on the inside interface would filter all traffic based on the rules.

Jouni Forss · ‎04-12-2012

Hi,

I'll write below a simple example using your networks and blocking STMP connections from site

Site 1

Network: 192.168.12.0/24
Lan interface nameif = inside
Lan interface access-list = INSIDE-IN

Site 2

Network: 192.168.16.0/24
Lan interface nameif = inside
Lan interface access-list = INSIDE-IN

Other information

All traffic allowed from Site1 to Site2
SMTP traffic from Site2 to Site1 network denied
All other SMTP traffic from Site2 allowed

The configuration would be the following

Site1

access-list INSIDE-IN remark Allow all traffic from Site1 to Site2

access-list INSIDE-IN permit ip 192.168.12.0 255.255.255.0 192.168.16.0 255.255.255.0

access-group INSIDE-IN in interface inside

Site2

access-list INSIDE-IN remark Deny all SMTP traffic from Site2 to Site1

access-list INSIDE-IN deny tcp 192.168.16.0 255.255.255.0 192.168.12.0 255.255.255.0 eq smtp

access-list INSIDE-IN remark Allow all other SMTP traffic from Site2

access-list INSIDE-IN permit tcp 192.168.16.0 255.255.255.0 any eq smtp

access-group INSIDE-IN in interface inside

So as the above configuration shows, the situation is very simple.

Site1 can initiate any connection to Site2
Site2 SMTP connections towards Site1 are blocked
All other SMTP connections from Site2 is allowed

As both sites access-list are attached to inside interfaces in the direction "in" they are ONLY APPLIED to traffic thats beeing initiated from a network behind the INSIDE interface TOWARDS the INSIDE interface. The access-list have absolutely nothing to do with the traffic arriving through the VPN to the local LAN network.

If the direction of the applied access-list would be in the direction of "out" it would mean that the access-list was watching traffic thats headed towards the local LAN. In other words the traffic was headed out of the interface INSIDE.

- Jouni

John Peterson · ‎04-16-2012

Hi Jouni,

Sorry for the delay, you are abolustly right, after thinking about it I was thinking the VPN traffic came from the inside, but its from the outside. The traffic comes from the outside and therefore the access-list would need to be applied on the inside to deny the remote subnet.

Thank you.