ASA ACL question
I'm new to the ASA and am trying to understand something about ACLs. I think I understand how they are created, that entries are added one line at a time and that all entries of one ACL have to share the same name, but I'm confused about ACLs that already exist on a device under a different name, or that may be named differently.
For example:
access-list Corporate1 permit tcp any any eq www
access-list Corporate1 permit tcp any any eq https
access-list Inside_Out permit ip any any
access-group Corporate1 in interface outside
Ignoring the content for the moment, I have 2 ACLs: one with 2 entries and one with a single entry. The ACL Corporate1 is applied inbound on the outside interface and is active. I get this part... My question is: is the ACL Inside_Out automatically grouped in with the applied ACL and therefore active as well, or is it safe to say it is not active and can be removed without causing damage? Does the access-group only activate the ACL with the same name, Corporate1?
I have 2 different people telling me two different things. I'm lost on this one; any help would be greatly appreciated.
-Jon
Working with ACLs always involves two steps:
- You configure the ACL (possibly with multiple lines, all under the same name).
- You assign the ACL to a function. That might be filtering on an interface with access-group, but it is not limited to that; an ACL is used in several places where the ASA has to match traffic.
If you did both 1) and 2), then the ACL is active and currently in use. If you have only configured the ACL but never assigned it to a function, then the ACL is not active and can be removed.
In your example:
If you find the ACL 'Inside_Out' but don't know whether it is used, then do a
sh run | inc Inside_Out
If the output shows only the ACL lines, it is unused and can be removed with
clear configure access-list Inside_Out
Or, if it is not used but should be, then apply the ACL for the desired purpose.
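Mechanising that check, as an added example that is not part of the thread: a short Python script reads a running-config, treats every line that is not itself an 'access-list NAME ...' definition as a potential binding (access-group, crypto map match address, class-map match, and so on), and lists the ACLs that nothing references. SAMPLE_CONFIG is constructed to mirror the question; it is not a capture from a real device.

```python
"""Audit an ASA running-config for ACLs that are defined but never bound.

Added example, not code from the original thread. It mechanises the
"sh run | inc NAME" check: an ACL whose name appears only on its own
access-list lines has no function assigned and is therefore inactive.
"""
import re

# Constructed sample running-config (not captured from a real device). It
# mirrors the thread: Corporate1 is bound with access-group, Inside_Out is not.
# A crypto-map ACL is included to show that access-group is not the only binding.
SAMPLE_CONFIG = """
access-list Corporate1 extended permit tcp any any eq www
access-list Corporate1 extended permit tcp any any eq https
access-list Inside_Out extended permit ip any any
access-list outside_cryptomap_60 extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-group Corporate1 in interface outside
crypto map outside_map 60 match address outside_cryptomap_60
"""

ACL_DEF = re.compile(r"^\s*access-list\s+(\S+)\s")


def acl_usage(config_text):
    """Map each ACL name to the config lines that reference it.

    Only lines that are not themselves 'access-list NAME ...' definitions
    count as references, which is what a human does when reading the
    output of 'sh run | inc NAME'.
    """
    lines = [line.strip() for line in config_text.splitlines() if line.strip()]
    names = set()
    for line in lines:
        m = ACL_DEF.match(line)
        if m:
            names.add(m.group(1))
    refs = {name: [] for name in names}
    for line in lines:
        if ACL_DEF.match(line):
            continue  # the definition itself is not a use
        for name in names:
            # whole-token match so that 'Inside_Out' does not hit 'Inside_Out2'
            if re.search(rf"(?<![\w-]){re.escape(name)}(?![\w-])", line):
                refs[name].append(line)
    return refs


def unused_acls(config_text):
    """Names of ACLs that nothing in the config binds (candidates for removal)."""
    return sorted(name for name, refs in acl_usage(config_text).items() if not refs)


def removal_commands(config_text):
    """The 'clear configure access-list NAME' command for each unused ACL."""
    return [f"clear configure access-list {name}" for name in unused_acls(config_text)]


if __name__ == "__main__":
    for name, refs in sorted(acl_usage(SAMPLE_CONFIG).items()):
        print(f"{name}: {'bound by ' + '; '.join(refs) if refs else 'UNUSED'}")
    print("\n".join(removal_commands(SAMPLE_CONFIG)))
```

Feed it the text of 'show running-config'. ACLs with purely numeric names need a manual look at the reported lines, because a bare number can also match a port or sequence value; the 'sh run | inc NAME' check has the same caveat.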
Tags: Cisco Security
Similar Questions
-
ASA "route inside 0 0 192.168.1.1 tunneled" interface ACL question
Hello
Small question around the route inside 0.0.0.0 0.0.0.0 192.168.1.2 tunneled command.
Do you need to add u-turn traffic to the interface ACLs (for example internet-bound http traffic), or does 'same-security-traffic permit intra-interface' negate the need for this?
So if my remote-access VPN pool on the outside is 10.1.1.0/24, should I add inbound permit statements for 10.1.1.0/24 on my inside interface?
Thank you
same-security-traffic permit intra-interface allows in-then-out traffic on a single interface.
An inbound permit statement for 10.1.1.0/24 in the ACL allows (out-then-in) traffic on a single interface, but you must disable the RPF check.
-
I have a few ACL questions. I'm not clear on the source address and the destination address in the following cases.
Case 1
My WAN1 IP is 1.1.1.1, my FTP server is 192.168.1.2 port 23.
If I access FTP from the internet using ftp://1.1.1.1:23, what are the source and destination IPs of my ACL? Is 1.1.1.1 the source? Is the destination 192.168.1.2? Or any?
Internet - (outside 1.1.1.1) ASA (inside 192.168.1.1) - FTP (192.168.1.2)
Case 2
My WAN1 is still 1.1.1.1 and FTP is 192.168.1.2 port 23.
If I use ftp://1.1.1.1:8023 for internet FTP access, what are the ACL source and destination IP addresses?
I tested both cases with source = any and destination = any, and everything is OK.
But I'm confused. I still think the source address is the WAN1 IP.
Hello
You access the FTP server from the Internet and most likely you won't know what IP address you will be sourcing from. In this case your source IP address will be any. If you know the IP address on the Internet that will access your FTP server, then you specify it as the source. Your access list will be as follows:
access-list 100 extended permit tcp any host 1.1.1.1 eq 21
access-list 100 extended permit tcp any host 1.1.1.1 eq 20
or
access-list 100 extended permit tcp x.x.x.x y.y.y.y host 1.1.1.1 eq 21
access-list 100 extended permit tcp x.x.x.x y.y.y.y host 1.1.1.1 eq 20
(if you know the network or host that will have ftp access)
You must also make sure that you have configured static NAT and inspection for the requests to your FTP server.
Thank you
John
-
Cisco ASA.
For example, I have the subnet 192.168.0.0/16 in the split-tunnel ACL. I need to make an exception to remove 192.168.89.0/24 from the ACL CE-tunnel - what is the best way to do it?
Hi rioneljeudy,
You can restrict the subnets in the ACL used for split tunneling, for example change the /16 to something more specific, or apply a VPN filter policy. See an example at the following link:
It may be useful.
-Randy-
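A concrete way to carry out the "change the /16 to something more specific" suggestion, as an added example that is not from the thread or from Cisco: compute the prefixes that cover 192.168.0.0/16 except 192.168.89.0/24 and emit them as standard ACL lines. The ACL name SPLIT_TUNNEL is a placeholder; the function is general and accepts any number of exclusions, so it goes beyond the single /24 in the question.

```python
"""Carve an exception out of a split-tunnel prefix.

Added example, not from the original thread. 192.168.0.0/16 minus
192.168.89.0/24 becomes the set of prefixes that cover everything else,
emitted as standard ACL lines. The ACL name SPLIT_TUNNEL is a placeholder.
"""
import ipaddress


def carve_out(covering, exclusions):
    """Return the minimal sorted list of networks equal to `covering` minus every
    prefix in `exclusions`. CIDR blocks are either nested, equal or disjoint, so
    each exclusion either drops a block, splits a block, or leaves it alone."""
    remaining = [ipaddress.ip_network(covering)]
    for excl in (ipaddress.ip_network(e) for e in exclusions):
        next_round = []
        for net in remaining:
            if net.subnet_of(excl):
                continue  # block entirely inside the exclusion: drop it
            if excl.subnet_of(net):
                next_round.extend(net.address_exclude(excl))  # split around excl
            else:
                next_round.append(net)  # disjoint: keep as is
        remaining = next_round
    return sorted(remaining)


def split_tunnel_acl(name, covering, exclusions):
    """Standard ACL lines (the form split-tunnel-network-list uses) for the carved set."""
    return [
        f"access-list {name} standard permit {net.network_address} {net.netmask}"
        for net in carve_out(covering, exclusions)
    ]


def is_tunneled(covering, exclusions, ip):
    """Would traffic to `ip` be sent into the tunnel under the carved ACL?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in carve_out(covering, exclusions))


if __name__ == "__main__":
    for line in split_tunnel_acl("SPLIT_TUNNEL", "192.168.0.0/16", ["192.168.89.0/24"]):
        print(line)
```

Excluding one /24 from a /16 takes eight lines (one sibling block per prefix length from /17 to /24), which is why the carve-out is worth generating rather than writing by hand.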
-
Hello
I have a hub-and-spoke IPSec VPN topology using a Cisco ASA as the hub and PIX 506Es as the spokes.
Two of the spokes also have an IPSec VPN between them.
The hub site connects to a WAN.
The two spoke sites have the following ranges:
Spoke 1 = 10.154.10.0/24
Spoke 2 = 10.156.10.0/24
Hub site = 10.8.0.0/24 - but it also connects to all other addresses in the 10.0.0.0/8 range over a back-end WAN connection.
I was looking for a 'nice' way to configure the crypto ACLs so that traffic between spokes 1 and 2 would go direct and everything else in 10.0.0.0/8 would go through the hub site, rather than trying to list all the subnets in 10.0.0.0/8 except 10.156.10.0/24 & 10.154.10.0/24 in an ACL.
If I order the crypto maps on the spokes so that the most specific one is first (the spoke-to-spoke map), and then a crypto map to 10.0.0.0/8 for the hub second, would that work?
So on spoke 1:
!
access-list to-spoke-2 permit ip 10.154.10.0 255.255.255.0 10.156.10.0 255.255.255.0
access-list to-hub permit ip 10.154.10.0 255.255.255.0 10.0.0.0 255.0.0.0
!
crypto map outside_map 100 ipsec-isakmp
crypto map outside_map 100 match address to-spoke-2
crypto map outside_map 100 set peer 1.2.3.4
crypto map outside_map 100 set transform-set standard
crypto map outside_map 200 ipsec-isakmp
crypto map outside_map 200 match address to-hub
crypto map outside_map 200 set peer 8.9.10.11
crypto map outside_map 200 set transform-set standard
!
Any thoughts?
Yes, that ordering is absolutely supported. Well... I forgot about 'deny' entries in the crypto ACL.
-
Inbound and outbound ACL question
I want to restrict inbound and outbound traffic with access-lists on my PIX 515. Maybe this is a stupid question, but I don't know how the PIX ACL handles the directions of traffic. Let's say I permit inbound ntp traffic from the outside to an inside host in inbound_acl; do I also need to open the ntp port in outbound_acl to pass the ntp response?
Is it the same for the other direction (traffic originating inside)?
Thanks for any response.
Hello
If you open the NTP port from outside to the inside host, the PIX will maintain this session state and will let the return traffic from the inside host through. The default is no outbound ACL (equivalent to an inbound ACL on the inside interface). The stateful inspection rule is the same for all directions/interfaces.
Thank you
Nadeem
-
VPN Concentrator to ASA VPN conversion question
I sent our VPN3k config to the CTA and converted it to ASA format. A major problem I see is that the concentrator has a group name (which is equivalent to a tunnel-group on the ASA) with spaces in it, and that does not work on the ASA. Our primary RA VPN group is 'All Staff'; in the converted config it's "All_Staff", and I guess that this is going to work for users with the existing VPN client configuration file.
Getting hundreds of users a new config file, or trying to explain how to fix this manually, is out of the question. Are there any other workarounds?
Thank you.
Try renaming the group to "All Staff" (including the quotation marks!)
so
tunnel-group "All Staff" type remote-access
HTH
Herbert
-
I plan to put this ACL on the inside interface to stop the following ports from going out to the 'net. I don't want to interrupt other IP traffic and was hoping for just a sanity check to make sure I have this right. I wouldn't want to break my inside interface.
access-list 130 deny tcp any any eq 135
access-list 130 deny udp any any eq 135
access-list 130 deny udp any any eq netbios-ns
access-list 130 deny udp any any eq netbios-dgm
access-list 130 deny tcp any any eq 138
access-list 130 deny tcp any any eq netbios-ssn
access-list 130 deny tcp any any eq 445
access-list 130 deny tcp any any eq 593
access-list 130 deny tcp any any range 3127 3199
access-list 130 permit ip any any
I don't know if I should put the "permit ip any any" at the end of the ACL or at the beginning.
The entry that permits any any must be placed at the end of the ACL, since the ACL is processed in order.
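To make the ordering point concrete, an added example that is not from the thread: a small first-match evaluator for the ACL above, run once with "permit ip any any" at the end and once with it moved to the top. The shadowed() check reports entries that an earlier line makes unreachable, which is exactly what the wrong order produces. Test packets use documentation addresses; the evaluator accepts the ASA address forms any, host A and A MASK.

```python
"""First-match evaluation of an ASA/PIX style ACL, plus a shadowing check.

Added example, not code from the original thread. ACL_PERMIT_LAST is the
ACL posted above; ACL_PERMIT_FIRST is the same entries with the permit
moved to the top, the order the reply warns against.
"""
import ipaddress

# Port names the ACL uses; the ASA resolves these to the same numbers.
NAMED_PORTS = {"www": 80, "https": 443, "netbios-ns": 137,
               "netbios-dgm": 138, "netbios-ssn": 139}

ACL_PERMIT_LAST = """
access-list 130 deny tcp any any eq 135
access-list 130 deny udp any any eq 135
access-list 130 deny udp any any eq netbios-ns
access-list 130 deny udp any any eq netbios-dgm
access-list 130 deny tcp any any eq 138
access-list 130 deny tcp any any eq netbios-ssn
access-list 130 deny tcp any any eq 445
access-list 130 deny tcp any any eq 593
access-list 130 deny tcp any any range 3127 3199
access-list 130 permit ip any any
"""

# Same entries with the permit moved to the top (the wrong order).
ACL_PERMIT_FIRST = "access-list 130 permit ip any any\n" + ACL_PERMIT_LAST.replace(
    "access-list 130 permit ip any any\n", "")


def _addr(tokens):
    """Consume one address spec (any | host A | A MASK) -> (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _ports(tokens):
    """Optional destination port operator -> (low, high), or None for any port."""
    if not tokens:
        return None
    if tokens[0] == "eq":
        p = NAMED_PORTS.get(tokens[1]) or int(tokens[1])
        return (p, p)
    if tokens[0] == "range":
        return (int(tokens[1]), int(tokens[2]))
    raise ValueError(f"unsupported port operator: {tokens[0]}")


def parse_acl(text):
    """Parse 'access-list NAME [extended] ACTION PROTO SRC DST [eq P | range A B]' lines."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list" or t[2] == "remark":
            continue
        rest = t[3:] if t[2] == "extended" else t[2:]
        action, proto = rest[0], rest[1]
        src, rest = _addr(rest[2:])
        dst, rest = _addr(rest)
        entries.append({"action": action, "proto": proto, "src": src, "dst": dst,
                        "dport": _ports(rest), "line": line.strip()})
    return entries


def evaluate(entries, proto, src, dst, dport):
    """The first matching entry decides; no match means the implicit deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if s not in e["src"] or d not in e["dst"]:
            continue
        if e["dport"] and not e["dport"][0] <= dport <= e["dport"][1]:
            continue
        return e["action"], e["line"]
    return "deny", "implicit deny at end of ACL"


def _covers(outer, inner):
    """True when port range `outer` (None = any port) includes `inner`."""
    return outer is None or (inner is not None and outer[0] <= inner[0] and inner[1] <= outer[1])


def shadowed(entries):
    """Entries that can never match because an earlier entry already covers them."""
    dead = []
    for i, e in enumerate(entries):
        for prev in entries[:i]:
            if (prev["proto"] in ("ip", e["proto"]) and e["src"].subnet_of(prev["src"])
                    and e["dst"].subnet_of(prev["dst"]) and _covers(prev["dport"], e["dport"])):
                dead.append(e["line"])
                break
    return dead


if __name__ == "__main__":
    for label, text in (("permit last", ACL_PERMIT_LAST), ("permit first", ACL_PERMIT_FIRST)):
        acl = parse_acl(text)
        print(label, "-> tcp/445:", evaluate(acl, "tcp", "10.0.0.5", "203.0.113.9", 445))
        print(label, "-> shadowed entries:", len(shadowed(acl)))
```

With the permit first, every deny line is shadowed and tcp/445 goes through; with it last, the denies are hit in order and only the remaining traffic reaches the permit.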
-
Hey everybody! I've currently run into a problem. I have set up RDP for a client and it works when we reach the WAN IP on port 3389. However, it works for everyone and not only for our network (we're an ISP with a /23 network that we work from on the desktop). I want only our network to be able to remote control the server we have put in place at the client's site.
This is the ACL I have set up on the WAN interface using "ip access-group 100 in", but it does not work, and I don't really know why. It should let us in, then block everyone else. Any idea why it's not working? When I apply it, no one can remote onto this server.
access-list 100 permit tcp X.X.X.X 0.0.1.255 host 192.168.1.4 eq 3389
access-list 100 deny tcp any any eq 3389
access-list 100 permit ip any any
What is the subnet configured on the WAN?
What address of the RDP server is used to connect?
A private IP address or a public one?
Try replacing 192.168.1.4 with the public IP.
Kind regards.
-
I'm installing and configuring an RVS4000 for a friend and wanted to check my understanding of the firewall section.
By default the firewall allows traffic from any source to any destination, including the WAN. I realize that with NAT this isn't a huge concern / shouldn't be an issue... but I tend to prefer the strictest settings over the more flexible ones. I wanted to make sure that it permits outbound traffic initiated internally and drops inbound external traffic, so I created the rules shown in the attachment. Am I looking at this properly? Does the firewall ACL section implement a stateful firewall, or is it a pure ACL where the last WAN rule is required for return traffic that is already in the NAT table?
If someone could help me clear up this one small detail I would greatly appreciate it.
Thanks in advance.
The ACL is just that, an ACL. The rules you have are fine; the difference between your implementation and the default is that you explicitly deny traffic, which is not a bad idea. On that note, this does not mean that traffic was explicitly allowed before (default configuration).
Before you create any rules, a "deny any" is already in place but not displayed. This is typical for small business and consumer routers. The only thing I would change is the subnet; just make it "any."
I hope this helps.
-
Hi, I was able to migrate my VPN clients off the VPN Concentrator 3030 and onto the ASA 5520. The problem I have now is that the ASA sees these VPN clients coming from my external interface and they can't get to the DMZ, because I did the specific NAT and rules for inside. Is there a way to make the VPN client network look like it comes from the inside network?
You are welcome, Daniel.
Don't forget to rate the post and choose "solved my problem" for the one that was helpful and solved your problem.
Regards
-
Hello all, I have a problem with an IPSec tunnel and am still looking for what exactly the problem is. I have 2 ASAs, AAA.AA.AAA.A and BBB.BB.BBB.B, where BBB.BB.BBB.B has 2 interfaces, one on the LAN and another on a DSL modem. When there is no problem with the LAN the tunnel is ACTIVE, but when I switch over to the ADSL I get a few errors on the tunnel:
IP = AAA.AA.AAA.A, Received an un-encrypted INVALID_COOKIE notify message, dropping
IP = AAA.AA.AAA.A, Duplicate Phase 1 packet detected. Retransmitting last packet.
sh isakmp sa gives:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: AAA.AA.AAA.A
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG4
So the router is waiting for an ack that never comes; the packet is missing.
At both ends I cleared:
clear cry isa
clear cry ipsec
I checked that the peer addresses are correct; what is bothering me is the missing packet. I think that this packet is sent to the other interface, which is down, and so the other ASA cannot get the negotiation.
I will be grateful if anyone can help; I'll debug and sniff for it.
Here are the configs and a little isakmp debug information.
Router AAA.AA.AAA.A config:
access-list outside_cryptomap_60 extended permit ip object-group US-VPN object-group VPN-US
route outside 0.0.0.0 0.0.0.0 XXX.XX.XX.1 1
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer BBB.BBB.BB.B CC.CCC.C.CCC
crypto map outside_map 60 set transform-set ESP-AES-SHA
crypto map outside_map 60 set security-association lifetime seconds 28800
crypto map outside_map 60 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group BBB.BBB.BB.B type ipsec-l2l
tunnel-group BBB.BBB.BB.B ipsec-attributes
 pre-shared-key *
ASA BBB.BB.BBB.B:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer AAA.AA.AAA.A
crypto map outside_map 1 set transform-set ESP-3DES-SHA ESP-AES-SHA
crypto map outside_map interface outside
crypto map outside_map interface outsideadsl
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp enable outsideadsl
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp am-disable
debug crypto isakmp 127
Dec 28 11:58:01 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 28 11:58:01 [IKEv1]: IP = AAA.AA.AAA.A, IKE Initiator: New Phase 1, Intf inside, IKE Peer AAA.AA.AAA.A local Proxy Address 192.168.0.0, remote Proxy Address 192.167.0.0, Crypto map (outside_map)
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing ISAKMP SA payload
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing NAT-Traversal VID ver 02 payload
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing NAT-Traversal VID ver 03 payload
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing Fragmentation VID + extended capabilities payload
Dec 28 11:58:01 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148
Dec 28 11:58:01 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, processing SA payload
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Oakley proposal is acceptable
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, processing VID payload
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Received Fragmentation VID
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing ke payload
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing nonce payload
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing Cisco Unity VID payload
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing xauth V6 VID payload
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Send IOS VID
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing VID payload
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 28 11:58:01 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 28 11:58:07 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 28 11:58:07 [IKEv1]: IP = AAA.AA.AAA.A, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 28 11:58:09 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, processing SA payload
Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Oakley proposal is acceptable
Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, processing VID payload
Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Received Fragmentation VID
Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, processing IKE SA payload
Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 2
Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing ISAKMP SA payload
Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing Fragmentation VID + extended capabilities payload
Dec 28 11:58:09 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Dec 28 11:58:09 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 28 11:58:10 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 28 11:58:10 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 28 11:58:10 [IKEv1]: IP = AAA.AA.AAA.A, Received an un-encrypted INVALID_COOKIE notify message, dropping
Dec 28 11:58:10 [IKEv1]: IP = AAA.AA.AAA.A, Information Exchange processing failed
No degDec 28 11:58:12 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 28 11:58:12 [IKEv1]: IP = AAA.AA.AAA.A, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Don't know if that's the only issue, but to start you need a 'tunnel-group C.C.C.C' on ASA A.
If there is still a problem, post the debugs from both sides at the same time please.
Also, what software version are the ASAs running, and how do you simulate the failure on B's main interface? Is it possible that in your test A can still reach B through its main interface?
HTH
Herbert
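To read a debug capture like the one above more systematically, an added example that is not from the thread: it scans 'debug crypto isakmp' output per peer, counts Main Mode messages by their defining payload, and reports which step never completed, which is the reasoning behind the MM_WAIT_MSG4 state shown earlier. The sample capture is constructed (peer 203.0.113.10 is a documentation address, timestamps are made up) and reproduces the sequence in the post: SA sent and answered, KE+NONCE sent, the peer starting over with a fresh SA, then an unencrypted INVALID_COOKIE.

```python
"""Triage an ASA 'debug crypto isakmp' capture for a Main Mode Phase 1 that stalls.

Added example, not code from the original thread. It counts what was sent
and received per IKE peer and says which Main Mode step never completed.
Steps are classified by a heuristic on the payload list: KE+NONCE = MM3/MM4,
SA = MM1/MM2, NOTIFY = informational.
"""
import re

# Constructed sample (peer address and timestamps are made up); it reproduces the
# sequence seen in the post: SA sent and answered, KE+NONCE sent, then the peer
# starts over with a fresh SA and finally an un-encrypted INVALID_COOKIE arrives.
SAMPLE_DEBUG = """\
Dec 28 11:58:01 [IKEv1]: IP = 203.0.113.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 203.0.113.10 local Proxy Address 192.168.0.0, remote Proxy Address 192.167.0.0, Crypto map (outside_map)
Dec 28 11:58:01 [IKEv1]: IP = 203.0.113.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148
Dec 28 11:58:01 [IKEv1]: IP = 203.0.113.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = 203.0.113.10, Oakley proposal is acceptable
Dec 28 11:58:01 [IKEv1]: IP = 203.0.113.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 28 11:58:09 [IKEv1]: IP = 203.0.113.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Dec 28 11:58:09 [IKEv1]: IP = 203.0.113.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Dec 28 11:58:09 [IKEv1]: IP = 203.0.113.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 28 11:58:10 [IKEv1]: IP = 203.0.113.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 28 11:58:10 [IKEv1]: IP = 203.0.113.10, Received an un-encrypted INVALID_COOKIE notify message, dropping
"""

LINE = re.compile(r"^\w{3} +\d+ [\d:]+ \[IKEv1(?: DEBUG)?\]: IP = (?P<peer>[\d.]+), (?P<msg>.*)$")
DECODE = re.compile(r"IKE_DECODE (?P<dir>SENDING|RESENDING|RECEIVED) Message \(msgid=\w+\) "
                    r"with payloads : HDR \+ (?P<payloads>.*?) \+ NONE \(0\)")


def classify(payloads):
    """Name the Main Mode step by its defining payload: KE (MM3/4), SA (MM1/2), NOTIFY."""
    names = {p.split(" ")[0] for p in payloads.split(" + ")}
    for key in ("KE", "SA", "NOTIFY", "ID", "HASH"):
        if key in names:
            return key
    return "OTHER"


def _new_peer():
    return {"sent": {}, "received": {}, "resends": 0, "unencrypted_notifies": 0,
            "peer_restarted_phase1": False, "verdict": ""}


def verdict(p):
    """One-line reading of the counters for a single peer."""
    if p["sent"].get("KE") and not p["received"].get("KE"):
        v = "stuck in MM_WAIT_MSG4: MM3 (KE+NONCE) was sent but no MM4 ever arrived"
        if p["peer_restarted_phase1"]:
            v += "; the peer answered with a fresh MM2, so it never saw our MM3"
        return v
    if p["received"].get("KE"):
        return "Main Mode got past MM4"
    return "Phase 1 did not get past the SA exchange"


def summarize(debug_text):
    """Per-peer counts of Main Mode messages, resends and unencrypted notifies, plus a verdict."""
    peers = {}
    for line in debug_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        p = peers.setdefault(m["peer"], _new_peer())
        d = DECODE.search(m["msg"])
        if d:
            step = classify(d["payloads"])
            if d["dir"] == "RESENDING":
                p["resends"] += 1
            else:
                bucket = "sent" if d["dir"] == "SENDING" else "received"
                p[bucket][step] = p[bucket].get(step, 0) + 1
                # a fresh SA from the peer after we already sent KE means it restarted Phase 1
                if bucket == "received" and step == "SA" and p["sent"].get("KE"):
                    p["peer_restarted_phase1"] = True
        elif "un-encrypted" in m["msg"] and "notify" in m["msg"]:
            p["unencrypted_notifies"] += 1
    for p in peers.values():
        p["verdict"] = verdict(p)
    return peers


if __name__ == "__main__":
    for peer, info in summarize(SAMPLE_DEBUG).items():
        print(peer, info)
```

On the constructed capture the verdict is the MM_WAIT_MSG4 case with a Phase 1 restart by the peer, which is consistent with the poster's theory that MM3 is leaving on a path the peer never sees; the counters are what you would compare against the debugs from the other side.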
-
Hello
I have an ASA 5501.
I need to:
limit traffic on an interface (a class C subnet) during certain hours.
Currently I do it through a 2611 router with rate-limit commands... ACL..., but I cannot do it on a schedule; I just have a "fixed" limit.
Any idea?
Thank you
Mauro
You can use the class-map command to match the traffic in your ACL, to identify the traffic for the QoS policies.
class-map map_name
 match access-list acl_name
This link should help.
Thank you
Chad
Please rate if this helps.
-
Hello
I'm trying to put an ACL on a group policy for my IPsec LAN-to-LAN VPN.
My ACL does not work and blocks all traffic.
Since it does not work with the ACLs on the group policy, I put an ACL on the inside interface, but it does not match.
To match, I have to put a deny any any before a permit.
Thank you
Hello
The main problem when configuring IPSec filters is that people set them up backwards. You must specify the inbound traffic you want to allow or deny.
Here is the document that explains how to configure filters. Take a look, and if you have any problems, please post your VPN configuration.
Have fun.
Raga
-
SMTP error sending reports by e-mail - not your usual ACL question
APEX 4.2.5.00.08
Oracle REST Data Services 2.0.9
Recently we changed our architecture around a bit for APEX. Previously we used the Oracle HTTP Server on the same host as the database. Now we have moved the 'web' part of APEX to another server using ORDS with Apache Tomcat. Under the old configuration we were able to send emails without any problem. However, when we try to do so under the new configuration, we get the following SMTP error stack:
ORA-29279: SMTP permanent error: 503 #5.3.3 AUTH is not available
I would have thought that email would still go out from the database server in the new configuration, but perhaps that's wrong.
1. The ACL has been created:
begin
  mailserver_acl(
    'mailserver_acl.xml',
    'ACL for mail server used to connect',
    'APEX_040200',
    TRUE,
    'connect',
    'MAILHOST',
    null);
end;
/
select host, acl
from dba_network_acls
where acl like '%mailserver_acl.xml';
HOST      ACL
mailhost  /sys/acls/mailserver_acl.xml
2. I am able to send an email successfully by telnet to port 25 on *this* host, and to send emails directly from the command-line interface.
3. I am able to send successfully from the database using the PL/SQL interface.
Any ideas?
Thank you
-Joe
When you configured the new application server, you MUST have reconfigured APEX, correct? So you may have apex_mail settings that are not the same as in the old installation.
Thank you
Tony Miller
LuvMuffin Software
Ruckersville, VA