ASA: understanding ACLs

I'm trying to configure a VPN. Installation is easy, but the ACL can be quite difficult to get working properly if something is missing. It seems that I can ping and access my server network. I can access and ping my main switch with no problems. Anything past that I can't reach, ping or access.

I went as far as creating a standard ACL and an extended one, and it won't work.

What is missing to make this work properly?

Assuming that the network you are trying to access is connected to the ASA's inside interface.

So if you run the command "sh run nat", you should see a NAT exemption statement like the following:

nat (inside) 0 access-list <acl-name>

In that access list, you must add a line that permits source: the network behind the main switch that you are trying to reach, destination: the VPN IP pool subnet.

And on your main switch, if the ASA is not its default gateway, you need to add a route for the VPN IP pool subnet pointing to the ASA.

Hope that helps.
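The NAT exemption and the switch route described in the answer above, written out as an added example (not configuration from the original thread). All addresses, names and the inside/outside interface layout are assumed; the NAT syntax is the pre-8.3 "nat (inside) 0 access-list" form the answer refers to.

```cisco
! Added example, not from the original thread. Assumed addressing:
!   ASA inside interface        10.10.0.1/24   (server network, directly connected)
!   main switch (L3, SVI)       10.10.0.2      (routes 10.20.0.0/24 behind it)
!   network behind the switch   10.20.0.0/24
!   remote-access VPN pool      192.168.200.0/24

ip local pool VPN_POOL 192.168.200.1-192.168.200.254 mask 255.255.255.0

! NAT exemption: one line per inside network the VPN users must reach.
! The server network already works because it is directly connected;
! the 10.20.0.0/24 line is the one that is typically missing.
access-list NONAT extended permit ip 10.10.0.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list NONAT extended permit ip 10.20.0.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list NONAT

! The ASA itself must know that 10.20.0.0/24 lives behind the switch.
route inside 10.20.0.0 255.255.255.0 10.10.0.2

! On the main switch (IOS), only if the ASA is NOT its default gateway:
!   ip route 192.168.200.0 255.255.255.0 10.10.0.1

! Verification from the ASA before touching clients:
!   show run nat
!   show route
!   packet-tracer input inside icmp 10.20.0.10 8 0 192.168.200.5
```

The packet-tracer call simulates the return path (a host behind the switch answering a VPN client); if it fails in the NAT phase, the NONAT line is wrong, and if it fails in the route lookup, the "route inside" line is missing.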

Tags: Cisco Security

Similar Questions

  • Need help understanding ACLs and security levels

    I use static NAT (nat (inside,outside) static interface) between a single inside host and the DHCP address used on the outside interface. The inside interface has security level 100 and the outside has security level 0. My understanding is that for stateful connections I wouldn't need an ACL. However, nothing works unless I set up an ACL (for example, right now I have a global permit rule). What am I missing?

    Even if you have the line marked 'inactive', you still have the access list applied on the interface, which by default will have the implicit "deny ip any any" at the end of the access list, even though your existing line is 'inactive'.

    To remove the access list from the inside interface completely, you must remove the following line:

    access-group inside_access_out out interface inside

  • ASA 5510 firewall ACL hit counts

    I have a simple question, but I'm having a hard time getting an answer. When you run show access-list on the ASA 5510 there is a hit count for each entry. I know what that is, but I want to know: is there a default timer that clears the hit counts? Or does the hit count stay until I clear the counters? I'm trying to clean up ACLs, and for future troubleshooting I would like to know. I don't want to remove an ACL entry with a hit count of 0 and then find out it was necessary.

    The counters stay until one of two things happens: you clear them manually or you reboot the device. There is no timer that clears the counters. Usually we clear the counters, let it run for a month or so, and then clean up.

    Hope that helps.
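The clean-up workflow from the answer above, as an added example (not commands from the original thread). The ACL name OUTSIDE_IN and the entry removed at the end are assumed.

```cisco
! Added example, not from the thread. ACL name and the sample entry are assumed.
! Counters persist until cleared by hand or until the box reloads, so open the
! observation window by zeroing them and recording the uptime.
clear access-list OUTSIDE_IN counters
show version | include up

! ... let production traffic run for a month or so, then confirm the box has
! not reloaded in between (uptime must be longer than the window):
show version | include up
show access-list OUTSIDE_IN | include hitcnt=0

! A hitcnt=0 entry can still be needed (quarterly batch jobs, DR tests,
! entries marked inactive also read 0). Confirm with the owner, then remove
! the full ACE rather than just the line number:
no access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 3389
```

Checking uptime at both ends of the window is the caveat the answer implies: a reload silently resets every counter to zero, which would make a busy entry look unused.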

  • Problem with Cisco ASA and downloadable ACLs

    Hi all

    Can someone shed some light on how to configure ACS for user-based downloadable ACLs?

    We use TACACS for remote access user authentication.

    Do I need any config on the ASA, or should I just set up the authorization policy element / profile and link it to the user profile?

    Thanks in advance

    Configuration example.

  • Site-to-site VPN ASA 5505 - allow only established traffic

    Hello

    I have an IKEv1/IPsec tunnel between two ASAs.

    Local network: 10.31.0.0/16

    Remote network: 172.21.0.0/24

    But I would like only traffic initiated from 10.31.0.0/16 to be allowed to 172.21.0.0/24, and not from 172.21.0.0/24 to 10.31.0.0/16. Is that possible?

    (so that replies to 10.31.0.0/16 are allowed back from the remote network 172.21.0.0/24)

    Best regards, Steffen.

    Hello

    If I understood the question correctly, then I think you could do the following on the ASA with the local network 10.31.0.0/16.

    The ASA has the following global configuration, which is the default if you have not changed it:

    sysopt connection permit-vpn

    This does not show in the running configuration because it is the default setting.

    You can check it with the command

    show run all sysopt

    This lists even the default settings.

    What this configuration essentially means is: allow ALL traffic that comes in through a VPN connection to bypass the ASA interface ACL. So in your case, at the site of the ASA with the network 10.31.0.0/16, the ASA would allow connections coming in from the other site's network 172.21.0.0/24 (as long as they were permitted by the other site's ASA LAN interface ACL).

    What you could do is insert the following configuration:

    no sysopt connection permit-vpn

    What this does is require you to ALLOW ALL traffic that comes in through the VPN connection on the 'outside' interface ACL of the ASA (which I assume is the name of the interface that currently handles the VPN connections). In other words, the VPN traffic would no longer get a "free pass" through the 'outside' interface ACL; instead you must permit it like all other traffic from the Internet.

    If you decide to do this, you MUST CONSIDER the following. If you have other VPN connections, such as other L2L VPNs or VPN clients, THEN you must first permit their traffic in your 'outside' interface ACL, from the ASA to the LAN. If you do not do this and insert the configuration above, you will notice that their traffic starts getting blocked by the 'outside' interface ACL (or, if you don't have an ACL configured, the ASA's 'security level' will naturally block the traffic in the same way an ACL would).

    So if we assume that the L2L VPN is the only VPN you have configured on the ASA with 10.31.0.0/16, then the following would change:

    • Hosts in the 10.31.0.0/16 network would be able to open connections to the remote network 172.21.0.0/24, provided the LAN interface ACL permits this traffic
    • Return traffic for these connections would of course be allowed by the ASA, like all other traffic.
    • IF a connection attempt comes in to the ASA with network 10.31.0.0/16 from the 172.21.0.0/24 network, it would be dropped UNLESS you permit it in the 'outside' interface ACL

    Hope this made sense and helped

    Please consider rating the answer as the correct answer if it answered your question.

    Naturally, ask more if needed

    -Jouni
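The change described in the answer above, written out as an added example (not configuration from the original thread). Interface names, ACL names and the public addresses are assumed; the two LANs are the ones from the question.

```cisco
! Added example, not from the thread. Interface names (inside/outside), ACL
! names and the public address 203.0.113.10 are assumed.
! Local LAN 10.31.0.0/16, remote LAN 172.21.0.0/24 as in the question.

! 1. Stop VPN traffic from bypassing the interface ACLs.
no sysopt connection permit-vpn

! 2. The outside ACL now filters the decrypted tunnel traffic too. Permit
!    only what may be INITIATED from the remote site (here: nothing). The
!    ASA is stateful, so replies to connections opened from 10.31.0.0/16
!    need no entry. An explicit logged deny makes blocked attempts visible.
access-list OUTSIDE_IN extended deny ip 172.21.0.0 255.255.255.0 10.31.0.0 255.255.0.0 log
! ... the existing Internet-facing entries stay, e.g. a published web server:
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside

! 3. The inside ACL still decides what 10.31.0.0/16 may start.
access-list INSIDE_IN extended permit ip 10.31.0.0 255.255.0.0 172.21.0.0 255.255.255.0
access-group INSIDE_IN in interface inside

! Check the effective setting and simulate an inbound attempt from the remote LAN:
!   show run all sysopt
!   packet-tracer input outside tcp 172.21.0.5 12345 10.31.1.20 445
```

If other VPNs terminate on the same outside interface, their inbound traffic must be added to OUTSIDE_IN before step 1, exactly as the answer warns. The alternative that keeps "sysopt connection permit-vpn" in place is a vpn-filter on the tunnel's group-policy, which the "VPN between PIX and ASA" thread below points to.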

  • Downloadable ACLs for VPN users

    Hello

    I replaced the old PIX with an ASA (7.2). There were groups configured for the remote VPN users, authenticated through ACS, and ACS downloads a specific ACL for each group to the PIX. After the replacement, users cannot establish the VPN connection. After troubleshooting, I discovered that the downloadable ACLs were not working properly. When I disabled this option the tunnel established. When I go back to the old PIX with the same configuration, it works fine with the downloadable ACL option. I opened a TAC case and they said ACS v3.0 (mine) is not compatible with the ASA. That did not really convince me, and they asked me to try the AV pair option. I tried the AV pair option with the ASA and it did not work either. Can you please advise?

    Hello

    Check out this bug,

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCef21184

    In addition, 3.0 is very old, and I guess that in this version we have "Downloadable PIX ACL" and not "Downloadable IP ACL". On the ASA, downloadable ACLs will work with "Downloadable IP ACL" but not with "Downloadable PIX ACL".

    Kind regards

    Prem

  • ASA - interface question (IPsec)

    Is it possible on an ASA to "split" the interfaces (e0/0-e0/1 and e0/2-e0/3) so that they behave as two distinct parts of the ASA?

    Goal (2 separate functions)

    --------------------------------

    Function 1

    E0/0 - outside interface - ISP

    E0/1 - inside interface - traditional LAN

    Function 2

    E0/2 - Outside2 interface - to be used for an IPsec tunnel over another external network (BGP cloud)

    E0/3 - Inside2 interface - restricted LAN

    *****************************************

    - e0/2 and e0/3 do not cross to e0/0 or e0/1 (or vice versa).

    - e0/2 is only used to connect to a remote site, so that the remote site's network and the e0/3 network communicate with each other.

    *****************************************

    I'm not sure it will work, as the default route statement to e0/0 would kill my traffic flows through the tunnel between the remote site and e0/3.

    Thoughts or comments?

    Yes, you should be fine. The command I posted above shows that packets are getting encrypted/decrypted. The ASA increments the ACL hit counts for encrypted/decrypted traffic.

  • Forwarding between Cisco ASA VPN tunnels

    Hi Experts,

    I have a situation where I need to set up forwarding between two VPN tunnels terminating on the same ASA box. One VPN tunnel will bring in traffic, and that traffic should be sent down the other VPN tunnel on the ASA. The two VPN tunnels come from the Internet and talk to the same peer IP address on the ASA.

    Details

    Tunnel A

    Source: 192.168.1.0/25

    Destination: 10.1.1.0/25

    Local peer: 170.252.100.20 (the ASA in question)

    Remote peer: 144.36.255.254

    Tunnel B

    Source: 192.168.1.0/25

    Destination: 10.1.1.0/25

    Local peer IP: 170.252.100.20 (the ASA box in question)

    Remote peer IP: 195.75.75.1

    Can this be achieved? What configuration is needed on the ASA apart from the crypto ACL entries?

    Thanks in advance for your time.

    I believe that in this case your config is fine, and you can avoid using routes on your ASA since it will route based on its default gateway. Make sure you have the proper nonat rules in place, and you will need "same-security-traffic permit intra-interface" for the return traffic.

  • VPN between PIX and ASA

    I have a VPN between two sites, which works fine. Traffic is initiated from site A and can connect to site B OK.

    I just tried to set up traffic from site B to site A, but it fails at the VPN encryption point. I checked the ACLs and they match:

    site A (PIX)

    Crypto ACL

    access-list site_a permit tcp host 10.51.3.32 10.0.0.0 255.0.0.0 eq 3389

    no nat

    access-list no_nat permit ip host 10.51.3.32 10.0.0.0 255.0.0.0

    site B (ASA)

    Crypto ACL

    access-list Site_B extended permit tcp 10.0.0.0 255.0.0.0 host 10.51.3.32 eq 3389

    no nat

    access-list nonat extended permit ip 10.0.0.0 255.0.0.0 host 10.51.3.32

    The only difference I see is the extended ACL, but it works fine in one direction?

    Thank you

    Hello

    Using port-based ACLs for the crypto map is not recommended; use IP access lists and configure VPN filters to implement port restrictions.

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

    Kind regards

    Averroès
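What the recommendation above looks like on the Site B ASA, as an added example (not configuration from the original thread). The peer address, crypto map, group-policy and ACL names are assumed; the networks are the ones from the question. The point a practitioner trips over is the direction of vpn-filter ACEs: they are written with the remote network as source and the local network as destination, and are applied statefully to both directions of the tunnel.

```cisco
! Added example, not from the thread. Site B (ASA): local 10.0.0.0/8,
! remote host 10.51.3.32. Peer 203.0.113.1 and all names are assumed.

! Crypto ACL: protocol "ip" only, mirrored exactly on the Site A PIX.
access-list SITE_B_CRYPTO extended permit ip 10.0.0.0 255.0.0.0 host 10.51.3.32
crypto map OUTSIDE_MAP 10 match address SITE_B_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1

! NAT exemption, also protocol "ip".
access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 host 10.51.3.32
nat (inside) 0 access-list NONAT

! vpn-filter ACL: REMOTE network as source, LOCAL network as destination.
!  - the remote host may open RDP to any local 10.x host:
access-list SITE_B_VPNFILTER extended permit tcp host 10.51.3.32 10.0.0.0 255.0.0.0 eq 3389
!  - local 10.x hosts may open RDP to the remote host; the port sits on the
!    source (remote) side of the ACE because it is the remote host's port:
access-list SITE_B_VPNFILTER extended permit tcp host 10.51.3.32 eq 3389 10.0.0.0 255.0.0.0
! everything else over the tunnel is dropped by the filter's implicit deny.

group-policy SITE_A_GP internal
group-policy SITE_A_GP attributes
 vpn-filter value SITE_B_VPNFILTER
tunnel-group 203.0.113.1 general-attributes
 default-group-policy SITE_A_GP

! Verify the filter is attached to the live tunnel:
!   show vpn-sessiondb detail l2l    (look for "Filter Name: SITE_B_VPNFILTER")
```

Site A mirrors this with the roles swapped: crypto ACL "permit ip host 10.51.3.32 10.0.0.0 255.0.0.0" and a filter whose source is 10.0.0.0/8. Because both crypto ACLs are now plain "ip", the two ends negotiate one SA pair regardless of which side initiates, which is what the port-based ACLs in the question were breaking.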

  • Unable to pass traffic over ASA site-to-site VPN tunnel

    Hello

    I have problems passing traffic between two ASA firewalls. The VPN tunnel is up, with one dynamic IP and one static IP address. I have attached a diagram of the VPN connection. I'm not sure where the problem lies and what to check next. I think I have all the routes and access-list entries that are needed.

    I've also attached the ASA5505 config and the ASA5510 config.

    This is the first time I've set up a VPN connection; any guidance would be greatly appreciated.

    Thank you

    Adam

    Hello

    Looking at your Remote Site ASA configuration, you have not added the Central Site's internal networks to the L2L VPN configuration at all, so the traffic does not pass through the VPN.

     access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.*
     access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.*
     access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.*
     access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.*
     access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.*
     access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.*

    Take a look at the ACL configurations above. The 'exempt' ACL is used in the NAT0 configuration and tells the ASA what traffic to exempt from NAT. The 'outside_1_cryptomap' ACL is used to tell which traffic between the subnets should use the L2L VPN connection.

    So in short, on the Remote Site ASA these ACLs should be identical. Make the additions to the L2L VPN ACL, then try again.

    I would also like to point out that you should make sure the Central Site ASA's L2L VPN ACL contains the same networks. The ACL on the Central Site will, of course, have its internal subnets as the source and the remote site LAN as the destination.

    The output of "show crypto ipsec sa" shows you that only the SA between the Central Site network and the Remote Site LAN was established. The others have not formed, as the configuration is lacking at LEAST on the Remote Site ASA. It may also be lacking on the Central Site.

    -Jouni

  • Unable to ping IP across 2 IPsec tunnels

    Hello all

    Here's the setup

    Server1 - Layer 2 switch - ASA1 - L2 tunnel - ASA2 - Layer 2 tunnel - ASA3 - Layer 2 switch - Server2.

    Server1 IP 10.31.2.83/28

    Server2 IP 10.31.2.35/28

    Server1 has its default gateway set to ASA1

    Server1 can ping ASA1 but cannot ping Server2.

    ASA1 is also unable to ping Server2.

    ping 10.31.2.35
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.31.2.35, timeout is 2 seconds:
    ?????
    Success rate is 0 percent (0/5)

    ASA2 can ping Server2

    ping 10.31.2.35
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.31.2.35, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

    ASA2 can ping Server1

    ping 10.31.2.83
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.31.2.83, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

    The ACLs allow the traffic; routing and the crypto map also allow the traffic.

    What else can I check?

    Any help is appreciated.

    Regards

    Mahesh

    I don't understand what you mean by Layer 2 tunnel. Is it relevant to this question?

    Is IPsec involved?

    Have you done any basic Layer 3 troubleshooting? Checked the routing information?

    (1) Does ASA2 have 2 interfaces, one for each tunnel?

    • Does ASA2 have the routes?

      • 10.31.2.80 255.255.255.240 to ASA1
      • 10.31.2.32 255.255.255.240 to ASA3

    (2) Does ASA2 have only one interface for the two tunnels?

    • Do you have same-security-traffic permit intra-interface?
    • If IPsec is involved, check the crypto ACLs on ASA2:
      • 10.31.2.80/28 -> 10.31.2.32/28 to ASA3
      • 10.31.2.32/28 -> 10.31.2.80/28 to ASA1

    The following commands will help on all three ASAs:

    sh route

    sh crypto map

    sh crypto ipsec sa (look at the packet counters on the SAs)

    Best regards, MiKa

  • Is this possible with remote access VPN?

    Hello

    I access my corporate network through the Cisco VPN (software) client, and it goes through a remote access IPsec VPN configuration on an ASA 5510. Everything works fine.

    But now the users connecting to the corporate network also need access to the remote site networks connected by site-to-site VPN tunnels: IPsec tunnels between the mentioned ASA5510 and the remote ASA5510s and ASA5505s in the branches.

    Is this possible?

    If so, what should I consider to make it work?

    My setup looks like this:

    Corporate network: 10.1.1.0/24

    Remote VPN clients receive IP addresses from: 10.0.5.0/28

    Remote branch 1 network: 10.1.10.0/24

    Remote branch 2 network: 10.1.20.0/24

    Remote branch 3 network: 10.1.30.0/24

    There is a NAT exemption rule that exempts the networks 10.1.10.0/24, 10.1.20.0/24, 10.1.30.0/24.

    All hosts on the local network 10.1.1.0/24 have full IP connectivity with all branch networks. The PROBLEM is that the remote VPN clients can reach only the local network 10.1.1.0/24, but not the remote networks.

    The ASAs in the remote sites have NAT exemptions created for both the local network 10.1.1.0/24 and the remote access client network 10.0.5.0/28, but as I said, it doesn't work. Help, please!

    Thanks in advance!

    Zoran

    Yes, you can...

    Let's take 1 remote site as an example: branch 1 network (10.1.10.0/24):

    Corporate ASA:

    - If you have split tunneling configured for the VPN client, you must also add the remote site network (10.1.10.0/24) to the split tunnel list.

    - The crypto ACL between the corporate ASA and the remote branch 1 ASA must have the following added:

    access-list <crypto-acl> permit ip 10.0.5.0 255.255.255.240 10.1.10.0 255.255.255.0

    - "same-security-traffic permit intra-interface" must be configured

    On the remote branch 1 ASA:

    - The crypto ACL between the remote branch 1 ASA and the corporate ASA must have the following added:

    access-list <crypto-acl> permit ip 10.1.10.0 255.255.255.0 10.0.5.0 255.255.255.240

    - NAT exemption rule to exempt the traffic:

    access-list <nonat-acl> permit ip 10.1.10.0 255.255.255.0 10.0.5.0 255.255.255.240

    Clear the tunnels on both ends and test the connectivity.

    I hope this helps.
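The full set of changes from the answer above on the corporate ASA, as an added example (not configuration from the original thread). The same hairpin pattern (traffic enters and leaves the outside interface, so it needs "same-security-traffic permit intra-interface", a crypto ACL on each leg that names the far-end networks, and a NAT exemption that actually sees the outside-to-outside flow) is what the "Forwarding between Cisco ASA VPN tunnels" and "Unable to ping IP across 2 IPsec tunnels" threads above also come down to. Peer address, interface names and ACL/policy names are assumed; the addresses are those of the question; NAT syntax is the pre-8.3 form used elsewhere on this page.

```cisco
! Added example, not from the thread. Corporate ASA, pre-8.3 NAT syntax.
! Assumed: branch 1 peer 198.51.100.1, interface "outside", all names.
! Addresses from the question:
!   corporate LAN 10.1.1.0/24, VPN pool 10.0.5.0/28, branch 1 10.1.10.0/24

! 1. Allow a flow to enter and leave the same (outside) interface.
same-security-traffic permit intra-interface

! 2. The client's split-tunnel list must include the branch, otherwise the
!    client never sends that traffic into the tunnel in the first place.
access-list SPLIT_TUNNEL standard permit 10.1.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.1.10.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! 3. The branch 1 crypto ACL carries the pool as well as the corporate LAN.
access-list BRANCH1_CRYPTO extended permit ip 10.1.1.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list BRANCH1_CRYPTO extended permit ip 10.0.5.0 255.255.255.240 10.1.10.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address BRANCH1_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1

! 4. NAT exemption on the OUTSIDE interface: the hairpin never touches
!    inside, so the existing "nat (inside) 0" rule cannot exempt it.
access-list NONAT_OUTSIDE extended permit ip 10.0.5.0 255.255.255.240 10.1.10.0 255.255.255.0
nat (outside) 0 access-list NONAT_OUTSIDE

! Branch 1 ASA: mirror the crypto ACL and exempt the pool from NAT.
!   access-list BRANCH1_CRYPTO extended permit ip 10.1.10.0 255.255.255.0 10.0.5.0 255.255.255.240
!   access-list NONAT extended permit ip 10.1.10.0 255.255.255.0 10.0.5.0 255.255.255.240
!   nat (inside) 0 access-list NONAT

! Then on both ends, so the new ACE is negotiated as its own SA pair:
!   clear crypto ipsec sa
!   show crypto ipsec sa     (expect an SA for 10.0.5.0/28 <-> 10.1.10.0/24)
```

Repeat steps 2 to 4 per branch (10.1.20.0/24, 10.1.30.0/24). If "show crypto ipsec sa" shows encaps counters rising on the corporate side but no decaps, the branch end is missing its mirrored crypto ACE or its NAT exemption; if nothing is encapsulated at all, the split-tunnel list or the outside-interface NAT exemption is the usual culprit.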

  • ASA ACL question

    I'm new to the ASA and trying to understand something about ACLs. I understand how to create them and add entries, and that all entries should have the same name, but I'm confused about ACLs that do not have the same name as one already applied on a device, or that are named differently.

    For example:

    access-list Corporate1 permit tcp any any eq www

    access-list Corporate1 permit tcp any any eq https

    access-list Inside_Out permit ip any any

    access-group Corporate1 in interface outside

    Ignoring the content for now, I have 2 ACLs: one with 2 entries and one with a single entry. The Corporate1 ACL is applied to the interface and is active. I get this part... My question is: is the Inside_Out ACL automatically grouped in with the other ACL and activated as well, or is it safe to say it is not active and can be removed without causing damage? Does the access-group only activate the ACL with the same name, Corporate1?

    I have 2 different people telling me two different things. I'm lost on this one; any help would be greatly appreciated.

    -Jon

    Working with ACLs always involves two steps:

    1. You configure the ACL (possibly with multiple lines, but the same name).
    2. You assign the ACL to a function. That might be filtering on an interface with access-group, but it is not limited to that; an ACL is used in several places where the ASA must match traffic.

    If you did both 1) and 2), then the ACL is active and in use. If you only configured the ACL but never assigned it to a function, then the ACL is not active and can be removed.

    In your example:

    If you find the ACL 'Inside_Out' but you don't know whether the ACL is used, then do a

     sh run | inc Inside_Out

    If the output shows only the ACL lines, it is unused and can be removed:

     clear configure access-list Inside_Out

    Or it is not used but should be used, in which case apply the ACL for the desired purpose.

  • Cisco ASA and Cisco 831 static routing. Help with ACLs, maybe?

    Hi all

    What should be a simple task is turning out to be difficult and I really need help.

    The Cisco ASA obviously isn't a strong point of mine and I could do with a pointer in the right direction. I hope this will help me learn more about the ASA 5505.

    OK, so I have an ASA 5505. VLAN 1 is 192.168.254.1 and VLAN 2 gets DHCP from my cable modem.

    I have a Cisco 831 Ethernet router that will sit between my main LAN and the test LAN I want to set up for multicasting. The Cisco 831 has Ethernet 1 as 192.168.254.254 and Ethernet 0 as 10.1.1.1.

    On the ASA I have a route: route inside 10.0.0.0 255.0.0.0 192.168.254.254.

    On the Cisco 831 there is a route 0.0.0.0 0.0.0.0 192.168.254.1. I can pass traffic via the Cisco 831 to the ASA 5505 and the Internet, for example I can ping 8.8.8.8 and access everything on my main LAN, but the other way round, no host inside the ASA 5505 is able to ping anything on 10.1.1.x.

    Where am I going wrong? I have set all my access lists on the ASA to permit any any, but it is still unable to do anything.

    I will attach my configs with passwords removed here and would like a good kick in the right direction. Without a doubt it's something simple I'm missing, and I'm sure it's the ACL on the ASA 5505, as packet-tracer says the packet is dropped due to the ACL.

    Thank you. :)

    So all traffic between these two LANs will travel through the ASA on the same interface.
    Please add this command in the global configuration of the ASA:
    same-security-traffic permit intra-interface

  • Cisco ASA 9.1: crypto ACL order / order of operations

    Hello

    Let's say we have the following configuration:

    access-list VPN1 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0

    crypto map mymap 10 match address VPN1

    crypto map mymap 10 set peer x.x.x.x

    access-list VPN2 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

    crypto map mymap 20 match address VPN2

    crypto map mymap 20 set peer y.y.y.y

    In the above example, what happens if you intend to send a packet to a host in 10.1.1.x and the peer x.x.x.x is down (no SA)?

    Will the ASA check whether the SA is down and, if so, start processing the next crypto ACL according to the crypto map sequence number? Or simply drop the packet?

    If the ASA tries the next crypto map entry/crypto ACL and there is no matching ACL, are the packets sent in clear text?

    Thanks for the explanation

    Peter

    Hi Peter,

    This would work if the first tunnel is down and there is no SA for it.

    However, it is not recommended to overlap crypto ACLs.

    Kind regards

    Aditya

    Please evaluate the useful messages and mark the correct answers.
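The non-overlapping layout the answer recommends, as an added example (not configuration from the original thread). The ASA walks crypto map entries in ascending sequence order and the first ACE that permits the packet selects the peer; it does not fall through to a later entry because that peer has no SA, so a 10.1.1.x packet matched by sequence 10 is held for (or dropped pending) negotiation with x.x.x.x. A deny ACE in a crypto ACL, by contrast, does let evaluation continue to the next entry, and a packet that matches no crypto map entry at all is forwarded unencrypted, subject to the normal ACL and NAT checks. The peer placeholders are the ones from the question.

```cisco
! Added example, not from the thread. x.x.x.x and y.y.y.y are the question's
! own placeholders; ACL and map names are kept from the question.

! Specific destination first: lower sequence number wins on first match.
access-list VPN2 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map mymap 10 match address VPN2
crypto map mymap 10 set peer y.y.y.y

! Broad destination second, with the specific subnet carved out so the two
! crypto ACLs no longer overlap even if someone later reorders the map.
access-list VPN1 extended deny   ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN1 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
crypto map mymap 20 match address VPN1
crypto map mymap 20 set peer x.x.x.x

! Verify which entry a given flow selects (the VPN phase names the map seq):
!   show crypto map
!   packet-tracer input inside tcp 192.168.1.10 40000 10.1.1.20 443
!   packet-tracer input inside tcp 192.168.1.10 40000 10.2.2.20 443
```

With this ordering the 10.1.1.0/24 traffic is bound to y.y.y.y whether or not x.x.x.x is reachable, which is the behaviour the question was hoping to get from fall-through and which the ASA does not provide.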

    E-mail worked until a few days ago, but now it says * address email is removed from the privacy * is not available. I can access it in IE and win the phone 8. I checked all the settings and files synchronization is enabled.