
Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

2 edits

[HELP] NAT vs Route vs ACL -ASA5505

I have success with my setup internally (within the inside LAN, traffic is fine). With one static public IP address, I can get out to the internet from the inside LAN and the DMZ (excellent). However, I have no success for outside users (on the internet) to access my servers within the inside LAN :-((

Legend:
GREEN - the outbound NAT (dynamic PAT) which ensures outbound requests get the router's WANIP and returning traffic gets back to the originating PC on the private LAN or DMZ.

BLACK - the inbound NAT (static) rules to allow external internet users to access private servers on the inside LAN. The requests are external (unsolicited) and are pointed by service to the WANIP of the router. The requests need to get forwarded to the server host PC.

PINK - the one inbound NAT rule whereby the port used by external users is port xx but needs to get translated to port yy before reaching the private server.

RED - Potential conflict between NAT and NAT and ACE.

Dark ORANGE - Default route created, which tells all requests going to the outside interface that they have a next hop of the gateway IP of the ISP.

BLUE - Basic extended firewall rules. The intent here is to limit the access of "any" in the above static nat rules to specific users (by IP, or subnet). Specific users to specific services.

Q1. Which of the two diagrams is likely to succeed?
(You will note that the main difference is that in the second diagram the original packet destination address is the public IP of the router vice the private IP of the server in the first diagram.)
Q2. Does the firewall rule apply BEFORE or AFTER the NAT rule?

Discussion. For port translation to work, in one of my NAT rules the incoming port needs to be translated from xx to yy in my setup. The reason is that yy is one of the services I have permitted in the firewall rule, since that's the port used by the particular server. If firewall rules are applied first, then I have to additionally allow the initial incoming port.
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

Okay, that was easy. ACL rules are applied first then NAT rules.

My issue is that I was trying to apply static NAT rules (nat sourcintf,insideintf), which is the wrong approach even though unsolicited requests to access a private server originate on the WEB......

Additionally, I was trying to use NAT twice, whereas using NAT with object groups is much easier and, I think, what I actually need, and specifically to the outside interface.


HELLFIRE
Premium
join:2009-11-25
kudos:15
reply to Anav

Anav, if you're into some more heady ASA reading about NAT, I suggest this

I've been spending the last couple days refamiliarizing myself with ASA NAT -- and I thought IOS NAT was bonkers. The thing that's been throwing me with your configs above is keyword NAT is used for two types of NAT: Identity NAT (no translation of the real source addresses) and NAT Exempt (no translation of real source address matched by the ACL), so yeah, looks like you may have been using the wrong config.

If I got this right, the functionality you need is dynamic PAT from MAIN-LAN and BACKUP-ADMIN to the WAN and for return traffic, and a static mapping from WAN to the server(s) users are supposed to be accessing. In which case, these two lines of config should start you off:

 global (outside) 1 ab.abc.def.225 -- for the dynamic PAT
static ([server VLAN here],outside) [tcp | udp] ab.abc.def.225 [port #] [LAN IP here] [port #]
... -- 2nd mapping here
... -- 3rd mapping here
... -- 4th mapping here
 

Also looks like in the 2nd line above you could do the port x -> port y mapping you were discussing earlier -- if I read it right, for example, opening up port 36892 and mapping it to port 25 from the INSIDE interface.

By the way, I understand not revealing any static IP addresses, but to help me wrap my head around what ports you need, can you give me the services and/or port #s you need exposed to the outside?

As for which order ASA does first, NAT or ACL, IIRC it was ASA 8.3 or 8.4 code that supposedly cleaned up the order to make it more IOS-like, but before that it was one of those mystical secret society dark arts things some people knew about but nobody ever told you.

Regards

bigsy

join:2001-07-18
ireland
kudos:1

said by HELLFIRE:

Anav, if you're into some more heady ASA reading about NAT, I suggest this

@HELLFIRE: This is a better link as it covers NAT in ASA 8.4, and your link above is to 8.2, which might only further confuse the issue. As you mentioned, the whole thing changed with 8.3 and he's running 8.4(3): »www.cisco.com/en/US/docs/securit···iew.html


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4
reply to Anav

Bigsy, heh, I'm a Barca fan by the way ;-P. But luv mUnited, but WTF losing to a 5th ranked team. Shame. Go kick Sir AF.

I have solved the nat issues. Crisco has some weird ways of doing business and the fact they keep changing how they handle data has convinced me they use coke while developing.

Anyway I have changed all my NAT rules (basic anyway) to nested object nat rules. It seems me trying to assign objects and static nat separately resulted in a bunch of incorrect nat twice rules. As for the dynamic pat rules, the router makes one automagically for the inside lan and I successfully manually configured one for the DMZ (quite proud) but changed it to a nat nested object rule like the default one created.

The other hurdle was assigning the default route outbound (next hop).

CURRENT MINOR ISSUE (before I tackle VPNs (SSL and IPsec)) is password related.

I have been programming the router (HTTPS) for some time with no user name (blank) but a strong password, which is required to enter ASDM, and the serial console, and the first session of the run windows config session.

I just enabled authentication for SSH and HTTPS.
Expectation upon entering ASDM or serial:

a. enter the router password
b. then be asked to enter a user name
c. then be asked to enter the user password.

The problem is that now it does not ask me for the router password.
How can I keep BOTH???


bigsy

join:2001-07-18
ireland
kudos:1

Have a read of »www.cisco.com/en/US/docs/securit···p1271409 and see if that helps explain what is going on.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

Thanks for that.......

Okay, I plugged in the router today with my newfangled NAT rules and SAME result. No external access to servers on private IPs. I did still have access to the internet (that worked fine). I will post my latest file for perusal shortly.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

1 edit
reply to Anav

Okay my latest config follows.
To recap.
LAN to LAN Good!
LAN to internet Good!
DMZ to internet Good!
internet to private servers on LAN BAD :-((

: Saved
:
ASA Version 8.4(3)
!
hostname zyxelbeatsbattlestargalacticaandCisco
enable password SrnWJ82Q9IsDq97j encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 12
!
interface Ethernet0/7
switchport access vlan 12
!
interface Vlan1
no forward interface Vlan12
nameif main-lan
security-level 100
ip address 192.168.24.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address ab.abc.def.230 255.255.255.248
!
interface Vlan12
nameif admin-dmz
security-level 100
ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
clock timezone AST -4
clock summer-time ADT recurring
same-security-traffic permit inter-interface
object network obj_any_main-lan
subnet 0.0.0.0 0.0.0.0
description Applied by router ---> SNAT for main lan
object network TrustedInternetUsers
subnet ab.abc.def.0 255.255.255.0
object network Corporate-user
host 555.555.555.98
description Corporate Ojbect for access to TFS, OM
object network -remote-h
subnet 11.111.0.0 255.255.0.0
object network -remote-w
subnet 22.222.222.0 255.255.255.0
object network -remote2
host 33.3.333.4
object network -remote1
host 444.44.444.133
object network ISP-GatewayIP
host ab.abc.def.225
object network VS-pcIP
host 192.168.24.34
object network obj_any-admin-dmz
subnet 0.0.0.0 0.0.0.0
description Used to apply SNAT for DMZ (internet access)
object service input-port
service tcp source eq www destination eq www
object service OM1
service tcp source eq 5080 destination eq 5080
object service OM2
service tcp source eq 8088 destination eq 8088
object service OM3
service tcp source eq https destination eq https
object service TFS
service tcp source eq 8080 destination eq 8080
object service RDP
service tcp source eq 3389 destination eq 3389
object service RouterAdmin
service tcp source eq 33349 destination eq 33349
object network NAT4OM3
host 192.168.24.34
object network NAT4OM1
host 192.168.24.34
object network NAT4OM2
host 192.168.24.34
object network NAT4RDP
host 192.168.24.34
object network NAT4TFS
host 192.168.24.34
object network NAT4WWW2OM1
host 192.168.24.34
object-group network Router-Admin
description Remote access to adjust router settings
network-object object -remote1
network-object object TrustedInternetUsers
object-group network TFS-usergroup
description AgileGroup Access TFS, Open Meetings and RDP
network-object object TrustedInternetUsers
network-object object -remote-h
network-object object -remote-w
network-object object -remote1
network-object object -remote2
object-group service OMServiceGroup
service-object object OM1
service-object object OM2
service-object object OM3
object-group service CorporateServiceGroup
service-object object OM2
service-object object input-port
service-object object OM3
access-list TFS-FWrule extended permit object TFS object-group TFS-usergroup object VS-pcIP
access-list TFS-FWrule extended permit object TFS object Corporate-user object VS-pcIP
access-list OM-FWrule extended permit object-group OMServiceGroup object-group TFS-usergroup object VS-pcIP
access-list OM-FWrule extended permit object-group CorporateServiceGroup object Corporate-user object VS-pcIP
access-list RDP-FWrule extended permit object RDP object-group TFS-usergroup object VS-pcIP
access-list Remote-Router-Admin extended permit object RouterAdmin object rm-remote any
access-list Remote-Router-Admin extended permit object RouterAdmin object TrustedInternetUsers any
pager lines 24
logging asdm informational
mtu main-lan 1500
mtu outside 1500
mtu admin-dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any_main-lan
nat (main-lan,outside) dynamic interface
object network obj_any-admin-dmz
nat (admin-dmz,outside) dynamic interface
object network NAT4OM3
nat (main-lan,outside) static interface service tcp https https
object network NAT4OM1
nat (main-lan,outside) static interface service tcp 5080 5080
object network NAT4OM2
nat (main-lan,outside) static interface service tcp 8088 8088
object network NAT4RDP
nat (main-lan,outside) static interface service tcp 3389 3389
object network NAT4TFS
nat (main-lan,outside) static interface service tcp 8080 8080
object network NAT4WWW2OM1
nat (main-lan,outside) static interface service tcp 5080 www
route outside 0.0.0.0 0.0.0.0 ab.abc.def.225 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable 33349
http server session-timeout 60
http 192.168.2.0 255.255.255.0 admin-dmz
http 192.168.24.0 255.255.255.0 main-lan
http 444.44.444.133 255.255.255.255 outside
http ab.abc.def.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.24.0 255.255.255.0 main-lan
ssh 444.44.444.133 255.255.255.255 outside
ssh ab.abc.def.0 255.255.255.0 outside
ssh 192.168.2.0 255.255.255.0 admin-dmz
ssh timeout 10
ssh version 2
console timeout 0

dhcpd address 192.168.24.5-192.168.24.10 main-lan
dhcpd dns 66.666.6.96 66.666.6.97 interface main-lan
dhcpd enable main-lan
!
dhcpd dns 66.666.6.96 66.666.6.97 interface outside
!
dhcpd address 192.168.2.5-192.168.2.10 admin-dmz
dhcpd dns 66.666.6.96 66.666.6.97 interface admin-dmz
dhcpd enable admin-dmz
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 209.87.233.53 source outside
webvpn
username user5 password Xl5915GPBhncsPAQ encrypted
username user3 password mAVJxjP/lM8yc59F encrypted
username user4 password w7V/UFyrOwnQknqm encrypted
username user2 password .NJvJ7zi.ROsatP7 encrypted
username user1 password OZCdJRBWiCmcaFZ. encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b8135c36da331e34243baa55a8fe8c5a
: end
no asdm history enable


bigsy

join:2001-07-18
ireland
kudos:1

2 edits

Anav, I'm getting a headache reading that...

However, you need to apply an access list to an interface. The general format of what you want to achieve is access-group ACL_IN in interface outside.

Look at the examples at »www.cisco.com/en/US/docs/securit···p1088493 for a basic idea. Look at the last line of each example.

There are also lots of configuration examples at »www.cisco.com/en/US/products/ps6···ist.html, including for allowing RDP. Just make sure anything you try is valid for ASA v8.3 and higher as some things, particularly NAT, changed with this.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

2 edits

You're getting a headache from that? I would have rather suspected reading those configs would have given you a woody!! And you call yourself a real Cisco man lol....

I actually quite enjoy using them as a reference.

I will investigate the ACLs as you suggest. Remember there are implicit ACLs that do not show on the run config. They include two that allow all traffic from a higher security interface to a lower security interface as a default. Thus all inside traffic, main-lan and admin-dmz, is permitted out to the internet. This is followed in order by a global rule that basically says everything else is denied. What I have done is poke holes through the firewall for particular users on the net inbound to the private server on the particular services, thus combining with the NAT rules created.
After the ACL rules are applied the traffic gets appropriately translated and sent to the private server LANIP.

What is interesting, with ACLs applied first, is that I am surprised internet access worked on the main-lan and DMZ. I expected traffic to reach the net (higher to lower security) but am surprised that return traffic (NO ACL RULE IN PLACE to allow it) was permitted. Unless xlate tables are compared for ACL rules, not just NAT rules (as NAT rules are done second at an interface). CISCO order is wrong LOL. They should change their NAT flow again.

Another point of discussion is required. On my Zyxel I need to make a firewall rule (ACL) to allow external access to the router as the admin to program it (e.g. HTTPS) - typically this is a WAN to ZyWALL rule or sometimes a WAN to WAN rule (depending on model) for 443, for example. I do not know what the equivalent is on Cisco, so that is why I created the last two rules you see:
access-list Remote-Router-Admin extended permit object RouterAdmin object rm-remote any
access-list Remote-Router-Admin extended permit object RouterAdmin object TrustedInternetUsers any

It's a catch-all; I don't know what real IP this is supposed to hit so I say any.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

1 edit

Reading the ACL portion, I still see nothing wrong with what I've done and disagree with your assertion that I need an ACL for an interface....

Snippets.......

Applies to global implicit rule.
You can configure global access rules in conjunction with interface access rules, in which case, the specific interface access rules are always processed before the general global access rules.

Hence the implicit global rule does not impinge upon the other implicit rules, nor the specific interface rules I created.

My question on return traffic.......
Access Rules for Returning Traffic

For TCP and UDP connections for both routed and transparent mode, you do not need an access rule to allow returning traffic because the ASA allows all returning traffic for established, bidirectional connections


For my question on needing an ACL for router management..
Note To access the ASA interface for management access, you do not also need an access list allowing the host IP address. You only need to configure management access according to Chapter 37 "Configuring Management Access."



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

2 edits

Okay after reading this..............

Note To allow any traffic to enter the ASA, you must attach an inbound access rule to an interface; otherwise, the ASA automatically drops all traffic that enters that interface.

and looking at my extended rules, none of them are attached to an interface. I just have to figure how to do that. When I first created nat rules I did them manually and ended up doing nat twice and then reverted to EMBEDDED NAT within network objects. I am getting the sneaky suspicion that I am going to have to revert to EMBEDDED ACL within network objects LOL.

Now I just looked at the ACE rules via the ASDM and there is nowhere to indicate interface AND external user.

Since NAT does not delineate who the external user is either nor does any other port forwarding process I have used...

This could lead me to conclude that I need to make two sets of ACLS. One to indicate which interface to allow traffic to come into, and then another set (already done) to identify which users are allowed ??????

Very confusing. As you can tell I don't give a crap about this lousy nomenclature but care about the logic and concepts. If I understood those (and it's my level of knowledge that's lacking) this would be much easier.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4
reply to Anav

Okay, I followed my nose and made for each ACL rule, an additional interface extended rule in the ASDM and I think the result is splendiforous...... what sayest thou???

access-list TFS-FWrule extended permit object TFS interface outside object VS-pcIP
access-list TFS-FWrule extended permit object TFS object-group TFS-usergroup object VS-pcIP
access-list TFS-FWrule extended permit object TFS object Corporate-user object VS-pcIP
access-list OM-FWrule extended permit object-group OMServiceGroup interface outside object VS-pcIP
access-list OM-FWrule extended permit object-group OMServiceGroup object-group TFS-usergroup object VS-pcIP
access-list RDP-FWrule extended permit object RDP interface outside object VS-pcIP
access-list RDP-FWrule extended permit object RDP object-group TFS-usergroup object VS-pcIP
access-list Corporate-OMFWrule extended permit object-group CorporateServiceGroup interface outside object VS-pcIP
access-list Corporate-OMFWrule extended permit object-group CorporateServiceGroup object Corporate-user object VS-pcIP


bigsy

join:2001-07-18
ireland
kudos:1
reply to Anav

said by Anav:

Note To allow any traffic to enter the ASA, you must attach an inbound access rule to an interface; otherwise, the ASA automatically drops all traffic that enters that interface.

and looking at my extended rules, none of them are attached to an interface.

That was pointed out above, with links to examples in official Cisco documentation, but you chose to disagree with this.

bigsy

join:2001-07-18
ireland
kudos:1
reply to Anav

said by Anav:

...... what sayest thou???

Good luck.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

Reading it is one thing, understanding it is another.

I am used to zyxel rules, where you delineate both interfaces at the start

IE WAN TO LAN RULES (so in effect stating this rule applies to traffic coming from the external interface going to the internal interface (inside)). Then you state which sources, which destination on the inside interface and which services.

On the acl manager in ASDM, there is no such initial step. One just starts by naming a rule and then adding ACEs. So I added the external users and the destination and the services.

Until your suggestion and the readings pointed out that I indeed was clearly at least missing the outside interface (and as well the inside interface, but that seems not needed if identifying the private real IP).

So, I had to figure out how to add an interface connection via the ASDM. I think this has been done.

I am assuming the new rules I posted are in the correct format??

And I do owe you much thanks for your help.

Cheers!



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4
reply to Anav

MY ACL rules did NOT work. :-( Apparently specifying the outside interface as a source was not the gotcha. I enabled a global implicit allow rule for any IP and had immediate success. Which means that:
a. Nat rules are good.
b. ACL rules still lacking in definition somewhere. but where???????



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

1 edit
reply to Anav

Okay, after much angst, I noticed I was missing an access-group rule pertaining to the outside interface. This is nowhere to be seen in the ACL manager in ASDM. (CLI command insert would have been too easy.)
Well, it's in the Access Rules, by attaching a rule to the default outbound object sitting there. Like I was supposed to figure that out from rule examples (not discussed in any, and I mean ANY, Cisco doc or googled search).

I thought I understood this conceptually. To apply access rules to the outside interface you have to open up the firewall interface, inasmuch as it's in a closed position. You apply this access-group rule to open the door. Then the router will allow traffic BUT only according to the rules you have stipulated for the outbound interface. At least that's what I am hoping. I would hate to think it's wide open now.
What bothers me is that by invoking this access-group rule it created another rule, IP any any allowed, as per below.

IS this finally the correct ACL structure????

access-list TFS-FWrule extended permit object TFS object-group TFS-usergroup object VS-pcIP
access-list TFS-FWrule extended permit object TFS object Corporate-user object VS-pcIP
access-list OM-FWrule extended permit object-group OMServiceGroup object-group TFS-usergroup object VS-pcIP
access-list RDP-FWrule extended permit object RDP object-group TFS-usergroup object VS-pcIP
access-list Corporate-OMFWrule extended permit object-group CorporateServiceGroup object Corporate-user object VS-pcIP
access-list outside_access_in extended permit ip any any

access-group outside_access_in in interface outside

The bolded text is what invoking a global outside access rule created (unexpectedly) along with the expected access group rule in italics.

I am also starting to think that using the ACL manager might have been a waste of time and I should make all rules in the Access Rules section.

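The points this thread keeps circling (whether the firewall rule sees the public or the private address, why a written ACL does nothing until access-group binds it to an interface, why return traffic needs no rule, and what a permit ip any any on outside actually opens) can be seen in a small model. The following is an added Python sketch written for this page; it is not Cisco code and was not posted by anyone in the thread. It reproduces the ASA 8.3+ behaviour in which the access rule is evaluated against the real (untranslated) address and port after NAT has been undone. The addresses 203.0.113.230, 198.51.100.133, 192.0.2.7 and 192.0.2.80 are constructed documentation-range stand-ins for the masked IPs above; the server address 192.168.24.34 and the public 80 to real 5080 and 8080 mappings come from the posted config.

```python
# Toy model of the ASA 8.3+ inbound packet path (constructed illustration, not
# Cisco code): NAT un-translation runs first, then the ACL that 'access-group'
# binds to the ingress interface, then the implicit deny. Documentation-range
# addresses stand in for the thread's masked IPs.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

OUTSIDE_IP = "203.0.113.230"     # stands in for ab.abc.def.230 (constructed)
SERVER_IP = "192.168.24.34"      # VS-pcIP, the real server address from the thread
TRUSTED_USER = "198.51.100.133"  # stands in for the -remote1 host (constructed)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class StaticNat:  # nat (main-lan,outside) static interface service tcp REAL MAPPED
    real_ip: str
    mapped_ip: str
    real_port: int
    mapped_port: int

@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"; on 8.3+ this is the REAL address
    dport: Optional[int]  # None matches any port, like 'permit ip any any'

def _match(ip, spec):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

@dataclass
class Asa:
    nat_rules: list
    access_lists: dict   # ACL name -> list of Ace
    access_groups: dict  # ingress interface -> ACL name, i.e. 'access-group NAME in interface IF'
    conns: set = field(default_factory=set)
    pat_port: int = 1024

    def untranslate(self, pkt):
        """Step 1: map the public destination back to the real host and port."""
        for r in self.nat_rules:
            if pkt.dst == r.mapped_ip and pkt.dport == r.mapped_port:
                return Packet(pkt.src, pkt.sport, r.real_ip, r.real_port)
        return pkt

    def outbound(self, pkt):
        """Dynamic PAT for an inside-initiated flow; records the connection."""
        self.pat_port += 1
        self.conns.add((pkt.dst, pkt.dport, OUTSIDE_IP, self.pat_port))
        return Packet(OUTSIDE_IP, self.pat_port, pkt.dst, pkt.dport)

    def inbound(self, ingress, pkt):
        """Verdict for a packet arriving on `ingress` ('outside' in the thread)."""
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.conns:
            return "permit (established connection)"  # replies bypass the ACL
        real = self.untranslate(pkt)
        acl_name = self.access_groups.get(ingress)
        if acl_name is None:  # a defined but unbound ACL does nothing
            return f"drop (no access-group on interface {ingress})"
        for ace in self.access_lists[acl_name]:
            if (_match(real.src, ace.src) and _match(real.dst, ace.dst)
                    and ace.dport in (None, real.dport)):
                return f"{ace.action} {real.dst}:{real.dport}"
        return "deny (implicit deny at end of ACL)"

NAT = [StaticNat(SERVER_IP, OUTSIDE_IP, 5080, 80),     # NAT4WWW2OM1: public 80 -> real 5080
       StaticNat(SERVER_IP, OUTSIDE_IP, 8080, 8080)]   # NAT4TFS
SPECIFIC_ACL = [Ace("permit", TRUSTED_USER + "/32", SERVER_IP + "/32", 5080),  # real port!
                Ace("permit", TRUSTED_USER + "/32", SERVER_IP + "/32", 8080),
                Ace("deny", "any", "any", None)]

def run_scenarios():
    web = Packet(TRUSTED_USER, 40000, OUTSIDE_IP, 80)
    stranger = Packet("192.0.2.7", 40001, OUTSIDE_IP, 80)
    out = {}
    # a) ACL written but never applied: everything entering 'outside' is dropped
    asa = Asa(NAT, {"outside_access_in": SPECIFIC_ACL}, {})
    out["unbound"] = asa.inbound("outside", web)
    # b) bound ACL: the trusted user lands on the real port, anyone else hits the deny
    asa = Asa(NAT, {"outside_access_in": SPECIFIC_ACL}, {"outside": "outside_access_in"})
    out["trusted"] = asa.inbound("outside", web)
    out["stranger"] = asa.inbound("outside", stranger)
    # c) pre-8.3 style ACE naming the public IP and port never matches after un-translation
    asa = Asa(NAT, {"acl": [Ace("permit", "any", OUTSIDE_IP + "/32", 80)]}, {"outside": "acl"})
    out["mapped_ip_in_ace"] = asa.inbound("outside", web)
    # d) 'permit ip any any' bound to outside exposes every static NAT to every source
    asa = Asa(NAT, {"acl": [Ace("permit", "any", "any", None)]}, {"outside": "acl"})
    out["any_any"] = asa.inbound("outside", stranger)
    # e) the reply to an inside-initiated connection needs no ACE at all
    asa = Asa(NAT, {}, {})
    sent = asa.outbound(Packet("192.168.24.7", 50000, "192.0.2.80", 443))
    out["reply"] = asa.inbound("outside", Packet(sent.dst, sent.dport, sent.src, sent.sport))
    return out
```

Calling run_scenarios() shows the unbound ACL dropping everything, the trusted source reaching 192.168.24.34:5080 through the port translation, an ACE written against the public IP never matching on 8.3+, the reply to an outbound connection passing with no ACE, and the permit ip any any line admitting an arbitrary source to every translated service, which is why a list of specific permits ending in an explicit deny is the safer shape for outside_access_in.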



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

Bingo (I am also starting to think that using the ACL manager might have been a waste of time and I should make all rules in the Access Rules section).

I deleted all and made rules only from the ACCESS RULE menu and NOT from the ACL manager. I am surmising the manager should NOT be used to make new ones, just to modify existing ones (parameters).

A case of smart CLI people here but not savvy in ASDM. :-P

Here is my latest and last, so confident am I Yoda!!
(I added a deny all as the last rule)

access-list outside_access_in remark Access to VS-TFS
access-list outside_access_in extended permit object TFS object-group TFS-usergroup object VS-pcIP
access-list outside_access_in extended permit object TFS object Corporate-user object VS-pcIP
access-list outside_access_in remark Access to Open Meetings
access-list outside_access_in extended permit object-group OMServiceGroup object-group TFS-usergroup object VS-pcIP
access-list outside_access_in extended permit object-group CorporateServiceGroup object Corporate-user object VS-pcIP
access-list outside_access_in remark remote access to VS
access-list outside_access_in extended permit object RDP object-group TFS-usergroup object VS-pcIP
access-list outside_access_in extended deny ip any any

access-group outside_access_in in interface outside



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

1 edit
reply to Anav

No joy. :-(
I even removed the last any any deny rule and still no luck.
Any ideas??

I added

access-list main-lan_access_in extended permit ip any any
and its associated.....
access-group main-lan_access_in in interface main-lan

and still no joy. :-(



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

The only way it works is if I put in a Global access rule before the implicit deny one that states permit any to any.........


HELLFIRE
Premium
join:2009-11-25
kudos:15
reply to Anav

You do realize Cisco, while all powerful, never developed most of its stuff inhouse, and just bought the companies that first developed them, right Anav?

Also should've warned you: while ACLs can do object groups, by NO means is ASA config object-oriented, which is what I think you're trying to do with your object groups -- again, ASA never really had that feature, so don't carry it over from Zyxel.

Glad you finally figured out ACL rules... basically what I told you in the other thread.

Can you repost your updated config again... I need to take another look at your object groupings and syntax.

Regards


phardacre

join:2004-01-19
UK
reply to Anav

Anav,

Have been following your threads.. Thought I'd jump in and post some of my config from home that is working.. I'm also using ASA 8.4 on a 5505. Pretty sure I set mine up through ASDM so I'm not 100% sure whether the service objects are actually needed or not. Note - this is just an extract and not the whole config, there's a lot more on that outside-acl.


object network obj-WebServer
host 192.168.101.x

object service obj-tcp-source-eq-80
service tcp source eq www
object service obj-tcp-source-eq-22
service tcp source eq ssh
object service obj-tcp-source-eq-xxxx
service tcp source eq xxxx
object service obj-tcp-source-eq-1723
service tcp source eq pptp

access-list outside-acl extended permit tcp any host 192.168.101.x eq www
access-list outside-acl extended permit tcp any host 192.168.101.x eq ssh
access-list outside-acl extended permit tcp any host 192.168.101.x eq pptp
access-list outside-acl extended permit gre any host 192.168.101.x

object network obj-WebServer
nat (inside,outside) static interface service tcp www www
object network obj-MacMiniSSH
nat (inside,outside) static interface service tcp ssh xxxx
object network obj-MacMiniPPTP
nat (inside,outside) static interface service tcp pptp pptp

access-group outside-acl in interface outside


Hopefully, that's of some use to you! This reminds me, I need to get rid of that PPTP VPN now I've got AnyConnect up and running.. :)



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4
reply to Anav

Will try to post a config later today. Your config looks very similar to mine except I use more objects predefined. What bugs me is if I put in a global implicit permit rule just before the global implicit deny rule, it all works. This tells me my NATting is correct and the ACLs are not working??



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

1 edit
reply to Anav

Not at the unit right now but I have a saved copy........
The only thing I have not been able to figure out is why in ASDM it creates three network objects that are not used anywhere; one of them is the outside network
ab.abc.def.224 with netmask of 255.255.255.248
(now .224 is neither my IP nor the IP gateway).
I will reiterate: by putting an implicit permit any global IP rule before the implicit deny any global IP rule, my private servers become available.

The last major changes made have been
(1) to embed NAT rules within objects (and thus even though I created an object of the private server VS-ipPC, I have created many more with the same host IP, but they are embedded NAT objects with different names).
(2) delete all ACL manager created rules (no interface connection doing it this wrong way) and recreate them from the ACCESS RULES menu selection.

: Saved
:
ASA Version 8.4(3)
!
hostname zyxelbeatsbattlestargalacticaandCisco
enable password SrnWJ82Q9IsDq97j encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 12
!
interface Ethernet0/7
switchport access vlan 12
!
interface Vlan1
no forward interface Vlan12
nameif main-lan
security-level 100
ip address 192.168.24.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address ab.abc.def.230 255.255.255.248
!
interface Vlan12
nameif admin-dmz
security-level 100
ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
clock timezone AST -4
clock summer-time ADT recurring
same-security-traffic permit inter-interface
object network obj_any_main-lan
subnet 0.0.0.0 0.0.0.0
description Applied by router ---> SNAT for main lan
object network TrustedInternetUsers
subnet ab.abc.def.0 255.255.255.0
object network Corporate-user
host 555.555.555.98
description Corporate Ojbect for access to TFS, OM
object network -remote-h
subnet 11.111.0.0 255.255.0.0
object network -remote-w
subnet 22.222.222.0 255.255.255.0
object network -remote2
host 33.3.333.4
object network -remote1
host 444.44.444.133
object network ISP-GatewayIP
host ab.abc.def.225
object network VS-pcIP
host 192.168.24.34
object network obj_any-admin-dmz
subnet 0.0.0.0 0.0.0.0
description Used to apply SNAT for DMZ (internet access)
object service input-port
service tcp source eq www destination eq www
object service OM1
service tcp source eq 5080 destination eq 5080
object service OM2
service tcp source eq 8088 destination eq 8088
object service OM3
service tcp source eq https destination eq https
object service TFS
service tcp source eq 8080 destination eq 8080
object service RDP
service tcp source eq 3389 destination eq 3389
object service RouterAdmin
service tcp source eq 33349 destination eq 33349
object network NAT4OM3
host 192.168.24.34
object network NAT4OM1
host 192.168.24.34
object network NAT4OM2
host 192.168.24.34
object network NAT4RDP
host 192.168.24.34
object network NAT4TFS
host 192.168.24.34
object network NAT4WWW2OM1
host 192.168.24.34
object-group network Router-Admin
description Remote access to adjust router settings
network-object object -remote1
network-object object TrustedInternetUsers
object-group network TFS-usergroup
description Agilegroup Access TFS, Open Meetings and RDP
network-object object TrustedInternetUsers
network-object object -remote-h
network-object object -remote-w
network-object object -remote1
network-object object -remote2
object-group service OMServiceGroup
service-object object OM1
service-object object OM2
service-object object OM3
object-group service CorporateServiceGroup
service-object object OM2
service-object object input-port
service-object object OM3
access-list outside_access_in remark Access to VS-TFS
access-list outside_access_in extended permit object TFS object-group TFS-usergroup object VS-pcIP
access-list outside_access_in extended permit object TFS object Corporate-user object VS-pcIP
access-list outside_access_in remark Access to Open Meetings
access-list outside_access_in extended permit object-group OMServiceGroup object-group TFS-usergroup object VS-pcIP
access-list outside_access_in extended permit object-group CorporateServiceGroup object Corporate-user object VS-pcIP
access-list outside_access_in remark remote access to VS
access-list outside_access_in extended permit object RDP object-group TFS-usergroup object VS-pcIP
pager lines 24
logging asdm informational
mtu main-lan 1500
mtu outside 1500
mtu admin-dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any_main-lan
nat (main-lan,outside) dynamic interface
object network obj_any-admin-dmz
nat (admin-dmz,outside) dynamic interface
object network NAT4OM3
nat (main-lan,outside) static interface service tcp https https
object network NAT4OM1
nat (main-lan,outside) static interface service tcp 5080 5080
object network NAT4OM2
nat (main-lan,outside) static interface service tcp 8088 8088
object network NAT4RDP
nat (main-lan,outside) static interface service tcp 3389 3389
object network NAT4TFS
nat (main-lan,outside) static interface service tcp 8080 8080
object network NAT4WWW2OM1
nat (main-lan,outside) static interface service tcp 5080 www
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ab.abc.def.225 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable 33349
http server session-timeout 60
http 192.168.2.0 255.255.255.0 admin-dmz
http 192.168.24.0 255.255.255.0 main-lan
http 444.44.444.133 255.255.255.255 outside
http ab.abc.def.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.24.0 255.255.255.0 main-lan
ssh 444.44.444.133 255.255.255.255 outside
ssh ab.abc.def.0 255.255.255.0 outside
ssh 192.168.2.0 255.255.255.0 admin-dmz
ssh timeout 10
ssh version 2
console timeout 0

dhcpd address 192.168.24.5-192.168.24.10 main-lan
dhcpd dns 66.666.6.96 66.666.6.97 interface main-lan
dhcpd enable main-lan
!
dhcpd dns 66.666.6.96 66.666.6.97 interface outside
!
dhcpd address 192.168.2.5-192.168.2.10 admin-dmz
dhcpd dns 66.666.6.96 66.666.6.97 interface admin-dmz
dhcpd enable admin-dmz
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 209.87.233.53 source outside
webvpn
username user5 password Xl5915GPBhncsPAQ encrypted
username user3 password mAVJxjP/lM8yc59F encrypted
username user4 password w7V/UFyrOwnQknqm encrypted
username user2 password .NJvJ7zi.ROsatP7 encrypted
username user1 password OZCdJRBWiCmcaFZ. encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b8135c36da331e34243baa55a8fe8c5a
: end
no asdm history enable
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment


phardacre

join:2004-01-19
UK

said by Anav:

object service input-port
service tcp source eq www destination eq www
object service OM1
service tcp source eq 5080 destination eq 5080
object service OM2
service tcp source eq 8088 destination eq 8088
object service OM3
service tcp source eq https destination eq https
object service TFS
service tcp source eq 8080 destination eq 8080
object service RDP
service tcp source eq 3389 destination eq 3389
object service RouterAdmin
service tcp source eq 33349 destination eq 33349

Hi Anav,

Only thing I can see different with yours is that you're specifying both the source and destination ports in your service objects.

Now, for example, the www will not match as the source and dest ports are highly unlikely to be the same as the source ports are dynamically allocated on the client.

My suggestion is to try changing to just specifying the source in the service objects and see if that works. It's a bit backwards specifying the source when you're actually talking about the destination, but that's the ASA for you.

Have a look at »supportforums.cisco.com/thread/2119394

Paul
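
phardacre's point, modelled as an added example that is not from the thread: a service object that pins the source port cannot match a client's randomly chosen source port, while one that names only the destination port does. The model assumes ASA 8.3+ behaviour, where the static NAT is untranslated before the inbound ACL is evaluated against the real address and port (which is why the posted ACL names VS-pcIP rather than the outside IP); the outside interface address and the client address are constructed placeholders.

```python
import ipaddress
from typing import NamedTuple, Optional

class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class ServiceObject(NamedTuple):
    """Models 'service tcp [source eq N] [destination eq M]'; None means any port."""
    src_eq: Optional[int] = None
    dst_eq: Optional[int] = None
    def matches(self, f: Flow) -> bool:
        return ((self.src_eq is None or f.src_port == self.src_eq)
                and (self.dst_eq is None or f.dst_port == self.dst_eq))

class StaticPat(NamedTuple):
    """Models 'nat (main-lan,outside) static interface service tcp REAL MAPPED'."""
    real_ip: str
    real_port: int
    mapped_ip: str
    mapped_port: int
    def untranslate(self, f: Flow) -> Optional[Flow]:
        if (f.dst_ip, f.dst_port) == (self.mapped_ip, self.mapped_port):
            return Flow(f.src_ip, f.src_port, self.real_ip, self.real_port)
        return None

def acl_permits(acl, nats, flow):
    """Untranslate via static NAT first, then match the inbound ACL (entries of
    (service, source_network, real_dest_host)) against the REAL addresses and
    ports, as ASA 8.3+ does. No matching entry means the implicit deny fires."""
    real = next((r for n in nats if (r := n.untranslate(flow)) is not None), None)
    if real is None:
        return False
    for svc, src_net, dst_host in acl:
        if (ipaddress.ip_address(real.src_ip) in ipaddress.ip_network(src_net)
                and real.dst_ip == dst_host and svc.matches(real)):
            return True
    return False

# Constructed sample values: 203.0.113.230 is a placeholder for the outside
# interface (ab.abc.def.230); VS-pcIP is 192.168.24.34 as in the posted config.
NATS = [StaticPat("192.168.24.34", 5080, "203.0.113.230", 80)]   # NAT4WWW2OM1
TRUSTED = "203.0.113.0/24"                                       # TrustedInternetUsers
OM1_BOTH = ServiceObject(src_eq=5080, dst_eq=5080)   # source AND destination, as posted
OM1_DST = ServiceObject(dst_eq=5080)                 # destination port only
CLIENT = Flow("203.0.113.77", 51234, "203.0.113.230", 80)  # ephemeral source port
def posted_rule_permits() -> bool:
    return acl_permits([(OM1_BOTH, TRUSTED, "192.168.24.34")], NATS, CLIENT)
def dest_only_rule_permits() -> bool:
    return acl_permits([(OM1_DST, TRUSTED, "192.168.24.34")], NATS, CLIENT)
```

With the posted two-port object the flow falls through to the implicit deny, which is the symptom of "it only works when I add a permit any" described earlier in the thread.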


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4


Comments:
(1) Probably because I am using the ASDM mode to program those and it's easy to do??

(2) My natting and objects work fine because when I open up the implicit global deny rule, it all works!! So I am surmising it's my ACLs that are the hold up, not NAT or objects.

(3) I read through the link and......... I think this is what you're pointing to........

Hello Thiago,
I am glad it worked, I have tried on my lab and the result was unsuccessful (it did not allow me to use an object-group service on the nat) so you will need to do it one by one.


Perhaps, but not according to the manuals, which indicate it's clearly possible (and efficient) - see my comment (2).

Edit: Okay, there is a chance that the double port usage in the object rules is playing havoc in the ACL rules, which have all groups.......... Will test when I get a chance.

Here is the CLI config guide.......

service {protocol | icmp icmp-type | icmp6 icmp6-type | {tcp | udp} [source operator port] [destination operator port]}

Example:

hostname(config-service-object)# service tcp source eq www destination eq ssh

From the ASDM config guide.......

Step 1 In the Configuration > Firewall > Objects > Service Object/Group pane, click Add.

Step 2 Choose Service Object from the drop-down list.

Step 3 In the name field, enter a name for the service object. Use characters a to z, A to Z, 0 to 9, a period, a dash, a comma, or an underscore. The name must be 64 characters or fewer.

Step 4 From the Service Type field, choose the desired type: tcp, udp, icmp, or icmp6 protocol.

Step 5 (Optional) If you chose tcp or udp as the Service Type, enter the following:

• Destination Port/Range

• Source Port/Range—Lists the protocol source ports/ranges.

• Description—Lists the service group description.

Step 6 (Optional) If you chose icmp or icmp6 as the Service Type, enter the following:

• ICMP type—Lists the service group ICMP type.

• Description—Lists the service group description.

Step 7 If you chose protocol as the Service Type, enter the following:

• Protocol—Lists the service group protocol.

• Description—Lists the service group description.

Step 8 Click OK to save the configuration.



HELLFIRE
Premium
join:2009-11-25
kudos:15
reply to Anav

Think this is the guide you want to be following to correct your ACLs Anav, specifically the section on "Adding an Extended
Access List." It all goes back to what I was telling you in the other thread in that you're misordering
the elements in the ACL -- namely putting the port #s BEFORE the source and destination IP addresses.

$20 says if you put up the syslogs of test traffic hitting the ASA, you'd see no matches on any of
your ACL lines and all inbound traffic from your outside interface hitting the default deny at the
end of the ACL.

Try moving your tcp port groups to the END of the ACL like so and let us know how it goes.

access-list outside_access_in extended permit object-group TFS-usergroup object VS-pcIP object TFS
access-list outside_access_in extended permit object Corporate-user object VS-pcIP object TFS 
access-list outside_access_in extended permit object-group TFS-usergroup object VS-pcIP object-group OMServiceGroup 
access-list outside_access_in extended permit object Corporate-user object VS-pcIP object-group CorporateServiceGroup 
access-list outside_access_in extended permit object-group TFS-usergroup object VS-pcIP object RDP 
 

I'd also give phardacre's suggestion a try about not specifying source and destination ports
as well. Again, not sure if you're carrying this over from Zyxel or trying to do the "map
port x to port y on nat" but that's not how it works on ASA.

Last suggestion, and it's more best practice than anything : write yourself two ACLs, 1 for PROD and one
for Development. That way if you have to only test but do NOT want to rebuild the PROD ACL everytime
you don't have to.

Regards


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

Thanks Hellfire, I will give it a whirl. I am not making up the ACL construction, just following the bouncing ball (as with objects), and it would not surprise me to find out I'm filling out too much info.
I thought I saw some ACL rules like mine with groups, but obviously I'm fried on reading Cisco config docs, example docs, tech docs, example videos and numerous forums.


HELLFIRE
Premium
join:2009-11-25
kudos:15
reply to Anav

said by Anav:

... but obviously I'm fried on reading Cisco config docs, example docs, tech docs, example videos and numerous forums.

If you weren't, it wouldn't be a learning experience now, would it?

Regards