Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to Anav

Re: [HELP] NAT vs Route vs ACL -ASA5505

The only way it works is if I put in a global access rule before the implicit deny one that states permit any to any.

HELLFIRE
Premium
join:2009-11-25
kudos:19
reply to Anav
You do realize Cisco, while all-powerful, never developed most of its stuff in-house, and just bought the companies that first developed them, right Anav?

Also, I should've warned you: while ACLs can do object groups, by NO means is ASA config object-oriented, which is what I think you're trying to do with your object groups -- again, ASA never really had that feature, so don't carry it over from Zyxel.

Glad you finally figured out ACL rules... basically what I told you in the other thread.

Can you repost your updated config again? I need to take another look at your object groupings and syntax.

Regards

phardacre

join:2004-01-19
UK
reply to Anav
Anav,

Have been following your threads. Thought I'd jump in and post some of my config from home that is working. I'm also using ASA 8.4 on a 5505. Pretty sure I set mine up through ASDM, so I'm not 100% sure whether the service objects are actually needed or not. Note: this is just an extract and not the whole config; there's a lot more on that outside-acl.


object network obj-WebServer
host 192.168.101.x

object service obj-tcp-source-eq-80
service tcp source eq www
object service obj-tcp-source-eq-22
service tcp source eq ssh
object service obj-tcp-source-eq-xxxx
service tcp source eq xxxx
object service obj-tcp-source-eq-1723
service tcp source eq pptp

access-list outside-acl extended permit tcp any host 192.168.101.x eq www
access-list outside-acl extended permit tcp any host 192.168.101.x eq ssh
access-list outside-acl extended permit tcp any host 192.168.101.x eq pptp
access-list outside-acl extended permit gre any host 192.168.101.x

object network obj-WebServer
nat (inside,outside) static interface service tcp www www
object network obj-MacMiniSSH
nat (inside,outside) static interface service tcp ssh xxxx
object network obj-MacMiniPPTP
nat (inside,outside) static interface service tcp pptp pptp

access-group outside-acl in interface outside


Hopefully that's of some use to you! This reminds me, I need to get rid of that PPTP VPN now I've got AnyConnect up and running. :)


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to Anav
Will try to post a config later today. Your config looks very similar to mine, except I use more predefined objects. What bugs me is that if I put in a global implicit permit rule just before the global implicit deny rule, it all works. This tells me my NATting is correct and the ACLs are not working??


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

1 edit
reply to Anav
Not at the unit right now but I have a saved copy........
The only thing I have not been able to figure out is why ASDM creates three network objects that are not used anywhere; one of them is the outside network
ab.abc.def.224 with netmask of 255.255.255.248
(now .224 is neither my IP nor the gateway IP).
I will reiterate: by putting an implicit permit any global IP rule before the implicit deny any global IP rule, my private servers become available.

The last major changes made have been
(1) to embed NAT rules within objects (and thus, even though I created an object of the private server VS-ipPC, I have created many more with the same host IP, but they are embedded NAT objects with different names);
(2) to delete all ACL Manager created rules (no interface connection doing it this wrong way) and recreate them from the ACCESS RULES menu selection.

: Saved
:
ASA Version 8.4(3)
!
hostname zyxelbeatsbattlestargalacticaandCisco
enable password SrnWJ82Q9IsDq97j encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 12
!
interface Ethernet0/7
switchport access vlan 12
!
interface Vlan1
no forward interface Vlan12
nameif main-lan
security-level 100
ip address 192.168.24.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address ab.abc.def.230 255.255.255.248
!
interface Vlan12
nameif admin-dmz
security-level 100
ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
clock timezone AST -4
clock summer-time ADT recurring
same-security-traffic permit inter-interface
object network obj_any_main-lan
subnet 0.0.0.0 0.0.0.0
description Applied by router ---> SNAT for main lan
object network TrustedInternetUsers
subnet ab.abc.def.0 255.255.255.0
object network Corporate-user
host 555.555.555.98
description Corporate Ojbect for access to TFS, OM
object network -remote-h
subnet 11.111.0.0 255.255.0.0
object network -remote-w
subnet 22.222.222.0 255.255.255.0
object network -remote2
host 33.3.333.4
object network -remote1
host 444.44.444.133
object network ISP-GatewayIP
host ab.abc.def.225
object network VS-pcIP
host 192.168.24.34
object network obj_any-admin-dmz
subnet 0.0.0.0 0.0.0.0
description Used to apply SNAT for DMZ (internet access)
object service input-port
service tcp source eq www destination eq www
object service OM1
service tcp source eq 5080 destination eq 5080
object service OM2
service tcp source eq 8088 destination eq 8088
object service OM3
service tcp source eq https destination eq https
object service TFS
service tcp source eq 8080 destination eq 8080
object service RDP
service tcp source eq 3389 destination eq 3389
object service RouterAdmin
service tcp source eq 33349 destination eq 33349
object network NAT4OM3
host 192.168.24.34
object network NAT4OM1
host 192.168.24.34
object network NAT4OM2
host 192.168.24.34
object network NAT4RDP
host 192.168.24.34
object network NAT4TFS
host 192.168.24.34
object network NAT4WWW2OM1
host 192.168.24.34
object-group network Router-Admin
description Remote access to adjust router settings
network-object object -remote1
network-object object TrustedInternetUsers
object-group network TFS-usergroup
description Agilegroup Access TFS, Open Meetings and RDP
network-object object TrustedInternetUsers
network-object object -remote-h
network-object object -remote-w
network-object object -remote1
network-object object -remote2
object-group service OMServiceGroup
service-object object OM1
service-object object OM2
service-object object OM3
object-group service CorporateServiceGroup
service-object object OM2
service-object object input-port
service-object object OM3
access-list outside_access_in remark Access to VS-TFS
access-list outside_access_in extended permit object TFS object-group TFS-usergroup object VS-pcIP
access-list outside_access_in extended permit object TFS object Corporate-user object VS-pcIP
access-list outside_access_in remark Access to Open Meetings
access-list outside_access_in extended permit object-group OMServiceGroup object-group TFS-usergroup object VS-pcIP
access-list outside_access_in extended permit object-group CorporateServiceGroup object Corporate-user object VS-pcIP
access-list outside_access_in remark remote access to VS
access-list outside_access_in extended permit object RDP object-group TFS-usergroup object VS-pcIP
pager lines 24
logging asdm informational
mtu main-lan 1500
mtu outside 1500
mtu admin-dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any_main-lan
nat (main-lan,outside) dynamic interface
object network obj_any-admin-dmz
nat (admin-dmz,outside) dynamic interface
object network NAT4OM3
nat (main-lan,outside) static interface service tcp https https
object network NAT4OM1
nat (main-lan,outside) static interface service tcp 5080 5080
object network NAT4OM2
nat (main-lan,outside) static interface service tcp 8088 8088
object network NAT4RDP
nat (main-lan,outside) static interface service tcp 3389 3389
object network NAT4TFS
nat (main-lan,outside) static interface service tcp 8080 8080
object network NAT4WWW2OM1
nat (main-lan,outside) static interface service tcp 5080 www
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ab.abc.def.225 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable 33349
http server session-timeout 60
http 192.168.2.0 255.255.255.0 admin-dmz
http 192.168.24.0 255.255.255.0 main-lan
http 444.44.444.133 255.255.255.255 outside
http ab.abc.def.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.24.0 255.255.255.0 main-lan
ssh 444.44.444.133 255.255.255.255 outside
ssh ab.abc.def.0 255.255.255.0 outside
ssh 192.168.2.0 255.255.255.0 admin-dmz
ssh timeout 10
ssh version 2
console timeout 0

dhcpd address 192.168.24.5-192.168.24.10 main-lan
dhcpd dns 66.666.6.96 66.666.6.97 interface main-lan
dhcpd enable main-lan
!
dhcpd dns 66.666.6.96 66.666.6.97 interface outside
!
dhcpd address 192.168.2.5-192.168.2.10 admin-dmz
dhcpd dns 66.666.6.96 66.666.6.97 interface admin-dmz
dhcpd enable admin-dmz
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 209.87.233.53 source outside
webvpn
username user5 password Xl5915GPBhncsPAQ encrypted
username user3 password mAVJxjP/lM8yc59F encrypted
username user4 password w7V/UFyrOwnQknqm encrypted
username user2 password .NJvJ7zi.ROsatP7 encrypted
username user1 password OZCdJRBWiCmcaFZ. encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b8135c36da331e34243baa55a8fe8c5a
: end
no asdm history enable
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment

phardacre

join:2004-01-19
UK
said by Anav:

object service input-port
service tcp source eq www destination eq www
object service OM1
service tcp source eq 5080 destination eq 5080
object service OM2
service tcp source eq 8088 destination eq 8088
object service OM3
service tcp source eq https destination eq https
object service TFS
service tcp source eq 8080 destination eq 8080
object service RDP
service tcp source eq 3389 destination eq 3389
object service RouterAdmin
service tcp source eq 33349 destination eq 33349

Hi Anav,

Only thing I can see different with yours is that you're specifying both the source and destination ports in your service objects.

Now, for example, the www will not match, as the source and dest ports are highly unlikely to be the same, since the source ports are dynamically allocated on the client.

My suggestion is to try changing to just specifying the source in the service objects and see if that works. It's a bit backwards specifying the source when you're actually talking about the destination, but that's the ASA for you.

Have a look at »supportforums.cisco.com/thread/2 ··· /2119394

Paul


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

1 edit
Comments:
(1) Probably because I am using the ASDM mode to program those and it's easy to do??

(2) My NATting and objects work fine, because when I open up the implicit global deny rule, it all works!! So I am surmising it's my ACLs that are the hold-up, not NAT or objects.

(3) I read through the link and......... I think this is what you're pointing to........

Hello Thiago,
I am glad it worked, I have tried on my lab and the result was unsuccessful (it did not allow me to use an object-group service on the nat) so you will need to do it one by one.


Perhaps, but not according to the manuals, which indicate it's clearly possible (and efficient) - see my comment (2).

Edit: Okay, there is a chance that the double port usage in the object rules is playing havoc in the ACL rules, which have all groups.......... Will test when I get a chance.

Here is the CLI config guide.......
service {protocol | icmp icmp-type | icmp6 icmp6-type | {tcp | udp} [source operator port] [destination operator port]}

Example:

hostname(config-service-object)# service tcp source eq www destination eq ssh

From the ASDM config guide.......

Step 1 In the Configuration > Firewall > Objects > Service Object/Group pane, click Add.

Step 2 Choose Service Object from the drop-down list.

Step 3 In the name field, enter a name for the service object. Use characters a to z, A to Z, 0 to 9, a period, a dash, a comma, or an underscore. The name must be 64 characters or fewer.

Step 4 From the Service Type field, choose the desired type: tcp, udp, icmp, or icmp6 protocol.

Step 5 (Optional) If you chose tcp or udp as the Service Type, enter the following:

•Destination Port/Range

•Source Port/Range—Lists the protocol source ports/ranges.

•Description—Lists the service group description.

Step 6 (Optional) If you chose icmp or icmp6 as the Service Type, enter the following:

•ICMP type—Lists the service group ICMP type.

•Description—Lists the service group description.

Step 7 If you chose protocol as the Service Type, enter the following:

•Protocol—Lists the service group protocol.

•Description—Lists the service group description.

Step 8 Click OK to save the configuration.


HELLFIRE
Premium
join:2009-11-25
kudos:19
reply to Anav
Think this is the guide you want to be following to correct your ACLs, Anav, specifically the section on "Adding an Extended Access List." It all goes back to what I was telling you in the other thread, in that you're misordering the elements in the ACL -- namely putting the port #s BEFORE the source and destination IP addresses.

$20 says if you put up the syslogs of test traffic hitting the ASA, you'd see no matches on any of your ACL lines and all inbound traffic from your outside interface hitting the default deny at the end of the ACL.

Try moving your tcp port groups to the END of the ACL like so and let us know how it goes.

access-list outside_access_in extended permit object-group TFS-usergroup object VS-pcIP object TFS
access-list outside_access_in extended permit object Corporate-user object VS-pcIP object TFS
access-list outside_access_in extended permit object-group TFS-usergroup object VS-pcIP object-group OMServiceGroup
access-list outside_access_in extended permit object Corporate-user object VS-pcIP object-group CorporateServiceGroup
access-list outside_access_in extended permit object-group TFS-usergroup object VS-pcIP object RDP

I'd also give phardacre's suggestion a try about not specifying source and destination ports as well. Again, not sure if you're carrying this over from Zyxel or trying to do the "map port x to port y on nat" but that's not how it works on ASA.

Last suggestion, and it's more best practice than anything: write yourself two ACLs, one for PROD and one for Development. That way, if you only have to test but do NOT want to rebuild the PROD ACL every time, you don't have to.

Regards


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
Thanks Hellfire, I will give it a whirl. I am not making up the ACL construction, just following the bouncing ball (as with objects), and it would not surprise me to find out I'm filling out too much info.
I thought I saw some ACL rules like mine with groups, but obviously I'm fried on reading Cisco config docs, example docs, tech docs, example videos and numerous forums.

HELLFIRE
Premium
join:2009-11-25
kudos:19
reply to Anav
said by Anav:

... but obviously I'm fried on reading Cisco config docs, example docs, tech docs, example videos and numerous forums.

If you weren't, it wouldn't be a learning experience now, would it?

Regards


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

2 edits
reply to Anav
Okay, before I tried anything I ran packet tracer with the unit hooked up. GUESS WHAT... It adored my ACLs.... ;-P
The problem is NAT.

In any case I changed all service ports from both source and destination to JUST source. (I tried just destination and the ASDM config wouldn't let me, something about a conflict with IPv6, which made no sense to me.)

Changing the ports from both source and dest to just source made NO difference on packet tracer.

Here is the latest running config

: Saved
:
ASA Version 8.4(3)
!
hostname AgileDevelopment
enable password SrnWJ82Q9IsDq97j encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 12
!
interface Ethernet0/7
switchport access vlan 12
!
interface Vlan1
no forward interface Vlan12
nameif main-lan
security-level 100
ip address 192.168.24.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address ab.abc.def.230 255.255.255.248
!
interface Vlan12
nameif admin-dmz
security-level 100
ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
clock timezone AST -2
clock summer-time ADT recurring
same-security-traffic permit inter-interface
object network obj_any_main-lan
subnet 0.0.0.0 0.0.0.0
description Applied by router ---> SNAT for main lan
object network TrustedInternetUsers
subnet ab.abc.def.0 255.255.255.0
object network Corporate-user
host .98
description Corp Ojbect for access to TFS, OM
object network 3-remote-h
subnet .0.0 255.255.0.0
object network 3-remote-w
subnet .0 255.255.255.0
object network 1-remote
host .4
object network 2-remote
host .133
object network ISP-GatewayIP
host ab.abc.def.225
object network VS-pcIP
host 192.168.24.34
object network obj_any-admin-dmz
subnet 0.0.0.0 0.0.0.0
description Used to apply SNAT for DMZ (internet access)
object service input-port
service tcp source eq www
object service OM1
service tcp source eq 5080
object service OM2
service tcp source eq 8088
object service OM3
service tcp source eq https
object service TFS
service tcp source eq 8080
object service RDP
service tcp source eq 3389
object service RouterAdmin
service tcp source eq 3334
object network NAT4OM3
host 192.168.24.34
object network NAT4OM1
host 192.168.24.34
object network NAT4OM2
host 192.168.24.34
object network NAT4RDP
host 192.168.24.34
object network NAT4TFS
host 192.168.24.34
object network NAT4WWW2OM1
host 192.168.24.34
object-group network Router-Admin
description Remote access to adjust router settings
network-object object 2-remote
network-object object TrustedInternetUsers
object-group network TFS-usergroup
description dept Access TFS, Open Meetings and RDP
network-object object TrustedInternetUsers
network-object object 3-remote-h
network-object object 3-remote-w
network-object object 1-remote
network-object object 2-remote
object-group service OMServiceGroup
service-object object OM1
service-object object OM2
service-object object OM3
object-group service CorporateServiceGroup
service-object object OM2
service-object object OM3
service-object object input-port
access-list outside_access_in remark Access to VS-TFS
access-list outside_access_in extended permit object TFS object-group TFS-usergroup object VS-pcIP
access-list outside_access_in extended permit object RDP object-group TFS-usergroup object VS-pcIP
access-list outside_access_in extended permit object TFS object Corporate-user object VS-pcIP
access-list outside_access_in remark Access to Open Meetings
access-list outside_access_in extended permit object-group OMServiceGroup object-group TFS-usergroup object VS-pcIP
access-list outside_access_in extended permit object-group CorporateServiceGroup object Corporate-user object VS-pcIP
access-list outside_access_in remark remote access to VS
pager lines 24
logging asdm informational
mtu main-lan 1500
mtu outside 1500
mtu admin-dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any_main-lan
nat (main-lan,outside) dynamic interface
object network obj_any-admin-dmz
nat (admin-dmz,outside) dynamic interface
object network NAT4OM3
nat (main-lan,outside) static interface service tcp https https
object network NAT4OM1
nat (main-lan,outside) static interface service tcp 5080 5080
object network NAT4OM2
nat (main-lan,outside) static interface service tcp 8088 8088
object network NAT4RDP
nat (main-lan,outside) static interface service tcp 3389 3389
object network NAT4TFS
nat (main-lan,outside) static interface service tcp 8080 8080
object network NAT4WWW2OM1
nat (main-lan,outside) static interface service tcp 5080 www
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ab.abc.def.225 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable 3334
http server session-timeout 60
http 192.168.2.0 255.255.255.0 admin-dmz
http 192.168.24.0 255.255.255.0 main-lan
http .133 255.255.255.255 outside
http ab.abc.def.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.24.0 255.255.255.0 main-lan
ssh .133 255.255.255.255 outside
ssh ab.abc.def.0 255.255.255.0 outside
ssh 192.168.2.0 255.255.255.0 admin-dmz
ssh timeout 10
ssh version 2
console timeout 0
dhcpd address 192.168.24.5-192.168.24.10 main-lan
dhcpd dns ab.0.0.96 ab.0.0.97 interface main-lan
dhcpd enable main-lan
!
dhcpd dns ab.0.0.96 ab.0.0.97 interface outside
!
dhcpd address 192.168.2.5-192.168.2.10 admin-dmz
dhcpd dns ab.0.0.96 ab.0.0.97 interface admin-dmz
dhcpd enable admin-dmz
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 209.87.233.53 source outside
webvpn
username user5- password Xl5915GPBhncsPAQ encrypted
username user3- password mAVJxjP/lM8yc59F encrypted
username user4- password w7V/UFyrOwnQknqm encrypted
username user2- password .NJvJ7zi.ROsatP7 encrypted
username user1- password OZCdJRBWiCmcaFZ. encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9cb5b5e2fb04a7c463aa077743174534
: end
no asdm history enable



phardacre

join:2004-01-19
UK
Anav,

You'd think from that that it was the NAT but I've seen it say that and it hasn't been. Based on the fact that when you open up the ACL completely and it works, I'd definitely say it's your ACL.

Have you tried Hellfire's suggestion of putting the port objects at the end? If I get a chance later I'll run a test on mine and see what happens.

Is there any reason you have to use the object group for the ports? Something like:
access-list outside_access_in extended permit tcp object-group TFS-usergroup object VS-pcIP eq 5080
access-list outside_access_in extended permit tcp object-group TFS-usergroup object VS-pcIP eq 8088
access-list outside_access_in extended permit tcp object-group TFS-usergroup object VS-pcIP eq https

should work equally well and to my mind is much easier to read.

Paul

phardacre

join:2004-01-19
UK
Ok, just tested on my ASA, from the CLI. If you specify object or object-group as the first argument after the "permit" you cannot put anything else in the ACL. My ASA won't even accept what you've got in your ACL.

Just in case you're thinking I'm on a different version:

asa(config)# sh ver

Cisco Adaptive Security Appliance Software Version 8.4(3)
Device Manager Version 6.4(7)


The only way I can see to do it is:

object-group service OMServiceGroup tcp
 port-object eq 5080
 port-object eq 8088
 port-object eq https
 
access-list outside_access_in extended permit tcp object-group TFS-usergroup object VS-pcIP object-group OMServiceGroup
 

In ASDM you can create that group as a "TCP Service Group"

Paul


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

2 edits
Okay, will try that today as well........... much thanks......
Like I said, ASDM fun.

Edit: Redid packet trace with correct destination. Success, except REAL WORLD test FAILED. Next to try recommendations on ACL format changes.

By the way, what the heck is unnat lookup in the packet tracer? It seemed to recognize (for a different packet trace test I did) the NAT rule (5080 80) but did more than just lookup, because at the NAT rule proper after ACL processing it used the NAT rule (5080 5080), which is a rule intended for other users that don't have outgoing port restrictions. Very confused.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

1 edit

HELP? lol
My remark about ACLs is that if I put in an ACL that states (global implicit any any permit) just before the default deny one, the traffic failure above gets through. So I am thinking it's still an ACL issue of sorts............ So off to reconfigure if I can.

As you can see, through ASDM it's not possible. I simply put in the parameters available and the output is what I get.....^^?????

It's a rule applicable to the outside interface.
The source is the TFS users (a group of allowed external web IPs).
The destination is the real IP (the PC with the server).
The service is TFS, in this case a single TCP port.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

1 edit
reply to Anav
Problem solved.
Initially my service ports were both source and destination.
Upon advice I changed these all to source. (phardacre, you owe me a few beers buddy lol)

Today I tried changing them all to destination. Why, you ask? Because when, for giggles, I wanted to recreate the rule I was testing in CLI - using PuTTY, I simply modified the existing rule by using a default service (Citrix). Lo and behold, for the first time I got a service rule that looked familiar.... ended with "eq citrix."

The moral is, CLI is for dummies, but use it because it will help you in ASDM troubleshooting LOL.

(I then noticed all the default rules were set for destination.)

I was able to change all my service ports to destination except ONE, you guessed it, the main one I was testing.
I kept getting IPv6 errors associated when trying to change it to destination. HOW WEIRD is that. So I deleted it and reinserted it.

Packet trace - good.
Real test - success.
Oh, and by the way, my ACL rules did not change format. They were good the whole time; it was my service ports that were effed up.

Thanks for all your patience on round one, now the simple IPsec and SSL VPN saga begins. I hope to heck remote management works LOL.
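As an added illustration of phardacre's diagnosis earlier in the thread (a service object that names a port on the source side can only match if the client happens to use that source port) and of the fix Anav landed on above (destination-only service objects), here is a small checker written for this page, not from the thread, from Cisco, or from ASDM. It parses ASA 8.4 "object service" definitions and tests each one against a normal inbound client connection, i.e. an ephemeral source port talking to the server port the object was evidently meant to describe; the sample config, the object names and the ephemeral port value are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample (not the thread's own config): the three shapes the thread's
# service objects went through (both ports, source only, destination only), plus
# a port range, all in ASA 8.4 "object service" syntax.
SAMPLE_CONFIG = """\
object service OM1-both
 service tcp source eq 5080 destination eq 5080
object service OM1-source
 service tcp source eq 5080
object service OM1-dest
 service tcp destination eq 5080
object service input-port-both
 service tcp source eq www destination eq www
object service TFS-dest
 service tcp destination eq 8080
object service RDP-range
 service tcp destination range 3389 3390
"""

# Named ports the ASA accepts in place of numbers (only the ones the sample needs).
NAMED_PORTS = {"www": 80, "https": 443, "ssh": 22, "pptp": 1723}

# A typical client-side ephemeral source port (constructed value for the test flow).
EPHEMERAL_SRC = 51234

# ("eq"|"neq"|"gt"|"lt", port) or ("range", lo, hi)
PortSpec = Tuple


def port_number(token: str) -> int:
    if token in NAMED_PORTS:
        return NAMED_PORTS[token]
    return int(token)


def parse_service_objects(config: str) -> Dict[str, dict]:
    """Collect 'object service NAME' blocks and their 'service tcp|udp ...' line.

    Each object becomes {"proto", "source", "destination"}; a side that is not
    mentioned stays None, which the ASA treats as "any port" on that side.
    """
    objects: Dict[str, dict] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^object service (\S+)$", line)
        if m:
            current = m.group(1)
            objects[current] = {"proto": None, "source": None, "destination": None}
            continue
        m = re.match(r"^service (tcp|udp)\b(.*)$", line)
        if m and current is not None:
            objects[current]["proto"] = m.group(1)
            tokens = m.group(2).split()
            i = 0
            while i < len(tokens):  # walk "<side> <operator> <port> [<port>]" groups
                side, op = tokens[i], tokens[i + 1]
                if op == "range":
                    spec = ("range", port_number(tokens[i + 2]), port_number(tokens[i + 3]))
                    i += 4
                else:
                    spec = (op, port_number(tokens[i + 2]))
                    i += 3
                objects[current][side] = spec
    return objects


def port_matches(spec: Optional[PortSpec], port: int) -> bool:
    """Evaluate one side of the object; None means that side was left unspecified."""
    if spec is None:
        return True
    if spec[0] == "range":
        return spec[1] <= port <= spec[2]
    op, value = spec
    return {"eq": port == value, "neq": port != value,
            "gt": port > value, "lt": port < value}[op]


def service_matches(obj: dict, proto: str, src_port: int, dst_port: int) -> bool:
    """Would this service object match a packet with the given protocol and ports?"""
    return (obj["proto"] == proto
            and port_matches(obj["source"], src_port)
            and port_matches(obj["destination"], dst_port))


def intended_server_port(obj: dict) -> Optional[int]:
    """The port the author evidently meant: the destination if given, otherwise the
    'source' port (the thread's mistake was naming the server port on the source side)."""
    spec = obj["destination"] or obj["source"]
    if spec is None:
        return None
    if spec[0] == "range":
        return spec[1]
    return spec[1] if spec[0] == "eq" else None


def never_match_inbound(objects: Dict[str, dict]) -> List[str]:
    """Names of objects that cannot match a normal inbound client connection."""
    flagged = []
    for name, obj in objects.items():
        port = intended_server_port(obj)
        if port is not None and not service_matches(obj, obj["proto"], EPHEMERAL_SRC, port):
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    objs = parse_service_objects(SAMPLE_CONFIG)
    for name, obj in objs.items():
        port = intended_server_port(obj)
        ok = service_matches(obj, obj["proto"], EPHEMERAL_SRC, port)
        print(f"{name:18} client {EPHEMERAL_SRC}->{port}: {'match' if ok else 'NO MATCH'}")
    print("would never match inbound clients:", never_match_inbound(objs))
```

Running it flags OM1-both, OM1-source and input-port-both, the three shapes Anav had before switching to destination-only objects, while the destination-only and range objects match.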

HELLFIRE
Premium
join:2009-11-25
kudos:19
reply to Anav
Jeez, and I was JUST about to break out my ASA to try your config this weekend, Anav.
Wanna post up the (now working) config?

said by Anav:

The moral is, CLI is for dummies, but use it because it will help you in ASDM troubleshooting LOL.

...GUI is for Windows, CLI is for *nix and Cisco

said by Anav:

Thanks for all your patience on round one

Thanks for sticking it through... so you going to kick Zyxel to the curb now? :razz:

Regards

phardacre

join:2004-01-19
UK
reply to Anav
said by Anav:

Problem solved.
Initially my service ports were both source and destination.
Upon advice I changed these all to source. (phardacre, you owe me a few beers buddy lol)
...
Thanks for all your patience on round one, now the simple IPsec and SSL VPN saga begins. I hope to heck remote management works LOL.

Haha.. If I'm ever in Canada, you're more than welcome to a few..

Personally, having more of an IOS background, writing the ACLs without the objects is easier for me. I stick to the CLI rather than ASDM. ASDM for IPsec is a bit easier, and for editing the SSL VPN policies I'd almost recommend it.

Glad you got it sorted though. I'd be interested to see the final working config too if it's not too much trouble.

Paul


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

1 edit
reply to Anav
You guys are great, Bigsy needs a sense of humour ;-P
Go Barcelona!!

As promised the least I can do for your help and stamina is to post the running config.

: Saved
:
ASA Version 8.4(3)
!
hostname Thanks-to-HELLFIRE-PHARDACRE
enable password SrnWJ82Q9IsDq97j encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 12
!
interface Ethernet0/7
switchport access vlan 12
!
interface Vlan1
no forward interface Vlan12
nameif main-lan
security-level 100
ip address 192.168.24.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address ab.abc.def.230 255.255.255.248
!
interface Vlan12
nameif admin-dmz
security-level 100
ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
clock timezone AST -2
clock summer-time ADT recurring
same-security-traffic permit inter-interface
object network obj_any_main-lan
subnet 0.0.0.0 0.0.0.0
description Applied by router ---> SNAT for main lan
object network TrustedInternetUsers
subnet ab.abc.def.0 255.255.255.0
object network Corporate-user
host 555.555.555.55
description corp Object for access to TFS, OM
object network 3-remote-h
subnet 11.111.0.0 255.255.0.0
object network 3-remote-w
subnet 22.222.222.0 255.255.255.0
object network 1-remote
host 33.3.333.3
object network 2-remote
host 444.44.444.444
object network ISP-GatewayIP
host ab.abc.def.225
object network VS-pcIP
host 192.168.24.34
object network obj_any-admin-dmz
subnet 0.0.0.0 0.0.0.0
description Used to apply SNAT for DMZ (internet access)
object service input-port
service tcp destination eq www
object service OM1
service tcp destination eq 5080
object service OM2
service tcp destination eq 8088
object service OM3
service tcp destination eq https
object service RDP
service tcp destination eq 3389
object service RouterAdmin
service tcp destination eq 3334
object network NAT4OM3
host 192.168.24.34
object network NAT4OM1
host 192.168.24.34
object network NAT4OM2
host 192.168.24.34
object network NAT4RDP
host 192.168.24.34
object network NAT4TFS
host 192.168.24.34
object network NAT4WWW2OM1
host 192.168.24.34
object service TFS
service tcp destination eq 8080
object-group network Router-Admin
description Remote access to adjust router settings
network-object object 2-remote
network-object object TrustedInternetUsers
object-group network TFS-usergroup
description dept Access TFS, Open Meetings and RDP
network-object object TrustedInternetUsers
network-object object 3-remote-h
network-object object 3-remote-w
network-object object 1-remote
network-object object 2-remote
object-group service OMServiceGroup
service-object object OM1
service-object object OM2
service-object object OM3
object-group service CorporateServiceGroup
service-object object OM2
service-object object OM3
service-object object input-port
access-list outside_access_in remark Access to VS-TFS
access-list outside_access_in extended permit object TFS object-group TFS-usergroup object VS-pcIP
access-list outside_access_in extended permit object RDP object-group TFS-usergroup object VS-pcIP
access-list outside_access_in extended permit object TFS object Corporate-user object VS-pcIP
access-list outside_access_in remark Access to Open Meetings
access-list outside_access_in extended permit object-group OMServiceGroup object-group TFS-usergroup object VS-pcIP
access-list outside_access_in extended permit object-group CorporateServiceGroup object Corporate-user object VS-pcIP
pager lines 24
logging enable
logging list EventsListGeneral level informational class auth
logging list EventsListGeneral level informational class config
logging list EventsListGeneral level informational class vpn
logging list EventsListGeneral level informational class webvpn
logging list EventsListGeneral level informational class ssl
logging console informational
logging monitor informational
logging asdm informational
mtu main-lan 1500
mtu outside 1500
mtu admin-dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any_main-lan
nat (main-lan,outside) dynamic interface
object network obj_any-admin-dmz
nat (admin-dmz,outside) dynamic interface
object network NAT4OM3
nat (main-lan,outside) static interface service tcp https https
object network NAT4OM1
nat (main-lan,outside) static interface service tcp 5080 5080
object network NAT4OM2
nat (main-lan,outside) static interface service tcp 8088 8088
object network NAT4RDP
nat (main-lan,outside) static interface service tcp 3389 3389
object network NAT4TFS
nat (main-lan,outside) static interface service tcp 8080 8080
object network NAT4WWW2OM1
nat (main-lan,outside) static interface service tcp 5080 www
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ab.abc.def.225 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable 3334
http server session-timeout 60
http 192.168.2.0 255.255.255.0 admin-dmz
http 192.168.24.0 255.255.255.0 main-lan
http 444.444.444.44 255.255.255.255 outside
http ab.abc.def.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.24.0 255.255.255.0 main-lan
ssh 444.444.444.44 255.255.255.255 outside
ssh ab.abc.def.0 255.255.255.0 outside
ssh 192.168.2.0 255.255.255.0 admin-dmz
ssh timeout 10
ssh version 2
console timeout 0

dhcpd address 192.168.24.5-192.168.24.10 main-lan
dhcpd dns 22.0.0.0 22.0.0.0 interface main-lan
dhcpd enable main-lan
!
dhcpd dns 22.0.0.0 22.0.0.0 interface outside
!
dhcpd address 192.168.2.5-192.168.2.10 admin-dmz
dhcpd dns 22.0.0.0 22.0.0.0 interface admin-dmz
dhcpd enable admin-dmz
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 209.87.233.53 source outside
webvpn
username user5- password Xl5915GPBhncsPAQ encrypted
username user3- password mAVJxjP/lM8yc59F encrypted
username user4- password w7V/UFyrOwnQknqm encrypted
username user2- password .NJvJ7zi.ROsatP7 encrypted
username user1- password OZCdJRBWiCmcaFZ. encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e9330d99905f31e69f15113bae6f095b
: end

--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to Anav
Okay, two issues. I should have reported partial success.

Issue 1. Cisco lies. ACLs are NOT performed before NAT. Or more accurately, they don't mention un-NAT.

I have a port translation in NAT for one set of external clients that can use port 80 at corporate but not the desired port of 5080 at the private server behind the ASA 5505 (single public WAN IP). So I ACL ruled port 80 for them but not 5080 (no requirement, right, as NAT is done after ACL). WRONG EFFING WRONG. I had no success with that server for them until this morning when I added... you guessed it, port 5080 to the ACL rule. Checking packet tracer, an un-NAT process takes place before the ACL, switching the ports, the bugger.

So the moral is the router is frigging with NAT before the ACL rule.
In any case I now have all servers seemingly firing on all cylinders. This is based strictly on rudimentary logging in by a number of users, but not much functionality. So it remains to be seen.

Issue 2. One particular service port is a pain to switch from source to destination or vice versa, UNLIKE all my other service ports. I do not know why, and here is the error message received:
object service TFS
[ERROR] service tcp destination eq 8080
Object is used in IPv6 access-list outside_access_in. Can't change IP to IPv4.
ERROR: object (TFS) updation failed due to internal error


Now I checked in ACLs and everywhere else. I have no IPv6 anywhere. So WTF, over. I was able to change the name of the service object, then change the port number, which let me create a new service object, which I then had to insert into the ACL rules, and then I could delete the now old one. Any geniuses out there that can explain that one?

Issue 3. (Just checking to see if anyone noticed I said 2 above LOL.) The whole discussion for static NAT and service port definition: they would NOT work when I chose source, and they WORK when I select destination. (They also did not work when I had both source and destination selected in service ports.) So on one hand there are the experts saying oh lads, you have to put in source, it seems backwards but please do... and on the other hand you have two facts: one, my setup works with them in destination, and EVERY DEFAULT service object uses destination.

Conclusion: too many docs, videos, blogs, discussions, forums, and only a vague sense of unease is my reward.

HELLFIRE
Premium
join:2009-11-25
kudos:19
reply to Anav
For point 3 Anav, the ACL syntax of ASA is as follows:

[permit /deny] [protocol] [source ip(s)] [source port(s)] [destination ip(s)] [destination port(s)]

Plus you have to remember the DIRECTION the ACL is applied (or nat, or whatever). Not sure how to
explain it better or what; I think you already know that a SENDING host would use a port greater
than 1023 in all communications, and the RECEIVER would be listening on a specific port -- e.g.
TCP22/SSH for example. That rule still applies and is part of the syntax in however you construct
your config and has to be taken into account.

I'm still wrapping my mind around ASA8.3 and up -- which you've basically forced me to learn as I'm
very comfortable with ASA8.2, thank you very much -- and the changes Cisco's done to it, so a lot of
this is new to me as well.

I'll see what help I can give on your points 1 and 2.

Regards
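A toy model of the order of operations argued over in Anav's points 1 and 3 and HELLFIRE's syntax note above: on ASA 8.3+ the inbound packet is un-NATed first and the access-list is then matched against the real (inside) address and port, and a port declared on the source side of a service object matches the client's ephemeral port, not the server's. This is an added illustration, not code from the thread or from Cisco; the 80->5080 mapping mirrors the NAT4WWW2OM1 rule in the posted config, ab.abc.def.230 is the thread's own placeholder outside IP, and the client 203.0.113.5 with its source port is constructed.

```python
"""Model of ASA 8.3+ inbound processing: UN-NAT, then ACCESS-LIST on the REAL
address/port (the order packet-tracer shows).  Addresses: outside placeholder
ab.abc.def.230 and server 192.168.24.34 are from the posted config; client
203.0.113.5 and its ephemeral port 51234 are constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# (outside ip, outside port) -> (real ip, real port), i.e. what
# "nat (main-lan,outside) static interface service tcp 5080 www" and
# "... service tcp 8080 8080" produce for traffic arriving on outside.
STATIC_NAT = {
    ("ab.abc.def.230", 80): ("192.168.24.34", 5080),
    ("ab.abc.def.230", 8080): ("192.168.24.34", 8080),
}


@dataclass(frozen=True)
class Ace:
    # port_side mirrors "service tcp {source|destination} eq N" in a service object
    src_ip: str
    dst_ip: str
    port: int
    port_side: str = "destination"


def un_nat(pkt: Packet) -> Packet:
    """Step 1: undo the static NAT on the destination; no NAT match means no change."""
    real = STATIC_NAT.get((pkt.dst_ip, pkt.dst_port))
    return pkt if real is None else Packet(pkt.src_ip, pkt.src_port, *real)


def acl_permits(acl: list, pkt: Packet) -> bool:
    """Step 2: first-match evaluation on real addresses; implicit deny at the end."""
    for ace in acl:
        if (pkt.src_ip, pkt.dst_ip) != (ace.src_ip, ace.dst_ip):
            continue
        seen = pkt.src_port if ace.port_side == "source" else pkt.dst_port
        if seen == ace.port:
            return True
    return False


def inbound_allowed(acl: list, pkt: Packet) -> bool:
    """Inbound on outside: the ACL never sees the translated port, only the real one."""
    return acl_permits(acl, un_nat(pkt))
```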


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
Ahh the joys of a router company with a multiple personality disorder. Don't forget to actually answer question 3 as well. ;-P
Looking forward to you joining me "in the bed" of 8.3 !

HELLFIRE
Premium
join:2009-11-25
kudos:19
reply to Anav
BTW, a link you may want to file for future reference Anav

»www.cisco.com/en/US/products/ps6 ··· ist.html

Basically it's a collection of all of the config examples Cisco keeps. I've been taking a look at the ones in particular that use 8.3 code and seeing if anything's applicable to you.

I'll see if I can squeeze a couple hours this weekend as well to lab this up... suffice to say work's nuts, and spare time is at a premium.

Regards


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to Anav
Thanks hellfire, right now I just need to confirm that my NAT rules are working as they should. I have them as inside, outside rules but the format looks closer to some outside, inside rules. So not sure if I have implemented a format for the wrong direction, or I need to change format and direction, or it is good as it is.

HELLFIRE
Premium
join:2009-11-25
kudos:19
reply to Anav
@Anav
Sorry to report that while the weekend came, it was NOT very relaxing, nor was it very free... so didn't
get a chance to lab up your config.

I also wanted to inquire how likely it is for you to legally get ASA code older than you're running,
preferably 8.2 if possible?

What you're wanting to do is perfectly doable, and if we can get you a working config, you just have to
load it via CLI and walk away...

Regards


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
Ha, no worries hellfire. Apparently the simple object embedded NAT I am using is okay for my simple needs. However twice NAT or manual NAT is much sexier and good for when you need to access external servers, or perhaps when other internal LANs need access to another internal LAN. Now if I get extra energy I may dabble in twice NAT but really don't have the need. Not going back, that's the past, not a horror I want to relive LOL.

HELLFIRE
Premium
join:2009-11-25
kudos:19
reply to Anav
So how likely on 8.2 ASA code?

Also have to ask, how close are you to asking your management to ditch the ASA for a Zyxel?
If you go that route, I'll gladly take that ASA off your hands...

Regards


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
Ha the unit belongs to the larger corporation and I got it free.
No, sticking with it, it's up and running. 8.2 is for losers. ASDM and 8.4 is da bomb.