Cisco ASA Access-List

This topic is to discuss the following lesson:

Hello Rene, a question about ACLs.
If I read an ACL written in this way:
access-list 100 permit ip host 131.108.1.1 any…
does the keyword “any” mean:
"permit any packet from address 131.108.1.1 to any other address configured in this router, plus 255.255.255.255 and plus all multicast addresses? (224.0.0.9 for RIP, for example)"
131.108.1.1 is, for example, the adjacent router on my fa 0/0… (and so I have to configure the ACL inbound).

Hi Francesco,

An extended access-list always looks like this:

The source and destination ports are optional. For your example it will be:

protocol = ip
source address = 131.108.1.1 (host means using subnet mask 255.255.255.255)
source port = not specified
destination address = any
destination port = not specified

“any” really means any IP address so it’ll match on destination address 0.0.0.0 - 255.255.255.255.

When the router receives an IP packet on an interface that has an access-list then it will look for a match.

Rene

OK, ok… I was a little confused… because I was reading “Troubleshooting IP Routing Protocols”:
On one page it explains that if on one router RIP (1 or 2) is configured and its neighbor has, on the interface facing it, an ACL written in that way, we have to pay attention that the broadcast address or multicast address is permitted…
Another thing: the difference between the keywords TCP/UDP… and IP in an extended ACL: if it's written permit/deny TCP or UDP… the router matches the application specified by the eq keyword, right??
And IP matches all applications that use TCP, UDP plus, for example, ICMP, EIGRP… etc. (all the applications that encapsulate directly in IP, like EIGRP, ICMP for example)… right??

Hi Francesco,

Each access-list has an “invisible” deny any at the bottom so if you don’t create some permit statements, traffic will be dropped by default.

For example, RIPv2 uses multicast address 224.0.0.9. If you don’t permit this in an access-list then it will be dropped.

You are correct about IP / TCP / UDP. When you select IP then optionally you can match on some things in the IP header (DSCP, fragments, TTL, etc). When you select TCP or UDP then you select the port numbers.

Rene

Hello… thank you… now I understand well :slight_smile:

Hi Rene,
I do have a question. How do you create an access list with 10 or 15 ports blocked in one command line instead of creating an access list for each port number? I had a job interview the other day and it was one of the questions they asked me.
Thanks

Hi Georgi,

Sure, this can be done with object groups:

https://networklessons.com/security/cisco-asa-object-group-access-list/

Rene

Hi Rene, thanks for the response about object groups. I have another question about the access list example above that you mention, in the global access list example below:
ASA1(config)# access-list SMTP extended permit tcp host 192.168.3.3 eq 25 any
I couldn’t get this access list statement since you put the "any" after specifying the port number. Can you please explain it for me?
Thanks

Hi Georgi,

In the extended access-list you can match things like this:

So in that example, we use:

protocol = tcp
source ip = 192.168.3.3
source port = 25
destination ip = any
destination port = any

Rene
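As an added illustration of the matching rules Rene lists above (the “any” keyword, the host /32 mask, the implicit deny at the bottom, and the difference between an ip entry and a tcp/udp entry with eq), here is a small Python evaluator. It is example code written for this page, not code from the thread or from Cisco. It parses the access-list lines quoted in this thread and evaluates constructed sample packets against them, including a RIPv2 update sent to 224.0.0.9. Assumptions: address/mask pairs are read as ASA-style subnet masks (the ipaddress module also accepts a wildcard-style hostmask), and the small port-name table (telnet, smtp, www, rip) is mine.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port names used in this thread's examples (assumption: a small table I added).
PORT_NAMES = {"telnet": 23, "smtp": 25, "www": 80, "http": 80, "rip": 520}

# "any" is simply the whole IPv4 space: 0.0.0.0 - 255.255.255.255, multicast and
# broadcast included.
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches every IP protocol; others match exactly
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    src_port: Optional[int] = None   # None = not specified, so any port matches
    dst_port: Optional[int] = None


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _address(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec at tok[i]; return (network, index of next token).
    Accepts 'any', 'host A.B.C.D' and 'A.B.C.D MASK' (subnet mask, ASA style;
    ipaddress also understands a hostmask such as 0.0.0.255)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":                         # host = mask 255.255.255.255
        return ipaddress.ip_network(f"{tok[i + 1]}/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_entry(line: str) -> AclEntry:
    """Parse one access-list entry. Everything before permit/deny (the
    'access-list NAME [extended]' prefix, numbered or named) is skipped, so both
    the IOS-style and the ASA-style lines from the thread parse the same way."""
    tok = line.split()
    i = next(k for k, t in enumerate(tok) if t in ("permit", "deny"))
    action, proto = tok[i], tok[i + 1]
    src, i = _address(tok, i + 2)
    sport = None
    if i < len(tok) and tok[i] == "eq":          # optional source port
        sport, i = _port(tok[i + 1]), i + 2
    dst, i = _address(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":          # optional destination port
        dport = _port(tok[i + 1])
    return AclEntry(action, proto, src, dst, sport, dport)


def evaluate(acl: List[AclEntry], proto: str, src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None) -> str:
    """First matching entry wins; no match falls through to the invisible 'deny any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:
        if e.protocol != "ip" and e.protocol != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.src_port is not None and e.src_port != sport:
            continue
        if e.dst_port is not None and e.dst_port != dport:
            continue
        return e.action
    return "deny"                                # implicit deny at the bottom


if __name__ == "__main__":
    # Constructed sample packets against the entries quoted in the thread.
    acl100 = [parse_entry("access-list 100 permit ip host 131.108.1.1 any")]
    print(evaluate(acl100, "udp", "131.108.1.1", "224.0.0.9", 520, 520))   # permit
    web_only = [parse_entry("access-list OUTSIDE_INBOUND extended permit tcp any any eq www")]
    print(evaluate(web_only, "udp", "10.0.0.1", "224.0.0.9", 520, 520))   # deny (RIP not permitted)
    smtp = [parse_entry("access-list SMTP extended permit tcp host 192.168.3.3 eq 25 any")]
    print(evaluate(smtp, "tcp", "192.168.3.3", "10.1.1.1", 25, 40000))    # permit
```

The RIPv2 case is the one Rene warns about: an interface ACL that only permits TCP web traffic silently drops the neighbor's updates to 224.0.0.9 until an explicit udp entry for that multicast address is added before the implicit deny.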

Hi Rene,
I am confused about the section “Permit Traffic to DMZ”.

How were you able to telnet to the interface on the DMZ router, 192.168.3.3, from the outside, R2? I think you should telnet to the NATted IP instead.

Thanks

Hi John,

I had a default route on R2 pointing to the ASA.

Rene

Hi Rene,

I have that too; R2 points to the ASA, but the lab did not work for me. I think it is a static NAT issue because the ASA drops the packet due to the rpf-check. Here is a packet tracer from the ASA:

ciscoasa# packet-tracer input OUTSIDE tcp 192.168.2.2 23 192.168.3.3 23

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.3.0     255.255.255.0   DMZ

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_INBOUND in interface OUTSIDE
access-list OUTSIDE_INBOUND extended permit tcp any host 192.168.3.3 eq telnet 
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network WEB_SERVER
 nat (DMZ,OUTSIDE) static 192.168.2.200
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hi John,

That makes sense :slight_smile: In my example I didn’t have NAT configured…just the IP addresses and security levels on the ASA, that’s it.

Rene

perfect, thank you!!

Hi Rene !

Don't you need NAT? When you are using an access-list, all security levels will diminish, or am I wrong?

Hi Oskar,

If this was a real network with Internet connectivity and public/private addresses then yes, you would need NAT. In this example however it’s just an ASA with three interfaces. Nothing has to be translated.

Rene

Hi Rene,

What’s the order on a given interface? Is the ACL evaluated first and then NAT applied?

ASA1(config)# access-group OUTSIDE_INBOUND in interface OUTSIDE – referring to this line, which operation is performed first, NAT or ACL? And

if it is NAT, then this changes the source IP to the given public IP, overriding the ACL condition which defines what host/subnet source IP is to be permitted or denied.

Thanks in advance

Hi Asi,

Here’s a good document from Cisco that explains the “order of operation” for the ASA:

Cisco ASA Packet Flow

The packet tracer tool on the ASA is also great to answer this question. For example:

ASA# packet-tracer input INSIDE tcp 192.168.1.1 50001 1.2.3.4 80

This will show us the packet flow for a host that is using IP address 192.168.1.1 and that wants to connect to TCP port 80 on 1.2.3.4. Here’s the result:

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.1 using egress ifc  OUTSIDE

Phase: 3
Type: NAT
Subtype: 
Result: ALLOW
Config:
object network INSIDE
 nat (INSIDE,OUTSIDE) dynamic interface
Additional Information:
Dynamic translate 192.168.1.1/50001 to 10.10.10.254/50001

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: SFR
Subtype: 
Result: ALLOW
Config:
class-map SFR
 match access-list SFR_REDIRECT
policy-map global_policy
 class SFR
  sfr fail-open
service-policy global_policy global
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:       
Additional Information:
New flow created with id 1017213, packet dispatched to next module

You can see that the access-list is checked BEFORE NAT is applied. If your packet doesn’t match the access-list then it will be dropped before NAT translation occurs.

Hope this helps.

Rene
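The two packet-tracer outputs in this thread are read by eye, but the same format is easy to parse mechanically when you have many traces to compare. Here is an added Python parser, written for this page and not code from the thread or from Cisco, that splits packet-tracer output into its phases, pulls out the phase that returned DROP together with the final Drop-reason, and answers the order-of-operations question above by checking whether an ACCESS-LIST phase precedes the first NAT phase. The first sample input is abridged from John's trace earlier in the thread (phases 3 and 5 plus the summary); the second, allow-only sample is constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Phase:
    number: int
    ptype: str = ""                  # the 'Type:' line, e.g. ACCESS-LIST, NAT
    subtype: str = ""                # the 'Subtype:' line, e.g. rpf-check
    result: str = ""                 # ALLOW or DROP
    config: List[str] = field(default_factory=list)   # lines under 'Config:'
    info: List[str] = field(default_factory=list)     # lines under 'Additional Information:'


@dataclass
class Trace:
    phases: List[Phase] = field(default_factory=list)
    action: Optional[str] = None     # 'Action:' from the final summary
    drop_reason: Optional[str] = None


def parse_packet_tracer(text: str) -> Trace:
    """Turn packet-tracer output into Phase records plus the final Action/Drop-reason."""
    trace, cur, section = Trace(), None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:                                   # a new phase block starts
            cur = Phase(int(m.group(1)))
            trace.phases.append(cur)
            section = None
        elif line == "Result:":                 # a bare 'Result:' opens the final summary
            cur, section = None, None
        elif cur is None:                       # summary lines: Action:, Drop-reason:, ...
            if line.startswith("Action:"):
                trace.action = line.split(":", 1)[1].strip()
            elif line.startswith("Drop-reason:"):
                trace.drop_reason = line.split(":", 1)[1].strip()
        elif line.startswith("Type:"):
            cur.ptype = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            cur.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            cur.result = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = cur.config
        elif line == "Additional Information:":
            section = cur.info
        elif section is not None:               # body line of the current section
            section.append(line)
    return trace


def first_drop(trace: Trace) -> Optional[Phase]:
    """The phase that dropped the packet, or None if every phase returned ALLOW."""
    return next((p for p in trace.phases if p.result == "DROP"), None)


def comes_before(trace: Trace, first_type: str, second_type: str) -> bool:
    """True if the first phase of first_type precedes the first phase of second_type."""
    types = [p.ptype for p in trace.phases]
    return (first_type in types and second_type in types
            and types.index(first_type) < types.index(second_type))


def verdict(trace: Trace) -> str:
    p = first_drop(trace)
    if p is None:
        return f"allowed after {len(trace.phases)} phases"
    return f"dropped at phase {p.number} ({p.ptype} {p.subtype}): {trace.drop_reason}"


# Abridged from John's trace in this thread: phases 3 and 5 and the summary block.
DROP_TRACE = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_INBOUND in interface OUTSIDE
access-list OUTSIDE_INBOUND extended permit tcp any host 192.168.3.3 eq telnet
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network WEB_SERVER
 nat (DMZ,OUTSIDE) static 192.168.2.200
Additional Information:

Result:
input-interface: OUTSIDE
output-interface: DMZ
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed allow-only sample (not real ASA output) to show the other outcome.
ALLOW_TRACE = """\
Phase: 1
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 42, packet dispatched to next module

Result:
Action: allow
"""
```

On John's trace this reports a drop at phase 5 (NAT rpf-check) with the acl-drop reason, while comes_before confirms that the interface ACCESS-LIST phase ran before NAT, which is the point of Rene's answer: an ACL miss is reported before any translation happens.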

Hi Rene,

I have a basic question as I am just getting to know about ASA firewalls. Don't standard and named access-lists work on the ASA? I haven't been able to see that configuration.

Thank you,
BV