This topic is to discuss the following lesson:
Hello Rene, a question about ACLs.
If I read an ACL written in this way:
access-list 100 permit ip host 18.104.22.168 any…
the keyword “any” means:
“permit any packet from address 22.214.171.124 to any other address, if configured in this router, also 255.255.255.255 and all multicast addresses?” (126.96.36.199 for RIP, for example)
188.8.131.52 is, for example, the adjacent router on my fa 0/0… (and so I have to configure the ACL inbound)
An extended access-list always looks like this:
The source and destination port is optional. For your example it will be:
protocol = ip
source address = 184.108.40.206 (host means using subnet mask 255.255.255.255)
source port = not specified
destination address = any
destination port = not specified
“any” really means any IP address so it’ll match on destination address 0.0.0.0 - 255.255.255.255.
When the router receives an IP packet on an interface that has an access-list then it will look for a match.
OK, OK… I was a little confused… because I was reading “troubleshooting ip routing protocol”:
On one page it explains that if RIP (1 or 2) is configured on one router and its neighbor has an ACL written in that way on the interface facing it… we have to pay attention that the broadcast address or multicast address is permitted…
Another thing: the difference between the keywords TCP/UDP… and IP in an extended ACL: if it is written permit/deny TCP or UDP… the router matches the application specified by the eq keyword, right??
And IP matches all applications that use TCP, UDP plus, for example, ICMP, EIGRP… etc. (all the applications that encapsulate directly in IP, like EIGRP, ICMP for example)… right??
Each access-list has an “invisible” deny any at the bottom so if you don’t create some permit statements, traffic will be dropped by default.
For example, RIPv2 uses multicast address 220.127.116.11. If you don’t permit this in an access-list then it will be dropped.
You are correct about IP / TCP / UDP. When you select IP then optionally you can match on some things in the IP header (DSCP, fragments, TTL, etc). When you select TCP or UDP then you select the port numbers.
Hello… thank you… now I understand well.
I do have a question. How do you create an access list with 10 or 15 ports blocked in one command line instead of creating an access list for each port number? I had a job interview the other day and it was one of the questions they asked me.
Sure this can be done with object groups:
Hi Rene; thanks for the response on object groups. I have another question about the access-list example you mention above. In the global access-list example below:
ASA1(config)# access-list SMTP extended permit tcp host 192.168.3.3 eq 25 any
I couldn’t get this access-list statement since you put the “any” after specifying the port number. Can you please explain it for me?
In the extended access-list you can match things like this:
So in that example, we use:
protocol = tcp
source ip = 192.168.3.3
source port = 25
destination ip = any
port = any
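To make the two answers above concrete (the meaning of “any”, the implicit deny at the end of every list, the difference between protocol ip and tcp/udp, and why “eq 25” before “any” is a source port), here is a small evaluator for extended access-list entries. This is an added example, not code from the thread or from Cisco: it assumes ASA-style entries with “host”, “any” or “network subnetmask” address specs and an optional “eq PORT” after the source and after the destination; the access-lists and packets it runs are constructed, and 224.0.0.9 / UDP 520 are the real RIPv2 multicast address and port.

```python
"""Evaluate Cisco-style extended access-list entries against sample packets.

Added example, not code from the original thread or from Cisco. It assumes
ASA-style entries of the form
  access-list NAME [extended] permit|deny PROTO SRC [eq PORT] DST [eq PORT]
where SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D SUBNETMASK' (subnet masks,
not IOS wildcard masks). All access-lists and packets below are constructed.
"""
import ipaddress

# A few of the service names the 'eq' keyword accepts on IOS/ASA.
PORT_NAMES = {"telnet": 23, "smtp": 25, "domain": 53, "www": 80, "https": 443}


def _port(token):
    """Turn the argument of 'eq' into a port number (digits or a service name)."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def _address(tokens, i):
    """Consume one address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":                      # any = 0.0.0.0 - 255.255.255.255
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":                     # host X = X with mask 255.255.255.255
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # NETWORK SUBNETMASK (assumption: ASA-style subnet masks)
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def _optional_port(tokens, i):
    """Consume 'eq PORT' if present; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse one access-list entry into its action and five match fields."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line}")
    i = 3 if tokens[2] == "extended" else 2
    action, proto = tokens[i], tokens[i + 1]
    src, i = _address(tokens, i + 2)
    sport, i = _optional_port(tokens, i)      # 'eq' right after the source = source port
    dst, i = _address(tokens, i)
    dport, i = _optional_port(tokens, i)      # 'eq' after the destination = destination port
    return {"action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def ace_matches(ace, pkt):
    """pkt has 'proto', 'src', 'dst' and, for tcp/udp, 'sport' and 'dport'."""
    # 'ip' matches every IP protocol (tcp, udp, icmp, eigrp, ...); 'tcp' or
    # 'udp' matches only that protocol, and only then are ports compared.
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ace["dst"]:
        return False
    if ace["sport"] is not None and pkt.get("sport") != ace["sport"]:
        return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    return True


def evaluate(acl_lines, pkt):
    """Walk the list top-down; first match wins, no match hits the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", "implicit deny at the end of the list"


# Constructed access-lists: a 'permit ip host X any' entry, an ASA interface
# ACL that also permits RIPv2 updates, and the 'eq 25 any' entry discussed above.
ACL_100 = ["access-list 100 permit ip host 10.0.0.1 any"]
ACL_OUTSIDE_INBOUND = [
    "access-list OUTSIDE_INBOUND extended permit tcp any host 192.168.3.3 eq telnet",
    "access-list OUTSIDE_INBOUND extended permit udp any host 224.0.0.9 eq 520",
]
ACL_SMTP = ["access-list SMTP extended permit tcp host 192.168.3.3 eq 25 any"]

# Constructed packets.
RIP_UPDATE = {"proto": "udp", "src": "10.0.0.1", "dst": "224.0.0.9", "sport": 520, "dport": 520}
TELNET_IN = {"proto": "tcp", "src": "192.168.2.2", "dst": "192.168.3.3", "sport": 40001, "dport": 23}
HTTP_IN = dict(TELNET_IN, dport=80)
SMTP_REPLY = {"proto": "tcp", "src": "192.168.3.3", "dst": "10.9.9.9", "sport": 25, "dport": 51000}

if __name__ == "__main__":
    for label, acl, pkt in [("ACL 100 / RIPv2 multicast", ACL_100, RIP_UPDATE),
                            ("OUTSIDE_INBOUND / telnet", ACL_OUTSIDE_INBOUND, TELNET_IN),
                            ("OUTSIDE_INBOUND / http", ACL_OUTSIDE_INBOUND, HTTP_IN),
                            ("SMTP / reply from port 25", ACL_SMTP, SMTP_REPLY)]:
        print(label, "->", evaluate(acl, pkt))
```

The HTTP packet falls through both OUTSIDE_INBOUND entries and lands on the implicit deny, which is exactly what happens to a RIP update when nobody writes a permit for its multicast destination; the SMTP entry permits the packet only when its source port is 25, because the “eq 25” sits between the source and the destination.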
I am confused about the section “Permit Traffic to DMZ”
How were you able to telnet to the interface on the DMZ router, 192.168.3.3, from the outside, R2? I think you should telnet to the NATed IP instead.
I had a default route on R2 pointing to the ASA.
I have that too, R2 points to the ASA, but the lab did not work for me. I think it is a static NAT issue because the ASA drops the packet due to rpf-check. Here is a packet tracer from the ASA
ciscoasa# packet-tracer input OUTSIDE tcp 192.168.2.2 23 192.168.3.3 23

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.3.0 255.255.255.0 DMZ

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_INBOUND in interface OUTSIDE
access-list OUTSIDE_INBOUND extended permit tcp any host 192.168.3.3 eq telnet
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network WEB_SERVER
nat (DMZ,OUTSIDE) static 192.168.2.200
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
That makes sense. In my example I didn’t have NAT configured… just the IP addresses and security levels on the ASA, that’s it.
perfect, thank you!!
Hi Rene !
Don’t you need NAT? When you are using an access-list, all security levels will diminish? Or am I wrong?
If this was a real network with Internet connectivity and public/private addresses then yes, you would need NAT. In this example however it’s just an ASA with three interfaces. Nothing has to be translated.
What’s the order on a given interface? Is the ACL evaluated first and then NAT applied?
ASA1(config)# access-group OUTSIDE_INBOUND in interface OUTSIDE – Referring to this line, which operation is performed first, NAT or ACL? And
if it is NAT, then this changes the source IP to the given public IP, overriding the ACL condition which defines what host/subnet source IP is to be permitted or denied.
-Thanks in advance
Here’s a good document from Cisco that explains the “order of operation” for the ASA:
The packet tracer tool on the ASA is also great to answer this question. For example:
ASA# packet-tracer input INSIDE tcp 192.168.1.1 50001 18.104.22.168 80
This will show us the packet flow for a host that is using IP address 192.168.1.1 and who wants to connect to TCP port 80 on 22.214.171.124. Here’s the result:
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.1 using egress ifc OUTSIDE

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network INSIDE
nat (INSIDE,OUTSIDE) dynamic interface
Additional Information:
Dynamic translate 192.168.1.1/50001 to 10.10.10.254/50001

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map SFR
 match access-list SFR_REDIRECT
policy-map global_policy
 class SFR
  sfr fail-open
service-policy global_policy global
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1017213, packet dispatched to next module
You can see that the access-list is checked BEFORE NAT is applied. If your packet doesn’t match the access-list then it will be dropped before NAT translation occurs.
Hope this helps.
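Reading packet-tracer output by eye works for one trace, but when it is pasted as a single run-together line (as the rpf-check trace earlier in this thread was) a small parser makes the phase order and the dropping phase unambiguous. This is an added example, not code from the thread or from Cisco: it extracts each phase’s number, type, subtype, result and config, reports the first phase that returned DROP together with the trailing Action and Drop-reason, and lets you check that the interface access-list phase comes before the NAT phase. The sample input is the earlier rpf-check trace from this thread, kept in the run-together form in which it was pasted; the parser accepts the normal multi-line form too.

```python
"""Parse Cisco ASA packet-tracer output and pinpoint the phase that dropped a packet.

Added example, not code from the original thread or from Cisco. SAMPLE is the
rpf-check trace quoted earlier in the thread, as the single run-together line
it was pasted as; the regex tolerates that form and the normal multi-line form.
"""
import re

SAMPLE = (
    "Phase: 1 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule "
    "Additional Information: MAC Access list "
    "Phase: 2 Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: "
    "Additional Information: in 192.168.3.0 255.255.255.0 DMZ "
    "Phase: 3 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: "
    "access-group OUTSIDE_INBOUND in interface OUTSIDE "
    "access-list OUTSIDE_INBOUND extended permit tcp any host 192.168.3.3 eq telnet "
    "Additional Information: "
    "Phase: 4 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: "
    "Phase: 5 Type: NAT Subtype: rpf-check Result: DROP Config: "
    "object network WEB_SERVER nat (DMZ,OUTSIDE) static 192.168.2.200 "
    "Additional Information: "
    "Result: input-interface: OUTSIDE input-status: up input-line-status: up "
    "output-interface: DMZ output-status: up output-line-status: up "
    "Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule"
)

# One phase block: Phase / Type / Subtype (may be empty) / Result / Config (may be
# empty) / Additional Information.  \s* and re.S make newlines irrelevant.
PHASE_RE = re.compile(
    r"Phase:\s*(?P<num>\d+)\s+Type:\s*(?P<type>\S+)\s+Subtype:\s*(?P<subtype>.*?)\s*"
    r"Result:\s*(?P<result>ALLOW|DROP)\s+Config:\s*(?P<config>.*?)\s*Additional Information:",
    re.S,
)


def parse_phases(text):
    """Return one dict per phase, in the order the ASA evaluated them."""
    return [
        {"num": int(m["num"]), "type": m["type"], "subtype": m["subtype"],
         "result": m["result"], "config": m["config"]}
        for m in PHASE_RE.finditer(text)
    ]


def first_phase(phases, kind, subtype=None):
    """Number of the first phase of the given Type (and optional Subtype), or None."""
    for p in phases:
        if p["type"] == kind and (subtype is None or p["subtype"] == subtype):
            return p["num"]
    return None


def drop_summary(text):
    """Which phase dropped the packet, what rule it hit, and the trailing verdict."""
    phases = parse_phases(text)
    dropped = next((p for p in phases if p["result"] == "DROP"), None)
    action = re.search(r"Action:\s*(\w+)", text)
    reason = re.search(r"Drop-reason:\s*(.+?)\s*$", text, re.S)
    return {
        "action": action.group(1) if action else None,
        "drop_reason": reason.group(1).strip() if reason else None,
        "phase": dropped["num"] if dropped else None,
        "type": dropped["type"] if dropped else None,
        "subtype": dropped["subtype"] if dropped else None,
        "config": dropped["config"] if dropped else None,
    }


if __name__ == "__main__":
    phases = parse_phases(SAMPLE)
    for p in phases:
        print(f"{p['num']:>2} {p['type']:<14} {p['subtype']:<10} {p['result']}")
    print("interface ACL phase:", first_phase(phases, "ACCESS-LIST", "log"),
          "NAT phase:", first_phase(phases, "NAT"))
    print(drop_summary(SAMPLE))
```

Here the interface access-list (phase 3, the “log” subtype with the access-group config) already said ALLOW; the packet died in phase 5, the NAT rpf-check against the static translation for WEB_SERVER, which is why the fix in the thread was a NAT question and not an ACL one.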
I have a basic question, as I am just getting to know ASA firewalls. Don’t standard and named access-lists work on the ASA? I haven’t been able to see that configuration.