[c-nsp] ASA bug?

Greg Whynott Greg.Whynott at oicr.on.ca
Tue Jan 25 10:48:25 EST 2011


Thought I'd get some opinions before I ask Cisco…

I have an ASA5540 with several DMZ zones defined. Several months ago a project required a new zone. This was created, but the project was put on hold and we created a deny any any on the outside interface into this new zone, just to be safe.

Fast forward several months later.

The project is back on the table. I'm asked to allow http/s into the new zone. I have a brain failure and forget that we put a 'deny any any' statement in a few months back. We have a few hundred lines of ACLs and several DMZs, so things can be not so clear to see when viewing the config. Appended to the bottom of the list is my new 'allow http/s' into the new zone. Works fine from inside but not from the internet.

I'm wondering why, so I define an ACL which I'll use in a capture:


access-list capacl1 extended permit ip any host x.x.x.x
access-list capacl1 extended permit ip host x.x.x.x any

Simple enough. Host x.x.x.x is a host in the new DMZ zone.

I apply it to the new dmz interface:

capture cap1 access-list capacl1 interface newdmz real-time


From an internet host I attempt a connection to port 80:


ggw at 76.65.229.23:~$  telnet x.x.x.x 80


I see the packets egress the newdmz interface:

   1: 15:55:11.839525 802.1Q vlan#560 P0 x.x.x.x.2716 > 192.168.53.19.1433: . 3365025458:3365025459(1) ack 2402449091 win 64453
   2: 15:55:11.840303 802.1Q vlan#560 P0 192.168.53.19.1433 > x.x.x.x.2716: . ack 3365025459 win 64374
   3: 15:55:12.070079 802.1Q vlan#560 P0 192.168.53.19.1433 > x.x.x.x.2716: . 2402449090:2402449091(1) ack 3365025459 win 64374
   4: 15:55:12.070202 802.1Q vlan#560 P0 x.x.x.x.2716 > 192.168.53.19.1433: . ack 2402449091 win 64453
   5: 15:55:21.180608 76.65.229.23.61388 > x.x.x.x.443: S 2533989180:2533989180(0) win 65535 <mss 1260,nop,nop,sackOK>
   6: 15:55:24.070659 76.65.229.23.61388 > x.x.x.x.443: S 2533989180:2533989180(0) win 65535 <mss 1260,nop,nop,sackOK>
   7: 15:55:30.085978 76.65.229.23.61388 > x.x.x.x.443: S 2533989180:2533989180(0) win 65535 <mss 1260,nop,nop,sackOK>


I see packets egressing the dmz interface into the dmz zone… In my mind this is not a firewall issue as the packets are being forwarded into the zone, as expected.

The reality is there was a "deny ip any any into newzone" applied to the outside interface. I should not have seen these packets when running a capture on the dmz interface, correct? This caused me to spin my wheels on this for 1/2 a day till I noticed the ACL in the outside_in section…

As soon as I removed the ACL element from the outside_in, things worked.


Am I not understanding something here, or does this look wrong?

Thanks for your time,
greg
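Added example, not part of Greg's post or any Cisco tooling: a small Python parser for capture lines in the "show capture" format shown above, which reports flows whose SYNs never get a packet back in the reverse direction (the situation the capture above shows for the 443 attempts). The DMZ host 203.0.113.10 is a constructed stand-in for the redacted x.x.x.x; the other addresses are the ones from the post.

```python
import re
from collections import defaultdict

# Constructed sample in the ASA "show capture" output format; 203.0.113.10 stands in
# for the redacted x.x.x.x DMZ host in the post, the other addresses are from the post.
SAMPLE_CAPTURE = """\
   1: 15:55:11.839525 802.1Q vlan#560 P0 203.0.113.10.2716 > 192.168.53.19.1433: . 3365025458:3365025459(1) ack 2402449091 win 64453
   2: 15:55:11.840303 802.1Q vlan#560 P0 192.168.53.19.1433 > 203.0.113.10.2716: . ack 3365025459 win 64374
   3: 15:55:12.070079 802.1Q vlan#560 P0 192.168.53.19.1433 > 203.0.113.10.2716: . 2402449090:2402449091(1) ack 3365025459 win 64374
   4: 15:55:12.070202 802.1Q vlan#560 P0 203.0.113.10.2716 > 192.168.53.19.1433: . ack 2402449091 win 64453
   5: 15:55:21.180608 76.65.229.23.61388 > 203.0.113.10.443: S 2533989180:2533989180(0) win 65535 <mss 1260,nop,nop,sackOK>
   6: 15:55:24.070659 76.65.229.23.61388 > 203.0.113.10.443: S 2533989180:2533989180(0) win 65535 <mss 1260,nop,nop,sackOK>
   7: 15:55:30.085978 76.65.229.23.61388 > 203.0.113.10.443: S 2533989180:2533989180(0) win 65535 <mss 1260,nop,nop,sackOK>
"""

# One capture line: packet number, timestamp, optional 802.1Q tag, endpoints, tcpdump-style flags.
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:802\.1Q\s+vlan#\d+\s+P\d\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>[SFRP.]+)"
)

def parse_capture(text):
    """Return one dict per parsable capture line; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            pkts.append(d)
    return pkts

def unanswered_syns(pkts):
    """Map (src, sport, dst, dport) -> SYN count, for flows with no packet seen in the reverse direction."""
    syns = defaultdict(int)
    seen = set()
    for p in pkts:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        seen.add(key)
        if "S" in p["flags"] and "." not in p["flags"]:  # pure SYN, not a SYN-ACK
            syns[key] += 1
    return {k: n for k, n in syns.items() if (k[2], k[3], k[0], k[1]) not in seen}

if __name__ == "__main__":
    for flow, n in unanswered_syns(parse_capture(SAMPLE_CAPTURE)).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: {n} SYNs, no reply seen")
```

The 1433 flow has traffic both ways and is not reported; only the three retransmitted SYNs from 76.65.229.23 toward 443 come back as unanswered.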




