Hi Daljeet,

Global ACLs - One of the main motivations to create the global ACL feature was to minimize the number of ACLs created during Checkpoint to ASA migration and to create a flow-based policy. These provide interface-independent policies. Global ACLs provide access control to IPv4/IPv6 traffic on all interfaces except for internal interfaces such as Loopback, identity, Internal-Control, Internal-Data, etc., only in the ingress/input direction. They do not support control-plane or per-user-override features.

The order of processing ACLs is given below.

Order:
1. interface ACLs
2. global ACLs
3. default global ACL rule (deny ip any any)

Interface ACL rules have a priority of 13 in the ASP table. Global ACLs have a priority of 12 in the ASP table. (The higher the value, the higher the priority, and higher priority is processed first; hence interface ACLs are processed before global ACL entries.)

It is very important to understand that the "implicit" deny ip any any of the global ACL has a priority of 11 in the ASP table. This means that once a global ACL is applied, the implicit deny ip any any rule is removed from the interface rule and added to the end of the global rule automatically.

Samarth Chidanand
Sr Instructor / Developer - IPexpert
CCIE #18535 (R&S, Security)
CCSI #34585

From: Daljeet SinGH [mailto:[email protected]]
Sent: Friday, April 26, 2013 10:49 AM
To: Samarth Chidanand
Cc: Mike Rojas; [email protected]
Subject: Re: [OSL | CCIE_Security] Workbook1 Task 12

But the Q is, as mentioned, there is already an inbound ACL on the outside interface which will be processed 1st?

On Fri, Apr 26, 2013 at 10:20 AM, Samarth Chidanand <[email protected]> wrote:

Hi Mike,

See the answer below from the DSG. It states "use global ACLs", which implies more than one ACL.

Task 12: Manual static identity NAT on ASA-3

* Create a loopback on R2 with an IP address of 222.222.222.222/32. Configure static identity NAT such that only outside users can ping that IP address. Use global ACLs to allow access.
* Advertise the new loopback into RIPv2 on R2 and create appropriate static routes on R4 and R5.

Task-12: Solutions

Step 1: Configure Loopback on R2 and advertise into RIP.

int lo222
 ip add 222.222.222.222 255.255.255.255
router rip
 network 222.222.222.0

Step 2: Configure static routes on R4 and R5.

R5
ip route 222.222.222.222 255.255.255.255 100.100.35.105

R4
ip route 222.222.222.222 255.255.255.255 200.100.34.104

Step 3: Configure objects on ASA3

object network R2_Loop222
 host 222.222.222.222

Step 4: Configure manual identity NAT on ASA3

nat (dmz1,outside-1) source static R2_Loop222 R2_Loop222
nat (dmz1,outside-2) source static R2_Loop222 R2_Loop222

Step 5: Configure global ACLs

access-list GLOBAL permit ip any object R2_Loop222
access-list GLOBAL permit ip object R2_Loop222 any

Verification

Step 1: Verify manual NAT entries (Section 1). Entries 5 and 6 of Section 1.

Manual NAT Policies (Section 1)
<SNIP>
5 (dmz1) to (Outside-1) source static R2_Loop222 R2_Loop222
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 222.222.222.222/32, Translated: 222.222.222.222/32
6 (dmz1) to (Outside-2) source static R2_Loop222 R2_Loop222
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 222.222.222.222/32, Translated: 222.222.222.222/32
<SNIP>

Step 2: Telnet from Lo222 to R4 and R5 and perform basic ping tests.

R2#telnet 45.45.45.4 /source-interface lo222
Trying 45.45.45.4 ... Open

R4#sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:04:58
*514 vty 0                idle                 00:00:00 222.222.222.222

  Interface    User               Mode         Idle     Peer Address

R4#exit

[Connection to 45.45.45.4 closed by foreign host]
R2#ping 4.4.4.4 so lo 222

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 222.222.222.222
!!!!!
R2#ping 45.45.45.5 so lo 222

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 45.45.45.5, timeout is 2 seconds:
Packet sent with a source address of 222.222.222.222
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R2#telnet 100.100.35.5 /source-interface lo222
Trying 100.100.35.5 ... Open

R5#show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:04:00
*514 vty 0                idle                 00:00:00 222.222.222.222

  Interface    User               Mode         Idle     Peer Address

R5#ping 222.222.222.222

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 222.222.222.222, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R5#exit

[Connection to 100.100.35.5 closed by foreign host]
R2#

From: [email protected] [mailto:[email protected]] On Behalf Of Mike Rojas
Sent: Friday, April 26, 2013 7:27 AM
To: [email protected]
Subject: [OSL | CCIE_Security] Workbook1 Task 12

Hi,

This task says that you need to allow the traffic from the outside to the loopback 222.222.222.222/32 on R2. The problem comes when it says that I need to allow this using the Global ACL. There was already a Global ACL configured, but also there are 2 access lists on ASA3 used to allow traffic inbound from outside at a previous task. The problem is that even if I allow that traffic on the global ACL, it is not going to work, as the interface ACL is processed before the Global ACL. Is there something that I am doing wrong?

Another question that comes up is that, for every object that needed 2 NATs for both outside interfaces, I created the object and then another object with the same host and created the NAT there. Just checking if that is correct.

Finally, on a task I read, you can reuse the object for the access list... well, I reused every object that I could :P so I don't know if, previous to that task, I needed to create a new object for the ACLs.

Mike.

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
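The point of the thread is the evaluation order Samarth gives: interface ACL entries (ASP priority 13) before global ACL entries (priority 12), with the implicit "deny ip any any" (priority 11) moving to the end of the global ACL once one is applied, so traffic the interface ACL neither permits nor denies falls through to the global ACL instead of being dropped. The following Python model is an added illustration written for this page; it is not from the thread, from IPexpert, or from Cisco, and it simplifies the ASA to a first-match list over IP source and destination only (no protocol, ports, object-groups or NAT order). The GLOBAL entries and the R2_Loop222 host follow the task solution above; the OUTSIDE_IN interface ACL, its addresses and the outside host addresses are constructed stand-ins for the earlier task's inbound ACL.

```python
import ipaddress
from dataclasses import dataclass

# ASP-table priorities as stated in the thread (higher value is evaluated first):
# interface ACL 13, global ACL 12, implicit "deny ip any any" of the global ACL 11.
PRIO_INTERFACE_ACL = 13
PRIO_GLOBAL_ACL = 12
PRIO_IMPLICIT_DENY = 11   # also used to sort the interface implicit deny last (assumption)

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Ace:
    """One access-control entry. Only IP source/destination are modelled;
    protocol, ports and object-groups are out of scope (simplification)."""
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    origin: str                    # name of the ACL the entry belongs to

    def matches(self, src_ip, dst_ip):
        return src_ip in self.src and dst_ip in self.dst


def ace(action, src, dst, origin):
    return Ace(action, ipaddress.ip_network(src), ipaddress.ip_network(dst), origin)


def build_asp_table(interface_acl, global_acl):
    """Order the rules for one ingress interface the way the thread describes.

    interface_acl: ACEs bound inbound to the interface, in configured order.
    global_acl:    ACEs of the global ACL, or None when no global ACL is applied.

    Entries are sorted by ASP priority (descending) and keep their configured
    order inside each ACL. The implicit deny is appended last: at the end of
    the global ACL when one exists, otherwise at the end of the interface ACL.
    """
    rows = [(PRIO_INTERFACE_ACL, i, a) for i, a in enumerate(interface_acl)]
    if global_acl is not None:
        rows += [(PRIO_GLOBAL_ACL, i, a) for i, a in enumerate(global_acl)]
        implicit = ace("deny", ANY, ANY, "implicit deny (end of global ACL)")
    else:
        implicit = ace("deny", ANY, ANY, "implicit deny (end of interface ACL)")
    rows.append((PRIO_IMPLICIT_DENY, 0, implicit))
    rows.sort(key=lambda r: (-r[0], r[1]))
    return [a for _, _, a in rows]


def decide(interface_acl, global_acl, src_ip, dst_ip):
    """First-match lookup; returns (action, origin) of the winning entry."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for a in build_asp_table(interface_acl, global_acl):
        if a.matches(s, d):
            return a.action, a.origin
    raise AssertionError("unreachable: the implicit deny always matches")


# Constructed sample policy. R2_LOOP222 and the GLOBAL entries follow the task
# solution in the thread; OUTSIDE_IN stands in for an earlier task's inbound
# interface ACL and its addresses are made up for this example.
R2_LOOP222 = "222.222.222.222/32"
OUTSIDE_IN = [
    ace("deny", "192.0.2.0/24", ANY, "OUTSIDE_IN"),      # constructed entry
    ace("permit", ANY, "10.1.1.10/32", "OUTSIDE_IN"),     # constructed entry
]
GLOBAL = [
    ace("permit", ANY, R2_LOOP222, "GLOBAL"),   # access-list GLOBAL permit ip any object R2_Loop222
    ace("permit", R2_LOOP222, ANY, "GLOBAL"),   # access-list GLOBAL permit ip object R2_Loop222 any
]

if __name__ == "__main__":
    cases = [
        ("198.51.100.7", "222.222.222.222"),   # outside host pinging the loopback
        ("198.51.100.7", "10.1.1.10"),         # matched by the interface ACL
        ("198.51.100.7", "10.1.1.99"),         # matched by nothing
        ("192.0.2.5", "222.222.222.222"),      # interface ACL deny wins over GLOBAL permit
    ]
    for src, dst in cases:
        print(f"{src:>15} -> {dst:<17} with GLOBAL: {decide(OUTSIDE_IN, GLOBAL, src, dst)}")
        print(f"{'':>15}    {'':<17} no GLOBAL:   {decide(OUTSIDE_IN, None, src, dst)}")
```

Running it shows the answer to Daljeet's question: the outside host's ping to 222.222.222.222 is not matched by OUTSIDE_IN, so it reaches GLOBAL and is permitted, whereas with no global ACL applied the same packet hits the interface ACL's implicit deny. It also shows the other half of the rule: an explicit deny in the interface ACL still wins over a permit in GLOBAL, so when an interface ACL unexpectedly blocks traffic the entry to look for is a deny (or a broad permit that stops the lookup early), not the ACL's absence of a permit.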
