Traffic allowed by acl being dropped on ASA5510 7.2(1)

Unanswered Question
Feb 8th, 2007

Traffic allowed by acl is being denied, with the source port showing what the dest port should be.

Here is the relevant acl line:

access-list acl-cpt line 17 extended permit tcp 192.29.152.0 255.255.255.0 host 192.168.52.2 eq smtp (hitcnt=2)

Here is the error:

%ASA-4-106023: Deny tcp src cpt:192.29.152.107/25 dst pgpserv:192.168.52.2/32819 by access-group "acl-cpt"

The /25 should be on the destination, 192.168.52.2, but is showing up on the source.

This acl worked in our PIX 6.2(4), but this error is occurring on this ASA device.

We have multiple instances of this problem occurring. I have tried deleting and re-applying the access-group, and I thought it fixed the problem, but it did not.

If you have any ideas, please let me know. Thank you.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
acomiskey Thu, 02/08/2007 - 17:41

Is it possible you have your security levels reversed or something? I dont think the asa would lie. Looking at your previous post it appears that your Eth0 is outside but your default route is Eth1 inside? Maybe a small topology and config would help.

daviddtran Thu, 02/08/2007 - 17:54

It does not matter if the default route is

eth1 inside, as long as he has static routes

for the eth0 outside interface. Look to me like

this a bug in this code.

acomiskey Thu, 02/08/2007 - 18:11

I wasn't saying that was a problem, just throwing ideas out there with limited knowledge of the problem and no config. Almost look like traffic is going out around the asa, then the return traffic is hitting outside of asa, that would explain the source port of 25.

Fernando_Meza Thu, 02/08/2007 - 19:48

hi .. what happend if you start a manual telnet on port 25 i.e from 192.29.152.X PC start a telnet 192.168.52.2 25

calterio Fri, 02/09/2007 - 08:25

Here are the relevant parts of the config. I do not have any statics defined. Shouldn't the nat exemption take care of that? Thanks for all your help, folks. I'm just trying to retrofit all the commands from the PIX 6.2(4) over to the ASA 7.2(1) and maybe it isn't that simple.

Cisco Adaptive Security Appliance Software Version 7.2(1)

Device Manager Version 5.2(1)

Hardware: ASA5510-K8, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz

This platform has an ASA 5510 Security Plus license.

ASA Version 7.2(1)

interface Ethernet0/0

speed 100

duplex full

nameif pgpserv

security-level 0

ip address 192.168.52.1 255.255.255.0

!

interface Ethernet0/1

speed 100

duplex full

nameif cpt

security-level 90

ip address 172.16.250.7 255.255.255.0

!

access-list matchall extended permit ip any any

access-list acl-pgpserv extended permit tcp host 192.168.52.2 192.29.152.0 255.255.255.0 eq smtp

access-list acl-pgpserv extended permit tcp host 192.168.52.3 192.29.152.0 255.255.255.0 eq smtp

access-list acl-pgpserv extended permit tcp host 192.168.52.4 192.29.152.0 255.255.255.0 eq smtp

access-list acl-pgpserv extended permit tcp host 192.168.52.5 192.29.152.0 255.255.255.0 eq smtp

access-list acl-pgpserv extended deny ip any any

access-list acl-cpt extended permit tcp 192.29.152.0 255.255.255.0 host 192.168.52.2 eq smtp

access-list acl-cpt extended permit tcp 192.29.152.0 255.255.255.0 host 192.168.52.3 eq smtp

access-list acl-cpt extended permit tcp 192.29.152.0 255.255.255.0 host 192.168.52.4 eq smtp

access-list acl-cpt extended permit tcp 192.29.152.0 255.255.255.0 host 192.168.52.5 eq smtp

access-list acl-cpt extended deny ip any any

mtu pgpserv 1500

mtu cpt 1500

arp timeout 14400

nat (cpt) 0 access-list matchall

access-group acl-pgpserv in interface pgpserv

access-group acl-cpt in interface cpt

route cpt 0.0.0.0 0.0.0.0 172.16.250.2 1

calterio Fri, 02/09/2007 - 10:28

Well, I can't explain it, and I don't want to leave this in place, but I added an acl line to acl-cpt, just before the deny line:

access-list acl-cpt line 54 extended permit tcp 192.29.152.0 255.255.255.0 eq smtp host 192.168.52.2 (hitcnt=0)

The "sh access-list" does not indicate any hits on this line, but the hitcnt on the other acl line for dest port 25 is now incrementing, and I don't see any drops. This makes no sense. Does anyone have any ideas?

tmarlow Sun, 02/18/2007 - 14:09

I can't explain why the new ACE doesn't increment you number count, but you can see why it doesn't work without it. Your ACL on the CPT interface is only allowing traffic back to the PGPSERV interface that has a destination port of 25. Obviously the return traffic is to port 32819 which was the source port of the device originating the request on the 192.168.52.x network.

It works with the added ACE because you are finally allowing traffic back through the CPT interface that is going to all TCP ports other than just 25.

calterio Mon, 02/19/2007 - 10:43

So why did it work with the PIX 6.2(4)? With a stateful firewall, if smtp (dest port 25) is allowed from point A to point B, the return traffic should be allowed, it should not require explicit permit in the ACL.

Actions

This Discussion