02-08-2007 05:06 PM - edited 03-11-2019 02:31 AM
Traffic allowed by acl is being denied, with the source port showing what the dest port should be.
Here is the relevant acl line:
access-list acl-cpt line 17 extended permit tcp 192.29.152.0 255.255.255.0 host 192.168.52.2 eq smtp (hitcnt=2)
Here is the error:
%ASA-4-106023: Deny tcp src cpt:192.29.152.107/25 dst pgpserv:192.168.52.2/32819 by access-group "acl-cpt"
The /25 should be on the destination, 192.168.52.2, but is showing up on the source.
This acl worked in our PIX 6.2(4), but this error is occurring on this ASA device.
We have multiple instances of this problem occurring. I have tried deleting and re-applying the access-group, and I thought it fixed the problem, but it did not.
If you have any ideas, please let me know. Thank you.
02-08-2007 05:41 PM
Is it possible you have your security levels reversed or something? I dont think the asa would lie. Looking at your previous post it appears that your Eth0 is outside but your default route is Eth1 inside? Maybe a small topology and config would help.
02-08-2007 05:54 PM
It does not matter if the default route is
eth1 inside, as long as he has static routes
for the eth0 outside interface. Look to me like
this a bug in this code.
02-08-2007 06:11 PM
I wasn't saying that was a problem, just throwing ideas out there with limited knowledge of the problem and no config. Almost look like traffic is going out around the asa, then the return traffic is hitting outside of asa, that would explain the source port of 25.
02-08-2007 07:48 PM
hi .. what happend if you start a manual telnet on port 25 i.e from 192.29.152.X PC start a telnet 192.168.52.2 25
02-09-2007 08:25 AM
Here are the relevant parts of the config. I do not have any statics defined. Shouldn't the nat exemption take care of that? Thanks for all your help, folks. I'm just trying to retrofit all the commands from the PIX 6.2(4) over to the ASA 7.2(1) and maybe it isn't that simple.
Cisco Adaptive Security Appliance Software Version 7.2(1)
Device Manager Version 5.2(1)
Hardware: ASA5510-K8, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
This platform has an ASA 5510 Security Plus license.
ASA Version 7.2(1)
interface Ethernet0/0
speed 100
duplex full
nameif pgpserv
security-level 0
ip address 192.168.52.1 255.255.255.0
!
interface Ethernet0/1
speed 100
duplex full
nameif cpt
security-level 90
ip address 172.16.250.7 255.255.255.0
!
access-list matchall extended permit ip any any
access-list acl-pgpserv extended permit tcp host 192.168.52.2 192.29.152.0 255.255.255.0 eq smtp
access-list acl-pgpserv extended permit tcp host 192.168.52.3 192.29.152.0 255.255.255.0 eq smtp
access-list acl-pgpserv extended permit tcp host 192.168.52.4 192.29.152.0 255.255.255.0 eq smtp
access-list acl-pgpserv extended permit tcp host 192.168.52.5 192.29.152.0 255.255.255.0 eq smtp
access-list acl-pgpserv extended deny ip any any
access-list acl-cpt extended permit tcp 192.29.152.0 255.255.255.0 host 192.168.52.2 eq smtp
access-list acl-cpt extended permit tcp 192.29.152.0 255.255.255.0 host 192.168.52.3 eq smtp
access-list acl-cpt extended permit tcp 192.29.152.0 255.255.255.0 host 192.168.52.4 eq smtp
access-list acl-cpt extended permit tcp 192.29.152.0 255.255.255.0 host 192.168.52.5 eq smtp
access-list acl-cpt extended deny ip any any
mtu pgpserv 1500
mtu cpt 1500
arp timeout 14400
nat (cpt) 0 access-list matchall
access-group acl-pgpserv in interface pgpserv
access-group acl-cpt in interface cpt
route cpt 0.0.0.0 0.0.0.0 172.16.250.2 1
02-09-2007 10:28 AM
Well, I can't explain it, and I don't want to leave this in place, but I added an acl line to acl-cpt, just before the deny line:
access-list acl-cpt line 54 extended permit tcp 192.29.152.0 255.255.255.0 eq smtp host 192.168.52.2 (hitcnt=0)
The "sh access-list" does not indicate any hits on this line, but the hitcnt on the other acl line for dest port 25 is now incrementing, and I don't see any drops. This makes no sense. Does anyone have any ideas?
02-18-2007 02:09 PM
I can't explain why the new ACE doesn't increment you number count, but you can see why it doesn't work without it. Your ACL on the CPT interface is only allowing traffic back to the PGPSERV interface that has a destination port of 25. Obviously the return traffic is to port 32819 which was the source port of the device originating the request on the 192.168.52.x network.
It works with the added ACE because you are finally allowing traffic back through the CPT interface that is going to all TCP ports other than just 25.
02-19-2007 10:43 AM
So why did it work with the PIX 6.2(4)? With a stateful firewall, if smtp (dest port 25) is allowed from point A to point B, the return traffic should be allowed, it should not require explicit permit in the ACL.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide