ASA 5540 ver 7.2(2) and configuration help


Would you recommend having this line in the access-list applied to the outside interface inbound:

access-list outside_access_in permit tcp any 80 x.x.x.x any

where x.x.x.x is my global address (the IP addresses of my internal devices will be translated to x.x.x.x when they go to the internet).

I understand that the ASA will automatically allow the returned traffic from connection requests initiated from the inside to the outside, but I see returned traffic coming back from outside web servers on port 80 being denied.

Thank you very much for your help.

acomiskey Thu, 03/01/2007 - 19:37

Not recommended and not needed. Post up a log of the denied traffic.

suschoud Fri, 03/02/2007 - 07:00

Hi,

When the connection is initiated from the inside, the return traffic comes in automatically. We do not need any access-list on the outside interface to permit the return traffic.

If the connection is initiated from outside, then we need a static statement for the translation and an access-list on the outside interface which could permit the traffic. The access-list which you have specified is incorrect, as the correct statement is:

access-list outside_access_in permit tcp any host x.x.x.x eq 80

The connection initiated on the outside will have a random source port and 80 as the destination port (if it's an HTTP request). So, specifying 80 as the source port in the access-list will not work.

Do you have the syslogs pertaining to the connection which is initiated from the inside and the return traffic being denied? Is it denied because of an access-list, or does it say "deny tcp no connection from a.b.c.d to x.x.x.x (no existing translation)"? Please clarify.
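As an added illustration, not code from the original thread or from Cisco, here is a small Python model of the behaviour described in this answer: on the outside interface, a packet that belongs to a connection already in the connection table is permitted without consulting the inbound ACL, and everything else is evaluated against the ACL with an implicit deny at the end. The addresses 203.0.113.10 (a constructed stand-in for the poster's x.x.x.x), 198.51.100.20 and 198.51.100.77 are constructed sample values; the poster's line is rewritten in valid source-port form (`permit tcp any eq 80 host ...`) on the assumption that this is what it was meant to express. The parser only understands `any`, `host A.B.C.D` and `eq N`, which is enough for the two lines in question.

```python
import re
from dataclasses import dataclass
from typing import Optional, Iterable, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Packet":
        # 5-tuple of the reply direction; used to look a reply up in the connection table.
        return Packet(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "tcp" or "udp"
    src: str                 # "any" or a host address
    src_port: Optional[int]  # None means any port
    dst: str
    dst_port: Optional[int]


def _take_addr(tokens: list) -> str:
    tok = tokens.pop(0)
    if tok == "any":
        return "any"
    if tok == "host":
        return tokens.pop(0)
    raise ValueError(f"unsupported address spec: {tok}")


def _take_port(tokens: list) -> Optional[int]:
    # Only the 'eq N' operator is modelled; absence means "any port".
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC [eq N] DST [eq N]'."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or len(tokens) < 5:
        raise ValueError("not an extended access-list line")
    rest = tokens[2:]
    if rest[0] == "extended":
        rest.pop(0)
    action, proto = rest.pop(0), rest.pop(0)
    src = _take_addr(rest)
    src_port = _take_port(rest)
    dst = _take_addr(rest)
    dst_port = _take_port(rest)
    if rest:
        raise ValueError(f"unparsed tokens: {rest}")
    return Ace(action, proto, src, src_port, dst, dst_port)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    # Each field is a wildcard (any / None) or must equal the packet's value.
    return (ace.proto == pkt.proto
            and ace.src in ("any", pkt.src_ip)
            and ace.src_port in (None, pkt.src_port)
            and ace.dst in ("any", pkt.dst_ip)
            and ace.dst_port in (None, pkt.dst_port))


def evaluate_inbound(acl: Iterable[Ace], conns: Set[Packet], pkt: Packet) -> Tuple[str, str]:
    """Model of the outside interface: established connections bypass the inbound
    ACL; anything else walks the ACL in order and falls to the implicit deny."""
    if pkt.reverse() in conns:
        return "permit", "existing connection"
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action, "matched ACE"
    return "deny", "implicit deny"


GLOBAL_IP = "203.0.113.10"  # constructed stand-in for the poster's x.x.x.x

# The poster's intent (source port 80) written in valid syntax, and the corrected line from the answer.
POSTER_ACE = parse_ace(f"access-list outside_access_in permit tcp any eq 80 host {GLOBAL_IP}")
CORRECT_ACE = parse_ace(f"access-list outside_access_in permit tcp any host {GLOBAL_IP} eq 80")


def demo() -> dict:
    # Connection table entry left by an inside host (already translated to the global address)
    # browsing 198.51.100.20:80; the reply comes back from port 80 to the random source port.
    conns = {Packet("tcp", GLOBAL_IP, 40000, "198.51.100.20", 80)}
    reply = Packet("tcp", "198.51.100.20", 80, GLOBAL_IP, 40000)
    # An outside-initiated HTTP request: random source port, destination port 80.
    request = Packet("tcp", "198.51.100.77", 51234, GLOBAL_IP, 80)
    return {
        "reply_with_no_acl": evaluate_inbound([], conns, reply),
        "reply_with_no_conn": evaluate_inbound([CORRECT_ACE], set(), reply),
        "request_poster_ace": evaluate_inbound([POSTER_ACE], conns, request),
        "request_correct_ace": evaluate_inbound([CORRECT_ACE], conns, request),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:22s} -> {verdict}")
```

The four cases line up with the answer: the reply to an inside-initiated connection is permitted by the connection table even with an empty inbound ACL; the same reply with no connection entry is dropped regardless of the ACL, which is the "no connection" condition the answer asks the poster to look for in the syslogs; the outside-initiated request never matches an ACE keyed on source port 80, while the corrected `host x.x.x.x eq 80` form permits it.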
