ASA 5540 ver 7.2(2) and configuration help

pxh
Level 1

Would you recommend having this line in the access-list applied inbound on the outside interface:

access-list outside_access_in permit tcp any 80 x.x.x.x any

where x.x.x.x is my global address (the IP addresses of my internal devices will be translated to x.x.x.x when they go to the internet)?

I understand that the ASA will automatically allow the return traffic for connection requests initiated from the inside to the outside, but I see return traffic from outside web servers on port 80 being denied.

Thank you very much for your help.

2 Replies

acomiskey
Level 10

Not recommended and not needed. Post up a log of the denied traffic.

suschoud
Cisco Employee

Hi,

When the connection is initiated from the inside, the return traffic comes in automatically. We do not need any access-list on the outside interface to permit the return traffic.

If the connection is initiated from the outside, then we need a static statement for the translation and an access-list on the outside interface which could permit the traffic. The access-list which you have specified is incorrect, as the correct statement is: access-list outside_access_in permit tcp any host x.x.x.x eq 80

The connection initiated on the outside will have a random source port and 80 as the destination port (if it's an HTTP request). So, specifying 80 as the source port in the access-list will not work.

Do you have the syslogs pertaining to the connection which is initiated from the inside and the return traffic being denied? Is it denied because of an access-list, or does it say "deny tcp no connection from a.b.c.d to x.x.x.x (no existing translation)"? Please clarify.
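To make the source-port versus destination-port point from this reply concrete, here is an added example in Python (not code from the thread, from Cisco, or from the ASA itself): a small matcher for the subset of ASA extended ACE syntax used above. It assumes constructed addresses (203.0.113.10 standing in for the global address x.x.x.x, 198.51.100.7 as an Internet client) and the ACE token order "source address, optional eq port, destination address, optional eq port".

```python
import ipaddress
from collections import namedtuple

# One packet as seen arriving on the outside interface (constructed for this example).
Packet = namedtuple("Packet", "proto src sport dst dport")

def _parse_addr(t, i):
    """ASA address spec: 'any', 'host A' or 'A MASK'. Returns (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _parse_port(t, i):
    """Optional 'eq N' port operator. Returns (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]' (ASA subset)."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    try:
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
    except (ValueError, IndexError) as e:  # e.g. a bare '80' where an address is expected
        raise ValueError(f"malformed ACE {line!r}: {e}") from e
    if i != len(t):
        raise ValueError(f"trailing tokens {t[i:]} in ACE {line!r}")
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport, "dst": dst, "dport": dport}

def ace_matches(ace, pkt):
    """True if the ACE matches the packet; a port of None means 'any port'."""
    return (ace["proto"] in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace["src"]
            and ipaddress.ip_address(pkt.dst) in ace["dst"]
            and ace["sport"] in (None, pkt.sport)
            and ace["dport"] in (None, pkt.dport))

# Constructed sample: an Internet client opens HTTP to the global address (stand-in for x.x.x.x).
INBOUND_HTTP = Packet("tcp", "198.51.100.7", 51234, "203.0.113.10", 80)
SOURCE_PORT_ACE = "access-list outside_access_in permit tcp any eq 80 host 203.0.113.10"
CORRECT_ACE = "access-list outside_access_in permit tcp any host 203.0.113.10 eq 80"
```

Running `ace_matches` against both ACEs shows the entry keyed on source port 80 never matches an inbound request (its source port is ephemeral), while the `host x.x.x.x eq 80` form does; the original line with a bare `80` in the address position is rejected as malformed.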
