03-01-2007 06:48 PM - edited 03-11-2019 02:40 AM
Would you recommend having this line in the access-list applied to the outside interface inbound:
access-list outside_access_in permit tcp any 80 x.x.x.x any
where x.x.x.x is my global address (the IP addresses of my internal devices will be translated to x.x.x.x when they go to the Internet)?
I understand that the ASA will automatically allow the return traffic for connection requests initiated from the inside to the outside, but I see return traffic from outside web servers (port 80) coming back being denied.
Thank you very much for your help
03-01-2007 07:37 PM
Not recommended and not needed. Post up a log of the denied traffic.
03-02-2007 07:00 AM
Hi,
When the connection is initiated from the inside, the return traffic comes in automatically. We do not need any access-list on the outside interface to permit the return traffic.
If the connection is initiated from the outside, then we need a static statement for the translation and an access-list on the outside interface which permits the traffic. The access-list which you have specified is incorrect; the correct statement is: access-list outside_access_in permit tcp any host x.x.x.x eq 80
The connection initiated on the outside will have a random source port and 80 as the destination port (if it is an HTTP request). So, specifying 80 as the source port in the access-list will not work.
Do you have the syslogs pertaining to the connection which is initiated from the inside and the return traffic being denied? Is it denied because of an access-list, or does it say "deny tcp no connection from a.b.c.d to x.x.x.x (no existing translation)"? Please clarify.
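The two points made in this thread (return traffic for an inside-initiated connection is matched against the connection table and never consulted against the outside ACL, and an outside-initiated HTTP request has a random source port, so an ACE keyed on source port 80 never matches) can be shown with a small model. The code below is an added example and not from the thread or from Cisco; it is a toy stateful firewall, not ASA behaviour in every detail. The addresses (203.0.113.10 standing in for x.x.x.x, the 10.0.0.0/8 inside hosts, the 198.51.100.0/24 outside hosts) are constructed from documentation ranges, and the poster's line is rewritten in valid ACE syntax with source port 80 (`any eq 80`) to express what it was trying to say.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not from the thread): a toy model of an ASA-style stateful
# firewall with a connection table and an inbound ACL on the outside interface.
# All addresses are constructed from documentation ranges.

GLOBAL_IP = "203.0.113.10"   # stands in for the poster's x.x.x.x (constructed)


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    iface: str  # interface the packet arrives on: "inside" or "outside"


@dataclass
class AclEntry:
    action: str
    proto: str
    src: str                 # "any" or a host address
    src_port: Optional[int]  # None means any source port
    dst: str
    dst_port: Optional[int]  # None means any destination port


def parse_acl(line: str) -> AclEntry:
    """Parse a simplified ACE: 'access-list NAME permit tcp SRC [eq P] DST [eq P]'
    where SRC/DST is 'any' or 'host A.B.C.D'. Only the subset used here is supported."""
    toks = line.split()
    if toks[0] != "access-list":
        raise ValueError("not an access-list line")
    action, proto = toks[2], toks[3]
    i = 4

    def addr() -> str:
        nonlocal i
        if toks[i] == "any":
            i += 1
            return "any"
        if toks[i] != "host":
            raise ValueError("expected 'any' or 'host'")
        i += 2
        return toks[i - 1]

    def port() -> Optional[int]:
        nonlocal i
        if i < len(toks) and toks[i] == "eq":
            i += 2
            return int(toks[i - 1])
        return None

    src = addr()
    sp = port()
    dst = addr()
    dp = port()
    return AclEntry(action, proto, src, sp, dst, dp)


def ace_matches(ace: AclEntry, pkt: Packet) -> bool:
    return (ace.proto == pkt.proto
            and ace.src in ("any", pkt.src_ip)
            and ace.src_port in (None, pkt.src_port)
            and ace.dst in ("any", pkt.dst_ip)
            and ace.dst_port in (None, pkt.dst_port))


class Firewall:
    def __init__(self, outside_acl, static_nat):
        self.acl = [parse_acl(line) for line in outside_acl]
        self.static = static_nat   # {global_ip: inside_ip}; needed for outside-initiated flows
        self.conns = set()         # (proto, global_ip, global_port, remote_ip, remote_port)

    def process(self, pkt: Packet) -> str:
        if pkt.iface == "inside":
            # PAT the source to the global address and record the connection.
            self.conns.add((pkt.proto, GLOBAL_IP, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "permit (inside-initiated, conn created)"
        # Packet arriving on the outside interface: existing conn wins, no ACL lookup.
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.conns:
            return "permit (return traffic matches existing conn; ACL not consulted)"
        if pkt.dst_ip not in self.static:
            return "deny (no translation for new inbound connection)"
        for ace in self.acl:
            if ace_matches(ace, pkt):
                return f"{ace.action} (ACL)"
        return "deny (implicit deny at end of ACL)"


def run_scenarios() -> dict:
    wrong = ["access-list outside_access_in permit tcp any eq 80 host 203.0.113.10"]
    right = ["access-list outside_access_in permit tcp any host 203.0.113.10 eq 80"]
    static = {GLOBAL_IP: "10.0.0.20"}   # static for an inside web server (constructed)
    results = {}

    fw = Firewall(outside_acl=[], static_nat={})   # empty outside ACL, no static
    out = Packet("tcp", "10.0.0.5", 40000, "198.51.100.20", 80, "inside")
    back = Packet("tcp", "198.51.100.20", 80, GLOBAL_IP, 40000, "outside")
    results["outbound"] = fw.process(out)
    results["return"] = fw.process(back)
    # The same return packet on a firewall with no conn entry is dropped.
    results["return_no_conn"] = Firewall([], {}).process(back)

    new_in = Packet("tcp", "198.51.100.77", 51515, GLOBAL_IP, 80, "outside")
    results["inbound_wrong_acl"] = Firewall(wrong, static).process(new_in)
    results["inbound_right_acl"] = Firewall(right, static).process(new_in)
    results["inbound_no_static"] = Firewall(right, {}).process(new_in)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20s} {verdict}")
```

The model makes the thread's diagnostic question concrete: a packet from port 80 on the outside is permitted only because a conn entry exists for it, so if the poster's syslog shows return traffic being denied, the conn was never built (or has already been torn down) and the fix is not an ACE on the outside interface. For a genuinely outside-initiated request both a static translation and an ACE keyed on the destination port are required.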