ASA 5505 Security Plus ignores inbound ACLs

Answered Question
Mar 3rd, 2007

I have a single static IP and currently serve HTTP, HTTPS, and SMTP (successfully) through PAT with a PIX 501.

I've tried every combination of Outside_in ACLs, even a permit any any, and incoming traffic is still blocked by the ACL. The logged event is:

TCP access denied by ACL from 195.156.154.115/3359 to WAN:195.156.111.132/443

istvanbocskai Mon, 03/05/2007 - 05:39

Yes, it is applied to an interface:

"access-group WAN_access_in in interface WAN"

istvanbocskai Mon, 03/05/2007 - 05:35

Having 2 static IPs, using a different one for port forwarding, all works fine.

elijah.savage Tue, 03/06/2007 - 11:13

What version of IOS are you running? I currently have this setup without any issues at all.

access-list 100 extended permit tcp any host X.X.X.X eq smtp

static (inside,outside) tcp interface smtp <server-ip> smtp netmask 255.255.255.255

Applied to the interface

access-group 100 in interface outside

suschoud Tue, 03/06/2007 - 13:56

Hi,

I guess I am saying the same thing again.

For the access from outside to inside

you need

the static:

static (inside,outside)

Let's say the internal IP address of the server is 10.0.0.2,

so the static would be:

static (inside,outside) 195.156.111.132 10.0.0.2

Along with this, we need an access-list on the outside interface which permits the traffic.

access-list out_in permit tcp any host 195.156.111.132 eq http

access-list out_in permit tcp any host 195.156.111.132 eq https

access-list out_in permit tcp any host 195.156.111.132 eq smtp

Let me know if this helps.

Sushil

istvanbocskai Fri, 03/09/2007 - 09:40

Hi,

I have the following commands:

access-list WAN_access_in extended permit ip any host 195.156.111.131

static (LAN,WAN) tcp 195.156.111.131 www 192.168.151.22 www netmask 255.255.255.255

access-group WAN_access_in in interface WAN

ASA has the IP 195.156.111.132.

If I have the commands with a different IP, e.g. .131, it works. If I use the ASA's own IP, .132, I get ACL denies.

Correct Answer
acomiskey Fri, 03/09/2007 - 09:45

If you want to do .132 (ASA outside interface) you should do

static (LAN,WAN) tcp interface www 192.168.151.22 www netmask 255.255.255.255

Note: elijah recommended the same thing above.
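As an added worked example (written for this page, not posted by anyone in the thread), here is the pre-8.3 configuration the thread converges on, with the form the poster reported as failing beside the corrected one. The nameifs LAN and WAN, the public address 195.156.111.132, the server 192.168.151.22 and the static/ACL lines come from the thread; the Vlan numbering, the inside address and masks, and the assumption that 192.168.151.22 hosts all three services are assumptions made for the example.

```cisco
! ASA 5505, pre-8.3 NAT syntax (the software generation in this thread).
! Interface layout assumed; only the nameifs LAN and WAN come from the poster.
interface Vlan1
 nameif LAN
 security-level 100
 ip address 192.168.151.1 255.255.255.0
!
interface Vlan2
 nameif WAN
 security-level 0
 ip address 195.156.111.132 255.255.255.0
!
! --- What the poster had (works for a spare address such as .131, reported
! --- as "access denied by ACL" when the WAN interface's own .132 is used) ---
!   static (LAN,WAN) tcp 195.156.111.131 www 192.168.151.22 www netmask 255.255.255.255
!   static (LAN,WAN) tcp 195.156.111.132 www 192.168.151.22 www netmask 255.255.255.255
!
! --- Corrected: publish on the interface address with the "interface" keyword ---
! One static PAT entry per forwarded port. Assumes 192.168.151.22 hosts all three.
static (LAN,WAN) tcp interface www 192.168.151.22 www netmask 255.255.255.255
static (LAN,WAN) tcp interface https 192.168.151.22 https netmask 255.255.255.255
static (LAN,WAN) tcp interface smtp 192.168.151.22 smtp netmask 255.255.255.255
!
! Pre-8.3 inbound ACLs are matched against the MAPPED (outside) address.
! Permit only the forwarded TCP ports. The thread's "permit ip any host" is wider
! than the translations that exist and should be narrowed to this.
access-list WAN_access_in extended permit tcp any host 195.156.111.132 eq www
access-list WAN_access_in extended permit tcp any host 195.156.111.132 eq https
access-list WAN_access_in extended permit tcp any host 195.156.111.132 eq smtp
!
! The ACL does nothing until it is bound inbound on the outside interface.
access-group WAN_access_in in interface WAN
```

To confirm the fix from the CLI, replay the logged flow with `packet-tracer input WAN tcp 195.156.154.115 3359 195.156.111.132 443` (available from 7.2) and check that the NAT and ACCESS-LIST phases both report ALLOW, then `show xlate` to see the three interface PAT entries. On ASA 8.3 and later the same publication is written as an `object network` per port with `nat (LAN,WAN) static interface service tcp 443 443`, and the inbound ACL then matches the real address 192.168.151.22 rather than the mapped one; a pre-8.3 ACL pasted into 8.3+ denies in the same way this thread describes.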
