ASA ACL Question

cksrealm (Level 1)

Hi all, we have just bought two Cisco ASAs that I have set up in a failover pair. Having some issues with the access lists, however.

I have created an access-list that permits any source to access a web server on the DMZ (using NAT). However, when I browse to the "real" NATted address I am getting errors on the ASA saying that the request has been blocked by the implicit deny any statement. I totally understand that, but why, if I have created an access list that allows HTTP traffic to the Internet address of the web server, should I be getting it? I can post config if required.

Any idea?

acomiskey (Level 10)

post config...

gwong (Level 1)

Probably missing the static command from your config.

Try the static command:

syntax:
static (inside,DMZ) 'inside_subnet' 'inside_subnet' netmask 'subnet_mask'

example:
static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

domain-name default.domain.invalid
enable password xxxxxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
 description Live Internet Interface
 nameif Live_Internet
 security-level 0
 ip address 195.167.187.230 255.255.255.224
!
interface Ethernet0/1
 description Customer Network
 nameif Customer_Net
 security-level 10
 ip address 172.17.4.2 255.255.252.0
!
interface Ethernet0/2
 description Protected Network
 nameif Protected_Net
 security-level 100
 ip address 192.9.224.2 255.255.255.0
!
interface Management0/0
 description Live Network Interface
 nameif Live_Net
 security-level 100
 ip address 192.9.230.2 255.255.255.0
!
passwd xxxxxxxxxx encrypted
banner exec Welcome to the ASA
banner login Welcome to the ASA
boot system disk0:/asa722-19-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service ISAKMP udp
 port-object eq isakmp
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 195.167.187.224 255.255.255.224
access-list Live_Net_access_in extended permit icmp any 192.9.230.0 255.255.255.0
access-list outside_acl extended permit tcp any host 192.9.224.4 eq www
access-list Live_Internet_access_in extended permit tcp any host 195.167.187.230 eq www
pager lines 24
no asdm history enable
arp timeout 14400
global (Protected_Net) 1 192.9.224.4
static (Live_Internet,Protected_Net) 192.9.224.4 195.167.187.230 netmask 255.255.255.255
access-group Live_Internet_access_in in interface Live_Internet
timeout uauth 0:05:00 absolute
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl_1
 default-domain value cognito.co.uk
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
http server enable
http 0.0.0.0 0.0.0.0 Live_Internet
http 192.9.200.0 255.255.255.0 Live_Net
snmp-server host Live_Net 192.9.200.185 community cognito
snmp-server location Park Royal CAB1
snmp-server contact Cognito Network Operations
snmp-server community cognito
snmp-server enable traps snmp authentication linkup linkdown coldstart
tunnel-group DefaultRAGroup general-attributes
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global

Issue has been resolved. I had an issue with the NAT function, which I have resolved, and it is all working a treat.
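For readers who land on this thread with the same symptom, the following is an added example of how the NAT and ACL lines in the posted configuration would normally be written on the 7.2 code the config shows (boot image asa722-19-k8.bin) to publish the DMZ web server 192.9.224.4 on the outside address 195.167.187.230. It is not part of the original thread and is not the poster's actual fix, which the thread never shows; it assumes the "natting" problem was the orientation of the static. On ASA 7.x the first interface in the parentheses is the one the real host sits behind, and the addresses are given as mapped then real, so the posted `static (Live_Internet,Protected_Net) 192.9.224.4 195.167.187.230` has both reversed. Because 195.167.187.230 is also the Live_Internet interface's own address, the translation has to be a port static to `interface` rather than a plain one-to-one static. The ACL keeps the mapped (public) address, which is what an access-group on the outside interface must reference on pre-8.3 code.

```cisco
! Added example, not the poster's configuration. Assumes the real server is
! 192.9.224.4 on Protected_Net and the public address is the Live_Internet
! interface address 195.167.187.230, as in the posted config.

! Remove the mis-oriented static and the stray global. The global has no
! effect without a matching "nat (ifc) 1 ..." statement, and it names the
! web server's own address as a PAT address on its own interface.
no static (Live_Internet,Protected_Net) 192.9.224.4 195.167.187.230 netmask 255.255.255.255
no global (Protected_Net) 1 192.9.224.4

! Real host on Protected_Net, mapped onto the Live_Internet interface address,
! TCP port 80 only. Form: static (real_ifc,mapped_ifc) tcp interface mapped_port real_ip real_port
static (Protected_Net,Live_Internet) tcp interface www 192.9.224.4 www netmask 255.255.255.255

! Pre-8.3: the inbound ACL on the outside interface matches the MAPPED address.
! This is the line already bound with "access-group Live_Internet_access_in in interface Live_Internet".
access-list Live_Internet_access_in extended permit tcp any host 195.167.187.230 eq www

! Unrelated to the ACL problem but visible in the posted config: the ASDM/HTTPS
! management server is reachable from any Internet address. Keep management
! access on the management network only.
no http 0.0.0.0 0.0.0.0 Live_Internet
http 192.9.200.0 255.255.255.0 Live_Net
```

After applying the change, `clear xlate` so no stale translation survives, then confirm the path with `packet-tracer input Live_Internet tcp 203.0.113.10 1025 195.167.187.230 80` (203.0.113.10 is a placeholder client address); the output should show the ACL phase matching `Live_Internet_access_in` and the NAT phase untranslating to 192.9.224.4, and `show xlate` should list the static once a connection has been built. If `packet-tracer` instead reports the implicit deny, the ACL is being evaluated against an address other than the one the static publishes, which on pre-8.3 code is the usual cause of the error the original post describes.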
