ASA5505 outside implicit rule

Answered Question
Nov 15th, 2007

I can't seem to get incoming traffic pass the implicit outside rule.


I've configured the static route and access-list below, which I hope means any source TCP address can get through the outside interface on port 1997 only, and the static NAT sends the traffic to an IP in the DMZ zone.


static (dmz,outside) 192.168.18.5 192.168.2.2 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 192.168.18.5 eq 1997

access-group outside_access_in in interface outside


However, I can't seem to get through. When I run packet filter, it gets stopped by the outside implicit deny-all rule.


Logging shows the below:-


%ASA-7-710005: TCP request discarded from 192.168.18.254/3049 to outside:192.168.18.5/1997


And as you can see from my access-list, my explicitly configured rules are getting zero hit counts, as everything seems to be getting caught by the implicit deny rule.


mipsasa01# show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

alert-interval 300

access-list outside_access_in; 1 elements

access-list outside_access_in line 1 extended permit tcp any host 192.168.18.5 eq 1997 (hitcnt=0) 0xdea97d0


Why is all outside traffic hitting the explicit deny rule instead of my explicit permit rule?


In despair I changed my access rule to permit all tcp traffic on all ports and it still didn't get through.


Packetnet dropped the packet with the implicit deny rule and logging showed the discarded message.


Any ideas at all would be appreciated.

Correct Answer
acomiskey Fri, 11/16/2007 - 06:01
User Badges:
  • Green, 3000 points or more

Is 192.168.18.5 the outside interface ip address? If so try this...


static (dmz,outside) interface 192.168.2.2 netmask 255.255.255.255


starkhorn Sat, 11/17/2007 - 21:46

Thanks for that. Yeah, 192.168.18.5 is the outside interface address. I've tried the above and I still get the same message when I do show log. There must be something fairly obvious that I'm doing incorrectly.


Would the entire config of my ASA help?

starkhorn Sun, 11/18/2007 - 13:34

Ok, I stand corrected. I used the ASDM GUI and changed it to use interface instead of 192.168.18.5... and it didn't work.


I then tried it again but this time I used the CLI and now it works. I can only think that I forgot to press APPLY when using the GUI.


Anyway, now it gets through with no problems. I don't get it though: 192.168.18.5 is the interface IP address, so shouldn't that have worked?


Thanks for your help.

ajagadee Sun, 11/18/2007 - 14:00
User Badges:
  • Cisco Employee,

It is a feature in PIX that you have to use the interface keyword when configuring a static if you want the traffic to hit the outside IP and get translated.


You must use the interface keyword instead of specifying the actual IP address when you want to include the IP address of a PIX Firewall interface in a static PAT entry.


Please refer to the URL below for details.


http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026694


Let me know if it helps.


Regards,

Arul
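The fix discussed in this thread laid out as a before/after configuration, with the checks to run afterwards. This is an added example, not configuration posted by anyone in the thread or taken from Cisco documentation; it reuses the addresses and port from the posts above and the pre-8.3 `static` syntax the thread uses (ASA 8.3 and later replaced `static` with object NAT, so the same idea is expressed differently there). The port-restricted PAT variant and the packet-tracer check are additions for illustration.

```cisco
! Added example (not the thread's own config). Pre-8.3 ASA syntax as used in
! the thread. Addresses taken from the posts: outside interface 192.168.18.5,
! DMZ server 192.168.2.2, published service TCP/1997.

! --- Does not work: the mapped address is the outside interface's own IP.
! The ASA treats a packet to its own interface address as traffic to itself;
! with nothing listening on 1997 it is discarded, which is what
! %ASA-7-710005 "TCP request discarded" reports, and the interface ACL's
! hit counter never increments because the flow never reaches it.
static (dmz,outside) 192.168.18.5 192.168.2.2 netmask 255.255.255.255

! --- Works: the "interface" keyword tells the ASA to translate on its own
! interface address, so the flow is handled by NAT and then by the ACL.
! Note this maps every port of the outside address to the DMZ host.
static (dmz,outside) interface 192.168.2.2 netmask 255.255.255.255

! --- Tighter variant (static PAT): forward only TCP/1997 to the DMZ host
! instead of mapping the whole interface address, so other ports on the
! outside address are not exposed to the DMZ server at all.
static (dmz,outside) tcp interface 1997 192.168.2.2 1997 netmask 255.255.255.255

! The interface ACL references the mapped (outside) address, which with
! pre-8.3 NAT is the interface IP itself. If the expected client range is
! known, narrow "any" to that range.
access-list outside_access_in extended permit tcp any host 192.168.18.5 eq 1997
access-group outside_access_in in interface outside

! Checks after the change:
! 1. Simulate the exact flow seen in the log and confirm the NAT and ACL
!    phases report ALLOW (packet-tracer exists on ASA 7.0 and later).
packet-tracer input outside tcp 192.168.18.254 3049 192.168.18.5 1997
! 2. After a test connection, hitcnt on line 1 should be non-zero.
show access-list outside_access_in
! 3. Confirm the translation is installed.
show xlate
```

The packet-tracer output is the quickest way to tell the two failure modes apart: with the first `static`, the trace stops before the ACL phase, whereas with the `interface` form a drop would show up in the ACL phase and point at the access-list itself.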

starkhorn Sun, 11/18/2007 - 14:05

Thanks Arul, that clearly explains it. Many thanks.
