ASA5505 outside implicit rule

Answered Question
Nov 15th, 2007
User Badges:

I can't seem to get incoming traffic pass the implicit outside rule.

I've configured the below static route and access-list which I hope means anything source tcp address can get through the outside interface on port 1997 only and the static NAT sends the traffic to an IP in the DMZ zone.

static (dmz,outside) netmask

access-list outside_access_in extended permit tcp any host eq 1997

access-group outside_access_in in interface outside

However I can't seem to get through. When I run packet filter it gets stopped by the outside implicit deny all rule.

Logging shows the below:-

%ASA-7-710005: TCP request discarded from to outside:

And as you can see from my access-list, my explicit configured rules are getting zero hit counts as all seems to be getting caught by the implicit deny rule.

mipsasa01# show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

alert-interval 300

access-list outside_access_in; 1 elements

access-list outside_access_in line 1 extended permit tcp any host eq 1997 (hitcnt=0) 0xdea97d0

Why is all outside traffic hitting the explicit deny rule instead of my explicit permit rule.

In despair I changed my access rule to permit all tcp traffic on all ports and it still didn't get through.

Packetnet dropped the packet with the implicit deny rule and logging showed the discarded message.

Any ideas at all would be appreciated.

Correct Answer by acomiskey about 9 years 6 months ago

Is the outside interface ip address? If so try this...

static (dmz,outside) interface netmask

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Correct Answer
acomiskey Fri, 11/16/2007 - 06:01
User Badges:
  • Green, 3000 points or more

Is the outside interface ip address? If so try this...

static (dmz,outside) interface netmask

starkhorn Sat, 11/17/2007 - 21:46
User Badges:

Thanks for that. Yeah is the outside interface address. I've tried the above and I still get the same message when I do show log. There must be something fairly obvious that I'm doing incorrectly.

Would the entire config of my ASA help?

starkhorn Sun, 11/18/2007 - 13:34
User Badges:

Ok I stand corrected. I used the ASDM GUI and changed to use interface instead of it didn't work.

I then tried it again but this time I used the CLI and now it works. I can only think that I forgot to press APPLY when using the GUI.

Anyway how it gets through with no problems. I don't get it though. is the interface ip address so shouldn't that have worked?

Thanks for your help.

ajagadee Sun, 11/18/2007 - 14:00
User Badges:
  • Cisco Employee,

It is a feature in pix that you have to use the interface keyword when configuring Static if you want the traffic to hit the outside IP and get translated.

You must use the interface keyword instead of specifying the actual IP address when you want to include the IP address of a PIX Firewall interface in a static PAT entry

Please refer the below URL for details.

Let me know if it helps.



starkhorn Sun, 11/18/2007 - 14:05
User Badges:

Thanks Arul, that clearly explains it. Many thanks.


This Discussion