ASA5520

Answered Question
Nov 20th, 2007

hello,

I'm having trouble with a security policy rule that is denying outbound connections. I am trying to allow outbound SSH connections to specific IP addresses. Therefore, I added a rule on the inside incoming interface that allows tcp source 192.168.0.0/24 dest ip-group tcp-service group. The ip-group consists of 3 IP addresses of servers. The TCP service group consists of tcp ports 902, 9999, ftp, ftp-data, and ssh. 902, 9999, ftp, ftp-data work fine, but the SSH does not work. I get a message in the log deny tcp src 192.168.0.x to x.x.x.x:22 on the internal access list.

I have a NAT rule for these connections, but it looks like the firewall denies it before the NAT rule takes effect.

Let me know if anyone has any suggestions. Thanks,

Correct Answer
Collin Clark Tue, 11/20/2007 - 11:47

Is there a Deny farther up the ACL? Any hit counts on the ACL for SSH? Can you post the entire log message (minus the IPs)?

sweigle Tue, 11/20/2007 - 14:50

Thanks, you were right, there was something farther up the ACL that was denying it. Thanks!
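The first-match behaviour behind Collin's question and sweigle's fix, as an added example that is not from the thread: a small Python model of an ASA-style access-list in which a stray tcp/22 deny sits above the object-group permit. The server addresses and the deny entry are constructed stand-ins, not the poster's configuration.

```python
# Added example, not from the thread: a first-match evaluator in the style of an
# ASA access-list, showing how a deny farther up the ACL hides a later permit.
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet

# Constructed stand-ins for the poster's object-groups (server IPs are placeholders).
SERVERS = frozenset({"203.0.113.10", "203.0.113.11", "203.0.113.12"})
SERVICES = frozenset({902, 9999, 21, 20, 22})  # 902, 9999, ftp, ftp-data, ssh


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network   # source network
    dsts: FrozenSet[str]         # destination hosts; empty means any
    ports: FrozenSet[int]        # destination TCP ports; empty means any

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src
                and (not self.dsts or dst_ip in self.dsts)
                and (not self.ports or dport in self.ports))


def evaluate(acl, src_ip, dst_ip, dport):
    """First-match lookup: (action, index) of the winning ACE, implicit deny if none."""
    for i, ace in enumerate(acl):
        if ace.matches(src_ip, dst_ip, dport):
            return ace.action, i
    return "deny", None


def shadowed(acl, permit_idx):
    """(dst, port) pairs of acl[permit_idx] that an earlier ACE catches first."""
    # One representative source host is probed, so partial source overlaps are not
    # exhaustively checked; this mirrors reading per-ACE hit counts, not a proof.
    ace = acl[permit_idx]
    src = str(next(ace.src.hosts()))
    return {(d, p) for d in ace.dsts for p in ace.ports
            if evaluate(acl[:permit_idx], src, d, p)[1] is not None}

# Constructed ACL reproducing the symptom: a stray deny for tcp/22 above the permit.
INSIDE_IN = [
    Ace("deny", ipaddress.ip_network("192.168.0.0/24"), frozenset(), frozenset({22})),
    Ace("permit", ipaddress.ip_network("192.168.0.0/24"), SERVERS, SERVICES),
]
# Same entries with the deny moved below the permit: the permit now matches first.
INSIDE_IN_FIXED = [INSIDE_IN[1], INSIDE_IN[0]]
```

Running `shadowed(INSIDE_IN, 1)` lists exactly the three server/22 pairs the earlier deny steals, which is the same thing a zero hit count on the permit line and a matching hit count on the deny line would tell you from `show access-list`.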
