ASA5510 issue with creating new ACLs

Unanswered Question
Feb 26th, 2008

I've recently taken over this new firewall to manage from another person who is no longer with the company. For some reason, when I created a new NAT and applied a simple ACL, the ASA blocks it with the implicit deny rule.

I can't seem to understand why that would be. I've set up this type of thing many times without issues.

Anyone have any ideas?



I've attached the running config for some reference. The NAT in question is XXX.XXX.XXX.54 with the corresponding ACL, acl_out line

Overall Rating: 4 (1 ratings)
abinjola Tue, 02/26/2008 - 15:55
User Badges: Cisco Employee

Add the line:

access-list inside_access_out line 1 permit ip any host

It should work.

harmeet.ahuja Wed, 02/27/2008 - 08:33

Thanks. Unfortunately it didn't work.

I checked that rule in the ASDM packet tracer and it worked well, but in reality it didn't.

So I checked the packet tracer for the entry you just asked me to put in. It is being stopped by the NAT.

nat (inside) 1 match ip inside any inside any dynamic translation to pool 1 (No matching global) translate_hits = 3, untranslate_hits = 0

So, I guess I'm now off to look at why the global statement for this NAT is not there.

Any suggestions?
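
The "No matching global" result above can also be checked offline against a saved configuration. The following is an added example, not part of the original thread: it pairs each dynamic `nat (ifc) id` statement with `global (ifc) id` pools and lists the egress interfaces that have no pool. It assumes pre-8.3 ASA NAT syntax, uses a constructed sample configuration rather than the poster's attachment, and ignores static and policy NAT, so its output is a list of candidates to verify with packet tracer.

```python
import re

# Constructed sample in pre-8.3 ASA syntax (not the poster's attached config).
SAMPLE_CONFIG = """\
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 2 192.168.50.0 255.255.255.0
global (outside) 1 interface
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")


def parse(config):
    """Return (nat, glob): nat maps real interface -> set of NAT ids,
    glob maps mapped interface -> set of NAT ids that have a pool."""
    nat, glob = {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = NAT_RE.match(line)
        if m:
            if m.group(2) != "0":  # id 0 is identity NAT / exemption: no pool needed
                nat.setdefault(m.group(1), set()).add(int(m.group(2)))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            glob.setdefault(m.group(1), set()).add(int(m.group(2)))
    return nat, glob


def missing_globals(config, interfaces):
    """List (ingress, nat_id, egress) triples where a dynamic nat id
    has no global pool on the given egress interface."""
    nat, glob = parse(config)
    gaps = []
    for ingress in sorted(nat):
        for nat_id in sorted(nat[ingress]):
            for egress in interfaces:
                if nat_id not in glob.get(egress, set()):
                    gaps.append((ingress, nat_id, egress))
    return gaps


if __name__ == "__main__":
    for ingress, nat_id, egress in missing_globals(SAMPLE_CONFIG, ["outside", "inside"]):
        print(f"nat ({ingress}) {nat_id}: no 'global ({egress}) {nat_id}' pool")
```

With the sample, the inside-to-inside path is reported for NAT id 1, which is the same situation the packet tracer output describes.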


abinjola Thu, 02/28/2008 - 12:19
User Badges: Cisco Employee

Harmeet, can you get the following for me:

1) sh xlate det | inc x.x.x.x

2) debug icmp trace and logs at debug level

