ASA5505 giving error 106023

Answered Question
Jun 30th, 2008

I hope that I am describing my issue correctly:

I am getting errors that incoming packets are dropped because of access list "outside_access_in".

But I can't for the life of me figure it out.

I am pretty sure this used to work.

For example, we use NetMotion, and that server is on the inside @ 192.168.123.160 using port 5008, which I have PATted from the outside interface.

But when a client on the outside attempts to access it I get the 106023 error: "Deny udp src outside:65.64.221.202/1269 dst inside:xx.xx.xx.xxx/5008 by access-group "outside_access_in" [0x0, 0x0]"

My external IP is DHCP from the ISP which is what shows at the above xx.xx.xx.xxx address.

Please, any pointers would be greatly appreciated.

Correct Answer
Fernando_Meza Mon, 06/30/2008 - 16:31

Hi ..

I think the below ACL entry is not correct

access-list outside_access_in extended permit udp any host 192.168.123.160 eq 5008

it should allow access to the OUTSIDE INTERFACE as below

access-list outside_access_in extended permit udp any interface outside eq 5008

Similar entries should be added for any device being port forwarded by the external interface of the firewall.

The client on the outside of the firewall should be pointing to External-IP-Address of the firewall at port 5008 instead of to 192.168.123.160:5008

I hope it helps .. please rate helpful posts.
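
The mismatch described in the answer above, as an added example that is not part of the original thread: a Python check that takes a 106023 deny and a configuration excerpt and reports when the ACL permits the real inside host instead of the interface a port forward is mapped to. The `static` PAT line (pre-8.3 syntax), the 203.0.113.10 address and the `diagnose` helper are assumptions, since the thread does not show the poster's configuration.

```python
import re

# Constructed sample input, not taken from the thread: the static PAT line is an
# assumed pre-8.3 form, and 203.0.113.10 stands in for the redacted outside IP.
CONFIG = """\
static (inside,outside) udp interface 5008 192.168.123.160 5008 netmask 255.255.255.255
access-list outside_access_in extended permit udp any host 192.168.123.160 eq 5008
access-group outside_access_in in interface outside
"""
DENY = ('%ASA-4-106023: Deny udp src outside:65.64.221.202/1269 dst '
        'inside:203.0.113.10/5008 by access-group "outside_access_in" [0x0, 0x0]')

DENY_RE = re.compile(r'106023: Deny (\w+) src (\S+?):(\S+?)/(\d+) dst \S+?:(\S+?)/(\d+) '
                     r'by access-group "([^"]+)"')
PAT_RE = re.compile(r'^static \((\S+?),(\S+?)\) (tcp|udp) interface (\d+) (\S+) (\d+)', re.M)
ACL_RE = re.compile(r'^access-list (\S+) extended permit (\w+) any '
                    r'(host \S+|interface \S+) eq (\d+)', re.M)


def diagnose(config, deny_line):
    """Return the cause and suggested ACL entry for a 106023 deny, or None."""
    m = DENY_RE.search(deny_line)
    if not m:
        return None
    proto, in_if, _src, _sport, _dst, dport, acl = m.groups()
    # Destinations this ACL already permits for the denied protocol and port.
    permitted = {dest for name, p, dest, port in ACL_RE.findall(config)
                 if (name, p, port) == (acl, proto, dport)}
    for _real_if, mapped_if, p, mapped_port, real_ip, _rport in PAT_RE.findall(config):
        if (mapped_if, p, mapped_port) != (in_if, proto, dport):
            continue  # this port forward is not the one the packet hit
        wanted = f"interface {mapped_if}"
        if wanted in permitted:
            return None  # ACL already matches the mapped address; look elsewhere
        cause = ("acl-permits-real-address" if f"host {real_ip}" in permitted
                 else "no-permit-for-forwarded-port")
        return {"cause": cause, "real_host": real_ip,
                "fix": f"access-list {acl} extended permit {proto} any {wanted} eq {dport}"}
    return None


if __name__ == "__main__":
    print(diagnose(CONFIG, DENY))
```

The regular expressions only cover the `permit ... any host|interface ... eq port` shape used in this thread; other ACL forms are ignored.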

dirkmelvin Tue, 07/01/2008 - 05:46

I have implemented it as of now. I will let you know how it works out. Thank you for your input.

dirkmelvin Wed, 07/30/2008 - 05:47

Sorry, I practically forgot about this post.

It did indeed solve my issue. Thank you so much!