What happens to TCP packet when it hits explicit deny in ACL

May 14th, 2009

Hi all,

Basic questions before the details: Does an explicit deny on an ASA 5510 7.2(2) send a RST packet back to a SYN scanner? Why does it not just drop the packet? Can I make it do so? Do I understand what I'm doing? :)

Details: Got a client running his own Qualys (sp?) scanner on his network. When he scans well known ports at remote offices which essentially hang off 5510 DMZ's he receives an RST from port 25. As far as the Inside int ACL goes there is a specific deny of all smtp traffic not coming from his mail servers. Everything else from his scanner would at least be allowed past the ingress interface of the ASA.

But as mentioned he receives an RST from an smtp probe. Now I don't have access to his Qualys but I do have nmap and I ran the following on a random (might not even exist) host at a remote site:

nmap -sS

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2009-05-14 22:36 WST

Interesting ports on

(The 1659 ports scanned but not shown below are in state: filtered)


25/tcp closed smtp

Nmap run completed -- 1 IP address (1 host up) scanned in 22.057 seconds

I then put an explicit permit in the ACL to allow my nmap host smtp access to that random host and here are the results:

nmap -sS

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2009-05-14 22:43 WST

All 1660 scanned ports on are: filtered

Nmap run completed -- 1 IP address (1 host up) scanned in 35.012 seconds

So my question again - is the explicit deny returning a RST to a SYN request when I'd hope it would just drop the packet? If so how do I force the drop?

All help much appreciated


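The two nmap runs above are the evidence here: a port reported "closed" means a SYN was answered with a RST, while "filtered" means nothing came back. As an added example (not from the original post or from Cisco), this Python script parses nmap's normal-output format and diffs two runs, so the before/after ACL comparison can be checked mechanically; the sample scans and the 192.0.2.10 address are constructed, modelled on the output quoted in the question.

```python
import re

# Constructed sample scans, modelled on the two runs quoted in the question.
# The target address is a placeholder (documentation range), not the poster's host.
SCAN_BEFORE = """\
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2009-05-14 22:36 WST
Interesting ports on 192.0.2.10
(The 1659 ports scanned but not shown below are in state: filtered)
PORT    STATE  SERVICE
25/tcp  closed smtp
Nmap run completed -- 1 IP address (1 host up) scanned in 22.057 seconds
"""

SCAN_AFTER = """\
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2009-05-14 22:43 WST
All 1660 scanned ports on 192.0.2.10 are: filtered
Nmap run completed -- 1 IP address (1 host up) scanned in 35.012 seconds
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)
NOT_SHOWN = re.compile(r"\(The (\d+) ports scanned but not shown below are in state: (\w+)\)")
ALL_PORTS = re.compile(r"All (\d+) scanned ports on \S+ are: (\w+)")

def parse_scan(text):
    """Recover per-port TCP states: explicit port lines plus the summary line
    ('not shown below are in state' / 'All N scanned ports ... are') that
    covers every port nmap did not list individually."""
    result = {"default": None, "ports": {}}
    m = NOT_SHOWN.search(text) or ALL_PORTS.search(text)
    if m:
        result["default"] = (int(m.group(1)), m.group(2))
    for port, proto, state, service in PORT_LINE.findall(text):
        if proto == "tcp":
            result["ports"][int(port)] = (state, service)
    return result

def rst_responders(text):
    """Ports nmap reports 'closed': the SYN was answered with a RST, so some
    device in the path replied instead of silently dropping the probe."""
    parsed = parse_scan(text)
    return sorted(p for p, (state, _) in parsed["ports"].items() if state == "closed")

def state_changes(before, after):
    """Ports whose reported state differs between two runs, e.g. after an ACL change.
    Ports absent from the explicit list take the run's summary state."""
    b, a = parse_scan(before), parse_scan(after)
    changes = {}
    for p in set(b["ports"]) | set(a["ports"]):
        sb = b["ports"].get(p, (b["default"][1] if b["default"] else "unknown",))[0]
        sa = a["ports"].get(p, (a["default"][1] if a["default"] else "unknown",))[0]
        if sb != sa:
            changes[p] = (sb, sa)
    return changes
```

Run it against saved `nmap -oN` output from before and after a rule change; any port still listed by rst_responders is one where a RST is reaching the scanner.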
handsy Fri, 05/15/2009 - 02:39

Hmmm, I wonder if the 'inspect esmtp' ASA default is sending your RST.

Try turning that off in config:

policy-map global_policy

class inspection_default

no inspect esmtp

....and run your nmap/qualys scans again.

Good luck!

m.surtees Sun, 05/17/2009 - 17:47

Hi handsy,

Sorry I didn't mention it originally but I did check the esmtp inspect. Although I don't understand why, it has caused issues before (actually sending emails to @cisco.com ridiculously). As such it was/is turned off.

Thanks for your reply though,


ppoouellet Fri, 05/15/2009 - 04:46

You may also check if there is some 'service ...' command in the config (service resetoutside, service resetinbound).

m.surtees Sun, 05/17/2009 - 17:54

hi ppoouellet,

Unfortunately that's not it either. No 'service ...' cmd in there.

Thanks for the reply,


