ASA: ACL is not working properly

Jul 17th, 2009

Here is my configuration.


access-list inside_access_in extended permit tcp host Mailint any eq smtp

access-list inside_access_in extended deny tcp any any eq smtp

access-list inside_access_in extended permit ip object-group internal-net any


access-group inside_access_in in interface inside


This is in order to prevent potential spammers on my LAN.

Only the Mailint server is allowed to send SMTP traffic.


But the ACL does not work!?

I issue from my PC:

telnet mail.yahoo.com 25

And I receive a reply from the Yahoo server.


Any suggestions? What is wrong?


mbesim Fri, 07/17/2009 - 04:47

Here it is



access-list inside_access_in; 9 elements; name hash: 0x433a1af1

access-list inside_access_in line 1 extended permit tcp host Mailint any eq smtp (hitcnt=0) 0x1fa6687c

access-list inside_access_in line 2 extended deny tcp any any eq smtp (hitcnt=18) 0xe3de3aa9

access-list inside_access_in line 3 extended permit ip object-group internal-net any 0x0ada2aa5

access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=19175) 0x12ee6ada

access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=16565) 0xeba73452

access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=3270) 0x3ec5fae7

access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=2723) 0x35616727

access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=10427) 0x69b4b8b6

access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=0) 0x4964f9f7

access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=0) 0xfef1f420

mbesim Sat, 07/18/2009 - 20:38
Yes, and it is not working.

SMTP traffic is passing through.


Could somebody try this too?

Matt Lang Sun, 07/19/2009 - 04:19

Are you positive you are coming from the inside and are not coming in to the ASA from a different interface? If you are sure you are coming from the inside, can you add this to your ACL to test?


access-list inside_access_in line 2 deny tcp host any eq smtp


Then test again and look at the counters to see if you are able to get out. If you are, are you sure there is not a device before the ASA that is translating your address?

mbesim Tue, 07/21/2009 - 02:39
I was wrong. The ACL is working.

The confusion was caused by the TCP options.

(Configuration - Firewall - Advanced - TCP Options for the inside interface)

I unchecked "Send reset reply for denied outbound TCP packets"

and there are no more "replies" from the Yahoo server.


Sorry, but I was really confused by this.

Thanks for your replies.
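As an added illustration of the two points settled in this thread (the ASA evaluates an ACL top-down and stops at the first match, and a denied outbound TCP SYN can come back to the client as a RST rather than being silently dropped), here is a small first-match evaluator written for this page; it is not code from the thread or from Cisco. It parses the three ACL lines posted above. "Mailint" and the masked internal networks have no addresses on the page, so the script assigns hypothetical RFC 1918 values to them, and the destination address used in the sample runs is a documentation address, not Yahoo's.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed values: the thread masks the real addresses, so these are assumptions.
MAILINT = "10.0.0.25"                           # hypothetical address for "Mailint"
INTERNAL_NET = ["10.0.0.0/24", "10.0.1.0/24"]   # hypothetical members of internal-net

# The ACL exactly as posted in the question.
ACL_TEXT = """
access-list inside_access_in extended permit tcp host Mailint any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip object-group internal-net any
"""

NAME_OBJECTS = {"Mailint": MAILINT}
OBJECT_GROUPS = {"internal-net": INTERNAL_NET}
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "domain": 53}


@dataclass
class Ace:
    line: int
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: list              # list of ip_network
    dst: list
    dport: Optional[int]   # None means any destination port
    hitcnt: int = 0        # mirrors the hitcnt column of "show access-list"


def _parse_endpoint(tokens, i):
    """Parse one ASA address spec starting at tokens[i]; return (networks, next index)."""
    tok = tokens[i]
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok == "host":
        host = NAME_OBJECTS.get(tokens[i + 1], tokens[i + 1])
        return [ipaddress.ip_network(host + "/32")], i + 2
    if tok == "object-group":
        return [ipaddress.ip_network(n) for n in OBJECT_GROUPS[tokens[i + 1]]], i + 2
    # "A.B.C.D M.M.M.M" (address + netmask) form
    return [ipaddress.ip_network(f"{tok}/{tokens[i + 1]}")], i + 2


def parse_acl(text):
    """Turn 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines into Aces."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        assert t[0] == "access-list" and t[2] == "extended", line
        action, proto = t[3], t[4]
        src, i = _parse_endpoint(t, 5)
        dst, i = _parse_endpoint(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(len(aces) + 1, action, proto, src, dst, dport))
    return aces


def evaluate(aces, proto, src_ip, dst_ip, dport):
    """First-match evaluation, the way the ASA walks an access-group.
    Returns (matching line number, action); a flow that matches nothing
    falls to the implicit deny at the end of every ASA ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if not any(s in n for n in ace.src) or not any(d in n for n in ace.dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        ace.hitcnt += 1
        return ace.line, ace.action
    return None, "deny"


def client_view(action, reset_outbound):
    """What the connecting host observes. Models the interface option the
    thread turned off ("Send reset reply for denied outbound TCP packets"):
    with it on, a denied SYN is answered by a TCP RST from the firewall, so a
    telnet client gets an immediate response and can mistake it for the remote
    server answering; with it off, the SYN is silently dropped and the client times out."""
    if action == "permit":
        return "SYN forwarded towards the destination"
    return "RST from the firewall (connection refused)" if reset_outbound else "silent drop (timeout)"


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    dst = "203.0.113.10"   # documentation address standing in for the external mail server
    for src, dport in [("10.0.1.7", 25), (MAILINT, 25), ("10.0.1.7", 80), ("192.168.9.9", 80)]:
        line, action = evaluate(acl, "tcp", src, dst, dport)
        print(f"{src}:{dport} -> line {line} {action}; client sees: {client_view(action, True)}")
    for ace in acl:
        print(f"line {ace.line} {ace.action} hitcnt={ace.hitcnt}")
```

Run against the posted ACL, a PC on the internal network sending to port 25 hits line 2 (deny) and the Mailint host hits line 1 (permit), which is the pattern the poster's hit counters showed (0 on line 1, 18 on line 2). With reset_outbound set, the denied flow still produces a packet back to the client, which is the "reply" that caused the confusion.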
