ASA 5505 8.3 ACL Dropping Packet - Please help

Jul 20th, 2010

message removed.

Nagaraja Thanthry Tue, 07/20/2010 - 20:49

Hello,

Please try the config below:

object service Web
service tcp source eq www

object service SecureWeb
service tcp source eq https

object service SMTP
service tcp source eq SMTP

object network out_1
host 1.1.1.1

object network in_1
host 192.168.11.2

object network in_2
host 192.168.11.5

nat (inside,outside) source static in_1 interface service Web Web
nat (inside,outside) source static in_1 interface service SecureWeb SecureWeb
nat (inside,outside) source static in_2 interface service SMTP SMTP

access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 443
access-list outside_access_in permit tcp any interface outside eq 25

Hope this helps.

Regards,

NT

Allen P Chen Wed, 07/21/2010 - 00:02

Will traffic from the DMZ be PAT'ed to the outside interface as well?  If so, you will need a corresponding NAT statement for this:

object network obj_10.0.0.0
subnet 10.0.0.0 255.255.255.0
nat (dmz,outside) dynamic interface

The above will allow all traffic from 10.0.0.0/24 behind the DMZ interface to be PAT'ed to the outside interface IP address (1.1.1.1) when making an outbound connection.

Hope this helps.

egrundlehner Thu, 07/22/2010 - 10:36

Thanks! I'm going to test this now. How do I allow a range of IPs to hit our firewall for PCI testing? A security company we use needs to be able to hit the firewall to test. In our Watchguard this was called an exception list.

Nagaraja Thanthry Thu, 07/22/2010 - 10:42

Hello,

You can add entries to the outside access-list.

access-list outside_access_in permit ip host any

Hope this helps.

Regards,

NT

Allen P Chen Thu, 07/22/2010 - 10:45

Which internal hosts will the security company need to access, and on which ports?  If it needs to access the internal host 192.168.11.2 on ports 80,443 and host 192.168.11.5 on port 25, then the following commands provided by the previous poster should allow this:

nat (inside,outside) source static in_1 interface service Web Web
nat (inside,outside) source static in_1 interface service SecureWeb SecureWeb
nat (inside,outside) source static in_2 interface service SMTP SMTP

access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 443
access-list outside_access_in permit tcp any interface outside eq 25

access-group outside_access_in in interface outside

egrundlehner Thu, 07/22/2010 - 11:01

They actually test against the firewall. So I'm assuming they just need ICMP on the outside interface turned on.

Allen P Chen Thu, 07/22/2010 - 11:52

Can you try removing this line?

nat (inside,outside) source dynamic any interface

I think this NAT rule is taking precedence instead of the static PATs you've configured.  You can then configure dynamic PAT for inside hosts going out as follows:

object network obj_192.168.11.0
subnet 192.168.11.0 255.255.255.0
nat (inside,outside) dynamic interface

Issue "clear local-host" and try testing again.

egrundlehner Thu, 07/22/2010 - 11:59

Still does not work. This is what shows in the logs.

Can you call or email me off the boards

4 | Jul 22 2010 | 19:01:10 | 106023 | 208.85.196.73 | 2233 | 192.168.11.2 | 443 | Deny tcp src outside:1.1.1.1./2233 dst inside:192.168.11.2/443 by access-group "outside_access_in" [0x0, 0x0]

Allen P Chen Thu, 07/22/2010 - 11:59

Also, 8.3 uses the real IP address in the ACLs, so please try changing the ACL as follows.  Sorry I missed it earlier:

no access-list outside_access_in extended permit tcp any interface outside eq www
no access-list outside_access_in extended permit tcp any interface outside eq https
no access-list outside_access_in extended permit tcp any interface outside eq smtp

access-list outside_access_in extended permit tcp any host 192.168.11.2 eq www
access-list outside_access_in extended permit tcp any host 192.168.11.2 eq https
access-list outside_access_in extended permit tcp any host 192.168.11.5 eq smtp

access-group outside_access_in in interface outside
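To make the 8.3 point in the reply above concrete, here is an added example (not code from the thread or from Cisco) that parses the %ASA-4-106023 deny posted above and reports whether the ACL it names covers the real destination host, or only the pre-8.3 mapped `interface outside` address. The deny text and the two ACL versions are taken from the posts above; the regexes, function names and verdict labels are this example's own.

```python
import re

PORT_NAMES = {"www": 80, "https": 443, "smtp": 25}

# Body of a %ASA-4-106023 deny; tolerates the stray "." after the source IP seen in the thread
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>\d+(?:\.\d+){3})\.?/(?P<sport>\d+) "
    r'dst (?P<dif>\w+):(?P<dip>\d+(?:\.\d+){3})/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
# access-list <name> [extended] permit <proto> any (host A.B.C.D | interface <nameif>) eq <port>
ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) (?:extended )?permit (?P<proto>\w+) any "
    r"(?:host (?P<host>\d+(?:\.\d+){3})|interface (?P<ifc>\w+)) eq (?P<port>\w+)"
)

def parse_deny(line):
    m = DENY_RE.search(line)
    return m and dict(m.groupdict(), sport=int(m["sport"]), dport=int(m["dport"]))

def classify(deny_line, acl_lines):
    """Explain a 106023 deny against its ACL. real-ip-match: an ACE names the real (inside)
    destination host/port, as 8.3 expects; mapped-ip-only: only an 'interface' ACE covers the
    port, i.e. it was written for the mapped address and never matches the untranslated packet;
    no-ace: nothing in that ACL covers the denied port at all."""
    deny = parse_deny(deny_line)
    if deny is None:
        return "unparsed"
    real_hit = mapped_hit = False
    for ace in acl_lines:
        m = ACE_RE.search(ace)
        if not m or m["acl"] != deny["acl"] or m["proto"] != deny["proto"]:
            continue
        port = PORT_NAMES.get(m["port"]) or int(m["port"])
        if port != deny["dport"]:
            continue
        if m["host"] == deny["dip"]:
            real_hit = True
        elif m["ifc"] is not None:
            mapped_hit = True
    return "real-ip-match" if real_hit else "mapped-ip-only" if mapped_hit else "no-ace"

# Constructed sample input: the deny posted in the thread and the two ACL versions it shows
DENY = ('Deny tcp src outside:1.1.1.1./2233 dst inside:192.168.11.2/443 '
        'by access-group "outside_access_in" [0x0, 0x0]')
OLD_ACL = [f"access-list outside_access_in permit tcp any interface outside eq {p}" for p in (80, 443, 25)]
NEW_ACL = ["access-list outside_access_in extended permit tcp any host 192.168.11.2 eq www",
           "access-list outside_access_in extended permit tcp any host 192.168.11.2 eq https",
           "access-list outside_access_in extended permit tcp any host 192.168.11.5 eq smtp"]
print(classify(DENY, OLD_ACL), classify(DENY, NEW_ACL))  # mapped-ip-only real-ip-match
```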
