ASA 5505 8.3 ACL Dropping Packet - Please help

egrundlehner
Level 1

message removed.

10 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

Please try the config below:

object service Web
service tcp source eq www

object service SecureWeb
service tcp source eq https

object service SMTP
service tcp source eq smtp

object network out_1
host 1.1.1.1

object network in_1
host 192.168.11.2

object network in_2
host 192.168.11.5

nat (inside,outside) source static in_1 interface service Web Web
nat (inside,outside) source static in_1 interface service SecureWeb SecureWeb
nat (inside,outside) source static in_2 interface service SMTP SMTP

access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 443
access-list outside_access_in permit tcp any interface outside eq 25

Hope this helps.

Regards,

NT

Allen P Chen
Level 5

Will traffic from the DMZ be PAT'ed to the outside interface as well?  If so, you will need a corresponding NAT statement for this:

object network obj_10.0.0.0

subnet 10.0.0.0 255.255.255.0

nat (dmz,outside) dynamic interface

The above will allow all traffic from 10.0.0.0/24 behind the DMZ interface to be PAT'ed to the outside interface IP address (1.1.1.1) when making an outbound connection.

Hope this helps.

Thanks! I'm going to test this now. How do I allow a range of IPs to hit our firewall for PCI testing? A security company we use needs to be able to hit the firewall to test. In our Watchguard this was called an exception list.

Hello,

You can add entries to the outside access-list.

access-list outside_access_in permit ip host any

Hope this helps.

Regards,

NT

Which internal hosts will the security company need to access, and on which ports?  If it needs to access the internal host 192.168.11.2 on ports 80,443 and host 192.168.11.5 on port 25, then the following commands provided by the previous poster should allow this:

nat (inside,outside) source static in_1 interface service Web Web
nat (inside,outside) source static in_1 interface service SecureWeb SecureWeb
nat (inside,outside) source static in_2 interface service SMTP SMTP

access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 443
access-list outside_access_in permit tcp any interface outside eq 25

access-group outside_access_in in interface outside

They actually test against the firewall. So I'm assuming they just need ICMP on the outside interface turned on.

message removed

Allen P Chen
Level 5

Can you try removing this line?

nat (inside,outside) source dynamic any interface

I think this NAT rule is taking precedence instead of the static PATs you've configured.  You can then configure dynamic PAT for inside hosts going out as follows:

object network obj_192.168.11.0

subnet 192.168.11.0 255.255.255.0

nat (inside,outside) dynamic interface

Issue "clear local-host" and try testing again.

Still does not work. This is what shows in the logs.

Can you call or email me off the boards

Severity 4 | Jul 22 2010 19:01:10 | Syslog ID 106023 | Source 208.85.196.73 / 2233 | Destination 192.168.11.2 / 443 | Deny tcp src outside:1.1.1.1./2233 dst inside:192.168.11.2/443 by access-group "outside_access_in" [0x0, 0x0]

Also, 8.3 uses the real IP address in the ACLs, so please try changing the ACL as follows.  Sorry I missed it earlier:

no access-list outside_access_in extended permit tcp any interface outside eq www
no access-list outside_access_in extended permit tcp any interface outside eq https
no access-list outside_access_in extended permit tcp any interface outside eq smtp

access-list outside_access_in extended permit tcp any host 192.168.11.2 eq www
access-list outside_access_in extended permit tcp any host 192.168.11.2 eq https
access-list outside_access_in extended permit tcp any host 192.168.11.5 eq smtp

access-group outside_access_in in interface outside
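As an added Python example (not part of this thread or of any Cisco tool), the check below re-evaluates the 106023 deny from the log against both versions of the ACL the way ASA 8.3+ does, that is against the real pre-NAT destination rather than the mapped interface address; the log line is constructed to mirror the one posted, and the outside interface address 1.1.1.1 is assumed from the thread.

```python
import re
# Constructed 106023 deny line, modelled on the one in the thread: the real
# (pre-NAT) destination 192.168.11.2 is logged, not the outside interface address.
DENY_LINE = ('%ASA-4-106023: Deny tcp src outside:208.85.196.73/2233 '
             'dst inside:192.168.11.2/443 by access-group "outside_access_in" [0x0, 0x0]')
INTERFACE_IPS = {"outside": "1.1.1.1"}   # assumed outside address, as in the thread
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "smtp": 25}

DENY_RE = re.compile(r'Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) '
                     r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
ACE_RE = re.compile(r'access-list (?P<acl>\S+) (?:extended )?permit (?P<proto>\w+) '
                    r'(?P<src>any|host \S+) (?P<dst>any|host \S+|interface \S+) eq (?P<port>\S+)')

def parse_deny(line):
    """Extract protocol, real src/dst addresses, ports and ACL name from a 106023 message."""
    m = DENY_RE.search(line)
    if not m:
        raise ValueError("not a 106023 deny line")
    fields = m.groupdict()
    fields["sport"], fields["dport"] = int(fields["sport"]), int(fields["dport"])
    return fields

def port_num(token):
    return int(token) if token.isdigit() else SERVICE_PORTS[token.lower()]

def resolve(token):
    """Turn an ACE address token into a concrete IP; None means 'any'."""
    kind, _, value = token.partition(" ")
    if kind == "any":
        return None
    if kind == "interface":      # mapped address: what pre-8.3 ACLs were written against
        return INTERFACE_IPS[value]
    return value                 # host x.x.x.x

def ace_matches(ace, deny):
    """Evaluate one ACE the way ASA 8.3+ does: against the real (pre-NAT) addresses."""
    m = ACE_RE.match(ace)
    if not m or m["acl"] != deny["acl"] or m["proto"] != deny["proto"]:
        return False
    src, dst = resolve(m["src"]), resolve(m["dst"])
    if src not in (None, deny["src"]) or dst not in (None, deny["dst"]):
        return False
    return port_num(m["port"]) == deny["dport"]

def first_permit(acl_lines, deny_line):
    """Return the first ACE that would permit the denied packet, or None (still denied)."""
    deny = parse_deny(deny_line)
    return next((ace for ace in acl_lines if ace_matches(ace, deny)), None)
OLD_ACL = ["access-list outside_access_in permit tcp any interface outside eq 443"]  # mapped
NEW_ACL = ["access-list outside_access_in extended permit tcp any host 192.168.11.2 eq https"]
```

Run against the posted deny, `first_permit(OLD_ACL, DENY_LINE)` returns None (the mapped-address ACE never matches the real host), while `first_permit(NEW_ACL, DENY_LINE)` returns the real-IP ACE.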
