Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Access list help with ASA 5510 on 8.4(3)


I'm setting up 2 x ASA 5510's and have got the failover working and from the trunk port for my sub interfaces which goes into a 3750.  Anyway I'm have a bit of a nightmare as I can't get a PC on VLAN 50 with an IP of to access the firewall via the ASDM on or ping it. can ping the interface on the ASA to  The packet trace says as allowed to on https but not http

cli error: TCP access denied by ACL from to Testl_Live_WAN:

Do I need to add a NAT?  NAT's look very different in this version as I'm use to 8.2.


CiscoASA-5510-Test-1# sh run

: Saved


ASA Version 8.4(3)


hostname CiscoASA-5510-Test-1

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted




interface Ethernet0/0


no nameif

no security-level

no ip address


interface Ethernet0/1

nameif inside

security-level 100

ip address standby


interface Ethernet0/2

no nameif

no security-level

no ip address


interface Ethernet0/2.50

vlan 50

nameif Test_Live_WAN

security-level 50

ip address standby

ospf cost 10


interface Ethernet0/3

description LAN/STATE Failover Interface


interface Management0/0


no nameif

no security-level

no ip address


boot system disk0:/asa843-k8.bin

ftp mode passive

same-security-traffic permit intra-interface

object network Andy


object service Http

service tcp destination eq www

object service Https

service tcp destination eq https

object-group service Http-Https

service-object tcp destination eq www

service-object tcp destination eq https

access-list Test_Live_WAN_access_in extended permit tcp host host eq https

access-list Test_Live_WAN_access_in extended permit tcp host host eq www

access-list Test_Live_WAN_access_in extended permit icmp any any

access-list Test_Live_WAN_access_in extended deny ip any any

pager lines 24

logging enable

logging timestamp

logging standby

logging buffer-size 200000

logging console critical

logging monitor critical

logging buffered critical

logging trap critical

logging asdm critical

logging facility 16

logging device-id hostname

logging host inside

logging message 713167 level critical

logging message 106010 level warnings

mtu inside 1500

mtu Test_Live_WAN 1500


failover lan unit primary

failover lan interface Failover_Interface Ethernet0/3

failover replication http

failover link Failover_Interface Ethernet0/3

failover interface ip Failover_Interface standby

monitor-interface Test_Live_WAN

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

asdm history enable

arp timeout 14400

access-group Test_Live_WAN_access_in in interface Test_Live_WAN

route inside 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication enable console LOCAL

aaa authorization command LOCAL

aaa authorization exec authentication-server

http server enable

http inside

http Test_Live_WAN

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

telnet timeout 5

ssh inside

ssh timeout 30

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept


username bob password 20ooook.. encrypted privilege 15


class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns migrated_dns_map_1


  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect ip-options


service-policy global_policy global

prompt hostname context

call-home reporting anonymous


profile CiscoTAC-1

  no active

  destination address http



Access list help with ASA 5510 on 8.4(3)

Hello Andy,

Here is the thing:

" The ASA as a security device is not going to allow traffic to a distant interface, so in your case from the inside interface on any host you will not be able to reach the outside ip address ( via icmp,telnet,ssh,asdm,etc). This as a security meassure"

So if you want to connect via ASDM you will need to access the inside interface and not the outside interface, that is why you are seeing the ACL drop

Please rate all the helpful posts


Julio Carvajal
Senior Network Security and Core Specialist
CreatePlease to create content