New Member

access list rule not working

I have an extended access-list rule that is #1 in position on the external access list

access-list acl-outside line 1 extended permit tcp host x.x.x.x host a.b.c.d eq 5723

access-list acl-outside line 2 extended permit tcp host x.x.x.y host a.b.c.e eq 5723

But when I telnet from x.x.x.x to a.b.c.d on port 5723, it does not listen or respond.

Internally I verified that the port is listening on the host.

The internal IP is NATted to the external IP a.b.c.d.

Any ideas?

17 REPLIES
Super Bronze

access list rule not working

Hi,

Well, the first thing to do would be to use the "packet-tracer" to check what it says would happen to such a connection:

packet-tracer input outside tcp x.x.x.x 12345 a.b.c.d 5723

This should tell us if all the configurations are ok. For example that we are matching the correct NAT configuration and ACL rule.

If everything seems fine (share the output) then you should probably test the connection from the external network and monitor the syslogs and check that you see the Building and Teardown messages of the TCP connection. Furthermore look at what the termination reason of the connection is in the Teardown message.

There could be several reasons the connection isn't coming up even though the firewall configurations are OK:

  • No default route on the host
  • Other routing problem from the host back to the external network
  • Software firewall blocking the connection attempt
  • Some other device in between blocking the connection attempt
  • Service not enabled on the host
  • etc

One "last" option is of course to take a traffic capture on the ASA and confirm if the traffic is heading to the host and if anything is coming back while the TCP connection is being formed.

- Jouni

New Member

access list rule not working

packet-tracer input outside tcp x.x.x.x 12345 a.b.c.d 5723

12345 is the source port of the source IP? I don't know what the source port will be.

Super Bronze

Re: access list rule not working

Hi,

You don't really need to know the source port. The source port is irrelevant. As you see, you have not defined any specific source port in the ACL, so any source port is allowed. The port 12345 is just an example source port, as the simulated connection/packet needs to have one.

- Jouni

New Member

access list rule not working

I ran the packet tracer and came up with this result:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Super Bronze

access list rule not working

Hi,

It would be good to see the full output of the command.

But if that is all that can be seen, then it would seem to point out that the ASA configurations are fine and the problem is somewhere else.

The next thing would be to look at the ASA logs while attempting the connection. ASDM would probably be the easiest way if you have not set up a Syslog server to which the ASA sends the logs.

- Jouni

access list rule not working

So you are running a version lower than 8.3, right?

Remember that after 8.3 you now point to the private IP addresses of the devices.

To be sure this is not a FW issue:

capture capout interface outside match tcp host x.x.x.x host a.b.c.d_public eq 5723

capture capin interface inside match tcp host x.x.x.x host a.b.c.d_Private eq 5723

Then try to connect once and share:

show cap capout

show cap capin

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

access list rule not working

capture capout interface outside match tcp host x.x.x.x host a.b.c.d_public eq 5723

When I do this it says "incomplete command":

  Hostname or A.B.C.D  Destination IP address
  any                  Abbreviation for destination address and mask of 0.0.0.0 0.0.0.0
  host                 Use this keyword to configure destination host

New Member

access list rule not working

I did both captures and there are no packets captured:

show capture capout
0 packet captured
0 packet shown

show capture capin
0 packet captured
0 packet shown

Super Bronze

access list rule not working

Hi,

Either the capture was configured with incorrect IP addresses or there was simply no traffic from the public/external network that ever reached the ASA.

- Jouni

New Member

access list rule not working

I initiated the traffic from x.x.x.x with a telnet public_ip 5723, but there was no response.

I am able to ping the IP from x.x.x.x.

access list rule not working

If you generate the traffic and you do not see anything on the capture, then as Jouni said, traffic is not getting to the ASA; it's being blocked somewhere else.

Cheers,

Julio Carvajal Segura

New Member

access list rule not working

how do I find out the telnet connection from the source to the destination from the logs?

access list rule not working

Do:

show logging | include x.x.x.x (source IP address)

Cheers,

Julio Carvajal Segura

Super Bronze

access list rule not working

Hi,

I would probably start by logging into the ASDM management, going to the Monitoring section and opening Logging. Then you could attempt the connections and see if any connection attempts are getting denied.

Since you already configured a packet capture and we got no hits, that would mean that either the capture was configured with the wrong IP addresses or simply no traffic reached your ASA.

Since you say that ICMP works, it would seem more likely to me that the traffic might be coming from a different source IP address than the one configured in the ACL rules, perhaps?

- Jouni

New Member

Re: access list rule not working

Yes, I am logged into the ASDM. All ICMP traffic I can see being logged, but telnetting to port 5723 is not. I actually already see an access list rule allowing all traffic from the source IP subnet to this IP.

I was able to telnet to port 80 and it worked, but not 5723. Any ideas?

But even telnetting to port 80 shows no traffic in the logging.

New Member

Re: access list rule not working

When I telnet to port 443 of the public IP, I get something like:

Teardown TCP connection 319711461 for outside: 1.1.1.1/49632 to inside 2.2.2.2/443 duration 0:00:00 bytes 0 TCP Reset-I

But when I telnet to port 80 or 5723, nothing happens and no logging occurs.

Super Bronze

access list rule not working

Hi,

Well, without seeing any actual configurations, it would seem that your connections simply aren't reaching the ASA if it's not logging anything.

The above log message indicates that the connection was immediately reset by the internal host/server. So it refused the connection by sending a TCP Reset.

- Jouni
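The thread's troubleshooting logic (Jouni's advice to pair the Built and Teardown syslog messages and read the termination reason, and the "TCP Reset-I" line the poster quoted for port 443) can be run as a small log triage script. This is an added example, not code from the thread or from Cisco; the syslog lines are constructed samples in the real %ASA-6-302013/302014 and %ASA-4-106023 formats, and the REASON_HINTS wording is the author's interpretation.

```python
import re

# Constructed ASA syslog sample (not from the thread); the 302014 line mirrors the poster's port-443 Teardown.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 319711461 for outside:1.1.1.1/49632 (1.1.1.1/49632) to inside:2.2.2.2/443 (203.0.113.10/443)
%ASA-6-302014: Teardown TCP connection 319711461 for outside:1.1.1.1/49632 to inside:2.2.2.2/443 duration 0:00:00 bytes 0 TCP Reset-I
%ASA-6-302013: Built inbound TCP connection 319711470 for outside:1.1.1.1/49640 (1.1.1.1/49640) to inside:2.2.2.2/80 (203.0.113.10/80)
%ASA-6-302014: Teardown TCP connection 319711470 for outside:1.1.1.1/49640 to inside:2.2.2.2/80 duration 0:00:12 bytes 1532 TCP FINs
%ASA-4-106023: Deny tcp src outside:1.1.1.1/49650 dst inside:203.0.113.10/8443 by access-group "acl-outside" [0x0, 0x0]
"""

BUILT = re.compile(r"Built (?:inbound|outbound) TCP connection (\d+) for (\w+):([\d.]+)/(\d+)"
                   r"(?: \([\d.]+/\d+\))? to (\w+):([\d.]+)/(\d+)")
TEARDOWN = re.compile(r"Teardown TCP connection (\d+) for (\w+):([\d.]+)/(\d+) to (\w+):([\d.]+)/(\d+)"
                      r" duration (\d+:\d+:\d+) bytes (\d+) (.+)$")
DENY = re.compile(r'Deny (\w+) src (\w+):([\d.]+)/(\d+) dst (\w+):([\d.]+)/(\d+) by access-group "([^"]+)"')
# What the common teardown reasons say about where the connection failed (author's reading).
REASON_HINTS = {
    "TCP Reset-I": "inside host sent RST: ASA and NAT are fine, the service refused the connection",
    "TCP FINs": "normal close by both sides",
    "SYN Timeout": "no SYN-ACK from the server: check the host's route back / host firewall",
}

def parse_asa_log(text):
    """Pair 302013 Built / 302014 Teardown by connection id; collect 106023 denies."""
    conns, denies = {}, []
    for line in text.splitlines():
        if m := BUILT.search(line):
            conns[m.group(1)] = {"src": f"{m.group(3)}/{m.group(4)}", "dst_port": int(m.group(7)),
                                 "reason": None, "bytes": None}
        elif m := TEARDOWN.search(line):
            entry = conns.setdefault(m.group(1), {"src": f"{m.group(3)}/{m.group(4)}",
                                                  "dst_port": int(m.group(7))})
            entry.update(duration=m.group(8), bytes=int(m.group(9)), reason=m.group(10).strip())
        elif m := DENY.search(line):
            denies.append({"src": f"{m.group(3)}/{m.group(4)}", "dst_port": int(m.group(7)), "acl": m.group(8)})
    return conns, denies

def verdict_for_port(text, port):
    """Classify what the ASA logged for a destination port: denied, built (with reason), or not seen."""
    conns, denies = parse_asa_log(text)
    deny = next((d for d in denies if d["dst_port"] == port), None)
    if deny:
        return "denied", deny["acl"]
    hits = [c for c in conns.values() if c["dst_port"] == port]
    if not hits:
        return "not-seen", None  # nothing built, torn down or denied: packets never reached the ASA
    return "built", hits[-1]["reason"]
```

Port 5723 comes back "not-seen", which is the thread's conclusion: no Built, Teardown or Deny means the ASA never saw the SYN, so the block is upstream of the firewall.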
