New Member

ACL on FWSM denying traffic

I have an FWSM that is denying traffic when there are explicit permits in the access-list that is applied to the interface. I have included the relevant config and log information. Does anyone have any ideas?

access-group police in interface police

interface police
ip address police 192.168.253.1 255.255.255.0 standby 192.168.253.2

access-list police remark ***Access to VPN
access-list police extended permit ip any any
access-list police extended permit udp any any
access-list police extended permit esp any any
access-list police extended permit tcp any any

static (inside,police) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (police,inside) policenet policenet netmask 255.255.255.0

name 192.168.253.3 police1
name 192.168.253.4 police2
name 192.168.253.5 police3
name 192.168.253.0 policenet
name x.x.x.x policevpn
name x.x.x.x policevpn2

Dec 09 2008 15:26:29: %FWSM-3-106010: Deny inbound udp src police:police1/1040 dst inside:policevpn2/5008
Dec 09 2008 15:26:30: %FWSM-3-106010: Deny inbound udp src police:police1/1040 dst inside:policevpn/5008
Dec 09 2008 15:26:37: %FWSM-3-106010: Deny inbound udp src police:police1/1040 dst inside:policevpn/5008
Dec 09 2008 15:26:45: %FWSM-3-106010: Deny inbound udp src police:police1/1040 dst inside:policevpn2/5008
Dec 09 2008 15:26:45: %FWSM-3-106010: Deny inbound udp src police:police1/1040 dst inside:policevpn2/5008

3 REPLIES
Bronze

Re: ACL on FWSM denying traffic

Same thing here on an FWSM running version 4.0(6)

! START
!
interface Vlan400
nameif app-tier
security-level 90
ip address 192.168.50.1 255.255.255.0
!
interface Vlan800
nameif database-tier
security-level 95
ip address 192.168.100.1 255.255.255.0
!
access-list app-tier_acl extended permit icmp any any
access-list app-tier_acl extended permit ip 192.168.50.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list app-tier_acl extended deny ip 192.168.50.0 255.255.255.0 any
!
access-group app-tier_acl in interface app-tier
!
static (app-tier,database-tier) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
!
! END

%FWSM-3-106010: Deny inbound tcp src app-tier:192.168.50.23/3430 dst database-tier:192.168.100.4

Bronze

Re: ACL on FWSM denying traffic

Interesting. I was able to fix this by disabling NAT Control. However, with the static rule in place, that should not have been necessary.

New Member

ACL on FWSM denying traffic

Hi,

Identity static NAT would resolve it.

Thanks
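For anyone hitting the same deny in the original question and wanting to check the "identity static" suggestion from the last reply before changing NAT, here is an added triage script. It is not code from this thread or from Cisco. It parses the name, access-list, access-group and static lines of an FWSM config together with %FWSM-3-106010 syslog lines in the format shown above, evaluates each denied flow against the interface ACL first-match, and then lists whether any static on the (src_if,dst_if) and (dst_if,src_if) pairs already covers the source and destination addresses. The sample config and log line are constructed from the second post; the host name dbhost, the function names (parse_config, evaluate_acl, triage) and the idea of reporting static coverage for both endpoints are this example's own assumptions, since the thread says an identity static resolves the deny but not which side needs it.

```python
"""Triage helper for %FWSM-3-106010 deny messages.

Added example, not code from this thread or from Cisco.  It reads the
'name', 'access-list', 'access-group' and 'static' lines of an FWSM
config plus 106010 deny syslogs, and for each denied flow reports
whether the interface ACL would have permitted it and which static
translations cover the source and destination addresses.
"""
import ipaddress
import re

# Constructed sample config modelled on the second post in the thread;
# the host name 'dbhost' is invented for the example.
SAMPLE_CONFIG = """
name 192.168.100.4 dbhost
access-list app-tier_acl extended permit icmp any any
access-list app-tier_acl extended permit ip 192.168.50.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list app-tier_acl extended deny ip 192.168.50.0 255.255.255.0 any
access-group app-tier_acl in interface app-tier
static (app-tier,database-tier) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
"""

# Constructed syslog line in the 106010 format shown in the thread.
SAMPLE_LOG = ("Dec 09 2008 15:26:29: %FWSM-3-106010: Deny inbound tcp "
              "src app-tier:192.168.50.23/3430 dst database-tier:dbhost/1433")

LOG_RE = re.compile(
    r"%FWSM-3-106010: Deny inbound (?P<proto>\w+) "
    r"src (?P<sif>[\w-]+):(?P<src>[\w.-]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[\w-]+):(?P<dst>[\w.-]+)(?:/(?P<dport>\d+))?"
)


def _addr(tokens, names):
    """Parse one ACE address spec ('any', 'host X' or 'X MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    net = ipaddress.ip_network(f"{names.get(tokens[0], tokens[0])}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_config(text):
    """Return (names, acls, groups, statics); 'name' lines must precede their use,
    as they do in a saved FWSM configuration."""
    names, acls, groups, statics = {}, {}, {}, []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "name":                                  # name IP ALIAS
            names[f[2]] = f[1]
        elif f[0] == "access-list" and f[2] == "extended":  # remarks are skipped
            src, rest = _addr(f[5:], names)
            dst, _ = _addr(rest, names)
            acls.setdefault(f[1], []).append((f[3], f[4], src, dst, line.strip()))
        elif f[0] == "access-group":                        # access-group ACL in interface IF
            groups[f[4]] = f[1]
        elif f[0] == "static":                              # static (real_if,mapped_if) mapped real netmask M
            real_if, mapped_if = f[1].strip("()").split(",")
            mask = f[5] if len(f) > 5 and f[4] == "netmask" else "255.255.255.255"
            mapped = ipaddress.ip_network(f"{names.get(f[2], f[2])}/{mask}", strict=False)
            real = ipaddress.ip_network(f"{names.get(f[3], f[3])}/{mask}", strict=False)
            statics.append((real_if, mapped_if, real, mapped))
    return names, acls, groups, statics


def evaluate_acl(acl, proto, src, dst):
    """First-match evaluation of an ACE list; (None, None) means the implicit deny applied."""
    for action, ace_proto, ace_src, ace_dst, text in acl:
        if ace_proto in ("ip", proto) and src in ace_src and dst in ace_dst:
            return action, text
    return None, None


def triage(config_text, log_line):
    """Explain one 106010 deny against the config: ACL verdict plus static coverage."""
    names, acls, groups, statics = parse_config(config_text)
    m = LOG_RE.search(log_line)
    if not m:
        raise ValueError("not a 106010 deny message: " + log_line)
    g = m.groupdict()
    src = ipaddress.ip_address(names.get(g["src"], g["src"]))
    dst = ipaddress.ip_address(names.get(g["dst"], g["dst"]))
    acl_name = groups.get(g["sif"])
    action, ace = evaluate_acl(acls.get(acl_name, []), g["proto"], src, dst)
    # Static coverage, reported for both endpoints: the source under a
    # static (src_if,dst_if) and the destination under a static (dst_if,src_if).
    # The thread says an identity static resolves the deny but not which side;
    # this just shows what the config already covers (assumption of this example).
    src_static = [s for s in statics if s[0] == g["sif"] and s[1] == g["dif"] and src in s[2]]
    dst_static = [s for s in statics if s[0] == g["dif"] and s[1] == g["sif"] and dst in s[3]]
    return {
        "flow": f"{g['proto']} {g['sif']}:{src} -> {g['dif']}:{dst}",
        "acl": acl_name,
        "acl_result": action or "implicit-deny",
        "matching_ace": ace,
        "source_covered_by_static": bool(src_static),
        "destination_covered_by_static": bool(dst_static),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CONFIG, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a copy of show running-config and the deny lines from the syslog; if acl_result comes back permit while the FWSM still logs 106010, the ACL is not what is dropping the flow and the static coverage fields show which endpoint has no translation on the relevant interface pair, which is the NAT-control angle the two replies point at. Port operators (eq, range) and object-groups are not parsed, so extend _addr before relying on it for ACLs that use them.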
