Community Member

ASA 5505 8.3 ACL Dropping Packet - Please help

message removed.

10 REPLIES
Cisco Employee

Re: ASA 5505 8.3 ACL Dropping Packet - Please help

Hello,

Please try the config below:

object service Web
service tcp source eq www

object service SecureWeb
service tcp source eq https

object service SMTP
service tcp source eq smtp

object network out_1
host 1.1.1.1

object network in_1
host 192.168.11.2

object network in_2
host 192.168.11.5

nat (inside,outside) source static in_1 interface service Web Web
nat (inside,outside) source static in_1 interface service SecureWeb SecureWeb
nat (inside,outside) source static in_2 interface service SMTP SMTP

access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 443
access-list outside_access_in permit tcp any interface outside eq 25

Hope this helps.

Regards,

NT

Cisco Employee

Re: ASA 5505 8.3 ACL Dropping Packet - Please help

Will traffic from the DMZ be PAT'ed to the outside interface as well?  If so, you will need a corresponding NAT statement for this:

object network obj_10.0.0.0
subnet 10.0.0.0 255.255.255.0
nat (dmz,outside) dynamic interface

The above will allow all traffic from 10.0.0.0/24 behind the DMZ interface to be PAT'ed to the outside interface IP address (1.1.1.1) when making an outbound connection.

Hope this helps.

Community Member

Re: ASA 5505 8.3 ACL Dropping Packet - Please help

Thanks! I'm going to test this now. How do I allow a range of IPs to hit our firewall for PCI testing? A security company we use needs to be able to hit the firewall to test. In our WatchGuard this was called an exception list.

Cisco Employee

Re: ASA 5505 8.3 ACL Dropping Packet - Please help

Hello,

You can add entries to the outside access-list.

access-list outside_access_in extended permit ip host <scanner-ip> any

Hope this helps.

Regards,

NT

Cisco Employee

Re: ASA 5505 8.3 ACL Dropping Packet - Please help

Which internal hosts will the security company need to access, and on which ports?  If it needs to access the internal host 192.168.11.2 on ports 80,443 and host 192.168.11.5 on port 25, then the following commands provided by the previous poster should allow this:

nat (inside,outside) source static in_1 interface service Web Web
nat (inside,outside) source static in_1 interface service SecureWeb SecureWeb
nat (inside,outside) source static in_2 interface service SMTP SMTP

access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 443
access-list outside_access_in permit tcp any interface outside eq 25

access-group outside_access_in in interface outside

Community Member

Re: ASA 5505 8.3 ACL Dropping Packet - Please help

They actually test against the firewall. So I'm assuming they just need ICMP on the outside interface turned on.

Community Member

Re: ASA 5505 8.3 ACL Dropping Packet - Please help

message removed

Cisco Employee

Re: ASA 5505 8.3 ACL Dropping Packet - Please help

Can you try removing this line?

nat (inside,outside) source dynamic any interface

I think this NAT rule is taking precedence instead of the static PATs you've configured.  You can then configure dynamic PAT for inside hosts going out as follows:

object network obj_192.168.11.0
subnet 192.168.11.0 255.255.255.0
nat (inside,outside) dynamic interface

Issue "clear local-host" and try testing again.

Community Member

Re: ASA 5505 8.3 ACL Dropping Packet - Please help

Still does not work. This is what shows in the logs.

Can you call or email me off the boards?

Severity 4, Jul 22 2010 19:01:10, message 106023, source 208.85.196.73/2233, destination 192.168.11.2/443:
Deny tcp src outside:1.1.1.1/2233 dst inside:192.168.11.2/443 by access-group "outside_access_in" [0x0, 0x0]

Cisco Employee

Re: ASA 5505 8.3 ACL Dropping Packet - Please help

Also, 8.3 uses the real IP address in the ACLs, so please try changing the ACL as follows.  Sorry I missed it earlier:

no access-list outside_access_in extended permit tcp any interface outside eq www
no access-list outside_access_in extended permit tcp any interface outside eq https
no access-list outside_access_in extended permit tcp any interface outside eq smtp

access-list outside_access_in extended permit tcp any host 192.168.11.2 eq www
access-list outside_access_in extended permit tcp any host 192.168.11.2 eq https
access-list outside_access_in extended permit tcp any host 192.168.11.5 eq smtp

access-group outside_access_in in interface outside
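The whole thread turns on one ordering change in ASA 8.3: an inbound connection to a static PAT is untranslated (mapped interface address to real inside host) before the interface ACL is evaluated, so the ACL must name the real address. The posted log already shows this, because the denied packet's destination is printed as the inside host, not as 1.1.1.1. The following toy model is an added example written for this page, not code from the thread or from Cisco; it transcribes the thread's NAT and ACL lines into data, constructs a packet matching the logged connection, and shows the first ACL being denied under 8.3 semantics, permitted under the pre-8.3 mapped-address semantics, and permitted once rewritten to the real hosts. The 106023 string it builds is only the shape of the message, and the packet and addresses are constructed from the posts.

```python
# Added example (not from the thread): toy model of ASA 8.3+ inbound processing.
# Untranslation of a static PAT happens first, then the inbound interface ACL is
# checked against the real (inside) address; pre-8.3 checked the mapped address.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class StaticPat:
    # nat (inside,outside) source static <real> interface service <svc> <svc>
    real_ip: str
    mapped_ip: str
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Ace:
    # access-list <name> extended <action> <proto> <src> <dst> [eq <port>]
    action: str
    proto: str                 # "tcp", "udp", "icmp" or "ip"
    src: str                   # CIDR or "any"
    dst: str                   # CIDR or "any"
    dport: Optional[int] = None


def _addr_matches(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def untranslate(pkt: Packet, nat: List[StaticPat]) -> Packet:
    """Rewrite the destination to the real host when a static PAT matches; else unchanged."""
    for rule in nat:
        if rule.proto == pkt.proto and pkt.dst == rule.mapped_ip and pkt.dport == rule.port:
            return Packet(pkt.src, pkt.sport, rule.real_ip, rule.port, pkt.proto)
    return pkt


def acl_decision(pkt: Packet, acl: List[Ace]) -> str:
    """First matching ACE wins; falling off the end is the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not _addr_matches(ace.src, pkt.src) or not _addr_matches(ace.dst, pkt.dst):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


def inbound(pkt: Packet, nat: List[StaticPat], acl: List[Ace], real_ip_acl: bool = True) -> str:
    """real_ip_acl=True models 8.3+ (untranslate, then ACL); False models pre-8.3 (ACL on mapped)."""
    return acl_decision(untranslate(pkt, nat) if real_ip_acl else pkt, acl)


def deny_log(pkt: Packet, nat: List[StaticPat], acl_name: str = "outside_access_in") -> str:
    """Shape of %ASA-4-106023; note the destination is already the real inside host."""
    real = untranslate(pkt, nat)
    return (f'%ASA-4-106023: Deny {real.proto} src outside:{real.src}/{real.sport} '
            f'dst inside:{real.dst}/{real.dport} by access-group "{acl_name}" [0x0, 0x0]')


# The thread's configuration, transcribed from the posts above.
OUTSIDE_IF = "1.1.1.1"
NAT = [
    StaticPat("192.168.11.2", OUTSIDE_IF, 80),
    StaticPat("192.168.11.2", OUTSIDE_IF, 443),
    StaticPat("192.168.11.5", OUTSIDE_IF, 25),
]
# First attempt: ACEs written against the mapped (outside interface) address.
ACL_MAPPED = [Ace("permit", "tcp", "any", "1.1.1.1/32", p) for p in (80, 443, 25)]
# Corrected 8.3 form: ACEs written against the real inside hosts.
ACL_REAL = [
    Ace("permit", "tcp", "any", "192.168.11.2/32", 80),
    Ace("permit", "tcp", "any", "192.168.11.2/32", 443),
    Ace("permit", "tcp", "any", "192.168.11.5/32", 25),
]
# Constructed packet matching the connection denied in the posted log.
HTTPS_FROM_INTERNET = Packet("208.85.196.73", 2233, OUTSIDE_IF, 443)

if __name__ == "__main__":
    print("8.3, mapped-address ACL:", inbound(HTTPS_FROM_INTERNET, NAT, ACL_MAPPED))
    print("   ", deny_log(HTTPS_FROM_INTERNET, NAT))
    print("8.3, real-address ACL  :", inbound(HTTPS_FROM_INTERNET, NAT, ACL_REAL))
    print("8.2, mapped-address ACL:", inbound(HTTPS_FROM_INTERNET, NAT, ACL_MAPPED, real_ip_acl=False))
```

Two caveats the model leaves out. It covers only through-the-box traffic: pings aimed at the outside interface address itself are to-the-box traffic and are governed by the `icmp permit`/`icmp deny` commands, not by the `access-group` ACL, so opening ICMP for a scanner is a separate setting. And an ACE permits but does not create reachability: a scanner probing 1.1.1.1 on a port with no static PAT has nothing to be untranslated to, and a broad `permit ip <scanner> any` in 8.3 admits that scanner to every real host that does have a static translation, so keep the source scoped to the vendor's addresses and remove the ACE when the assessment ends.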
