ASA 5505 Security Plus ignores inbound ACL's

istvanbocskai
Level 1

I have a single static IP and currently serve http, https, & SMTP (successfully) through PAT with a PIX 501.

I've tried every combination of Outside_in ACL's, even a permit any any and incoming traffic is still blocked by ACL. The logged event is:

TCP access denied by ACL from 195.156.154.115/3359 to WAN:195.156.111.132/443


7 Replies

jserevitch
Level 1

Is the ACL applied to an interface? For example, if your ACL is named inpackets, then you would need "access-group inpackets in interface outside".

Yes, it is applied to an interface:

"access-group WAN_access_in in interface WAN"

istvanbocskai
Level 1

Having 2 static IPs and using a different one for port forwarding, all works fine.

elijah.savage
Level 1

What version of IOS are you running? I currently have this setup without any issues at all.

access-list 100 extended permit tcp any host X.X.X.X eq smtp

static (inside,outside) tcp interface smtp servers ip here smtp netmask 255.255.255.255

Applied to the interface

access-group 100 in interface outside

hi,

i guess i am saying the same thing again.

for the access from outside to inside

you need

the static:

static (inside,outside)

let's say, the internal IP address of the server is 10.0.0.2

so, the static would be:

static (inside,outside) 195.156.111.132 10.0.0.2

along with this, we need an access-list on the outside interface which permits the traffic.

access-list out_in permit tcp any host 195.156.111.132 eq http

access-list out_in permit tcp any host 195.156.111.132 eq https

access-list out_in permit tcp any host 195.156.111.132 eq smtp

Let me know if this helps.

Sushil

hi,

I have the following commands:

access-list WAN_access_in extended permit ip any host 195.156.111.131

static (LAN,WAN) tcp 195.156.111.131 www 192.168.151.22 www netmask 255.255.255.255

access-group WAN_access_in in interface WAN

ASA has the IP 195.156.111.132.

If I have the commands with a different IP, e.g. .131, it works. If I use the ASA's own IP, .132, I get ACL denies.

if you want to do .132 (ASA outside interface) you should do

static (LAN,WAN) tcp interface www 192.168.151.22 www netmask 255.255.255.255

note: elijah recommended the same thing above
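As an added check, not from the thread or from Cisco, here is a small Python linter for the pre-8.3 static/ACL pairing discussed above: it flags a static that names the outside interface address literally instead of with the `interface` keyword, and cross-checks that every static has a matching permit on the outside ACL and vice versa. The sample config, interface name and addresses are constructed from the values quoted in the thread.

```python
import re
# Constructed sample in the pre-8.3 ASA syntax from this thread: the poster's broken
# static (outside IP written literally) beside the corrected 'interface' form.
OUTSIDE_IF = "WAN"
OUTSIDE_IP = "195.156.111.132"  # the ASA's own outside address, as stated above
SAMPLE_CONFIG = """
access-list WAN_access_in extended permit tcp any host 195.156.111.132 eq https
access-list WAN_access_in extended permit tcp any host 195.156.111.132 eq www
static (LAN,WAN) tcp 195.156.111.132 https 192.168.151.22 https netmask 255.255.255.255
static (LAN,WAN) tcp interface www 192.168.151.22 www netmask 255.255.255.255
access-group WAN_access_in in interface WAN
"""
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) tcp (\S+) (\S+) \S+ \S+ netmask")
ACL_RE = re.compile(r"^access-list \S+ (?:extended )?permit (?:tcp|ip) any host (\S+)(?: eq (\S+))?$")
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25}

def port_num(name):
    # ASA accepts names or numbers; normalise so 'www' and 'http' compare equal.
    return None if name is None else PORT_NAMES[name] if name in PORT_NAMES else int(name)

def check_static_pat(config, outside_if, outside_ip):
    """Return findings for static PAT entries checked against the outside ACL."""
    findings, statics, permits = [], [], []
    for line in config.strip().splitlines():
        m = STATIC_RE.match(line)
        if m:
            _, mapped_if, mapped_ip, mapped_port = m.groups()
            if mapped_ip == "interface":
                mapped_ip = outside_ip
            elif mapped_if == outside_if and mapped_ip == outside_ip:
                # The thread's bug: the outside address must be the keyword 'interface'.
                findings.append(f"static {mapped_ip} {mapped_port}: use the 'interface' keyword")
            statics.append((mapped_ip, port_num(mapped_port)))
            continue
        m = ACL_RE.match(line)
        if m:
            permits.append((m.group(1), port_num(m.group(2))))
    # Pre-8.3 outside ACLs match the mapped (public) address: each static needs a
    # permit for that address/port and each permit should correspond to a static.
    for ip, port in statics:
        if not any(h == ip and p in (None, port) for h, p in permits):
            findings.append(f"static for {ip}:{port} has no permit in the outside ACL")
    for h, p in permits:
        if not any(ip == h and p in (None, port) for ip, port in statics):
            findings.append(f"ACL permits {h}:{p or 'any'} but no static maps it")
    return findings

if __name__ == "__main__":
    for finding in check_static_pat(SAMPLE_CONFIG, OUTSIDE_IF, OUTSIDE_IP):
        print(finding)
```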
