Cisco Support Community

New Member

ASA 5505 Security Plus ignores inbound ACLs

I have a single static IP and currently serve HTTP, HTTPS, and SMTP (successfully) through PAT with a PIX 501.

I've tried every combination of Outside_in ACLs, even a permit any any, and incoming traffic is still blocked by the ACL. The logged event is:

TCP access denied by ACL from 195.156.154.115/3359 to WAN:195.156.111.132/443


7 REPLIES
New Member

Re: ASA 5505 Security Plus ignores inbound ACLs

Is the ACL applied to an interface? For example, if your ACL is named inpackets, then you would need "access-group inpackets in interface outside".

New Member

Re: ASA 5505 Security Plus ignores inbound ACLs

Yes, it is applied to an interface:

"access-group WAN_access_in in interface WAN"

New Member

Re: ASA 5505 Security Plus ignores inbound ACLs

Having 2 static IPs, using a different one for port forwarding, all works fine.

New Member

Re: ASA 5505 Security Plus ignores inbound ACLs

What version of IOS are you running? I currently have this setup without any issues at all.

access-list 100 extended permit tcp any host X.X.X.X eq smtp

static (inside,outside) tcp interface smtp <server-ip-here> smtp netmask 255.255.255.255

Applied to the interface:

access-group 100 in interface outside

Cisco Employee

Re: ASA 5505 Security Plus ignores inbound ACLs

hi,

I guess I am saying the same thing again.

For the access from outside to inside you need the static:

static (inside,outside)

Let's say the internal IP address of the server is 10.0.0.2, so the static would be:

static (inside,outside) 195.156.111.132 10.0.0.2

Along with this, we need an access-list on the outside interface which permits the traffic.

access-list out_in permit tcp any host 195.156.111.132 eq http

access-list out_in permit tcp any host 195.156.111.132 eq https

access-list out_in permit tcp any host 195.156.111.132 eq smtp

Let me know if this helps.

Sushil

New Member

Re: ASA 5505 Security Plus ignores inbound ACLs

hi,

I have the following commands:

access-list WAN_access_in extended permit ip any host 195.156.111.131

static (LAN,WAN) tcp 195.156.111.131 www 192.168.151.22 www netmask 255.255.255.255

access-group WAN_access_in in interface WAN

ASA has the IP 195.156.111.132.

If I have the commands with a different IP, e.g. .131, it works. If I use the ASA's own IP, .132, I get ACL denies.

Green (accepted solution)

Re: ASA 5505 Security Plus ignores inbound ACLs

If you want to use .132 (the ASA outside interface) you should do:

static (LAN,WAN) tcp interface www 192.168.151.22 www netmask 255.255.255.255

Note: elijah recommended the same thing above.
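As an added check (not code from the thread or from Cisco), a short Python lint that reads a pre-8.3 ASA/PIX configuration, learns each nameif's address, and flags any static whose mapped address is the literal IP of its outside interface instead of the interface keyword, the mismatch behind the ACL denies in this thread. The sample config is constructed from the thread's addresses; the LAN interface address and the subnet masks are assumptions.

```python
import re

# Constructed sample config in pre-8.3 static/nameif syntax; addresses follow the thread,
# the LAN interface address and the subnet masks are assumptions.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif LAN
 ip address 192.168.151.1 255.255.255.0
interface Vlan2
 nameif WAN
 ip address 195.156.111.132 255.255.255.248
static (LAN,WAN) tcp 195.156.111.132 www 192.168.151.22 www netmask 255.255.255.255
static (LAN,WAN) tcp 195.156.111.131 https 192.168.151.22 https netmask 255.255.255.255
static (LAN,WAN) tcp interface smtp 192.168.151.23 smtp netmask 255.255.255.255
"""

NAMEIF_RE = re.compile(r"^\s+nameif\s+(\S+)")
IPADDR_RE = re.compile(r"^\s+ip address\s+(\d+\.\d+\.\d+\.\d+)")
# static (real_if,mapped_if) tcp|udp <mapped> <mapped_port> <real> <real_port> ...
STATIC_RE = re.compile(r"^static \(([^,]+),(?P<mapped_if>[^)]+)\)\s+(?:tcp|udp)\s+"
                       r"(?P<mapped>\S+)\s+\S+\s+\S+\s+\S+")

def interface_addresses(config):
    """Map each nameif to the IPv4 address of its interface stanza."""
    addrs, current = {}, None
    for line in config.splitlines():
        m = NAMEIF_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = IPADDR_RE.match(line)
        if m and current:
            addrs[current] = m.group(1)
    return addrs

def find_self_ip_statics(config):
    """Return (offending line, corrected line) for every static whose mapped
    address is the literal IP of the mapped interface; the fix is the
    `interface` keyword, as in the accepted answer."""
    addrs = interface_addresses(config)
    findings = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m and m.group("mapped") == addrs.get(m.group("mapped_if")):
            findings.append((line, line.replace(m.group("mapped"), "interface", 1)))
    return findings

if __name__ == "__main__":
    for bad, fix in find_self_ip_statics(SAMPLE_CONFIG):
        print(f"replace: {bad}\n   with: {fix}")
```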
