ASA 5505 Security Plus ignores inbound ACLs

istvanbocskai
Level 1

I have a single static IP and currently serve http, https, & SMTP (successfully) through PAT with a PIX 501.

I've tried every combination of Outside_in ACLs, even a permit any any, and incoming traffic is still blocked by the ACL. The logged event is:

TCP access denied by ACL from 195.156.154.115/3359 to WAN:195.156.111.132/443


7 Replies

jserevitch
Level 1

Is the ACL applied to an interface? For example, if your ACL is named inpackets, then you would need "access-group inpackets in interface outside".

Yes, it is applied to an interface:

"access-group WAN_access_in in interface WAN"

istvanbocskai
Level 1

Having 2 static IPs and using a different one for port forwarding, all works fine.

elijah.savage
Level 1

What version of IOS are you running? I currently have this setup without any issues at all.

access-list 100 extended permit tcp any host X.X.X.X eq smtp

static (inside,outside) tcp interface smtp servers ip here smtp netmask 255.255.255.255

Applied to the interface:

access-group 100 in interface outside

Hi,

I guess I am saying the same thing again.

For access from outside to inside you need the static:

static (inside,outside)

Let's say the internal IP address of the server is 10.0.0.2, so the static would be:

static (inside,outside) 195.156.111.132 10.0.0.2

Along with this, we need an access-list on the outside interface which permits the traffic.

access-list out_in permit tcp any host 195.156.111.132 eq http

access-list out_in permit tcp any host 195.156.111.132 eq https

access-list out_in permit tcp any host 195.156.111.132 eq smtp

Let me know if this helps.

Sushil

Hi,

I have the following commands:

access-list WAN_access_in extended permit ip any host 195.156.111.131

static (LAN,WAN) tcp 195.156.111.131 www 192.168.151.22 www netmask 255.255.255.255

access-group WAN_access_in in interface WAN

ASA has the IP 195.156.111.132.

If I use the commands with a different IP, e.g. .131, it works. If I use the ASA's own IP, .132, I get ACL denies.

If you want to do .132 (ASA outside interface) you should do:

static (LAN,WAN) tcp interface www 192.168.151.22 www netmask 255.255.255.255

Note: Elijah recommended the same thing above.
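Pulling the thread's pieces together, here is a complete pre-8.3 configuration for publishing all three services on the WAN interface's own address, followed by the checks I would run before posting a "still denied" message. This is an added example written for this page, not a configuration from any of the posters. The interface names LAN/WAN, the ACL name WAN_access_in, the outside address 195.156.111.132 and the web server 192.168.151.22 are taken from the thread; the mail server address 192.168.151.25 is a placeholder I made up for illustration.

```cisco
! Added example (not from the thread). Pre-8.3 ASA syntax, as used in this thread.
! Interface names LAN/WAN and the web server 192.168.151.22 come from the posts;
! the mail server 192.168.151.25 is an assumed placeholder.
!
! When the mapped address is the WAN interface's own IP, the static PAT must use
! the "interface" keyword. Writing the literal address 195.156.111.132 instead is
! what produced the "access denied by ACL ... to WAN:195.156.111.132/443" events.
static (LAN,WAN) tcp interface www 192.168.151.22 www netmask 255.255.255.255
static (LAN,WAN) tcp interface https 192.168.151.22 https netmask 255.255.255.255
static (LAN,WAN) tcp interface smtp 192.168.151.25 smtp netmask 255.255.255.255
!
! Pre-8.3 the inbound ACL is written against the mapped (outside) address,
! i.e. the WAN interface IP, not against the servers' inside addresses.
! Permit only the published ports; "permit ip any any" was only a test above.
access-list WAN_access_in extended permit tcp any host 195.156.111.132 eq www
access-list WAN_access_in extended permit tcp any host 195.156.111.132 eq https
access-list WAN_access_in extended permit tcp any host 195.156.111.132 eq smtp
access-group WAN_access_in in interface WAN
!
! Checks (privileged exec). Changing a static pre-8.3 requires clearing the
! translation table; note that "clear xlate" drops every existing translation.
clear xlate
show xlate
show access-list WAN_access_in
! Replay the denied flow from the original post's log line. Every phase should
! report ALLOW and the NAT phase should show the translation to 192.168.151.22/443.
packet-tracer input WAN tcp 195.156.154.115 3359 195.156.111.132 443
```

If packet-tracer still ends in a DROP at the ACCESS-LIST phase with the `interface` form in place, compare the hitcounts in `show access-list WAN_access_in` against the mapped address the static actually created in `show xlate`; a mismatch between the two addresses is the usual cause, exactly as it was for .131 versus .132 in this thread.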
