Community Member

ASA 5510 Access-List Problem

My ASA 5510 is intermittently denying access from my ISP's mail server to our internal SMTP gateway.

The acl applied to the outside interface of the firewall allows tcp any any to the smtp server on port 25. There is no access-list applied to the inside interface. A packet trace yields the following result.

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) 193.201.254.66 128.1.100.199 netmask 255.255.255.255
nat-control
match ip inside host 128.1.100.199 outside any
static translation to 193.201.254.66
translate_hits = 1584262, untranslate_hits = 7749710
Additional Information:
NAT divert to egress interface inside
Untranslate 193.201.254.66/0 to 128.1.100.199/0 using netmask 255.255.255.255

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x47de0a0, priority=11, domain=permit, deny=true
hits=7928006, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The packet is being dropped by an implicit rule? Any ideas?

4 REPLIES
Green

Re: ASA 5510 Access-List Problem

Could you post your acl?

It should be...

access-list name extended permit tcp any host 193.201.254.66 eq 25

Community Member

Re: ASA 5510 Access-List Problem

access-list outside_acl extended permit tcp any host 193.201.254.66 eq smtp
access-list outside_acl extended permit tcp any object-group web-servers object-group web-ports-tcp
access-list outside_acl extended permit tcp any object-group dmz-servers eq www

Community Member

Re: ASA 5510 Access-List Problem

It seems your routing is not correct for the destination network:

Result:
input-interface: outside
output-interface: outside
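As an added example (not code from this thread or from Cisco), the script below parses a packet-tracer transcript like the one posted in the question and pulls out the facts the replies focus on: which phase produced the DROP and whether it was the implicit rule, and whether the interface chosen by the route lookup agrees with the one the UN-NAT phase diverted to. In the posted trace those are "inside" and "outside", and output-interface equals input-interface. The sample transcript is the question's own output, trimmed to phases 2-4; the parsing approach and the result field names are this example's assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the packet-tracer output quoted in the question above,
# trimmed to phases 2-4 and the fields this parser reads.
SAMPLE_TRACE = """\
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) 193.201.254.66 128.1.100.199 netmask 255.255.255.255
Additional Information:
NAT divert to egress interface inside
Untranslate 193.201.254.66/0 to 128.1.100.199/0 using netmask 255.255.255.255

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 4
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x47de0a0, priority=11, domain=permit, deny=true

Result:
input-interface: outside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    detail: list = field(default_factory=list)  # Config / Additional Information lines


def parse_trace(text):
    """Split packet-tracer output into numbered phases plus the trailing Result block."""
    phases, summary, current, in_summary = [], {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("Config:", "Additional Information:"):
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            continue
        if line == "Result:":  # a bare 'Result:' opens the final verdict block
            in_summary, current = True, None
            continue
        key, sep, value = line.partition(":")
        if in_summary:
            summary[key.strip().lower()] = value.strip()
        elif current is not None:
            if sep and key in ("Type", "Subtype", "Result"):
                setattr(current, key.lower(), value.strip())
            else:
                current.detail.append(line)
    return phases, summary


def diagnose(text):
    """Report which phase dropped, whether the implicit deny fired, and whether the
    route lookup's interface agrees with the UN-NAT divert interface."""
    phases, summary = parse_trace(text)
    by_type = {p.type: p for p in phases}
    drop = next((p for p in phases if p.result == "DROP"), None)
    unnat, route = by_type.get("UN-NAT"), by_type.get("ROUTE-LOOKUP")
    divert = re.search(r"NAT divert to egress interface (\S+)", " ".join(unnat.detail)) if unnat else None
    route_if = None
    for line in (route.detail if route else []):
        m = re.match(r"in\s+\S+\s+\S+\s+(\S+)$", line)  # 'in <network> <mask> <interface>'
        if m:
            route_if = m.group(1)
    ingress, egress = summary.get("input-interface"), summary.get("output-interface")
    return {
        "drop_phase": drop.number if drop else None,
        "drop_type": drop.type if drop else None,
        "implicit_deny": bool(drop and "Implicit Rule" in drop.detail),
        "drop_reason": summary.get("drop-reason"),
        "nat_divert_interface": divert.group(1) if divert else None,
        "route_interface": route_if,
        "egress_equals_ingress": bool(ingress and ingress == egress),
        "divert_route_mismatch": bool(divert and route_if and divert.group(1) != route_if),
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_TRACE).items():
        print(f"{key:24} {value}")
```

Run against the question's trace, the report shows drop_phase 4 with implicit_deny True, nat_divert_interface "inside" against route_interface "outside", and egress_equals_ingress True, which is the routing disagreement the reply above points at. Pasting a fresh packet-tracer transcript in place of SAMPLE_TRACE after a change lets you confirm that the divert and route interfaces now agree and that no phase reports DROP.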

Community Member

Re: ASA 5510 Access-List Problem

What version are you running? I'm getting the exact output you're getting with a trace - looks like my issue could be related to bug ID CSCsj31537 however.
