
New Member

ASA 5540 protocol-80 blocked packets when return

Hello, 

I have some traffic that uses protocol 80. I have set up a new service with protocol 80 (other than TCP/UDP). The session tries to be established from inside to outside.

When the packets arrive at the "inside" interface, they cross the firewall and are sent out the "outside" interface. When the return packets arrive at the "outside" interface they die there and do not cross the ASA again to the "inside" interface.

I verified that no packets hit the rules. It seems the packets are not matched by any rule in the ASA, but are sent out; when the return packets arrive I don't understand what is happening and why they are blocked at the outside interface.


Please, could you help me ?

Thanks

Andre


Accepted Solution

VIP Purple

You are talking about the IP-protocol 80 and not about TCP or UDP? Then you have to allow it explicitly as this will never be handled statefully by the firewall:

access-list OUTSIDE-IN permit 80 host OUTSIDE-IP host INSIDE-IP

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
6 REPLIES
New Member


Hi,

probably ASA doesn't inspect this traffic, enable MPF for this traffic or add ACL

regards

Hubert

New Member


Thanks Hubert for your answer!

New Member

Thanks for your answers! I will try as soon as possible.

Yes, proto 80 is not TCP/UDP. Non-stateful is the key.


New Member


Hello, 

Sadly, none of the options work!

I have explicitly permitted the return traffic on the inside and outside interfaces, in the incoming and outgoing directions, but nothing... no hits appear in the rules.

access-list OUTSIDE-IN permit 80 host OUTSIDE-IP host INSIDE-IP

I have made a class-map in order to inspect the traffic on the outside interface, but this also seems not to work.

This kind of traffic is non-IP traffic and my ASA 5540 is in routed mode.

Please, could you give me some idea to work around this?

Thanks in advance!

Andres


New Member

It works now!

The outside host had an old session established with the inside host.

The inside host had changed its address and the NAT table entry still remained. I cleared the old session and everything works fine. ("clear conn address outside_address")
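To put the two pieces of this thread together (the explicit outside-in permit from the accepted answer, and the stale-connection check that finally fixed it), here is an added ASA configuration and verification sequence. It is not from the thread or from Cisco; the addresses 192.0.2.20 (inside host) and 203.0.113.10 (outside host) are assumed documentation-range placeholders, and the interface names inside/outside and the ACL names are assumptions.

```cisco
! Added example, not from the thread. Assumed placeholder addresses:
! inside host 192.0.2.20, outside host 203.0.113.10 (RFC 5737 ranges);
! interface names inside/outside and ACL names are assumptions.
!
! 1. Permit the initiator direction. IP protocol 80 is neither TCP nor UDP,
!    so the ASA does not build the usual stateful return path for it; the
!    return traffic has to be allowed by an explicit ACL on the outside interface.
access-list INSIDE-OUT extended permit 80 host 192.0.2.20 host 203.0.113.10
access-group INSIDE-OUT in interface inside
!
! 2. Return direction. Scope it to the exact host pair rather than "any" so the
!    inbound opening is as narrow as possible and shows up clearly in audits.
access-list OUTSIDE-IN extended permit 80 host 203.0.113.10 host 192.0.2.20
access-group OUTSIDE-IN in interface outside
!
! 3. Verify. If the OUTSIDE-IN entry shows a zero hitcnt while the return
!    packets are clearly arriving, look for an existing (possibly stale)
!    connection to the outside host, as the final post in the thread found,
!    and clear it so the new flow is evaluated against the ACL.
show access-list OUTSIDE-IN
show conn address 203.0.113.10
clear conn address 203.0.113.10
```

On ASA 8.3 and later the access-list entries reference the real (untranslated) inside address even when the host is NATed; on earlier releases the outside-in entry must name the mapped address instead. Clearing connections by address is disruptive to every flow involving that host, so run the `show conn` first and clear only what is actually stale.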
