Cisco Support Community
Community Member

ASA: ACL is not working properly

Here is my configuration.

access-list inside_access_in extended permit tcp host Mailint any eq smtp

access-list inside_access_in extended deny tcp any any eq smtp

access-list inside_access_in extended permit ip object-group internal-net any

access-group inside_access_in in interface inside

This is in order to prevent possible spammers on my LAN.

The Mailint server is the only one allowed to send SMTP traffic.

But the ACL does not work!?

I issue from my PC:

telnet mail.yahoo.com 25

And I receive reply from yahoo server.

Any suggestions? What is wrong?
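The ACL as posted is already correct for the stated goal: ASA access lists are evaluated top-down, first match wins, and everything that matches nothing is dropped by the implicit deny. The following evaluator, an added example and not code from the thread, parses the three ACEs above and walks sample flows through them so the first-match behaviour and the per-member expansion of the object-group can be seen. The addresses are constructed: the post masks its networks behind ****, so the members of internal-net, the Mailint address and the 203.0.113.25 stand-in for mail.yahoo.com are assumptions.

```python
"""First-match evaluation of the ACL posted above (added example, not from the thread).

Addresses are constructed: the post masks the real networks behind ****, so the
object-group members and the Mailint address below are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed values standing in for the masked ones in the post.
NAMES = {"Mailint": "10.1.1.25"}                      # 'name' entry for the mail relay
OBJECT_GROUPS = {                                     # object-group network internal-net
    "internal-net": ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"],
}
PORTS = {"smtp": 25, "www": 80, "https": 443}

# The ACL exactly as configured in the post.
ACL_TEXT = """
access-list inside_access_in extended permit tcp host Mailint any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip object-group internal-net any
"""


@dataclass
class Ace:
    line: int
    action: str
    proto: str
    src: List[ipaddress.IPv4Network]
    dst: List[ipaddress.IPv4Network]
    dport: Optional[int]
    hitcnt: int = 0


def _parse_addr(tokens):
    """Consume one ASA address spec; return (list of networks, remaining tokens)."""
    t = tokens[0]
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if t == "host":
        return [ipaddress.ip_network(NAMES.get(tokens[1], tokens[1]))], tokens[2:]
    if t == "object-group":
        # The ASA expands a group into one ACE per member, which is why
        # 'show access-list' prints several 'line 3' entries, each with its own hitcnt.
        return [ipaddress.ip_network(n) for n in OBJECT_GROUPS[tokens[1]]], tokens[2:]
    return [ipaddress.ip_network(f"{t}/{tokens[1]}", strict=False)], tokens[2:]  # addr mask


def parse_acl(text):
    aces = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        # access-list NAME extended ACTION PROTO SRC DST [eq PORT]
        if tok[0] != "access-list" or tok[2] != "extended":
            raise ValueError(f"unsupported ACE: {raw}")
        action, proto = tok[3], tok[4]
        src, rest = _parse_addr(tok[5:])
        dst, rest = _parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORTS[rest[1]] if rest[1] in PORTS else int(rest[1])
        aces.append(Ace(len(aces) + 1, action, proto, src, dst, dport))
    return aces


def evaluate(aces, proto, src_ip, dst_ip, dport):
    """Return (action, matching line or None). ASA ACLs are first-match with an
    implicit deny at the end; the matching ACE's hit counter is incremented."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if not any(s in n for n in ace.src) or not any(d in n for n in ace.dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        ace.hitcnt += 1
        return ace.action, ace.line
    return "deny", None


def reordered_acl():
    """Same ACEs with the broad permit moved above the SMTP deny: the common
    mistake that really would let every inside host reach port 25."""
    lines = ACL_TEXT.strip().splitlines()
    return parse_acl("\n".join([lines[0], lines[2], lines[1]]))


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    yahoo = "203.0.113.25"  # constructed stand-in for mail.yahoo.com
    for flow in [("10.1.1.25", yahoo, 25), ("10.1.2.50", yahoo, 25),
                 ("10.1.2.50", yahoo, 80), ("192.168.99.9", yahoo, 80)]:
        print(flow, "->", evaluate(acl, "tcp", *flow))
    for ace in acl:
        print(f"line {ace.line} {ace.action} hitcnt={ace.hitcnt}")
    print("deny after broad permit:", evaluate(reordered_acl(), "tcp", "10.1.2.50", yahoo, 25))
```

With the posted order, an SMTP connection from any inside PC other than Mailint stops at line 2 and its hit counter increments, which matches the hitcnt=18 on the deny line in the output further down the thread; only if the `permit ip object-group internal-net any` line sat above the deny would the deny become dead.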

8 REPLIES

Re: ASA: ACL is not working properly

post the output from "show access-list inside_access_in"

Community Member

Re: ASA: ACL is not working properly

Here it is

access-list inside_access_in; 9 elements; name hash: 0x433a1af1

access-list inside_access_in line 1 extended permit tcp host Mailint any eq smtp (hitcnt=0) 0x1fa6687c

access-list inside_access_in line 2 extended deny tcp any any eq smtp (hitcnt=18) 0xe3de3aa9

access-list inside_access_in line 3 extended permit ip object-group internal-net any 0x0ada2aa5

access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=19175) 0x12ee6ada

access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=16565) 0xeba73452

access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=3270) 0x3ec5fae7

access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=2723) 0x35616727

access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=10427) 0x69b4b8b6

access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=0) 0x4964f9f7

access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=0) 0xfef1f420

Re: ASA: ACL is not working properly

So you are blocking with this line:

access-list inside_access_in line 2 extended deny tcp any any eq smtp (hitcnt=18)

Community Member

Re: ASA: ACL is not working properly

Yes, and it is not working.

SMTP traffic is passing through.

Could somebody try this too?

Re: ASA: ACL is not working properly

How do you know this is still working?

Bronze

Re: ASA: ACL is not working properly

Do you have a static NAT for your PC? Try to check from other PCs that are NATed.

Community Member

Re: ASA: ACL is not working properly

Are you positive you are coming from the inside and are not coming in to the ASA from a different interface? If you are sure you are coming from the inside, can you add this to your ACL to test?

access-list inside_access_in line 2 deny tcp host any eq smtp

Then test again and look at the counters to see if you are able to get out. If you are, are you sure there is not a device before the ASA that is translating your address?

Community Member

Re: ASA: ACL is not working properly

I was wrong. ACL is working.

Confusion was caused by TCP options.

(Configuration-firewall-advanced-TCP options for inside interface)

I unchecked "Send reset reply for denied outbound TCP packets"

and there are no more "replies" from the Yahoo server.

Sorry, but I was really confused by this.

Thanks for your replies.
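The resolution above is worth making concrete. With "Send reset reply for denied outbound TCP packets" enabled (on the CLI, `service resetoutbound`), the ASA answers a denied SYN with a TCP RST of its own, so a `telnet mail.yahoo.com 25` sees a connection that is refused rather than one that hangs, and it is easy to mistake that for the remote server talking back. Nothing from Yahoo ever arrived; the hitcnt climbing on the deny line was the real evidence. The probe below, an added example and not code from the thread, classifies what actually answered on a port: a completed handshake with a banner, a RST, or silence. Its demo is a constructed loopback scenario (a fake SMTP listener and a port with nothing listening), so it runs offline; the banner text and addresses are made up.

```python
"""Probe an outbound TCP port and report what actually answered (added example, not from
the thread). A firewall that sends resets for denied outbound TCP makes a denied
connection look like a refused one; only a real banner proves the server was reached."""
import socket
import threading


def classify_port(host, port, timeout=3.0):
    """Return (verdict, banner). verdict is 'open' (handshake completed, banner read if
    any), 'reset' (TCP RST: a closed port, or a firewall answering on the server's
    behalf), 'filtered' (no answer within timeout: silently dropped) or 'unreachable'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:        # RST to our SYN
        s.close()
        return "reset", ""
    except socket.timeout:                # SYN dropped without any answer
        s.close()
        return "filtered", ""
    except OSError:                       # e.g. ICMP unreachable, no route
        s.close()
        return "unreachable", ""
    try:
        # SMTP servers speak first (a 220 greeting), so a banner means the real
        # service answered; an empty read after a successful handshake is still 'open'.
        banner = s.recv(512).decode("ascii", errors="replace").strip()
    except socket.timeout:
        banner = ""
    finally:
        s.close()
    return "open", banner


def run_demo():
    """Constructed local scenario: a fake SMTP listener on one loopback port and a
    port with nothing listening, so the two verdicts can be compared offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        conn.sendall(b"220 mail.example.test ESMTP (constructed banner)\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    reached = classify_port("127.0.0.1", open_port)

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                      # nothing listens here: the kernel answers with RST
    refused = classify_port("127.0.0.1", closed_port)
    return reached, refused


if __name__ == "__main__":
    for verdict, banner in run_demo():
        print(verdict, banner)
```

From a client behind an ASA with resets enabled, a port the ACL denies and a port where the destination simply has no listener both come back as 'reset', so the client-side probe alone cannot tell them apart; the deny line's hit counter in `show access-list` remains the authoritative check that the firewall, not the server, refused the connection.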
