Cisco Support Community
New Member

ASA ACL Question

Hi all, we have just bought two Cisco ASAs that I have set up in a failover pair. Having some issues with the access lists, however.

I have created an access-list that permits any source to access a web server on the DMZ (using NAT). However, when I browse to the "real" natted address I am getting errors on the ASA saying that the request has been blocked by the implicit deny any statement. I totally understand that; however, why, if I have created an access list that allows HTTP traffic to the Internet address of the webserver, should I be getting it? I can post config if required.

Any idea?


Re: ASA ACL Question

post config...

New Member

Re: ASA ACL Question

Probably missing the static command from your config.

Try the static command:


static (inside, DMZ) 'inside_subnet' 'inside_subnet' netmask 'subnet_mask'


static (inside, DMZ) netmask

New Member

Re: ASA ACL Question

domain-name default.domain.invalid
enable password xxxxxxxxxxx encrypted

interface Ethernet0/0
 description Live Internet Interface
 nameif Live_Internet
 security-level 0
 ip address

interface Ethernet0/1
 description Customer Network
 nameif Customer_Net
 security-level 10
 ip address

interface Ethernet0/2
 description Protected Network
 nameif Protected_Net
 security-level 100
 ip address

interface Management0/0
 description Live Network Interface
 nameif Live_Net
 security-level 100
 ip address

passwd xxxxxxxxxx encrypted
banner exec Welcome to the ASA
banner login Welcome to the ASA
boot system disk0:/asa722-19-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service ISAKMP udp
 port-object eq isakmp
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit
access-list Live_Net_access_in extended permit icmp any
access-list outside_acl extended permit tcp any host eq www
access-list Live_Internet_access_in extended permit tcp any host eq www
pager lines 24
no asdm history enable
arp timeout 14400
global (Protected_Net) 1
static (Live_Internet,Protected_Net) netmask
access-group Live_Internet_access_in in interface Live_Internet
timeout uauth 0:05:00 absolute
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl_1
 default-domain value
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none

  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
http server enable
http Live_Internet
http Live_Net
snmp-server host Live_Net community cognito
snmp-server location Park Royal CAB1
snmp-server contact Cognito Network Operations
snmp-server community cognito
snmp-server enable traps snmp authentication linkup linkdown coldstart
tunnel-group DefaultRAGroup general-attributes
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
ssh timeout 5
console timeout 0

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global

New Member

Re: ASA ACL Question

Issue has been resolved. Had an issue with the natting function, which I have resolved, and it is all working a treat.
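Added example, not part of the thread and not Cisco's code: a small Python audit of the static NAT and inbound ACL relationship this thread turns on, using pre-8.3 ASA rules (the posted boot image is asa722). It checks that each ACL is bound with access-group, that the static lists the higher-security interface first, and that the bound ACL permits the mapped address. The configs are constructed; interface and ACL names follow the posted config, the addresses are documentation-range placeholders, and audit() is a hypothetical helper.

```python
import re

# Constructed configs in pre-8.3 ASA syntax. Interface and ACL names follow the
# posted config; the addresses are documentation-range placeholders (assumed).
HEAD = """interface Ethernet0/0
 nameif Live_Internet
 security-level 0
interface Ethernet0/2
 nameif Protected_Net
 security-level 100
access-list outside_acl extended permit tcp any host 203.0.113.10 eq www
"""
BROKEN = HEAD + """access-list Live_Internet_access_in extended permit tcp any host 192.0.2.10 eq www
static (Live_Internet,Protected_Net) 203.0.113.10 192.0.2.10 netmask 255.255.255.255
access-group Live_Internet_access_in in interface Live_Internet
"""
FIXED = HEAD + """static (Protected_Net,Live_Internet) 203.0.113.10 192.0.2.10 netmask 255.255.255.255
access-group outside_acl in interface Live_Internet
"""

def audit(config):
    """Return findings on static NAT vs. inbound ACL consistency (pre-8.3 rules)."""
    level = {n: int(s) for n, s in
             re.findall(r"nameif (\S+)\s+security-level (\d+)", config)}
    bound = {ifc: acl for acl, ifc in
             re.findall(r"^access-group (\S+) in interface (\S+)", config, re.M)}
    dests = {}  # ACL name -> destination hosts it permits
    for acl, host in re.findall(
            r"^access-list (\S+) extended permit \S+ any host (\S+)", config, re.M):
        dests.setdefault(acl, set()).add(host)
    # An ACL filters nothing until access-group binds it to an interface.
    out = [f"unbound-acl {a}" for a in sorted(dests) if a not in bound.values()]
    for real_if, mapped_if, mapped_ip, real_ip in re.findall(
            r"^static \(([^,\s]+),\s*([^)\s]+)\) (\S+) (\S+) netmask", config, re.M):
        # Syntax is static (real_ifc,mapped_ifc) mapped_ip real_ip; a published
        # server normally sits behind the higher-security interface.
        if level[real_if] < level[mapped_if]:
            out.append(f"interface-order static ({real_if},{mapped_if})")
        outside = min(real_if, mapped_if, key=level.get)
        permitted = dests.get(bound.get(outside), set())
        # Before 8.3 the interface ACL is checked against the mapped address.
        if mapped_ip not in permitted:
            kind = "acl-uses-real-ip" if real_ip in permitted else "acl-missing-mapped-ip"
            out.append(f"{kind} on {outside}")
    return out

if __name__ == "__main__":
    print(audit(BROKEN), audit(FIXED), sep="\n")
```

On the device itself, `packet-tracer input <interface> tcp <src> <sport> <dst> <dport>` shows which NAT and ACL phase drops a test packet.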
