Community Member

ASA5510 access list problem

I recently tried to add a DMZ interface to an existing firewall. When I configured everything I got a Deny on my access list and I'm not sure why. Below is a partial configuration and the Deny statement.....any help would be appreciated...

access-list Outside_access_in extended permit tcp any host xx.xx.xx.xx eq www
access-list Outside_access_in extended permit tcp any host xx.xx.xx.xx eq https
access-list Outside_access_in extended permit tcp any host yy.yy.yy.yy eq www
access-list Outside_access_in extended permit tcp any host yy.yy.yy.yy eq https
access-list Outside_access_in extended permit tcp any host zz.zz.zz.zz eq www
access-list Outside_access_in extended permit tcp any host zz.zz.zz.zz eq https

access-list DMZ-IN extended permit tcp host 10.21.1.11 any eq ssh
access-list DMZ-IN extended permit tcp host 10.21.1.11 any eq smtp
access-list DMZ-IN extended permit udp host 10.21.1.11 any eq syslog
access-list DMZ-IN extended permit udp host 10.21.1.11 any eq domain
access-list DMZ-IN extended permit tcp host 10.21.1.11 any eq www
access-list DMZ-IN extended permit tcp host 10.21.1.11 any eq https
access-list DMZ-IN extended permit tcp host 10.21.1.11 any eq ftp
access-list DMZ-IN extended permit tcp host 10.21.1.11 any eq ftp-data
access-list DMZ-IN extended permit tcp host 10.21.1.11 any eq 10201
access-list DMZ-IN extended permit tcp host 10.21.1.10 any eq ssh
access-list DMZ-IN extended permit tcp host 10.21.1.10 any eq smtp
access-list DMZ-IN extended permit tcp host 10.21.1.10 any eq 51100
access-list DMZ-IN extended permit udp host 10.21.1.10 any eq syslog
access-list DMZ-IN extended permit tcp host 10.21.1.10 any gt 1023
access-list DMZ-IN extended permit tcp host 10.21.1.10 any eq www
access-list DMZ-IN extended permit tcp host 10.21.1.10 any eq https
access-list DMZ-IN extended permit udp host 10.21.1.10 any eq domain
access-list DMZ-IN extended permit tcp host 10.21.1.10 any eq ftp
access-list DMZ-IN extended permit tcp host 10.21.1.10 any eq ftp-data
access-list DMZ-IN extended permit tcp host 10.21.1.12 any eq https
access-list DMZ-IN extended permit udp host 10.21.1.12 any eq www
access-list DMZ-IN extended permit udp host 10.21.1.12 any eq 10001

global (Outside) 1 interface

nat (Inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 10.21.0.0 255.255.0.0

static (DMZ,Outside) xx.xx.xx.xx 10.21.1.11 netmask 255.255.255.255
static (DMZ,Outside) zz.zz.zz.zz 10.21.1.12 netmask 255.255.255.255
static (DMZ,Outside) yy.yy.yy.yy 10.21.1.10 netmask 255.255.255.255

access-group Outside_access_in in interface Outside
access-group DMZ-IN in interface DMZ

route Outside 0.0.0.0 0.0.0.0 aa.aa.aa.aa 1

Here is the Deny....

%ASA-4-106023: Deny tcp src Outside:70.184.zz.zz/2628 dst DMZ:xx.xx.xx.xx/443 by access-group "Outside_access_in" [0x0, 0x0]

xx.xx.xx.xx shows up as my web server external address.....

Thanks

8 REPLIES
Green

Re: ASA5510 access list problem

In the following..

access-list Outside_access_in extended permit tcp any host xx.xx.xx.xx eq https

is xx.xx.xx.xx also the external address of the server? If not, it needs to be.

Community Member

Re: ASA5510 access list problem

Yes, it is the same address.....

Cisco Employee

Re: ASA5510 access list problem

Since you did not provide the IP address in the syslog or in the config, it is hard for us to say why it is denied.

access-list Outside_access_in extended permit tcp any host xx.xx.xx.xx eq www
access-list Outside_access_in extended permit tcp any host xx.xx.xx.xx eq https
access-list Outside_access_in extended permit tcp any host yy.yy.yy.yy eq www
access-list Outside_access_in extended permit tcp any host yy.yy.yy.yy eq https
access-list Outside_access_in extended permit tcp any host zz.zz.zz.zz eq www
access-list Outside_access_in extended permit tcp any host zz.zz.zz.zz eq https

Pls. verify that the IP address listed in the deny acl is listed in the above line.

-KS

Community Member

Re: ASA5510 access list problem

Here they are....

access-list Outside_access_in extended permit tcp any host 12.177.49.213 eq www
access-list Outside_access_in extended permit tcp any host 12.177.49.213 eq https
access-list Outside_access_in extended permit tcp any host 12.29.188.41 eq www
access-list Outside_access_in extended permit tcp any host 12.29.188.41 eq https
access-list Outside_access_in extended permit tcp any host 12.177.49.217 eq www
access-list Outside_access_in extended permit tcp any host 12.177.49.217

%ASA-4-106023: Deny tcp src Outside:70.184.zz.zz/2628 dst DMZ:12.177.49.213/443 by access-group "Outside_access_in" [0x0, 0x0]

Cisco Employee

Re: ASA5510 access list problem

I was able to load the page and get the following: https://12.177.49.213/

It is working!!

Welcome, SPORT fan!

Yes, we hope you'll become a fan of this Supplier Portal because it allows:

Faster, Easier Data Collection
Easy-to-use screens make life easier for everyone.

A Better Buying Experience
Complete, correct information keeps customers coming back for your products.

Greater Information Availability
SPORT helps eliminate guesswork and paper chases.

More Reliable Information
SPORT signals when information is overdue, incomplete or may need updating.

Valuable Time Savings
Better information means more time spent growing sales and profits rather than problem-solving.

We value your hard work creating new products, cutting complexities and cycle times, and managing information, costs and inventories. SPORT centralizes the many details we need to promote your products and the rest of

-KS

Community Member

Re: ASA5510 access list problem

Originally this was set up on a PIX 525......I am shutting the PIX down and moving it to an ASA......when I couldn't get it to work this morning I moved it back to the PIX....I still need to shut down the PIX so I need to get it working on the ASA.....the Deny statement is from the ASA....

Cisco Employee

Re: ASA5510 access list problem

Once you replace the PIX with the ASA pls. compare the ACL lines and see if they look correct. When you replace the device with the same IP address, the arp table on the upstream device needs to be cleared or it will still have the old PIX's MAC address.

Are you sure you copied and pasted the acl lines from the ASA?

-KS

Community Member

Re: ASA5510 access list problem

Yes, I copied and pasted from the PIX......I rebooted the router in front of the ASA......I didn't reboot the ASA.
