New Member

ASA5510 issue with creating new ACLs

I recently took over this firewall from another person who is no longer with the company. For some reason, when I create a new NAT and apply a simple ACL, the ASA blocks it with the implicit deny rule.

I can't seem to understand why that would be. I've set up this type of thing many times without issues.

Anyone have any ideas?

Thanks,

Harmeet

I've attached the running config for some reference. The NAT in question is XXX.XXX.XXX.54 with the corresponding ACL, acl_out line

3 REPLIES
Cisco Employee

Re: ASA5510 issue with creating new ACLs

Add the line:

access-list inside_access_out line 1 permit ip any host 10.1.1.201

It should work.

New Member

Re: ASA5510 issue with creating new ACLs

Thanks. Unfortunately it didn't work.

I checked that rule in the ASDM packet tracer and it worked well, but in reality it didn't.

So I checked the packet tracer for the entry you just asked me to put in. It is being stopped by the NAT.

nat (inside) 1 0.0.0.0 0.0.0.0 match ip inside any inside any dynamic translation to pool 1 (No matching global) translate_hits = 3, untranslate_hits = 0

So, I guess I'm now out to look at why the global statement for this NAT is not there.

Any suggestions?

Harmeet
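The packet-tracer line quoted above is the whole story: on a pre-8.3 ASA, a `nat (iface) <id>` rule needs a `global (<egress-iface>) <id>` on the interface the packet leaves through, otherwise the NAT phase ends in "No matching global" and the packet is dropped regardless of what the ACL says. The script below is an added example, not code from this thread or from Cisco: it parses a small, constructed running-config fragment (interface names, addresses and ACL names are made up) and reports every dynamic NAT id that has no global on some interface, mimicking the tracer's NAT phase for a chosen ingress/egress pair. The `interface` keyword in the suggested fix (PAT to the egress interface address) is the usual one-liner; a real deployment might want a `global` pool instead.

```python
"""Spot dynamic NAT rules with no usable global on a pre-8.3 Cisco ASA config.

Added example, not code from the thread. The sample config below is
constructed to reproduce the packet-tracer result quoted in the thread:
nat (inside) 1 exists but there is no global with id 1 on any interface,
so the NAT phase ends in "No matching global" before any ACL decision matters.
Interface names, addresses and ACL names in the sample are made up.
"""
import re
from collections import defaultdict

# Constructed sample running-config fragment (not the poster's real config).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/2
 nameif dmz
 security-level 50
access-list acl_out extended permit tcp any host 203.0.113.54 eq 443
access-list inside_access_out line 1 extended permit ip any host 10.1.1.201
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 2 10.1.2.0 255.255.255.0
global (outside) 2 interface
static (inside,outside) 203.0.113.54 10.1.1.201 netmask 255.255.255.255
access-group acl_out in interface outside
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.*)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (.*)$")
NAMEIF_RE = re.compile(r"^\s+nameif (\S+)$")


def parse_config(text):
    """Return (nat rules, {nat id: {egress iface: pool spec}}, interface names)."""
    nats, pools, ifaces = [], defaultdict(dict), set()
    for line in text.splitlines():
        if m := NAT_RE.match(line):
            nats.append((m[1], int(m[2]), m[3]))
        elif m := GLOBAL_RE.match(line):
            pools[int(m[2])][m[1]] = m[3]
        elif m := NAMEIF_RE.match(line):
            ifaces.add(m[1])
    return nats, pools, ifaces


def nat_phase(text, ingress, nat_id, egress):
    """Mimic the packet tracer's NAT phase for one nat rule and egress interface.

    Returns the global pool spec the translation would use, 'identity' for
    nat id 0 (exempt NAT never needs a global), 'no nat rule' if no such rule
    exists on the ingress interface, or 'No matching global' when no global
    with that id exists on the egress interface (the failure in the thread).
    """
    nats, pools, _ = parse_config(text)
    if not any(i == ingress and n == nat_id for i, n, _ in nats):
        return "no nat rule"
    if nat_id == 0:
        return "identity"
    return pools.get(nat_id, {}).get(egress, "No matching global")


def dangling_nats(text):
    """For every non-zero nat rule, list the egress interfaces lacking a global.

    Every interface is considered, including the rule's own interface, because
    intra-interface (hairpin) traffic also needs a global on that interface,
    which is exactly the 'inside any inside any' case in the thread.
    """
    nats, pools, ifaces = parse_config(text)
    report = {}
    for iface, nat_id, _ in nats:
        if nat_id == 0:
            continue
        missing = sorted(i for i in ifaces if i not in pools.get(nat_id, {}))
        if missing:
            report[(iface, nat_id)] = missing
    return report


if __name__ == "__main__":
    for (iface, nat_id), missing in dangling_nats(SAMPLE_CONFIG).items():
        print(f"nat ({iface}) {nat_id}: no global {nat_id} on {', '.join(missing)}")
        for egress in missing:
            # PAT to the egress interface address is the usual one-line fix.
            print(f"  candidate fix: global ({egress}) {nat_id} interface")
```

Run it against a saved `show running-config` instead of the constructed sample to get the same list the packet tracer would hand you one flow at a time; the check is worth keeping around when inheriting a firewall, because a nat rule whose global was deleted silently turns into a blackhole that no ACL change will fix.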

Cisco Employee

Re: ASA5510 issue with creating new ACLs

Harmeet, can you get the following for me:

1) sh xlate det | inc x.x.x.x

2) debug icmp trace and logs at debug level
