
ASA5510 issue with creating new ACLs

harmeet.ahuja
Level 1

I've recently taken over this new firewall to manage from another person who is no longer with the company. For some reason, when I created a new NAT and applied a simple ACL, the ASA blocks it with the implicit deny rule.

I can't seem to understand why that would be. I've set up this type of thing many times without issues.

Anyone have any ideas?

Thanks,

Harmeet

I've attached the running config for some reference. The NAT in question is XXX.XXX.XXX.54 with the corresponding ACL, acl_out line

3 Replies

abinjola
Cisco Employee

Add the line:

access-list inside_access_out line 1 permit ip any host 10.1.1.201

It should work.

Thanks. Unfortunately it didn't work.

I checked that rule in the ASDM packet tracer and it worked well, but in reality it didn't.

So I checked the packet tracer for the entry you just asked me to put in. It is being stopped by the NAT.

nat (inside) 1 0.0.0.0 0.0.0.0 match ip inside any inside any dynamic translation to pool 1 (No matching global) translate_hits = 3, untranslate_hits = 0

So, I guess I'm now off to look at why the global statement for this NAT is not there.

Any suggestions?

Harmeet
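The "(No matching global)" result in the trace above can be checked offline against a saved configuration. The following is an added example, not part of the original thread: it assumes the pre-8.3 `nat (iface) ID` / `global (iface) ID` syntax seen in the trace, the sample configuration is constructed (it is not the poster's attachment), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in pre-8.3 ASA syntax; not the poster's attached config.
SAMPLE_CONFIG = """\
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 2 192.168.50.0 255.255.255.0
global (outside) 1 interface
global (outside) 2 192.0.2.10-192.0.2.20
"""

NAT_RE = re.compile(r"^\s*nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^\s*global \((\S+)\) (\d+) ")


def parse_nat_global(config):
    """Return (nat_ids, pools): sets of NAT IDs keyed by interface name."""
    nat_ids, pools = defaultdict(set), defaultdict(set)
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if m:
            iface, nat_id = m.group(1), int(m.group(2))
            # NAT ID 0 is identity NAT / NAT exemption and needs no global.
            if nat_id != 0:
                nat_ids[iface].add(nat_id)
            continue
        m = GLOBAL_RE.match(line)
        if m:
            pools[m.group(1)].add(int(m.group(2)))
    return nat_ids, pools


def missing_globals(config, src_iface, dst_iface):
    """NAT IDs on src_iface that have no global pool on dst_iface.

    A flow matching one of these dynamic NAT rules has nothing to
    translate to on the egress interface. Static NAT is not considered.
    """
    nat_ids, pools = parse_nat_global(config)
    return sorted(i for i in nat_ids[src_iface] if i not in pools[dst_iface])


if __name__ == "__main__":
    for src, dst in [("inside", "outside"), ("inside", "inside")]:
        gaps = missing_globals(SAMPLE_CONFIG, src, dst)
        print(f"{src} -> {dst}: NAT IDs without a global: {gaps or 'none'}")
```

In the constructed sample, the inside-to-inside flow reports NAT ID 1 as having no global, which is the same interface pair shown in the trace (`match ip inside any inside any`).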

Harmeet, can you get the following for me:

1) sh xlate det | inc x.x.x.x

2) debug icmp trace and logs at debug level
