Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Basic firewall config, yet blocking packets.

This is a brand new config, there's nothing on it.  I'm just trying to get packets to reach it, but it says it's being denied:

%ASA-3-710003: TCP access denied by ACL from 72.201.89.xx/23910 to outside:64.38.xxx.xx/80

I don't have a web server running on it, I'm just trying random ports to see if it'll go through before I start digging into my VPN issue.

Here is the config, allowing everything inbound/outbound:

vpn# show run

: Saved

:

ASA Version 8.2(5)

!

hostname vpn

domain-name xxx.net

enable password xxx encrypted

passwd xxx encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.0.16.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 64.38.x.x 255.255.255.192

!

ftp mode passive

dns server-group DefaultDNS

domain-name xxx

access-list OUTBOUND extended permit ip any any

access-list INBOUND extended permit ip any any

pager lines 24

logging enable

logging buffered debugging

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

access-group OUTBOUND in interface inside

access-group INBOUND in interface outside

route outside 0.0.0.0 0.0.0.0 64.38.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!            

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

What is making it deny all inbound packets?

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions

Basic firewall config, yet blocking packets.

Hello Tyler,

In ording to allow a packet from a lower security level to a higher security level on a version with nat-control enable you need:

1- A bidirectional translation ( Static one to one, Nat 0 with ACL)

2- An ACL allowing the traffic.

In this case you are missing the first one.

Regards,

Julio

Rate all the helpful posts

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
2 REPLIES

Basic firewall config, yet blocking packets.

Hello Tyler,

In ording to allow a packet from a lower security level to a higher security level on a version with nat-control enable you need:

1- A bidirectional translation ( Static one to one, Nat 0 with ACL)

2- An ACL allowing the traffic.

In this case you are missing the first one.

Regards,

Julio

Rate all the helpful posts

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
Red

Basic firewall config, yet blocking packets.

Hi Tyler,

Wat exactly are you trying to access, is it the outside interafce of the ASA?? If it is any other IP address in the same subnet that your isp has provided, then you would need to plug a host on the inside interface and do static nat for it, then only you would get a response for random ports on it.

Try this:

plug a host on the inside interface, assign an ip, lets say 10.0.16.2, then you would need the static:

static (inside,outside) 64.38.xx.xx 10.0.16.2

Then try the connection, it should then show you everything opened.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks, Varun Rao Security Team, Cisco TAC
373
Views
5
Helpful
2
Replies