Cisco Support Community
Community Member

Clients are not hitting policy when there are too many users

Hi Team

I am facing a problem with my Cisco ASA policy:

I am running ASA version 8.0(4)

My config is as follows:

interface Ethernet0/0
nameif inside
security-level 100
ip address

interface Ethernet0/1
nameif outside
security-level 0
ip address

access-list outbound extended permit ip host A.B.C.D  log # This is the policy that is working with a few hosts in the subnet

But when too many hosts log in, this policy fails and there is no hit on the policy.

But at the same time, if I apply the policy below, permit all, and disable the above policy, it works:

access-list outbound extended permit ip any

It starts working for the same subnet for which it stopped working previously.

I am using no NAT for the whole subnet, as NAT is working in the router.

It is really confusing that the above policy works for a few hosts, and if enough users log in the policy stops working and we need to allow the complete subnet.

The IP access is A.B.C.D

Any help will be appreciated.


Cisco Employee

Re: Clients are not hitting policy when there are too many users

How did you gather it is not working when there are many hosts?

What do you mean it is not working?

Is it allowing access but not logging? I see that you have the "log" keyword.

What do the logs show when you say it breaks?

In the second access-list that you add, you are adding "any" for the destination, whereas the one before had a specific destination.

Please clarify.
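As an added illustration (not part of either post), this is the kind of per-host tally from ASA ACL syslog that would answer the reply's question about what the logs show: it parses lines in the format of 106100 messages (hits on an ACE carrying the log keyword) and 106023 messages (denies by an access-group) and lists source hosts the ACL denied but never permitted. The message formats are assumed from their documented shape, the ACL name "outbound" is taken from the post, and the sample lines and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines in the style of ASA 106100 (ACE with "log")
# and 106023 (deny by access-group) messages; addresses are RFC 5737 test ranges.
SAMPLE_LOGS = """\
%ASA-6-106100: access-list outbound permitted tcp inside/192.0.2.10(50012) -> outside/198.51.100.20(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list outbound permitted tcp inside/192.0.2.10(50013) -> outside/198.51.100.20(80) hit-cnt 3 300-second interval [0x1a2b3c4d, 0x0]
%ASA-4-106023: Deny tcp src inside:192.0.2.77/51000 dst outside:198.51.100.20/443 by access-group "outbound" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:192.0.2.78/51001 dst outside:198.51.100.21/443 by access-group "outbound" [0x0, 0x0]
"""

# Assumed field layout of 106100: acl, action, proto, iface/src(port) -> iface/dst(port), hit-cnt N
HIT_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) \S+/(?P<src>[\d.]+)\(\d+\) -> \S+/(?P<dst>[\d.]+)\(\d+\) hit-cnt (?P<cnt>\d+)"
)
# Assumed field layout of 106023: Deny proto src iface:addr/port dst iface:addr/port by access-group "acl"
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\S+) src \S+:(?P<src>[\d.]+)/\d+ dst \S+:(?P<dst>[\d.]+)/\d+ "
    r'by access-group "(?P<acl>[^"]+)"'
)

def summarize(lines):
    """Return {acl: {"permitted": Counter(src_ip), "denied": Counter(src_ip)}}."""
    out = defaultdict(lambda: {"permitted": Counter(), "denied": Counter()})
    for line in lines:
        m = HIT_RE.search(line)
        if m:
            key = "permitted" if m["action"] in ("permitted", "est-allowed") else "denied"
            out[m["acl"]][key][m["src"]] += int(m["cnt"])  # hit-cnt aggregates repeats
            continue
        m = DENY_RE.search(line)
        if m:
            out[m["acl"]]["denied"][m["src"]] += 1
    return out

def hosts_never_permitted(summary, acl):
    """Source hosts that only ever appear as denied by this ACL: the ones to look at first."""
    s = summary[acl]
    return sorted(set(s["denied"]) - set(s["permitted"]))

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOGS.splitlines())
    for acl, counts in summary.items():
        print(acl, "permitted:", dict(counts["permitted"]), "denied:", dict(counts["denied"]))
        print(acl, "denied-only hosts:", hosts_never_permitted(summary, acl))
```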

