07-27-2013 12:12 PM - edited 03-11-2019 07:17 PM
When I log into my ASA and create an access list, the rule does not work. Is it possible that I am adding an ACL on the standby and not the primary?
How do I check which is primary or standby?
Solved!
07-27-2013 02:51 PM
Hello Tony,
First of all, you are not on the active nor the standby, as failover is off.
Second, you need to have the access-group command in order for an ACL to take effect.
show run access-group will show us if you have it.
Finally, you need the static command because you want to start connections from the DMZ, and the static NAT is bidirectional, which means you can initiate connections from the other side (in this case the DMZ), so you need it.
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura
07-27-2013 12:31 PM
Hello Tony,
Have you applied the access-group command?
Type the command:
show failover (this will tell you if you are on the active or standby box)
Also, when you generate a new command on the standby unit you get a warning about a configuration mismatch, so if you have not seen it you are on the primary.
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura
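The two checks in the answers above (is the access-list actually bound with access-group, and what does show failover say about this unit) are easy to automate. The script below is an added example, not code from the thread or from Cisco: it parses a constructed pre-8.3 running-config excerpt that includes the corrected access-list, access-group and static lines, reports every access-list that is defined but never applied, and reads show failover output to tell a standalone unit from an Active or Standby one. The interface names, the addresses 192.0.2.10 and 10.1.1.10, the extra acl-unused entry and the 8.3+ "access-group NAME global" form are assumptions for illustration.

```python
"""Audit helpers for the two checks in the thread above.

1. An ASA access-list that no access-group binds to an interface (or, on
   8.3+, globally) is inert: its lines sit in the config and "show
   access-list" even displays them, but no packet is evaluated against them.
2. "show failover" says whether failover is on at all and, if so, whether
   this unit is Active or Standby. "Failover unit Primary/Secondary" is only
   the configured designation, not the current role.
"""
from __future__ import annotations

import re

# Constructed pre-8.3 running-config excerpt (not from the thread). Interface
# names, acl-unused and the addresses 192.0.2.10 / 10.1.1.10 are assumptions.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
access-list acl-outside extended permit tcp any host 192.0.2.10 eq 443
access-list acl-dmz2 remark KMS from the DMZ to the inside host
access-list acl-dmz2 extended permit tcp any host 10.1.1.10 eq 1688
access-list acl-unused extended permit ip any any
static (inside,dmz) 10.1.1.10 10.1.1.10 netmask 255.255.255.255
access-group acl-outside in interface outside
access-group acl-dmz2 in interface dmz
"""

# Constructed "show failover" outputs: the first mirrors the thread, the second
# is the trimmed shape a working Active/Standby pair prints.
SHOW_FAILOVER_OFF = """\
Failover Off
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet1/1 (up)
"""

SHOW_FAILOVER_ON = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet1/1 (up)
This host: Primary - Active
Other host: Secondary - Standby Ready
"""

ACL_DEF = re.compile(r"^access-list\s+(\S+)\s")
# "access-group NAME in|out interface IFC" or "access-group NAME global" (8.3+)
ACL_BIND = re.compile(
    r"^access-group\s+(\S+)\s+(?:(in|out)\s+interface\s+(\S+)|(global))\s*$"
)


def defined_acls(config: str) -> set[str]:
    """Names of every access-list that has at least one line (remarks count)."""
    names: set[str] = set()
    for line in config.splitlines():
        m = ACL_DEF.match(line.strip())
        if m:
            names.add(m.group(1))
    return names


def bound_acls(config: str) -> dict[str, tuple[str, str]]:
    """Map ACL name -> (direction, interface) for every access-group line."""
    bindings: dict[str, tuple[str, str]] = {}
    for line in config.splitlines():
        m = ACL_BIND.match(line.strip())
        if m:
            name, direction, ifc, glob = m.groups()
            bindings[name] = ("in", "global") if glob else (direction, ifc)
    return bindings


def unbound_acls(config: str) -> list[str]:
    """ACLs that exist but filter nothing: defined and never applied."""
    return sorted(defined_acls(config) - set(bound_acls(config)))


def failover_role(show_failover: str) -> str:
    """'standalone' when failover is off, else 'active', 'standby' or 'unknown'."""
    lines = [l.strip() for l in show_failover.splitlines() if l.strip()]
    if not lines or lines[0].startswith("Failover Off"):
        return "standalone"
    m = re.search(r"^This host:\s+\S+\s+-\s+(Active|Standby)", show_failover, re.M)
    return m.group(1).lower() if m else "unknown"


if __name__ == "__main__":
    print("unit role:", failover_role(SHOW_FAILOVER_OFF))
    bindings = bound_acls(SAMPLE_RUNNING_CONFIG)
    for name in sorted(defined_acls(SAMPLE_RUNNING_CONFIG)):
        print(f"{name}: {bindings.get(name) or 'NOT APPLIED'}")
```

On the constructed input acl-unused is the only entry reported as not applied; feed the script your own "show running-config" and "show failover" text to get the same report for a real unit.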
07-27-2013 12:47 PM
this is what i see
show failover
Failover Off
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet1/1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 5 of 210 maximum
failover replication http
No, I have not applied the access-group command. I am trying to create this:
access-list acl-dmz2 line 101 extended permit tcp any host x.x.x.x eq 1688
but it does not work.
Also, I did not see any warning after creating the ACL.
07-27-2013 12:53 PM
I think I am on the active since there are hit counts on the ACLs. The other one has no hit counts. But my simple ACL is not working.
07-27-2013 01:47 PM
OK, I think I found out why. In addition to the access-list line, I also needed
static (inside,dmz) insideIP insideIP netmask 255.255.255.255
Why is that?
07-27-2013 03:51 PM
Thank you. I do have access-group.
07-27-2013 11:43 PM
Hello Tony,
My pleasure
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura