Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Traffic allowed by acl being dropped on ASA5510 7.2(1)

Traffic allowed by acl is being denied, with the source port showing what the dest port should be.

Here is the relevant acl line:

access-list acl-cpt line 17 extended permit tcp 192.29.152.0 255.255.255.0 host 192.168.52.2 eq smtp (hitcnt=2)

Here is the error:

%ASA-4-106023: Deny tcp src cpt:192.29.152.107/25 dst pgpserv:192.168.52.2/32819 by access-group "acl-cpt"

The /25 should be on the destination, 192.168.52.2, but is showing up on the source.

This acl worked in our PIX 6.2(4), but this error is occurring on this ASA device.

We have multiple instances of this problem occurring. I have tried deleting and re-applying the access-group, and I thought it fixed the problem, but it did not.

If you have any ideas, please let me know. Thank you.

8 REPLIES
Green

Re: Traffic allowed by acl being dropped on ASA5510 7.2(1)

Is it possible you have your security levels reversed or something? I dont think the asa would lie. Looking at your previous post it appears that your Eth0 is outside but your default route is Eth1 inside? Maybe a small topology and config would help.

Community Member

Re: Traffic allowed by acl being dropped on ASA5510 7.2(1)

It does not matter if the default route is

eth1 inside, as long as he has static routes

for the eth0 outside interface. Look to me like

this a bug in this code.

Green

Re: Traffic allowed by acl being dropped on ASA5510 7.2(1)

I wasn't saying that was a problem, just throwing ideas out there with limited knowledge of the problem and no config. Almost look like traffic is going out around the asa, then the return traffic is hitting outside of asa, that would explain the source port of 25.

Re: Traffic allowed by acl being dropped on ASA5510 7.2(1)

hi .. what happend if you start a manual telnet on port 25 i.e from 192.29.152.X PC start a telnet 192.168.52.2 25

Community Member

Re: Traffic allowed by acl being dropped on ASA5510 7.2(1)

Here are the relevant parts of the config. I do not have any statics defined. Shouldn't the nat exemption take care of that? Thanks for all your help, folks. I'm just trying to retrofit all the commands from the PIX 6.2(4) over to the ASA 7.2(1) and maybe it isn't that simple.

Cisco Adaptive Security Appliance Software Version 7.2(1)

Device Manager Version 5.2(1)

Hardware: ASA5510-K8, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz

This platform has an ASA 5510 Security Plus license.

ASA Version 7.2(1)

interface Ethernet0/0

speed 100

duplex full

nameif pgpserv

security-level 0

ip address 192.168.52.1 255.255.255.0

!

interface Ethernet0/1

speed 100

duplex full

nameif cpt

security-level 90

ip address 172.16.250.7 255.255.255.0

!

access-list matchall extended permit ip any any

access-list acl-pgpserv extended permit tcp host 192.168.52.2 192.29.152.0 255.255.255.0 eq smtp

access-list acl-pgpserv extended permit tcp host 192.168.52.3 192.29.152.0 255.255.255.0 eq smtp

access-list acl-pgpserv extended permit tcp host 192.168.52.4 192.29.152.0 255.255.255.0 eq smtp

access-list acl-pgpserv extended permit tcp host 192.168.52.5 192.29.152.0 255.255.255.0 eq smtp

access-list acl-pgpserv extended deny ip any any

access-list acl-cpt extended permit tcp 192.29.152.0 255.255.255.0 host 192.168.52.2 eq smtp

access-list acl-cpt extended permit tcp 192.29.152.0 255.255.255.0 host 192.168.52.3 eq smtp

access-list acl-cpt extended permit tcp 192.29.152.0 255.255.255.0 host 192.168.52.4 eq smtp

access-list acl-cpt extended permit tcp 192.29.152.0 255.255.255.0 host 192.168.52.5 eq smtp

access-list acl-cpt extended deny ip any any

mtu pgpserv 1500

mtu cpt 1500

arp timeout 14400

nat (cpt) 0 access-list matchall

access-group acl-pgpserv in interface pgpserv

access-group acl-cpt in interface cpt

route cpt 0.0.0.0 0.0.0.0 172.16.250.2 1

Community Member

Re: Traffic allowed by acl being dropped on ASA5510 7.2(1)

Well, I can't explain it, and I don't want to leave this in place, but I added an acl line to acl-cpt, just before the deny line:

access-list acl-cpt line 54 extended permit tcp 192.29.152.0 255.255.255.0 eq smtp host 192.168.52.2 (hitcnt=0)

The "sh access-list" does not indicate any hits on this line, but the hitcnt on the other acl line for dest port 25 is now incrementing, and I don't see any drops. This makes no sense. Does anyone have any ideas?

Community Member

Re: Traffic allowed by acl being dropped on ASA5510 7.2(1)

I can't explain why the new ACE doesn't increment you number count, but you can see why it doesn't work without it. Your ACL on the CPT interface is only allowing traffic back to the PGPSERV interface that has a destination port of 25. Obviously the return traffic is to port 32819 which was the source port of the device originating the request on the 192.168.52.x network.

It works with the added ACE because you are finally allowing traffic back through the CPT interface that is going to all TCP ports other than just 25.

Community Member

Re: Traffic allowed by acl being dropped on ASA5510 7.2(1)

So why did it work with the PIX 6.2(4)? With a stateful firewall, if smtp (dest port 25) is allowed from point A to point B, the return traffic should be allowed, it should not require explicit permit in the ACL.

213
Views
0
Helpful
8
Replies
CreatePlease to create content