
FWSM ACL problem

This is something strange, details...

FWSM Firewall Version 2.3(2)

ip address inside 10.7.127.100 255.255.255.240

ip address NCI-DMZ 10.7.126.1 255.255.255.224

access-group acl_nci-dmz in interface NCI-DMZ

access-group acl_inside in interface inside

nameif vlan100 inside security100

nameif vlan15 NCI-DMZ security54

nat (inside) 0 0.0.0.0 0.0.0.0

nat (NCI-DMZ) 0 0.0.0.0 0.0.0.0

No static related to this.

access-list acl_nci-dmz extended permit tcp host 10.7.126.20 host 10.7.2.112 eq 8080 (hitcnt=0)

access-list acl_nci-dmz extended permit tcp host 10.7.126.21 host 10.7.2.112 eq 8080 (hitcnt=0)

ping inside 10.7.2.112

10.7.2.112 response received -- 0ms

ping NCI-DMZ 10.7.126.20

10.7.126.20 response received -- 0ms

Aug 14 13:36:33 FWSM-A %FWSM-3-106010: Deny inbound tcp src NCI-DMZ:10.7.126.20/64152 dst inside:10.7.2.112/8080

Aug 14 14:49:38 FWSM-A %FWSM-3-106010: Deny inbound tcp src NCI-DMZ:10.7.126.20/64851 dst inside:10.7.2.112/8080

Why is it getting denied? There are no outbound ACLs on the FWSM, and no denies before these lines that could block this traffic, just inbound ACLs on all interfaces. Opening the ACL on the source interface is enough to allow access.

This FWSM has many VLANs as interfaces. Each has an access-list of thousands of lines. What is the maximum size (number of lines) of an ACL that the FWSM can handle? Is there any limitation? I suspect this is the cause, as the ACL lines are not being downloaded into hardware.

Thanks


Re: FWSM ACL problem

Do you have a static translation for your inside host?

It is not included in the above config.
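As an added triage example (not part of the original thread or of any Cisco tool), the script below parses the %FWSM-3-106010 deny lines and the access-list entries quoted in the question, maps each deny to the ingress ACL via the access-group bindings, and reports whether the ingress ACL actually permits the flow. When it does, the deny cannot be explained by the ACL, which is exactly the situation the reply points at (a missing static translation). The two ACL lines and the first two syslog lines are copied from the post; the third syslog line and the interface-to-ACL mapping are constructed for the example, and only the "host ... host ... eq" ACE form from the post is handled.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the two ACEs and the first two syslog lines are
# copied from the post; the third syslog line is constructed so that the
# "no permit ACE matches" path is exercised as well.
ACL_TEXT = """\
access-list acl_nci-dmz extended permit tcp host 10.7.126.20 host 10.7.2.112 eq 8080 (hitcnt=0)
access-list acl_nci-dmz extended permit tcp host 10.7.126.21 host 10.7.2.112 eq 8080 (hitcnt=0)
"""

SYSLOG_TEXT = """\
Aug 14 13:36:33 FWSM-A %FWSM-3-106010: Deny inbound tcp src NCI-DMZ:10.7.126.20/64152 dst inside:10.7.2.112/8080
Aug 14 14:49:38 FWSM-A %FWSM-3-106010: Deny inbound tcp src NCI-DMZ:10.7.126.20/64851 dst inside:10.7.2.112/8080
Aug 14 15:02:11 FWSM-A %FWSM-3-106010: Deny inbound tcp src NCI-DMZ:10.7.126.22/40001 dst inside:10.7.2.112/8080
"""

# Interface -> ingress ACL, taken from the access-group lines in the post.
ACCESS_GROUPS = {"NCI-DMZ": "acl_nci-dmz", "inside": "acl_inside"}

# Only the "host X host Y eq N" ACE form shown in the post is parsed;
# other ACE forms (subnets, ranges, object-groups) are skipped.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"host (?P<src>\S+) host (?P<dst>\S+) eq (?P<port>\d+)"
)
DENY_RE = re.compile(
    r"%FWSM-3-106010: Deny inbound (?P<proto>\w+) "
    r"src (?P<src_if>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Ace:
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    port: int


def parse_acl(text: str) -> list:
    """Parse 'show access-list' style output into Ace records, in order."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.append(Ace(m["acl"], m["action"], m["proto"],
                            m["src"], m["dst"], int(m["port"])))
    return aces


def first_match(aces, acl_name: str, proto: str, src: str, dst: str, dport: int) -> Optional[Ace]:
    """First ACE in acl_name matching the flow (first-match semantics), or None."""
    for ace in aces:
        if (ace.acl == acl_name and ace.proto == proto
                and ace.src == src and ace.dst == dst and ace.port == dport):
            return ace
    return None


def triage(syslog_text: str, acl_text: str, access_groups: dict) -> list:
    """For each 106010 deny, say whether the ingress ACL explains it.

    Returns (src, dst, dport, verdict) tuples. A permit ACE on the ingress
    ACL means the ACL is not the reason for the deny, so the next thing to
    check is the translation (the static the reply asks about).
    """
    aces = parse_acl(acl_text)
    results = []
    for line in syslog_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        acl_name = access_groups.get(m["src_if"])
        ace = (first_match(aces, acl_name, m["proto"], m["src"], m["dst"], int(m["dport"]))
               if acl_name else None)
        if ace is None:
            verdict = "no matching permit ACE on the ingress ACL; the deny is expected"
        elif ace.action == "permit":
            verdict = "ingress ACL permits this flow; check for a missing translation (static) or another cause"
        else:
            verdict = "an explicit deny ACE matches this flow"
        results.append((m["src"], m["dst"], int(m["dport"]), verdict))
    return results


if __name__ == "__main__":
    for src, dst, dport, verdict in triage(SYSLOG_TEXT, ACL_TEXT, ACCESS_GROUPS):
        print(f"{src} -> {dst}:{dport}: {verdict}")
```

Run against the quoted lines, the two denies for 10.7.126.20 are flagged as permitted by acl_nci-dmz, which narrows the investigation to the translation path; the constructed 10.7.126.22 line has no permit ACE and is reported as an expected deny.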
