FWSM ACL problem

This is something strange, details...

FWSM Firewall Version 2.3(2)

ip address inside 10.7.127.100 255.255.255.240
ip address NCI-DMZ 10.7.126.1 255.255.255.224
access-group acl_nci-dmz in interface NCI-DMZ
access-group acl_inside in interface inside
nameif vlan100 inside security100
nameif vlan15 NCI-DMZ security54
nat (inside) 0 0.0.0.0 0.0.0.0
nat (NCI-DMZ) 0 0.0.0.0 0.0.0.0

No static related to this.

access-list acl_nci-dmz extended permit tcp host 10.7.126.20 host 10.7.2.112 eq 8080 (hitcnt=0)
access-list acl_nci-dmz extended permit tcp host 10.7.126.21 host 10.7.2.112 eq 8080 (hitcnt=0)

ping inside 10.7.2.112
10.7.2.112 response received -- 0ms

ping NCI-DMZ 10.7.126.20
10.7.126.20 response received -- 0ms

Aug 14 13:36:33 FWSM-A %FWSM-3-106010: Deny inbound tcp src NCI-DMZ:10.7.126.20/64152 dst inside:10.7.2.112/8080
Aug 14 14:49:38 FWSM-A %FWSM-3-106010: Deny inbound tcp src NCI-DMZ:10.7.126.20/64851 dst inside:10.7.2.112/8080

Why is it getting denied? There are no outbound ACLs on the FWSM and no denies before these lines that could block this traffic, just inbound ACLs on all interfaces. Opening the ACL on the source interface is enough to allow access.

This FWSM has many VLANs as interfaces. Each has an access list of thousands of lines. What is the maximum size (number of lines) of an ACL that the FWSM can handle? Is there any limitation? I suspect it, as the ACL lines are not downloaded to hardware.

Thanks
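To see where the deny comes from, it helps to correlate each syslog line with the ACL bound inbound on its source interface, as the post does by hand. The script below is an added example, not code from the post or from Cisco: it parses the ACL dump, the access-group bindings and the syslog lines quoted above (embedded as constructed samples, plus one hypothetical 106023 line to show the other deny format), and for every deny reports which ACE would have decided the flow and how many hits it has. The interpretation it encodes is an assumption consistent with the reply's question: a 106010 deny carries no "by access-group" clause, so when the bound ACL actually permits the flow, the ACL is not what dropped the packet, and the translation for the inside host (static, or nat 0 with an access-list) is the next thing to check.

```python
"""Correlate FWSM deny syslogs with the ACL bound inbound on the source interface.

Added example, not from the original post. The 'acl_permits_flow' verdict
encodes an assumption: a 106010 deny (no 'by access-group') for a flow the
bound ACL permits points at the translation for the destination, not the ACL.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the lines from the post, plus one hypothetical
# 106023 line (an ACL deny) so the two message IDs can be told apart.
ACL_DUMP = """\
access-list acl_nci-dmz extended permit tcp host 10.7.126.20 host 10.7.2.112 eq 8080 (hitcnt=0)
access-list acl_nci-dmz extended permit tcp host 10.7.126.21 host 10.7.2.112 eq 8080 (hitcnt=0)
"""
ACCESS_GROUPS = """\
access-group acl_nci-dmz in interface NCI-DMZ
access-group acl_inside in interface inside
"""
SYSLOG = """\
Aug 14 13:36:33 FWSM-A %FWSM-3-106010: Deny inbound tcp src NCI-DMZ:10.7.126.20/64152 dst inside:10.7.2.112/8080
Aug 14 14:49:38 FWSM-A %FWSM-3-106010: Deny inbound tcp src NCI-DMZ:10.7.126.20/64851 dst inside:10.7.2.112/8080
Aug 14 14:50:01 FWSM-A %FWSM-4-106023: Deny tcp src NCI-DMZ:10.7.126.30/40000 dst inside:10.7.2.112/8080 by access-group "acl_nci-dmz"
"""

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<rest>.*?)(?: \(hitcnt=(?P<hitcnt>\d+)\))?$")
GROUP_RE = re.compile(r"^access-group (?P<acl>\S+) in interface (?P<iface>\S+)")
DENY_RE = re.compile(
    r"%FWSM-\d-(?P<msgid>\d{6}): Deny (?:inbound )?(?P<proto>\w+) "
    r"src (?P<sif>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
    r'(?: by access-group "(?P<acl>[^"]+)")?')


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    hitcnt: int
    text: str

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return (self.proto in (proto, "ip")
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.dport is None or self.dport == dport))


def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one ACE address spec: 'host A', 'any', or 'A MASK'."""
    t = tokens.pop(0)
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def _take_port(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq N'; anything else is treated as 'any port'."""
    if len(tokens) >= 2 and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_aces(text: str) -> List[Ace]:
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        tokens = m["rest"].split()
        src = _take_addr(tokens)
        _take_port(tokens)  # source port, not needed for this triage
        dst = _take_addr(tokens)
        dport = _take_port(tokens)
        aces.append(Ace(m["acl"], m["action"], m["proto"], src, dst, dport,
                        int(m["hitcnt"] or 0), line.strip()))
    return aces


def parse_groups(text: str) -> Dict[str, str]:
    """Map interface name -> ACL applied inbound on it."""
    return {m["iface"]: m["acl"] for m in map(GROUP_RE.match, text.splitlines()) if m}


def explain(deny: Dict[str, str], aces: List[Ace], groups: Dict[str, str]) -> Dict[str, object]:
    """Classify one parsed deny against the inbound ACL of its source interface."""
    r = {"msgid": deny["msgid"], "src": deny["src"], "dst": deny["dst"],
         "dport": int(deny["dport"]), "acl": deny["acl"], "ace": None, "ace_hitcnt": None}
    if deny["msgid"] == "106023":
        r["verdict"] = "acl_deny"  # the firewall names the access-group itself
        return r
    r["acl"] = groups.get(deny["sif"])
    if r["acl"] is None:
        r["verdict"] = "no_inbound_acl"
        return r
    for ace in aces:  # first-match semantics: the first covering ACE decides
        if ace.acl == r["acl"] and ace.matches(deny["proto"], deny["src"], deny["dst"], r["dport"]):
            r["ace"], r["ace_hitcnt"] = ace.text, ace.hitcnt
            # Assumed interpretation (see module docstring): the ACL permits the
            # flow and the deny names no access-group, so look at the translation.
            r["verdict"] = "acl_permits_flow" if ace.action == "permit" else "acl_deny"
            return r
    r["verdict"] = "implicit_deny"
    return r


def triage(syslog: str, acl_dump: str, access_groups: str) -> List[Dict[str, object]]:
    aces, groups = parse_aces(acl_dump), parse_groups(access_groups)
    return [explain(m.groupdict(), aces, groups)
            for m in map(DENY_RE.search, syslog.splitlines()) if m]


if __name__ == "__main__":
    for r in triage(SYSLOG, ACL_DUMP, ACCESS_GROUPS):
        print(f"{r['msgid']} {r['src']}->{r['dst']}:{r['dport']} acl={r['acl']} "
              f"verdict={r['verdict']} ace_hitcnt={r['ace_hitcnt']}")
```

Run against the post's lines, both 106010 entries come out as acl_permits_flow with the matching ACE at hitcnt=0, while the constructed 106023 line is reported as an ACL deny naming acl_nci-dmz. A permit ACE that matches but never increments is the signal to look at the translation for 10.7.2.112, which is what the reply below asks about.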

1 Reply

mgaysek
Level 1

Do you have a static translation for your inside host?

It is not included in the above config.