This is something strange, details...
FWSM Firewall Version 2.3(2)
ip address inside 10.7.127.100 255.255.255.240
ip address NCI-DMZ 10.7.126.1 255.255.255.224
access-group acl_nci-dmz in interface NCI-DMZ
access-group acl_inside in interface inside
nameif vlan100 inside security100
nameif vlan15 NCI-DMZ security54
nat (inside) 0 0.0.0.0 0.0.0.0
nat (NCI-DMZ) 0 0.0.0.0 0.0.0.0
No static is related to this.
access-list acl_nci-dmz extended permit tcp host 10.7.126.20 host 10.7.2.112 eq 8080 (hitcnt=0)
access-list acl_nci-dmz extended permit tcp host 10.7.126.21 host 10.7.2.112 eq 8080 (hitcnt=0)
ping inside 10.7.2.112
10.7.2.112 response received -- 0ms
ping NCI-DMZ 10.7.126.20
10.7.126.20 response received -- 0ms
Aug 14 13:36:33 FWSM-A %FWSM-3-106010: Deny inbound tcp src NCI-DMZ:10.7.126.20/64152 dst inside:10.7.2.112/8080
Aug 14 14:49:38 FWSM-A %FWSM-3-106010: Deny inbound tcp src NCI-DMZ:10.7.126.20/64851 dst inside:10.7.2.112/8080
Why is it getting denied? There are no outbound ACLs in the FWSM and no denies before these lines that could block this traffic, just inbound ACLs on all interfaces. Opening the ACL on the source interface should be enough to allow access.
This FWSM has many VLANs as interfaces. Each has an access-list of thousands of lines. What is the maximum size (number of lines) of an ACL that the FWSM can handle? Is there any limitation? I suspect the ACL lines are not being downloaded into hardware.
Thanks
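When troubleshooting a deny like the one above, the first thing to establish is whether the ACL bound to the ingress interface actually contains a permit entry that should have matched the denied flow. The script below is an added example, not code from the poster or from Cisco: it parses the configuration and %FWSM-3-106010 lines quoted in the post (embedded here as constructed sample input), resolves the ACL bound to the source interface, walks the entries in first-match order, and flags any deny whose flow is covered by a permit entry. It assumes only the `host`/`any` address forms and `eq <port>` seen in the post, and it treats the ACL as a plain first-match list; real FWSM ACL semantics (object groups, subnet masks, ICMP types) are not modelled.

```python
import re

# Constructed from the configuration excerpt in the post above.
FWSM_CONFIG = """
nameif vlan100 inside security100
nameif vlan15 NCI-DMZ security54
access-group acl_nci-dmz in interface NCI-DMZ
access-group acl_inside in interface inside
access-list acl_nci-dmz extended permit tcp host 10.7.126.20 host 10.7.2.112 eq 8080 (hitcnt=0)
access-list acl_nci-dmz extended permit tcp host 10.7.126.21 host 10.7.2.112 eq 8080 (hitcnt=0)
"""

# Constructed from the syslog excerpt in the post above.
SYSLOG_LINES = [
    "Aug 14 13:36:33 FWSM-A %FWSM-3-106010: Deny inbound tcp src NCI-DMZ:10.7.126.20/64152 dst inside:10.7.2.112/8080",
    "Aug 14 14:49:38 FWSM-A %FWSM-3-106010: Deny inbound tcp src NCI-DMZ:10.7.126.20/64851 dst inside:10.7.2.112/8080",
]

# Only the ACE shapes used in the post: host/any endpoints, optional "eq <port>".
ACE_RE = re.compile(
    r"^access-list (\S+) extended (permit|deny) (\S+) (host \S+|any) (host \S+|any)(?: eq (\d+))?"
)
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")
DENY_RE = re.compile(
    r"%FWSM-3-106010: Deny inbound (\S+) src (\S+):(\S+)/(\d+) dst (\S+):(\S+)/(\d+)"
)


def parse_config(text):
    """Return (aces_by_acl, acl_bound_to_interface) from a config excerpt."""
    aces = {}
    bindings = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            name, action, proto, src, dst, port = m.groups()
            aces.setdefault(name, []).append({
                "text": m.group(0), "action": action, "proto": proto,
                "src": src, "dst": dst, "port": int(port) if port else None,
            })
            continue
        m = GROUP_RE.match(line)
        if m:
            bindings[m.group(2)] = m.group(1)
    return aces, bindings


def parse_deny(line):
    """Extract the 5-tuple and interfaces from a %FWSM-3-106010 line, or None."""
    m = DENY_RE.search(line)
    if not m:
        return None
    proto, sif, sip, sport, dif, dip, dport = m.groups()
    return {"proto": proto, "src_if": sif, "src_ip": sip, "src_port": int(sport),
            "dst_if": dif, "dst_ip": dip, "dst_port": int(dport)}


def _addr_match(spec, ip):
    return spec == "any" or spec == f"host {ip}"


def first_match(aces, flow):
    """First ACE (in configured order) that covers the flow, or None."""
    for ace in aces:
        if ace["proto"] not in ("ip", flow["proto"]):
            continue
        if not _addr_match(ace["src"], flow["src_ip"]):
            continue
        if not _addr_match(ace["dst"], flow["dst_ip"]):
            continue
        if ace["port"] is not None and ace["port"] != flow["dst_port"]:
            continue
        return ace
    return None


def explain_deny(config_text, log_line):
    """Classify one deny against the ACL bound inbound on its source interface."""
    aces, bindings = parse_config(config_text)
    flow = parse_deny(log_line)
    if flow is None:
        return None
    acl = bindings.get(flow["src_if"])
    ace = first_match(aces.get(acl, []), flow) if acl else None
    if acl is None:
        verdict = "no-acl-bound"
    elif ace is None:
        verdict = "implicit-deny"
    elif ace["action"] == "permit":
        # Denied even though a permit ACE covers the flow: the ACL is not the cause.
        verdict = "permit-ace-exists"
    else:
        verdict = "explicit-deny"
    return {"acl": acl, "ace": ace["text"] if ace else None, "verdict": verdict}


def find_anomalies(config_text, log_lines):
    """Denies whose flow is covered by a permit ACE on the ingress interface."""
    results = [explain_deny(config_text, line) for line in log_lines]
    return [r for r in results if r and r["verdict"] == "permit-ace-exists"]


if __name__ == "__main__":
    for line in SYSLOG_LINES:
        print(explain_deny(FWSM_CONFIG, line))
```

A verdict of `permit-ace-exists` on every denied flow, combined with `hitcnt=0` on the matching entries, is the combination that points away from the ACL text itself and toward how the ACL is being applied on the platform; a verdict of `implicit-deny` instead means the entry does not cover the flow as written (wrong protocol, port or host) and the ACL is the thing to fix.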