<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Trouble with ACLs in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/trouble-with-acls/m-p/675187#M1031372</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;My bad.  That is exactly what was happening.  I did not explicitly allow the traffic out.  Thanks for your help.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Wed, 24 Jan 2007 02:33:20 GMT</pubDate>
    <dc:creator>fncnet2005</dc:creator>
    <dc:date>2007-01-24T02:33:20Z</dc:date>
    <item>
      <title>Trouble with ACLs</title>
      <link>https://community.cisco.com/t5/network-security/trouble-with-acls/m-p/675185#M1031366</link>
      <description>&lt;P&gt;Hello all,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have an ASA5510 running 7.2 and ASDM 5.2.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am trying to set up a web server on the DMZ.  I need it to be able to communicate with an internal mail server.  I followed the example in the getting started guide, but am running into a problem.  On the webserver, I am running NTP and what is happening is that the return packets to my webserver's NTP queries are being dropped.  Now my question: if the webserver on the DMZ initiates comms with the outside, shouldn't the return packets be allowed, or will I have to edit the ACL to explicitly allow the return packets?  Furthermore, there is only "incoming" and "outgoing" in ASDM.  Where is the "established"?&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 09:23:49 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/trouble-with-acls/m-p/675185#M1031366</guid>
      <dc:creator>fncnet2005</dc:creator>
      <dc:date>2019-03-11T09:23:49Z</dc:date>
    </item>
    <item>
      <title>Re: Trouble with ACLs</title>
      <link>https://community.cisco.com/t5/network-security/trouble-with-acls/m-p/675186#M1031368</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;What do your ACLs look like?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you created an ACL "in interface DMZ" you will have to permit everything you want to go outbound, including udp 123 (NTP), before the explicit deny any any at the end of the ACL.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Most likely the ASA is not blocking the return traffic; it is probably blocking traffic into the DMZ interface, as it is stateful and does not need the "established" keyword.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 23 Jan 2007 21:09:59 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/trouble-with-acls/m-p/675186#M1031368</guid>
      <dc:creator>acomiskey</dc:creator>
      <dc:date>2007-01-23T21:09:59Z</dc:date>
    </item>
    <item>
      <title>Re: Trouble with ACLs</title>
      <link>https://community.cisco.com/t5/network-security/trouble-with-acls/m-p/675187#M1031372</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;My bad.  That is exactly what was happening.  I did not explicitly allow the traffic out.  Thanks for your help.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 24 Jan 2007 02:33:20 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/trouble-with-acls/m-p/675187#M1031372</guid>
      <dc:creator>fncnet2005</dc:creator>
      <dc:date>2007-01-24T02:33:20Z</dc:date>
    </item>
  </channel>
</rss>

