https://community.cisco.com/t5/network-security/acl-drop-on-outside-interfce/m-p/2604282#M198179 <P>I see.</P><P>Do you think this is the issue?</P><P>For how long does the issue remains?</P><P>Can you please a capture and verify the source mac address? I would like to know who is sending the traffic back to the ASA.</P><P>&nbsp;</P> Mon, 05 Jan 2015 23:15:35 GMT Maykol Rojas 2015-01-05T23:15:35Z https://community.cisco.com/t5/network-security/acl-drop-on-outside-interfce/m-p/2604281#M198178 <P>I have a ASA 5515X running 8.6 code</P><P>&nbsp;</P><P>On my internal network, I have a couple subnets that connect through the ASA to the Internet. I also have&nbsp; DMZ with some servers on it that are reachable from the Internet.</P><P>&nbsp;</P><P>These internal subnets are off different interfaces on the ASA, and my NAT rules are set up like this</P><P>&nbsp;</P><P>object-group network DEFAULT-PAT-SOURCE<BR />network-object object obj-172.25.36.30<BR />network-object object obj-192.168.221.0<BR />network-object object obj-172.23.120.250<BR />&nbsp;<BR />nat (Guestnet,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface<BR />nat (NETWORK2,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface</P><P>&nbsp;</P><P>interface GigabitEthernet0/2<BR />description Guestnet<BR />nameif Guestnet<BR />security-level 50<BR />ip address 192.168.221.4 255.255.255.0</P><P>&nbsp;</P><P>interface GigabitEthernet0/5<BR />nameif NETWORK2<BR />security-level 50<BR />ip address 172.23.120.129 255.255.255.128</P><P>&nbsp;</P><P>There is an ACL applied to the outside interface.</P><P>&nbsp;</P><P>Periodically, I have had an issue where the outbound/inbound traffic slows to a crawl on the Guestnet network, and I see a weird message in the logs.</P><P>&nbsp;</P><P>Jan 05 2015 07:30:40: %ASA-3-710003: TCP access denied by ACL from 192.168.221.51/52108 to Guestnet:&lt;outside interface IP&gt;/80<BR />Jan 05 2015 07:30:40: %ASA-3-710003: TCP access denied by ACL from 192.168.221.51/52106 to Guestnet:&lt;outside interface IP&gt;/443</P><P>&nbsp;</P><P>Why does the ASA think traffic is coming inbound from an IP that is on the internal network? (the Guestnet network). It is almost like a spoofing situation, but the IP 192.168.221.51 was my laptop IP I was testing from.</P><P>&nbsp;</P><P>Is there something wrong with this configuration? What could be the issue?</P><P>&nbsp;</P> Tue, 12 Mar 2019 05:18:07 GMT https://community.cisco.com/t5/network-security/acl-drop-on-outside-interfce/m-p/2604281#M198178 Colin Higgins 2019-03-12T05:18:07Z https://community.cisco.com/t5/network-security/acl-drop-on-outside-interfce/m-p/2604282#M198179 <P>I see.</P><P>Do you think this is the issue?</P><P>For how long does the issue remains?</P><P>Can you please a capture and verify the source mac address? I would like to know who is sending the traffic back to the ASA.</P><P>&nbsp;</P> Mon, 05 Jan 2015 23:15:35 GMT https://community.cisco.com/t5/network-security/acl-drop-on-outside-interfce/m-p/2604282#M198179 Maykol Rojas 2015-01-05T23:15:35Z