Access rule deleted issue.

smetieh001 — Tue, 12 Mar 2019 01:06:30 GMT

I was creating a static NAT for a web server to allow ICMP, HTTP and HTTPS through the firewall on an ASA5520 and exisitng firewall rule was deleted. Does any one know why this happened? see command below.

Name 203.x.x.x name1-ext

Name 192.x.x.x name2-int

static (inside, outside) 203.x.x.x 192.x.x.x netmask 255.255.255.255

Access-list outside_in extended permit icmp any host 203.x.x.x eq echo

Access-list outside_in extended permit tcp any host 203.x.x.x eq http

Access-list outside_in extended permit tcp any host 203.x.x.x eq https

access-group outside_in in interface outside

Some existing rules were deleted after the above command.

Your responses are highly appreciated

Re: Access rule deleted issue.

Jouni Forss — Wed, 27 Feb 2013 11:43:47 GMT

Hi,

Since you arent using any "no" form commands the only situation I can think of is the following

You already had an ACL on the "outside" interface but its NOT named "outside_in"
You configured the above ACL
You attached this new ACL to the "outside" interface and it removed the old ACL that was attached to the interface

So lets say you have the following

You originally have

access-list OUTSIDE-IN permit ip any host x.x.x.x

access-group OUTSIDE-IN in interface outside

Now you are planning on adding rules to the firewall from "outside"

You instead enter

access-list OUTSIDE-in permit ip any host y.y.y.y

access-group OUTSIDE-in in interface outside

This would mean that the previous ACL "OUTSIDE-IN" and its rule would be removed from use and the new ACL "OUTSIDE-in" (with different name would be taken into use)

Though normally when you create an ACL to an interface and attach it with the "access-group" command then theres no real reason to use the "access-group" command again in the future when adding simple ACL rules to an already existing ACL.

The commands you listed however dont delete any ACL rules otherwise. Only other option I can think of now would be that something went wrong with the NAT configuration.

Notice that if you use ASDM to configure Static NAT and insert that Static NAT between some rules the ASDM will actually tell the ASA to

Remove some Static NAT rules -> Insert new Static NAT rule -> Insert all the removed Static NAT rules back

This is because there is no line numbers in older software for NAT rules. They are gone through in the order they are configured. So this requires removing commands and inserting them again to change their order.

Hopefully the above was of some help

- Jouni

Access rule deleted issue.

smetieh001 — Fri, 01 Mar 2013 03:49:20 GMT

Hi Jouni,

Thanks your response was really helpful.

- SM

topic Access rule deleted issue. in Network Security

Access rule deleted issue.

Re: Access rule deleted issue.

Access rule deleted issue.