https://community.cisco.com/t5/network-security/cannot-create-new-rule-on-asa-help-help/m-p/2122293#M394953 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If you want to leave the "deny ip any any" ACL rule there, then yes, you can just move the 2 rules before that "deny" rule and those should work.</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 29 Nov 2012 16:58:18 GMT Jouni Forss 2012-11-29T16:58:18Z https://community.cisco.com/t5/network-security/cannot-create-new-rule-on-asa-help-help/m-p/2122289#M394916 <P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Hello,</P><P></P><P>I'm trying to configure my Cisco ASA firewall to allow outside access to my new webserver which is hosting inside the company network.</P><P></P><P>The number 47 &amp; 48 from image below are my new access rules.</P><P><IMG src="https://community.cisco.com/legacyfs/online/legacy/5/1/3/116315-1.jpg" alt="1.jpg" class="jive-image-thumbnail jive-image" width="450" /></P><P></P><P>From ouside I can ping to it by using name or IP but when I try to access the website using web browser, I got the page can't display. Yes, my web page is working fine when access using internal network.</P><P></P><P>When I replace the Destination on #35 with #47 (replace TTCHR2Outside with Dealer.Nittotire) then I can access the website from outside OK.</P><P></P><P>Would anyone please tell me what I did wrong and how to fix it.</P><P></P><P></P><P>Thanks inadvance.</P> Tue, 12 Mar 2019 00:30:03 GMT https://community.cisco.com/t5/network-security/cannot-create-new-rule-on-asa-help-help/m-p/2122289#M394916 Minh Vu 2019-03-12T00:30:03Z https://community.cisco.com/t5/network-security/cannot-create-new-rule-on-asa-help-help/m-p/2122290#M394927 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Line 39 has a rule that blocks ALL TCP/UDP traffic from "any" to "any"</P><P></P><P>As you can see, no rule after line 39 has even gotten 1 hitcount.</P><P></P><P>You need to remove the current line 39 configuration for any of the latter ones to apply.</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 29 Nov 2012 16:51:26 GMT https://community.cisco.com/t5/network-security/cannot-create-new-rule-on-asa-help-help/m-p/2122290#M394927 Jouni Forss 2012-11-29T16:51:26Z https://community.cisco.com/t5/network-security/cannot-create-new-rule-on-asa-help-help/m-p/2122291#M394932 <HTML><HEAD></HEAD><BODY><P> JouniForss,</P><P></P><P>Thank you for your quick reply.</P><P></P><P>Can I just move line 47 &amp; 48 up to before 39 without removing 39?</P></BODY></HTML> Thu, 29 Nov 2012 16:54:58 GMT https://community.cisco.com/t5/network-security/cannot-create-new-rule-on-asa-help-help/m-p/2122291#M394932 Minh Vu 2012-11-29T16:54:58Z https://community.cisco.com/t5/network-security/cannot-create-new-rule-on-asa-help-help/m-p/2122292#M394943 <HTML><HEAD></HEAD><BODY><P>Also,</P><P></P><P>Remember that every single ACL ends with an "Implicit Deny" (I guess it should show on ASDM side) which basically blocks all the traffic that hasnt matched any previous ACL rule line.</P><P></P><P>Making a Deny rule in the middle of an ACL only makes sense when you specily a network/host address regarding either the source or destination of the traffic.</P><P></P><P></P><P>"deny ip any any" doesnt make any sense in the middle of an ACL as it makes the lines after that useless.</P></BODY></HTML> Thu, 29 Nov 2012 16:55:51 GMT https://community.cisco.com/t5/network-security/cannot-create-new-rule-on-asa-help-help/m-p/2122292#M394943 Jouni Forss 2012-11-29T16:55:51Z https://community.cisco.com/t5/network-security/cannot-create-new-rule-on-asa-help-help/m-p/2122293#M394953 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If you want to leave the "deny ip any any" ACL rule there, then yes, you can just move the 2 rules before that "deny" rule and those should work.</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 29 Nov 2012 16:58:18 GMT https://community.cisco.com/t5/network-security/cannot-create-new-rule-on-asa-help-help/m-p/2122293#M394953 Jouni Forss 2012-11-29T16:58:18Z https://community.cisco.com/t5/network-security/cannot-create-new-rule-on-asa-help-help/m-p/2122294#M394960 <HTML><HEAD></HEAD><BODY><P> So, any line below "Deny" will be blocked, right?</P></BODY></HTML> Thu, 29 Nov 2012 16:58:51 GMT https://community.cisco.com/t5/network-security/cannot-create-new-rule-on-asa-help-help/m-p/2122294#M394960 Minh Vu 2012-11-29T16:58:51Z https://community.cisco.com/t5/network-security/cannot-create-new-rule-on-asa-help-help/m-p/2122295#M394966 <HTML><HEAD></HEAD><BODY><P> Thank you very much for your quick answer on this matter, yes, I am able to acces my website from outside now.</P><P></P><P>Thanks again.</P></BODY></HTML> Thu, 29 Nov 2012 17:00:26 GMT https://community.cisco.com/t5/network-security/cannot-create-new-rule-on-asa-help-help/m-p/2122295#M394966 Minh Vu 2012-11-29T17:00:26Z