Basic firewall config, yet blocking packets.

tylerhall — Mon, 11 Mar 2019 23:12:15 GMT

This is a brand new config, there's nothing on it. I'm just trying to get packets to reach it, but it says it's being denied:

%ASA-3-710003: TCP access denied by ACL from 72.201.89.xx/23910 to outside:64.38.xxx.xx/80

I don't have a web server running on it, I'm just trying random ports to see if it'll go through before I start digging into my VPN issue.

Here is the config, allowing everything inbound/outbound:

vpn# show run

: Saved

ASA Version 8.2(5)

hostname vpn

domain-name xxx.net

enable password xxx encrypted

passwd xxx encrypted

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

nameif inside

security-level 100

ip address 10.0.16.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 64.38.x.x 255.255.255.192

ftp mode passive

dns server-group DefaultDNS

domain-name xxx

access-list OUTBOUND extended permit ip any any

access-list INBOUND extended permit ip any any

pager lines 24

logging enable

logging buffered debugging

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

access-group OUTBOUND in interface inside

access-group INBOUND in interface outside

route outside 0.0.0.0 0.0.0.0 64.38.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

What is making it deny all inbound packets?

Basic firewall config, yet blocking packets.

Julio Carvajal — Sat, 26 May 2012 22:22:45 GMT

Hello Tyler,

In ording to allow a packet from a lower security level to a higher security level on a version with nat-control enable you need:

1- A bidirectional translation ( Static one to one, Nat 0 with ACL)

2- An ACL allowing the traffic.

In this case you are missing the first one.

Regards,

Julio

Rate all the helpful posts

Basic firewall config, yet blocking packets.

varrao — Sat, 26 May 2012 22:25:00 GMT

Hi Tyler,

Wat exactly are you trying to access, is it the outside interafce of the ASA?? If it is any other IP address in the same subnet that your isp has provided, then you would need to plug a host on the inside interface and do static nat for it, then only you would get a response for random ports on it.

Try this:

plug a host on the inside interface, assign an ip, lets say 10.0.16.2, then you would need the static:

static (inside,outside) 64.38.xx.xx 10.0.16.2

Then try the connection, it should then show you everything opened.

Thanks,
Varun Rao
Security Team,
Cisco TAC

topic Basic firewall config, yet blocking packets. in Network Security

Basic firewall config, yet blocking packets.

Basic firewall config, yet blocking packets.

Basic firewall config, yet blocking packets.