https://community.cisco.com/t5/network-security/asa-5505-8-3-acl-dropping-packet-please-help/m-p/1482009#M654061 <HTML><HEAD></HEAD><BODY><P>Which internal hosts will the security company need to access, and on which ports?&nbsp; If it needs to access the internal host 192.168.11.2 on ports 80,443 and host 192.168.11.5 on port 25, then the following commands provided by the previous poster should allow this:</P><P></P><P>nat (inside,outside) source static in_1 interface service Web Web<BR />nat (inside,outside) source static in_1 interface service SecureWeb SecureWeb<BR />nat (inside,outside) source static in_2 interface service SMTP SMTP</P><P></P><P>access-list outside_access_in permit tcp any interface outside eq 80<BR />access-list outside_access_in permit tcp any interface outside eq 443<BR />access-list outside_access_in permit tcp any interface outside eq 25</P><P></P><P>access-group outside_access_in in interface outside</P></BODY></HTML> Thu, 22 Jul 2010 17:45:01 GMT Allen P Chen 2010-07-22T17:45:01Z https://community.cisco.com/t5/network-security/asa-5505-8-3-acl-dropping-packet-please-help/m-p/1482004#M654051 <P> message removed.</P> Mon, 11 Mar 2019 18:14:06 GMT https://community.cisco.com/t5/network-security/asa-5505-8-3-acl-dropping-packet-please-help/m-p/1482004#M654051 egrundlehner 2019-03-11T18:14:06Z https://community.cisco.com/t5/network-security/asa-5505-8-3-acl-dropping-packet-please-help/m-p/1482005#M654052 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Please try the config below:</P><P></P><P>object service Web<BR /> service tcp source eq www</P><P></P><P>object service SecureWeb<BR /> service tcp source eq https</P><P></P><P>object service SMTP<BR /> service tcp source eq SMTP</P><P></P><P>object network out_1<BR /> host 1.1.1.1</P><P></P><P>object network in_1<BR /> host 192.168.11.2</P><P></P><P>object network in_2<BR /> host 192.168.11.5</P><P></P><P>nat (inside,outside) source static in_1 interface service Web Web<BR />nat (inside,outside) source static in_1 interface service SecureWeb SecureWeb<BR />nat (inside,outside) source static in_2 interface service SMTP SMTP</P><P></P><P>access-list outside_access_in permit tcp any interface outside eq 80<BR />access-list outside_access_in permit tcp any interface outside eq 443<BR />access-list outside_access_in permit tcp any interface outside eq 25</P><P></P><P>Hope this helps.</P><P></P><P>Regards,</P><P></P><P>NT</P></BODY></HTML> Wed, 21 Jul 2010 03:49:34 GMT https://community.cisco.com/t5/network-security/asa-5505-8-3-acl-dropping-packet-please-help/m-p/1482005#M654052 Nagaraja Thanthry 2010-07-21T03:49:34Z https://community.cisco.com/t5/network-security/asa-5505-8-3-acl-dropping-packet-please-help/m-p/1482006#M654054 <HTML><HEAD></HEAD><BODY><P>Will traffic from the DMZ be PAT'ed to the outside interface as well?&nbsp; If so, you will need a corresponding NAT statement for this:</P><P></P><P>object network obj_10.0.0.0</P><P> subnet 10.0.0.0 255.255.255.0</P><P> nat (dmz,outside) dynamic interface</P><P></P><P>The above will allow all traffic from 10.0.0.0/24 behind the DMZ interface to be PAT'ed to the outside interface IP address (1.1.1.1) when making an outbound connection.</P><P></P><P>Hope this helps.</P></BODY></HTML> Wed, 21 Jul 2010 07:02:44 GMT https://community.cisco.com/t5/network-security/asa-5505-8-3-acl-dropping-packet-please-help/m-p/1482006#M654054 Allen P Chen 2010-07-21T07:02:44Z https://community.cisco.com/t5/network-security/asa-5505-8-3-acl-dropping-packet-please-help/m-p/1482007#M654057 <HTML><HEAD></HEAD><BODY><P>Thanks! I'm going to test this now. How do I allow a range of Ip's to hit our firewall for PCI testing. A security company we use needs to be able to hit the firewall to test. In our Watchguard this was called an exception list.</P></BODY></HTML> Thu, 22 Jul 2010 17:36:54 GMT https://community.cisco.com/t5/network-security/asa-5505-8-3-acl-dropping-packet-please-help/m-p/1482007#M654057 egrundlehner 2010-07-22T17:36:54Z https://community.cisco.com/t5/network-security/asa-5505-8-3-acl-dropping-packet-please-help/m-p/1482008#M654059 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>You can add entries to the outside access-list.</P><P></P><P>Access-list outside_access_in permit ip host any</P><P></P><P>Hope this helps.</P><P></P><P>Regards,</P><P></P><P>NT</P></BODY></HTML> Thu, 22 Jul 2010 17:42:48 GMT https://community.cisco.com/t5/network-security/asa-5505-8-3-acl-dropping-packet-please-help/m-p/1482008#M654059 Nagaraja Thanthry 2010-07-22T17:42:48Z https://community.cisco.com/t5/network-security/asa-5505-8-3-acl-dropping-packet-please-help/m-p/1482009#M654061 <HTML><HEAD></HEAD><BODY><P>Which internal hosts will the security company need to access, and on which ports?&nbsp; If it needs to access the internal host 192.168.11.2 on ports 80,443 and host 192.168.11.5 on port 25, then the following commands provided by the previous poster should allow this:</P><P></P><P>nat (inside,outside) source static in_1 interface service Web Web<BR />nat (inside,outside) source static in_1 interface service SecureWeb SecureWeb<BR />nat (inside,outside) source static in_2 interface service SMTP SMTP</P><P></P><P>access-list outside_access_in permit tcp any interface outside eq 80<BR />access-list outside_access_in permit tcp any interface outside eq 443<BR />access-list outside_access_in permit tcp any interface outside eq 25</P><P></P><P>access-group outside_access_in in interface outside</P></BODY></HTML> Thu, 22 Jul 2010 17:45:01 GMT https://community.cisco.com/t5/network-security/asa-5505-8-3-acl-dropping-packet-please-help/m-p/1482009#M654061 Allen P Chen 2010-07-22T17:45:01Z https://community.cisco.com/t5/network-security/asa-5505-8-3-acl-dropping-packet-please-help/m-p/1482010#M654063 <HTML><HEAD></HEAD><BODY><P>They actually test agains tthe firewall. So i'm assuming they just need icmp on the outside inteface turned on.</P></BODY></HTML> Thu, 22 Jul 2010 18:01:38 GMT https://community.cisco.com/t5/network-security/asa-5505-8-3-acl-dropping-packet-please-help/m-p/1482010#M654063 egrundlehner 2010-07-22T18:01:38Z https://community.cisco.com/t5/network-security/asa-5505-8-3-acl-dropping-packet-please-help/m-p/1482011#M654065 <HTML><HEAD></HEAD><BODY><P>message removed</P></BODY></HTML> Thu, 22 Jul 2010 18:46:05 GMT https://community.cisco.com/t5/network-security/asa-5505-8-3-acl-dropping-packet-please-help/m-p/1482011#M654065 egrundlehner 2010-07-22T18:46:05Z https://community.cisco.com/t5/network-security/asa-5505-8-3-acl-dropping-packet-please-help/m-p/1482012#M654068 <HTML><HEAD></HEAD><BODY><P>Can you try removing this line?</P><P></P><P>nat (inside,outside) source dynamic any interface</P><P></P><P>I think this NAT rule is taking precedence instead of the static PATs you've configured.&nbsp; You can then configure dynamic PAT for inside hosts going out as follows:</P><P></P><P>object network obj_192.168.11.0</P><P> subnet 192.168.11.0 255.255.255.0</P><P> nat (inside,outside) dynamic interface</P><P></P><P>Issue "clear local-host" and try testing again.</P></BODY></HTML> Thu, 22 Jul 2010 18:52:50 GMT https://community.cisco.com/t5/network-security/asa-5505-8-3-acl-dropping-packet-please-help/m-p/1482012#M654068 Allen P Chen 2010-07-22T18:52:50Z https://community.cisco.com/t5/network-security/asa-5505-8-3-acl-dropping-packet-please-help/m-p/1482013#M654071 <HTML><HEAD></HEAD><BODY><P>Still does not work. This is what shows in the logs.</P><P></P><P>Can you call or email me off the boards</P><P></P><P><TABLE><TBODY><TR><TD>4</TD><TD>Jul 22 2010</TD><TD>19:01:10</TD><TD>106023</TD><TD>208.85.196.73</TD><TD>2233</TD><TD>192.168.11.2</TD><TD>443</TD><TD>Deny tcp src outside:1.1.1.1./2233 dst inside:192.168.11.2/443 by access-group "outside_access_in" [0x0, 0x0]</TD></TR></TBODY></TABLE></P></BODY></HTML> Thu, 22 Jul 2010 18:59:08 GMT https://community.cisco.com/t5/network-security/asa-5505-8-3-acl-dropping-packet-please-help/m-p/1482013#M654071 egrundlehner 2010-07-22T18:59:08Z https://community.cisco.com/t5/network-security/asa-5505-8-3-acl-dropping-packet-please-help/m-p/1482014#M654076 <HTML><HEAD></HEAD><BODY><P>Also, 8.3 uses the real IP address in the ACLs, so please try changing the ACL as follows.&nbsp; Sorry I missed it earlier:</P><P></P><P>no access-list outside_access_in extended permit tcp any interface outside eq www <BR />no access-list outside_access_in extended permit tcp any interface outside eq https <BR />no access-list outside_access_in extended permit tcp any interface outside eq smtp</P><P></P><P>access-list outside_access_in extended permit tcp any host 192.168.11.2 eq www <BR />access-list outside_access_in extended permit tcp any host 192.168.11.2 eq https <BR />access-list outside_access_in extended permit tcp any host 192.168.11.5 eq smtp</P><P></P><P>access-group outside_access_in in interface outside</P></BODY></HTML> Thu, 22 Jul 2010 18:59:52 GMT https://community.cisco.com/t5/network-security/asa-5505-8-3-acl-dropping-packet-please-help/m-p/1482014#M654076 Allen P Chen 2010-07-22T18:59:52Z