https://community.cisco.com/t5/network-security/asa-5510-access-list-problem/m-p/1011532#M941350 <HTML><HEAD></HEAD><BODY><P>It seems your routing is not correct for the destination network:</P><P></P><P>Result: </P><P>input-interface: outside </P><P>output-interface: outside </P><P></P></BODY></HTML> Sat, 08 Mar 2008 00:01:19 GMT brettmilborrow 2008-03-08T00:01:19Z https://community.cisco.com/t5/network-security/asa-5510-access-list-problem/m-p/1011529#M941344 <P>My ASA 5510 is intermittently denying access form my ISP's mail server to our internal SMTP gatway.</P><P></P><P>The acl applied to the outside interface of the firewall allows tcp any any to the smtp server on port 25. There is no access-list applied to inside interface. A packet trace yeilds the following result.</P><P></P><P>Phase: 1</P><P>Type: FLOW-LOOKUP</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>Found no matching flow, creating a new flow</P><P></P><P>Phase: 2</P><P>Type: UN-NAT</P><P>Subtype: static</P><P>Result: ALLOW</P><P>Config:</P><P>static (inside,outside) 193.201.254.66 128.1.100.199 netmask 255.255.255.255 </P><P>nat-control</P><P> match ip inside host 128.1.100.199 outside any</P><P> static translation to 193.201.254.66</P><P> translate_hits = 1584262, untranslate_hits = 7749710</P><P>Additional Information:</P><P>NAT divert to egress interface inside</P><P>Untranslate 193.201.254.66/0 to 128.1.100.199/0 using netmask 255.255.255.255</P><P></P><P>Phase: 3</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in 0.0.0.0 0.0.0.0 outside</P><P></P><P>Phase: 4</P><P>Type: ACCESS-LIST</P><P>Subtype: </P><P>Result: DROP</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in id=0x47de0a0, priority=11, domain=permit, deny=true</P><P> hits=7928006, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0</P><P> src ip=0.0.0.0, mask=0.0.0.0, port=0</P><P> dst ip=0.0.0.0, mask=0.0.0.0, port=0</P><P></P><P>Result:</P><P>input-interface: outside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: outside</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: drop</P><P>Drop-reason: (acl-drop) Flow is denied by configured rule</P><P></P><P>The packet is being dropped by an implicit rule? Any ideas.</P> Mon, 11 Mar 2019 12:13:56 GMT https://community.cisco.com/t5/network-security/asa-5510-access-list-problem/m-p/1011529#M941344 dasgill 2019-03-11T12:13:56Z https://community.cisco.com/t5/network-security/asa-5510-access-list-problem/m-p/1011530#M941346 <HTML><HEAD></HEAD><BODY><P>Could you post your acl?</P><P></P><P>It should be...</P><P></P><P>access-list name extended permit tcp any host 193.201.254.66 eq 25</P></BODY></HTML> Fri, 07 Mar 2008 16:21:30 GMT https://community.cisco.com/t5/network-security/asa-5510-access-list-problem/m-p/1011530#M941346 acomiskey 2008-03-07T16:21:30Z https://community.cisco.com/t5/network-security/asa-5510-access-list-problem/m-p/1011531#M941349 <HTML><HEAD></HEAD><BODY><P>access-list outside_acl extended permit tcp any host 193.201.254.66 eq smtp </P><P>access-list outside_acl extended permit tcp any object-group web-servers object-group web-ports-tcp </P><P>access-list outside_acl extended permit tcp any object-group dmz-servers eq www </P></BODY></HTML> Fri, 07 Mar 2008 16:40:47 GMT https://community.cisco.com/t5/network-security/asa-5510-access-list-problem/m-p/1011531#M941349 dasgill 2008-03-07T16:40:47Z https://community.cisco.com/t5/network-security/asa-5510-access-list-problem/m-p/1011532#M941350 <HTML><HEAD></HEAD><BODY><P>It seems your routing is not correct for the destination network:</P><P></P><P>Result: </P><P>input-interface: outside </P><P>output-interface: outside </P><P></P></BODY></HTML> Sat, 08 Mar 2008 00:01:19 GMT https://community.cisco.com/t5/network-security/asa-5510-access-list-problem/m-p/1011532#M941350 brettmilborrow 2008-03-08T00:01:19Z https://community.cisco.com/t5/network-security/asa-5510-access-list-problem/m-p/1011533#M941351 <HTML><HEAD></HEAD><BODY><P>What version are you running? I'm getting the exact output your getting with a trace - looks like my issue could be related to bug ID CSCsj31537 however. </P></BODY></HTML> Tue, 11 Mar 2008 20:51:21 GMT https://community.cisco.com/t5/network-security/asa-5510-access-list-problem/m-p/1011533#M941351 valconix 2008-03-11T20:51:21Z