https://community.cisco.com/t5/network-security/access-denied-by-implicit-rule/m-p/3333614#M970357 <P>Please share your configuration.</P> Mon, 19 Feb 2018 14:03:11 GMT Krash Mole 2018-02-19T14:03:11Z https://community.cisco.com/t5/network-security/access-denied-by-implicit-rule/m-p/3333579#M970356 <P>Hi,</P> <P>&nbsp;</P> <P>I have a Cisco ASA 5525-X running version&nbsp;9.5(3)9.</P> <P>I encountered a kind of weird issue regarding access-list.</P> <P>For what I know if you are coming from a higher security level going to low, you don't&nbsp; need to explicitly put an access-list to allow access.</P> <P>What happened to me is that my machines coming from the inside is denied by the implicit deny rule.</P> <P>NAT is configured properly, every other config is fine.&nbsp;</P> <P>Anyone of you experienced this?</P> Fri, 21 Feb 2020 15:22:21 GMT https://community.cisco.com/t5/network-security/access-denied-by-implicit-rule/m-p/3333579#M970356 ghermocilla 2020-02-21T15:22:21Z https://community.cisco.com/t5/network-security/access-denied-by-implicit-rule/m-p/3333614#M970357 <P>Please share your configuration.</P> Mon, 19 Feb 2018 14:03:11 GMT https://community.cisco.com/t5/network-security/access-denied-by-implicit-rule/m-p/3333614#M970357 Krash Mole 2018-02-19T14:03:11Z https://community.cisco.com/t5/network-security/access-denied-by-implicit-rule/m-p/3334029#M970358 <P>Hello,</P> <P>&nbsp;</P> <P>If you can attach a packet-tracer output or syslogs, we can look into it.</P> <P>&nbsp;</P> <P>For a start, acl drop does not always means "access-list". It could be due to a variety of reasons like connection timeout etc.</P> <P>&nbsp;</P> <P>HTH<BR />AJ</P> Tue, 20 Feb 2018 05:25:32 GMT https://community.cisco.com/t5/network-security/access-denied-by-implicit-rule/m-p/3334029#M970358 Ajay Saini 2018-02-20T05:25:32Z https://community.cisco.com/t5/network-security/access-denied-by-implicit-rule/m-p/3334059#M970448 here's my config<BR /><BR />interface GigabitEthernet0/0.27<BR /> nameif outside<BR /> security-level 0<BR /> ip address 172.16.1.3 255.255.255.0<BR />!<BR />interface GigabitEthernet0/1<BR /> nameif inside<BR /> security-level 100<BR /> ip address 192.168.1.10 255.255.255.0<BR />!<BR />object network Inside-NAT<BR /> host 172.16.1.10<BR />!<BR />object-group network Inside-PC<BR /> network-object 10.100.1.0 255.255.255.0<BR />!<BR />nat (inside,outside) source dynamic Inside-PC Inside-NAT<BR /><BR />It should work right? default behavior of firewall is to allow a higher security level to lower,<BR />even without explicitly having an access-list Tue, 20 Feb 2018 06:54:23 GMT https://community.cisco.com/t5/network-security/access-denied-by-implicit-rule/m-p/3334059#M970448 ghermocilla 2018-02-20T06:54:23Z https://community.cisco.com/t5/network-security/access-denied-by-implicit-rule/m-p/3334065#M970449 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="packet-tracer.JPG" style="width: 730px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/7791i93B75D1AD1A08D02/image-size/large?v=v2&amp;px=999" role="button" title="packet-tracer.JPG" alt="packet-tracer.JPG" /></span>that's the result for packet tracer, its being dropped, that why i need to explicitly put an access list like this one:</P> <P>access-list inside_access extended permit ip object-group Inside-PC any</P> Tue, 20 Feb 2018 07:02:45 GMT https://community.cisco.com/t5/network-security/access-denied-by-implicit-rule/m-p/3334065#M970449 ghermocilla 2018-02-20T07:02:45Z https://community.cisco.com/t5/network-security/access-denied-by-implicit-rule/m-p/3334089#M970450 <P>Hello,</P> <P>&nbsp;</P> <P>Do you already have an access-group configured, can you attach following outputs:</P> <P>&nbsp;</P> <P>show run access-group&nbsp;<SPAN>inside_access</SPAN></P> <P>&nbsp;</P> <P>show run access-list&nbsp;<SPAN>inside_access</SPAN></P> <P>&nbsp;</P> <P>Ideally, you should not require an access-list for traffic going from high security to low security interface.</P> <P>-</P> <P>HTH</P> <P>AJ</P> Tue, 20 Feb 2018 08:06:55 GMT https://community.cisco.com/t5/network-security/access-denied-by-implicit-rule/m-p/3334089#M970450 Ajay Saini 2018-02-20T08:06:55Z https://community.cisco.com/t5/network-security/access-denied-by-implicit-rule/m-p/3338074#M970451 <P>Hi,</P> <P>&nbsp;</P> <P>I am also facing something similar.</P> <P>I have ASA 5545x series firewall running 9.8(2) version.</P> <P>Even after configuring the interfaces into access-group.&nbsp;</P> <P>The acls are not getting hit.</P> <P>Seems like the device is following the default behavior.</P> <P>&nbsp;</P> <P>Any advice ?&nbsp;</P> <P>I think I am missing something.</P> <P>Config :</P> <P>&nbsp;</P> <P>interface Management0/0<BR /> description Management interface connected to Port 3.<BR /> speed 100<BR /> duplex full<BR /> management-only<BR /> nameif management<BR /> security-level 90<BR /> ip address 172.20.40.10 255.255.255.0 standby 172.20.40.11</P> <P>&nbsp;</P> <P>access-group management_access_in in interface management</P> <P>&nbsp;</P> <P>access-list management_access_in extended permit icmp any any<BR />access-list management_access_in extended permit tcp any any</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 26 Feb 2018 18:00:55 GMT https://community.cisco.com/t5/network-security/access-denied-by-implicit-rule/m-p/3338074#M970451 ciscoinfo 2018-02-26T18:00:55Z