ACL deny but permit rule exists!

handsy
Level 1

I'm trying to get my VMware vCenter server to add a host on another network. I have applied a rule on my ASA with all the known TCP/UDP ports that vCenter uses.

vCenter lets me add the host but it disconnects almost immediately, and at that moment I see an ACL deny on my firewall as follows:

access-list outside-in denied tcp outside/10.72.210.118(5989) -> inside/10.167.253.21(60656)

...yet, I have the following rule on my ASA:

access-list outside-in line 59 extended permit tcp 10.72.210.0 255.255.255.0 host 10.167.253.21 eq 5989

This makes absolutely no sense to me and I'm stumped :(

2 Replies

Sam Jones
Level 1

Handsy,

These are the ports we allow through to add and manage a VMware host on a different network.

{VCenter IP} -> {VMware Host IP} {tcp/902, tcp/5989, tcp/443, tcp/27010, tcp/27000}
{VMware Host IP} -> {VCenter IP} {tcp/udp 902, tcp/udp 514, tcp 9084}

Jon Marshall
Hall of Fame

Your ACL line needs rewriting, i.e.:

access-list outside-in permit tcp 10.72.210.0 255.255.255.0 eq 5989 host 10.167.253.21

Jon
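As an added example (not code from the thread), here is a small Python matcher for the subset of ASA extended-ACE syntax used above; it shows why the original line 59 ACE does not match the denied flow (5989 is the source port in that log line) while the rewritten ACE does. It assumes only tcp/udp, host/mask/any addresses and the `eq` port operator.

```python
import ipaddress
import re

# Constructed samples: the syslog deny from the question and the two ACEs from the thread.
DENY_LOG = "access-list outside-in denied tcp outside/10.72.210.118(5989) -> inside/10.167.253.21(60656)"
ORIGINAL_ACE = "access-list outside-in line 59 extended permit tcp 10.72.210.0 255.255.255.0 host 10.167.253.21 eq 5989"
CORRECTED_ACE = "access-list outside-in permit tcp 10.72.210.0 255.255.255.0 eq 5989 host 10.167.253.21"

FLOW_RE = re.compile(r"(\w+)/([\d.]+)\((\d+)\) -> (\w+)/([\d.]+)\((\d+)\)")

def parse_deny(line):
    """Pull protocol, source ip/port and destination ip/port out of an ASA ACL deny log line."""
    proto = line.split(" denied ")[1].split()[0]
    m = FLOW_RE.search(line)
    return {"proto": proto, "src": m.group(2), "sport": int(m.group(3)),
            "dst": m.group(5), "dport": int(m.group(6))}

def _take_addr(tokens):
    """Consume one address spec ('any', 'host A', or 'A MASK'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def _take_port(tokens):
    """Consume an optional 'eq N' that directly follows an address; None means any port."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens

def parse_ace(line):
    """Parse an ASA extended ACE; a port after the source address is a SOURCE port, after the destination a DESTINATION port."""
    tokens = line.split()
    if "line" in tokens:           # drop 'line N' from 'show access-list' output
        i = tokens.index("line")
        del tokens[i:i + 2]
    if "extended" in tokens:
        tokens.remove("extended")
    action_idx = tokens.index("permit") if "permit" in tokens else tokens.index("deny")
    action, proto = tokens[action_idx], tokens[action_idx + 1]
    src, rest = _take_addr(tokens[action_idx + 2:])
    sport, rest = _take_port(rest)
    dst, rest = _take_addr(rest)
    dport, rest = _take_port(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

def ace_matches(ace, flow):
    """True when the flow hits every field of the ACE."""
    return (ace["proto"] == flow["proto"]
            and ipaddress.ip_address(flow["src"]) in ace["src"]
            and ipaddress.ip_address(flow["dst"]) in ace["dst"]
            and ace["sport"] in (None, flow["sport"])
            and ace["dport"] in (None, flow["dport"]))
```

The parser deliberately covers only the syntax seen in this thread; object-groups, port ranges and other operators are not handled.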
