I have a host on the outside I want to access.
The problem is the ASA 5505 has somehow blocked traffic to this host.
I can find nothing in the shun list and there is no ACL rule stating that this specific host is blocked.
Where else can I check to see if it's blacklisted?
My home computer, which is not behind any firewall, can easily access this host.
The host is also blocked from accessing the webpage behind my ASA.
This website my home computer can also access without any problems.
If you generate the traffic from inside to outside, you don't need an ACL, and the ASA will know the return traffic and allow that.
So you have something else that blocks it. Can you ping that host from the firewall itself?
Can you give more info about the network so we can help you?
I have 1 webserver behind the ASA and a lot of client computers.
I have 2 Ubuntu computers outside, directly on the internet; they both run FTP servers.
I have my home computer that is not behind the ASA.
The clients on the inside want to access both Ubuntu FTP servers.
Ubuntu 1 works great, no problems whatsoever: traceroute, ping, ftp, http.
Ubuntu 2 gets a timeout on the FTP client and no response to ping, traceroute, http.
On my home computer I can access both Ubuntu servers perfectly fine.
When I log on to the Ubuntu computers and start Firefox to try and access the webserver behind the ASA:
Ubuntu 1 works fine and no problems at all.
Ubuntu 2 gets "server not responding".
Here is my show access-list
Please kindly share the ASA configuration, as well as the IP address of the client on the inside that you are using to access those 2 Ubuntu servers, and also the IP addresses of both servers.
Are you trying to access the server by IP address or by FQDN?
running configuration at
Trying to access the server by IP and DNS name.
Inside client IP is 192.168.1.34.
Banned host has 22.214.171.124.
The ASA outside IP is 126.96.36.199.
Non-blocked host has IP 188.8.131.52.
Also tried accessing the HTTP server that is behind the ASA, and that only works from 184.108.40.206; 220.127.116.11 gets ACL denied:
| Severity | Date | Time | Syslog ID | Source IP | Source Port | Destination IP | Destination Port | Description |
|---|---|---|---|---|---|---|---|---|
| 3 | Nov 12 2012 | 16:14:46 | 710003 | 18.104.22.168 | 35168 | 22.214.171.124 | 80 | TCP access denied by ACL from 126.96.36.199/35168 to inside:188.8.131.52/80 |
Your class map has been incorrectly configured.
You are matching any traffic and inspecting it against PPTP and FTP, which is incorrect.
You should only match it against the default protocols and ports.
To make it easy, just use the default inspection policy as follows:
no service-policy global-policy-vpn global
service-policy global_policy global
Bsldurssonfw# clear xlate
INFO: 528 xlates deleted
Still no go.
Packet tracer is successful,
but I still cannot access the host in question.
I did a packet trace from inside 192.168.1.34 TCP 80
to 184.108.40.206 TCP 80
and it was "allowed".
If packet tracer is successful, then it is not an issue on the ASA.
I would check the host itself.
Does it have dual NICs, or just the one NIC? Is the packet actually getting to it? And is it replying?
Are you able to ping the host from the ASA itself? Does the ASA have the correct ARP entry for that host?
The ASA is blocking it somehow.
I have remote control over the blocked host, and if I open up a browser on it and surf to the ASA IP while I'm logging the connection attempt, ASA logging is giving me this:
| Severity | Date | Time | Syslog ID | Source IP | Source Port | Destination IP | Destination Port | Description |
|---|---|---|---|---|---|---|---|---|
| 3 | Nov 13 2012 | 13:32:01 | 710003 | 220.127.116.11 | 35293 | 18.104.22.168 | 80 | TCP access denied by ACL from 22.214.171.124/35293 to inside:126.96.36.199/80 |
On a computer not behind the ASA there are no problems getting to 188.8.131.52,
but no clients behind the ASA can access it.
Not sure what you mean by correct ARP host.
Done this also and no go.
It is only this IP 184.108.40.206 that is blocked in the ASA.
Another host 220.127.116.11 can access the www page behind the ASA without any problems.
If packet tracer is successful from and to 18.104.22.168, then it is unlikely to be an issue with the ASA.
If you change the IP address of the host to a different address, does it work? What is the default gateway of that host?
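As an added example (not part of the thread above), a small parser for the ASA syslog ID 710003 messages quoted in the posts, run over constructed sample lines with RFC 5737 addresses; 710003 is logged when a connection is addressed to one of the ASA's own interface IPs and no management rule permits it, so grouping these denials by source and interface shows quickly which clients are hitting the firewall itself rather than a host behind it.

```python
import re
from collections import defaultdict

# Pattern for Cisco ASA syslog ID 710003:
# "%ASA-3-710003: TCP access denied by ACL from <src>/<sport> to <iface>:<dst>/<dport>"
DENIED_RE = re.compile(
    r"%ASA-(?P<sev>\d)-710003: (?P<proto>TCP|UDP) access denied by ACL from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<iface>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample syslog lines (RFC 5737 documentation addresses), not from the thread.
SAMPLE_LOG = """\
%ASA-3-710003: TCP access denied by ACL from 203.0.113.10/35168 to inside:192.0.2.1/80
%ASA-3-710003: TCP access denied by ACL from 203.0.113.10/35170 to inside:192.0.2.1/80
%ASA-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.11/44321 (203.0.113.11/44321) to inside:192.0.2.5/80 (192.0.2.1/80)
%ASA-3-710003: TCP access denied by ACL from 203.0.113.10/35171 to inside:192.0.2.1/80
%ASA-3-710003: UDP access denied by ACL from 203.0.113.12/5000 to outside:198.51.100.1/161
"""


def parse_710003(text):
    """Return one dict per 710003 line; lines with other message IDs are ignored."""
    events = []
    for line in text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            events.append(d)
    return events


def denied_to_box_summary(text):
    """Count denials per (source, interface, ASA interface IP, port).

    The destination in a 710003 message is the firewall's own interface address,
    so a high count here means a client is talking to the ASA, not through it."""
    counts = defaultdict(int)
    for e in parse_710003(text):
        counts[(e["src"], e["iface"], e["dst"], e["dport"])] += 1
    return dict(counts)


def repeated_offenders(text, threshold=3):
    """Sources with at least `threshold` to-the-box denials, sorted; a simple
    alerting rule or, as in the thread, a list of misdirected clients to check."""
    per_src = defaultdict(int)
    for e in parse_710003(text):
        per_src[e["src"]] += 1
    return sorted(s for s, n in per_src.items() if n >= threshold)
```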