I have a Cisco ASA 5525-X running version 9.5(3)9.
I encountered a kind of weird issue regarding access-lists.
From what I know, if you are coming from a higher security level going to a lower one, you don't need to explicitly put an access-list to allow access.
What happened to me is that my machines coming from the inside are denied by the implicit deny rule.
NAT is configured properly, every other config is fine.
Anyone of you experienced this?
If you can attach a packet-tracer output or syslogs, we can look into it.
For a start, an acl drop does not always mean "access-list". It could be due to a variety of reasons like connection timeout etc.
That's the result for packet-tracer: it's being dropped, and that's why I need to explicitly put an access-list like this one:
access-list inside_access extended permit ip object-group Inside-PC any
Do you already have an access-group configured? Can you attach the following outputs:
show run access-group inside_access
show run access-list inside_access
Ideally, you should not require an access-list for traffic going from high security to low security interface.
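To make the interaction between security levels and an applied access-group concrete, here is an added illustration (not code from the thread or from Cisco): a small Python model of how an ASA decides whether a flow entering one interface and leaving another is allowed. It parses the "access-list NAME extended permit|deny PROTO SRC DST" syntax quoted in this thread, applies the documented rules (no access-group on the ingress interface: implicit permit from higher to lower security level; an access-group applied with "access-group ... in interface": only explicit permits pass, everything else hits the implicit deny at the end of the list), and shows why an ACL that only permits icmp and tcp drops, for example, UDP from the same interface. Object-group membership, host addresses and security levels below are constructed assumptions; port matching, remarks and standard ACLs are out of scope for the model.

```python
"""Simplified model of Cisco ASA interface-ACL evaluation (added example, not Cisco code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = [ip_network("0.0.0.0/0")]


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip", "tcp", "udp" or "icmp"; "ip" matches every protocol
    src: list     # list of IPv4Network
    dst: list

    def matches(self, proto: str, src_ip: str, dst_ip: str) -> bool:
        s, d = ip_address(src_ip), ip_address(dst_ip)
        proto_ok = self.proto == "ip" or self.proto == proto
        return proto_ok and any(s in n for n in self.src) and any(d in n for n in self.dst)


def _parse_address(tokens, i, groups):
    """Consume one address spec at tokens[i]: any | host A.B.C.D | object-group NAME | A.B.C.D MASK."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return [ip_network(tokens[i + 1] + "/32")], i + 2
    if tok == "object-group":
        return groups[tokens[i + 1]], i + 2          # membership supplied by the caller
    return [ip_network(f"{tok}/{tokens[i + 1]}")], i + 2   # network + dotted mask


def parse_acl(lines, groups=None):
    """Parse extended ACEs into {acl_name: [Ace, ...]}, preserving line order (order matters)."""
    groups = groups or {}
    acls = {}
    for line in lines:
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue   # remarks, standard ACLs etc. are not modelled here
        name, action, proto = t[1], t[3], t[4]
        src, i = _parse_address(t, 5, groups)
        dst, _ = _parse_address(t, i, groups)   # trailing "eq 443", "log" etc. are ignored
        acls.setdefault(name, []).append(Ace(action, proto, src, dst))
    return acls


@dataclass
class Interface:
    name: str
    security_level: int
    access_group_in: Optional[list] = None   # ACEs bound with "access-group NAME in interface"


def evaluate(ingress: Interface, egress: Interface, proto: str, src_ip: str, dst_ip: str):
    """Return (verdict, reason) for a flow entering `ingress` and leaving `egress`."""
    if ingress.access_group_in is None:
        # No ACL bound: the security-level rule decides (same level needs
        # same-security-traffic permit inter-interface, treated as deny here).
        if ingress.security_level > egress.security_level:
            return "allow", "no access-group on ingress: implicit permit, higher to lower security level"
        return "drop", "no access-group on ingress: implicit deny, not higher to lower security level"
    # An access-group replaces the implicit permit: first matching ACE wins,
    # and anything that matches nothing hits the implicit deny at the end.
    for ace in ingress.access_group_in:
        if ace.matches(proto, src_ip, dst_ip):
            return ("allow" if ace.action == "permit" else "drop"), f"explicit {ace.action} {ace.proto} ACE"
    return "drop", "access-group on ingress: implicit deny at end of access-list"


# Constructed sample: the ACL lines quoted in this thread plus an assumed object-group.
SAMPLE_CONFIG = [
    "access-list inside_access extended permit ip object-group Inside-PC any",
    "access-list management_access_in extended permit icmp any any",
    "access-list management_access_in extended permit tcp any any",
]
GROUPS = {"Inside-PC": [ip_network("10.1.1.0/24")]}   # assumed membership


def demo():
    """Walk through the thread's two situations; returns the verdicts for inspection."""
    acls = parse_acl(SAMPLE_CONFIG, GROUPS)
    inside, outside = Interface("inside", 100), Interface("outside", 0)
    results = {}
    results["inside_no_acl"] = evaluate(inside, outside, "tcp", "10.1.1.5", "198.51.100.7")
    inside.access_group_in = acls["inside_access"]            # now the ACL, not the level, decides
    results["inside_acl_member"] = evaluate(inside, outside, "tcp", "10.1.1.5", "198.51.100.7")
    results["inside_acl_nonmember"] = evaluate(inside, outside, "tcp", "10.1.2.5", "198.51.100.7")
    mgmt = Interface("management", 100, acls["management_access_in"])
    results["mgmt_icmp"] = evaluate(mgmt, outside, "icmp", "172.20.40.10", "198.51.100.7")
    results["mgmt_udp"] = evaluate(mgmt, outside, "udp", "172.20.40.10", "198.51.100.7")
    for k, (verdict, reason) in results.items():
        print(f"{k:22s} {verdict:5s} {reason}")
    return results


if __name__ == "__main__":
    demo()
```

The point the model makes is the one the replies above hint at: once an access-group is bound to the ingress interface, "higher to lower is allowed by default" no longer applies, and a packet that matches no permit ACE is dropped by the implicit deny regardless of security levels. Reading "show run access-group" alongside packet-tracer tells you which of the two regimes the interface is in.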
I am also facing something similar.
I have an ASA 5545-X series firewall running version 9.8(2).
Even after configuring the interfaces into an access-group, the ACLs are not getting hit.
Seems like the device is following the default behavior.
Any advice?
I think I am missing something.
description Management interface connected to Port 3.
ip address 172.20.40.10 255.255.255.0 standby 172.20.40.11
access-group management_access_in in interface management
access-list management_access_in extended permit icmp any any
access-list management_access_in extended permit tcp any any