Beginner

Access denied by implicit rule

Hi,

 

I have a Cisco ASA 5525-X running version 9.5(3)9.

I encountered a kind of weird issue regarding access-list.

From what I know, if you are coming from a higher security level going to a lower one, you don't need to explicitly put an access-list in place to allow access.

What happened to me is that my machines coming from the inside are denied by the implicit deny rule.

NAT is configured properly, every other config is fine. 

Anyone of you experienced this?

6 REPLIES

Beginner

Please share your configuration.


here's my config

interface GigabitEthernet0/0.27
nameif outside
security-level 0
ip address 172.16.1.3 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.10 255.255.255.0
!
object network Inside-NAT
host 172.16.1.10
!
object-group network Inside-PC
network-object 10.100.1.0 255.255.255.0
!
nat (inside,outside) source dynamic Inside-PC Inside-NAT

It should work, right? The default behavior of the firewall is to allow a higher security level to a lower one,
even without explicitly having an access-list.
Rising star

Hello,

 

If you can attach a packet-tracer output or syslogs, we can look into it.

 

For a start, an acl drop does not always mean "access-list". It could be due to a variety of reasons like connection timeout etc.

 

HTH
AJ


[packet-tracer.JPG] That's the result for packet tracer; it's being dropped, that's why I need to explicitly put an access-list like this one:

access-list inside_access extended permit ip object-group Inside-PC any


Hello,

 

Do you already have an access-group configured? Can you attach the following outputs:

 

show run access-group inside_access

 

show run access-list inside_access

 

Ideally, you should not require an access-list for traffic going from high security to low security interface.

-

HTH

AJ


Hi,

 

I am also facing something similar.

I have an ASA 5545-X series firewall running version 9.8(2).

Even after configuring the interfaces into an access-group, the ACLs are not getting hit.

Seems like the device is following the default behavior.

 

Any advice ? 

I think I am missing something.

Config :

 

interface Management0/0
description Management interface connected to Port 3.
speed 100
duplex full
management-only
nameif management
security-level 90
ip address 172.20.40.10 255.255.255.0 standby 172.20.40.11

 

access-group management_access_in in interface management

 

access-list management_access_in extended permit icmp any any
access-list management_access_in extended permit tcp any any
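The outputs AJ asks for above (is an access-group bound, what is in the ACL, what does packet-tracer say) and the management-interface case in the last post both come down to one question: which rule decides the flow. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses the ACL-relevant part of an ASA configuration (interface blocks with nameif, security-level and management-only; access-list; access-group ... in interface) and reports, per interface pair, whether the high-to-low implicit permit still applies, whether a bound inbound ACL and its own implicit deny now govern instead, or whether management-only drops through-traffic before any of that matters. The config it parses is constructed from the two snippets posted in this thread (ip address lines omitted); the inside interface is deliberately left without an access-group so the original poster's expected case is visible.

```python
"""Which rule decides a through-the-box flow on a Cisco ASA: the implicit
high-to-low permit, an inbound ACL bound with access-group (and its implicit
deny), or management-only. Added example for this thread, not Cisco tooling."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the two configs posted in the thread stitched together
# (ip address lines omitted). The inside interface has no access-group yet.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0.27
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
interface Management0/0
 management-only
 nameif management
 security-level 90
!
access-list inside_access extended permit ip object-group Inside-PC any
access-list management_access_in extended permit icmp any any
access-list management_access_in extended permit tcp any any
access-group management_access_in in interface management
"""


@dataclass
class Interface:
    nameif: str
    level: int
    management_only: bool = False


@dataclass
class AsaConfig:
    interfaces: Dict[str, Interface]  # keyed by nameif
    acls: Dict[str, List[str]]        # ACL name -> its access-list lines
    inbound_acl: Dict[str, str]       # nameif -> ACL from "access-group <acl> in interface"


def parse_asa(text: str) -> AsaConfig:
    blocks: List[dict] = []
    acls: Dict[str, List[str]] = {}
    inbound: Dict[str, str] = {}
    cur: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {"nameif": None, "level": None, "mgmt": False}
            blocks.append(cur)
        elif cur is not None and line.startswith("nameif "):
            cur["nameif"] = line.split()[1]
        elif cur is not None and line.startswith("security-level "):
            cur["level"] = int(line.split()[1])
        elif cur is not None and line == "management-only":
            cur["mgmt"] = True
        elif line.startswith("access-list "):
            acls.setdefault(line.split()[1], []).append(line)
        elif line.startswith("access-group "):
            m = re.match(r"access-group (\S+) (in|out) interface (\S+)$", line)
            if m and m.group(2) == "in":
                inbound[m.group(3)] = m.group(1)
        elif line == "!":
            cur = None  # end of an interface block
    ifaces = {b["nameif"]: Interface(b["nameif"], b["level"], b["mgmt"])
              for b in blocks if b["nameif"] and b["level"] is not None}
    return AsaConfig(ifaces, acls, inbound)


def decide(cfg: AsaConfig, ingress: str, egress: str) -> str:
    """Rule that handles a new flow entering `ingress` and leaving `egress`.
    Security levels, management-only and ACL binding only; NAT, routing and
    the individual ACEs are not modelled."""
    src, dst = cfg.interfaces[ingress], cfg.interfaces[egress]
    if src.management_only or dst.management_only:
        return ("management-only: through-traffic is dropped regardless of levels or ACL; "
                "traffic to the ASA itself is not matched by the interface ACL, so it gives no hits")
    acl = cfg.inbound_acl.get(ingress)
    if acl is not None:
        permits = sum(1 for a in cfg.acls.get(acl, []) if " permit " in a)
        return (f"acl:{acl}: {permits} permit ACE(s); the high-to-low implicit permit no longer "
                "applies, anything matching no permit ACE hits the ACL's implicit deny (acl-drop)")
    if src.level > dst.level:
        return "implicit-permit: higher to lower security level, no ACL needed"
    if src.level < dst.level:
        return f"implicit-deny: lower to higher, needs an access-list bound 'in interface {ingress}'"
    return "same-security: dropped unless 'same-security-traffic permit inter-interface' is set"


if __name__ == "__main__":
    cfg = parse_asa(SAMPLE_CONFIG)
    print("\n".join(f"{a} -> {b}: {decide(cfg, a, b)}"
                    for a in cfg.interfaces for b in cfg.interfaces if a != b))
```

Two points it encodes are the ones the thread circles around. First, the implicit permit from a higher to a lower security level exists only while no inbound access-group is bound to the ingress interface; once one is bound, the ACL's implicit deny at its end decides everything the ACEs do not permit, which is what packet-tracer reports as acl-drop, and `packet-tracer input inside tcp <src-ip> <src-port> <dst-ip> <dst-port>` shows phase by phase whether the drop came from "Implicit Rule" or from a named ACL. Second, an interface ACL filters only traffic through the ASA; pings or SSH to the ASA's own management address are governed by the icmp/ssh/http commands (or an ACL applied with the control-plane keyword), so management_access_in never accumulates hits for them, and with management-only set the interface passes no through-traffic at all.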
