Access denied by implicit rule

ghermocilla
Level 1

Hi,

I have a Cisco ASA 5525-X running version 9.5(3)9.

I encountered a kind of weird issue regarding access-lists.

As far as I know, if you are coming from a higher security level going to a lower one, you don't need to explicitly put an access-list in place to allow access.

What happened to me is that my machines coming from the inside are denied by the implicit deny rule.

NAT is configured properly, and every other config is fine.

Has anyone of you experienced this?

6 Replies

Krash Mole
Level 1

Please share your configuration.

Here's my config:

interface GigabitEthernet0/0.27
nameif outside
security-level 0
ip address 172.16.1.3 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.10 255.255.255.0
!
object network Inside-NAT
host 172.16.1.10
!
object-group network Inside-PC
network-object 10.100.1.0 255.255.255.0
!
nat (inside,outside) source dynamic Inside-PC Inside-NAT

It should work, right? The default behavior of the firewall is to allow a higher security level to a lower one,
even without explicitly having an access-list.

Ajay Saini
Level 7

Hello,

If you can attach a packet-tracer output or syslogs, we can look into it.

For a start, an ACL drop does not always mean "access-list". It could be due to a variety of reasons like connection timeout etc.

HTH
AJ

(Attachment: packet-tracer.JPG) That's the result of packet-tracer; it's being dropped, which is why I need to explicitly put an access-list like this one:

access-list inside_access extended permit ip object-group Inside-PC any

Hello,

Do you already have an access-group configured? Can you attach the following outputs:

show run access-group inside_access

show run access-list inside_access

Ideally, you should not require an access-list for traffic going from a high security interface to a low security interface.

-

HTH

AJ

Hi,

I am also facing something similar.

I have an ASA 5545-X series firewall running version 9.8(2).

Even after configuring the interfaces into an access-group, the ACLs are not getting hit.

It seems like the device is following the default behavior.

Any advice?

I think I am missing something.

Config:

interface Management0/0
description Management interface connected to Port 3.
speed 100
duplex full
management-only
nameif management
security-level 90
ip address 172.20.40.10 255.255.255.0 standby 172.20.40.11

access-group management_access_in in interface management

access-list management_access_in extended permit icmp any any
access-list management_access_in extended permit tcp any any
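The two cases in this thread turn on the same ASA rule, and it is worth checking it mechanically before reaching for packet-tracer: the implicit higher-to-lower permit only applies to an interface that has no inbound access-group bound; once an ACL is bound inbound, security levels no longer matter and every flow either matches an explicit permit or hits the ACL's implicit deny (this is what Ajay's `show run access-group` question is probing). Separately, interface ACLs evaluate through-the-box traffic, while a `management-only` interface accepts only traffic addressed to the ASA itself, so an access-group bound to it never sees the through traffic it was written for. The script below is an added example, not code from the thread or from Cisco; it parses a config constructed from the two posted snippets (with assumed access-group bindings that the original poster never showed) and reports, for each ordered pair of interfaces, which of these rules decides the flow.

```python
"""Audit an ASA config: which interfaces rely on the implicit security-level
rule, which have an inbound ACL bound (so its implicit deny applies), and
which are management-only. Added example, not from the thread or Cisco."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample stitched from the two configs posted in the thread, plus
# an assumed "access-group inside_access in interface inside" binding.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0.27
 nameif outside
 security-level 0
 ip address 172.16.1.3 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0
!
interface Management0/0
 management-only
 nameif management
 security-level 90
 ip address 172.20.40.10 255.255.255.0 standby 172.20.40.11
!
access-list inside_access extended permit ip object-group Inside-PC any
access-list management_access_in extended permit icmp any any
access-list management_access_in extended permit tcp any any
access-group inside_access in interface inside
access-group management_access_in in interface management
"""


@dataclass
class Iface:
    name: str                          # physical or sub-interface name
    nameif: str = ""
    level: int = -1
    management_only: bool = False
    inbound_acl: Optional[str] = None  # bound with "access-group <acl> in"


def parse(config: str) -> Tuple[Dict[str, Iface], Dict[str, List[str]]]:
    """Return (interfaces keyed by nameif, ACL entries keyed by ACL name)."""
    by_phys: Dict[str, Iface] = {}
    acls: Dict[str, List[str]] = {}
    bindings: List[Tuple[str, str]] = []  # (nameif, acl name)
    cur: Optional[Iface] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            cur = None                    # "!" closes the interface block
            continue
        tok = line.split()
        if raw.startswith(" ") and cur is not None:  # interface sub-command
            if tok[0] == "nameif":
                cur.nameif = tok[1]
            elif tok[0] == "security-level":
                cur.level = int(tok[1])
            elif tok[0] == "management-only":
                cur.management_only = True
            continue
        cur = None
        if tok[0] == "interface":
            cur = by_phys.setdefault(tok[1], Iface(name=tok[1]))
        elif tok[0] == "access-list":
            acls.setdefault(tok[1], []).append(line)
        elif tok[0] == "access-group":
            m = re.fullmatch(r"access-group (\S+) in interface (\S+)", line)
            if m:
                bindings.append((m.group(2), m.group(1)))
    ifaces = {i.nameif: i for i in by_phys.values() if i.nameif}
    for nameif, acl in bindings:
        if nameif in ifaces:
            ifaces[nameif].inbound_acl = acl
    return ifaces, acls


def flow_verdict(ifaces: Dict[str, Iface], src: str, dst: str) -> str:
    """Which rule decides a flow entering `src` and leaving `dst`, before
    NAT and routing are even considered."""
    s, d = ifaces[src], ifaces[dst]
    if s.management_only:
        # Interface ACLs govern through traffic; a management-only interface
        # only accepts to-the-box traffic, so its access-group gets no hits.
        return "denied: management-only interface accepts only to-the-box traffic"
    if s.inbound_acl:
        # With an ACL bound inbound, security levels are irrelevant: explicit
        # permit or the ACL's implicit deny at the end.
        return f"acl:{s.inbound_acl}"
    if s.level > d.level:
        return "implicit-permit"          # higher -> lower, no ACL needed
    if s.level < d.level:
        return "implicit-deny"            # lower -> higher without an ACL
    return "same-security: needs 'same-security-traffic permit inter-interface'"


def report(config: str) -> List[str]:
    """One verdict line per ordered pair of named interfaces."""
    ifaces, _ = parse(config)
    return [f"{s:>10} -> {d:<10} {flow_verdict(ifaces, s, d)}"
            for s in ifaces for d in ifaces if s != d]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```

With the assumed binding in place, inside -> outside comes back as `acl:inside_access`, which is exactly the situation where the original poster needs an explicit permit; delete the `access-group inside_access in interface inside` line from the sample and the same flow becomes `implicit-permit`. On the box, the equivalent checks are `show run access-group` (is anything bound to inside at all?) and a constructed trace such as `packet-tracer input inside tcp 10.100.1.5 12345 172.16.1.100 80 detailed` (example addresses), whose ACCESS-LIST phase names the ACL that dropped the packet. For the management interface, no interface ACL will ever show hits for through traffic while `management-only` is set; if the intent is to filter traffic to the ASA itself, that is what the `control-plane` keyword on `access-group` is for.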
