Access denied by implicit rule
02-19-2018 05:29 AM - edited 02-21-2020 07:22 AM
Hi,
I have a Cisco ASA 5525-X running version 9.5(3)9.
I encountered a kind of weird issue regarding access-lists.
From what I know, if you are coming from a higher security level going to a lower one, you don't need to explicitly put an access-list to allow access.
What happened to me is that my machines coming from the inside are denied by the implicit deny rule.
NAT is configured properly; every other config is fine.
Has anyone of you experienced this?
02-19-2018 06:03 AM
Please share your configuration.
02-19-2018 10:54 PM
interface GigabitEthernet0/0.27
 nameif outside
 security-level 0
 ip address 172.16.1.3 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0
!
object network Inside-NAT
 host 172.16.1.10
!
object-group network Inside-PC
 network-object 10.100.1.0 255.255.255.0
!
nat (inside,outside) source dynamic Inside-PC Inside-NAT
It should work, right? The default behavior of the firewall is to allow a higher security level to a lower one,
even without explicitly having an access-list.
02-19-2018 09:25 PM
Hello,
If you can attach a packet-tracer output or syslogs, we can look into it.
For a start, an acl drop does not always mean "access-list". It could be due to a variety of reasons, like connection timeout etc.
HTH
AJ
02-19-2018 11:02 PM
That's the result for packet-tracer: it's being dropped. That's why I need to explicitly put an access-list like this one:
access-list inside_access extended permit ip object-group Inside-PC any
02-20-2018 12:06 AM
Hello,
Do you already have an access-group configured? Can you attach the following outputs:
show run access-group inside_access
show run access-list inside_access
Ideally, you should not require an access-list for traffic going from a high-security to a low-security interface.
HTH
AJ
02-26-2018 10:00 AM
Hi,
I am also facing something similar.
I have an ASA 5545-X series firewall running version 9.8(2).
Even after configuring the interfaces into an access-group, the ACLs are not getting hit.
It seems like the device is following the default behavior.
Any advice?
I think I am missing something.
Config:
interface Management0/0
 description Management interface connected to Port 3.
 speed 100
 duplex full
 management-only
 nameif management
 security-level 90
 ip address 172.20.40.10 255.255.255.0 standby 172.20.40.11
access-group management_access_in in interface management
access-list management_access_in extended permit icmp any any
access-list management_access_in extended permit tcp any any
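Added example, not code from either poster or from Cisco: a small Python check that reads the kind of configuration shown in this thread (the first poster's interfaces and ACL, the second poster's access-group) and reports, for a given ingress/egress pair, whether the ASA's security-level rule or a bound inbound ACL decides the traffic. Interface names, the object-group and the ACL name follow the posts above; the sample configuration itself is constructed.

```python
import re

# Constructed sample (assumed values, not the posters' full configs): the inside
# interface has an inbound ACL bound, so the implicit higher-to-lower permit is gone.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
interface GigabitEthernet0/0.27
 nameif outside
 security-level 0
!
access-list inside_access extended permit ip object-group Inside-PC any
access-group inside_access in interface inside
"""


def parse_asa(config: str) -> dict:
    """Collect nameif -> security-level, inbound ACL per nameif, and ACL entries."""
    levels, groups, acls, nameif = {}, {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                      # new interface block starts
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif:
            levels[nameif] = int(line.split()[1])
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            groups[m.group(2)] = m.group(1)    # inbound ACL bound to this nameif
        elif line.startswith("access-list "):
            acls.setdefault(line.split()[1], []).append(line)
    return {"levels": levels, "groups": groups, "acls": acls}


def ingress_policy(parsed: dict, src: str, dst: str) -> str:
    """What decides traffic entering `src` and leaving via `dst`.

    An inbound ACL bound to `src` replaces the security-level rule: only its
    explicit entries apply, followed by the ACL's implicit deny. Without one,
    higher-to-lower is permitted and lower-to-higher (or equal, absent
    'same-security-traffic permit') is denied.
    """
    acl = parsed["groups"].get(src)
    if acl:
        n = len(parsed["acls"].get(acl, []))
        return f"acl:{acl}:{n} explicit entries, then implicit deny"
    s, d = parsed["levels"][src], parsed["levels"][dst]
    return "implicit-permit" if s > d else "implicit-deny"


if __name__ == "__main__":
    p = parse_asa(SAMPLE_CONFIG)
    print(ingress_policy(p, "inside", "outside"))   # acl:inside_access:1 explicit entries, then implicit deny
    print(ingress_policy(p, "outside", "inside"))   # implicit-deny
```

Removing the access-group line from the sample makes the inside-to-outside result "implicit-permit" again, which is the behaviour the first poster expected.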
