10-07-2014 06:56 AM - edited 03-11-2019 09:52 PM
This is the syslog error message I get when I am trying to access a corporate server on port 1521 from my host machine:
Sep 26 18:41:26 10.0.5.4 local4:info Sep 26 2014 18:41:25: %ASA-6-106100: access-list inside-access-in denied tcp Inside/10.120.102.40(8089)
The 10.120.102.40 is a splunk server.
Sort of a newbie to ASA firewall.
Made the changes on the firewall in inside-access-in; checked the ACLs in my router too; keep getting the same error message even after the changes.
Suggestions, folks?
Thanks,
Arjun
10-07-2014 09:54 AM
Hi,
Is that the full log message? It seems kind of strange, or part of the information is missing.
Can you share with us the output of the following commands:
show run access-list inside-access-in
Or if you are using "object-group" in the ACL
show access-list inside-access-in
And also the following
show run access-group
- Jouni
03-23-2015 01:11 PM
I had a similar issue with a similar syntax.
access-list inside_access_in denied tcp inside/10.1.1.1(51479) -> internal/10.2.2.2(37782) hit-cnt 2 300-second interval [0xdfee5926, 0x842aed20]
It turned out the range allowed in the rule was not including all of the random high ports the server needed (Exchange). Original was 49152 to 65535 and we changed it to 1024 to 65535. I know this seems exaggerated, but Exchange is quite needy.
Seems like the random port was falling out of the range in the middle of the session and was not showing as a "normal" denied port.
Hope this helps somebody.
Cheers
V
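Both replies above boil down to the same triage step: read the %ASA-6-106100 line carefully, make sure the destination half is actually present, and compare the denied port against the range the ACL rule allows. The following Python script is an added example (not code from the original thread or from Cisco) that parses the two log lines quoted in this thread plus a constructed full-length version of the first one. The destination interface/address (Outside/10.0.0.10) and the hash codes in the constructed line are placeholders; the 49152-65535 and 1024-65535 ranges are the ones V mentions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Body of an ASA 106100 access-list log message. The "-> destination" and
# "hit-cnt" parts are optional so that a truncated line (like the one in the
# original question) still parses instead of being silently dropped.
ACL_LOG = re.compile(
    r"access-list\s+(?P<acl>\S+)\s+"
    r"(?P<action>permitted|denied|est-allowed)\s+"
    r"(?P<proto>\w+)\s+"
    r"(?P<src_if>[^/\s]+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\)"
    r"(?:\s+->\s+(?P<dst_if>[^/\s]+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\))?"
    r"(?:\s+hit-cnt\s+(?P<hits>\d+))?"
)

# Constructed sample input: the truncated line from the question, V's line,
# and a constructed complete version of the first line (destination and hash
# codes are placeholders, not values from the thread).
SAMPLE_LINES = [
    "Sep 26 18:41:26 10.0.5.4 local4:info Sep 26 2014 18:41:25: %ASA-6-106100: "
    "access-list inside-access-in denied tcp Inside/10.120.102.40(8089)",
    "access-list inside_access_in denied tcp inside/10.1.1.1(51479) -> "
    "internal/10.2.2.2(37782) hit-cnt 2 300-second interval [0xdfee5926, 0x842aed20]",
    "Sep 26 18:41:26 10.0.5.4 local4:info Sep 26 2014 18:41:25: %ASA-6-106100: "
    "access-list inside-access-in denied tcp Inside/10.120.102.40(8089) -> "
    "Outside/10.0.0.10(1521) hit-cnt 1 first hit [0x00000000, 0x00000000]",
]


@dataclass
class AclEvent:
    acl: str
    action: str
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: Optional[str]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    hits: Optional[int]
    complete: bool  # False when the "-> destination" half is missing


def parse_acl_event(line: str) -> Optional[AclEvent]:
    """Parse one syslog line; return None if it is not a 106100-style message."""
    m = ACL_LOG.search(line)
    if not m:
        return None
    g = m.groupdict()
    return AclEvent(
        acl=g["acl"], action=g["action"], proto=g["proto"],
        src_if=g["src_if"], src_ip=g["src_ip"], src_port=int(g["src_port"]),
        dst_if=g["dst_if"], dst_ip=g["dst_ip"],
        dst_port=int(g["dst_port"]) if g["dst_port"] else None,
        hits=int(g["hits"]) if g["hits"] else None,
        complete=g["dst_ip"] is not None,
    )


def port_outside_range(port: int, lo: int, hi: int) -> bool:
    """True when the port is not covered by an inclusive lo-hi rule range."""
    return not (lo <= port <= hi)


def triage(lines, allowed_lo: int, allowed_hi: int):
    """Classify denied events against the port range the ACL rule permits.

    Returns a list of (event, verdict) where verdict is one of:
      'truncated'        - destination half missing, ask for the full line
      'port-out-of-range'- denied destination port falls outside the rule range
      'port-in-range'    - port is inside the range, so look elsewhere
                           (wrong interface, object-group, access-group binding)
    """
    results = []
    for line in lines:
        ev = parse_acl_event(line)
        if ev is None or ev.action != "denied":
            continue
        if not ev.complete:
            verdict = "truncated"
        elif port_outside_range(ev.dst_port, allowed_lo, allowed_hi):
            verdict = "port-out-of-range"
        else:
            verdict = "port-in-range"
        results.append((ev, verdict))
    return results


if __name__ == "__main__":
    for ev, verdict in triage(SAMPLE_LINES, 49152, 65535):
        print(f"{ev.acl}: {ev.src_ip}:{ev.src_port} -> "
              f"{ev.dst_ip}:{ev.dst_port} [{verdict}]")
```

Running it with V's original 49152-65535 range flags the 37782 deny as out of range, while the same event against 1024-65535 is in range; the truncated line from the question is reported as such, which is exactly why Jouni asks whether the posted message is complete.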