Access rule deleted issue.

smetieh001
Level 1

Hi

I was creating a static NAT for a web server to allow ICMP, HTTP and HTTPS through the firewall on an ASA5520 and an existing firewall rule was deleted. Does anyone know why this happened? See the commands below.

name 203.x.x.x name1-ext
name 192.x.x.x name2-int
static (inside,outside) 203.x.x.x 192.x.x.x netmask 255.255.255.255
access-list outside_in extended permit icmp any host 203.x.x.x echo
access-list outside_in extended permit tcp any host 203.x.x.x eq http
access-list outside_in extended permit tcp any host 203.x.x.x eq https
access-group outside_in in interface outside

Some existing rules were deleted after the above command.

Your responses are highly appreciated

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

Since you aren't using any "no" form commands, the only situation I can think of is the following:

  • You already had an ACL on the "outside" interface but its NOT named "outside_in"
  • You configured the above ACL
  • You attached this new ACL to the "outside" interface and it removed the old ACL that was attached to the interface

So let's say you have the following.

You originally have

access-list OUTSIDE-IN permit ip any host x.x.x.x

access-group OUTSIDE-IN in interface outside

Now you are planning on adding rules to the firewall from "outside"

You instead enter

access-list OUTSIDE-in permit ip any host y.y.y.y

access-group OUTSIDE-in in interface outside

This would mean that the previous ACL "OUTSIDE-IN" and its rule would be removed from use and the new ACL "OUTSIDE-in" (with a different name) would be taken into use.

Though normally, when you create an ACL for an interface and attach it with the "access-group" command, there's no real reason to use the "access-group" command again in the future when adding simple ACL rules to an already existing ACL.

The commands you listed, however, don't delete any ACL rules otherwise. The only other option I can think of now would be that something went wrong with the NAT configuration.

Notice that if you use ASDM to configure Static NAT and insert that Static NAT between some rules the ASDM will actually tell the ASA to

Remove some Static NAT rules -> Insert new Static NAT rule -> Insert all the removed Static NAT rules back

This is because there are no line numbers in older software for NAT rules. They are gone through in the order they are configured, so this requires removing commands and inserting them again to change their order.

Hopefully the above was of some help

- Jouni

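A pre-change check for the situation Jouni describes, added here as an example and not taken from the thread or from Cisco: it parses the access-group bindings in an existing config and flags any proposed access-group line that would displace a different ACL on the same interface and direction, including names that differ only in case. The config snippets are constructed; the one assumption is the behaviour the answer states, that an ASA interface and direction hold a single ACL binding.

```python
import re

# Constructed sample of an existing ASA running-config excerpt (not the thread's device).
EXISTING_CONFIG = """
access-list OUTSIDE-IN extended permit ip any host 203.0.113.10
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.11 eq smtp
access-group OUTSIDE-IN in interface outside
access-group INSIDE-OUT in interface inside
"""

# Constructed change set modelled on the thread: the new ACL name differs only in case.
PROPOSED_CHANGE = """
access-list OUTSIDE-in extended permit tcp any host 203.0.113.12 eq https
access-group OUTSIDE-in in interface outside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(.*)$")
AG_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")


def parse(config):
    """Return ({acl_name: [ace, ...]}, {(interface, direction): acl_name})."""
    acls, bindings = {}, {}
    for line in config.strip().splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := AG_RE.match(line):
            name, direction, iface = m.groups()
            bindings[(iface, direction)] = name  # assumption: one ACL per interface/direction
    return acls, bindings


def check_change(existing, proposed):
    """List the access-group lines in `proposed` that would replace an existing binding."""
    old_acls, old_bind = parse(existing)
    _, new_bind = parse(proposed)
    findings = []
    for key, new_name in new_bind.items():
        old_name = old_bind.get(key)
        if old_name is None or old_name == new_name:
            continue  # fresh binding, or re-applying the same ACL: nothing is displaced
        findings.append({
            "interface": key[0], "direction": key[1],
            "replaced": old_name, "replacement": new_name,
            "case_only": old_name.lower() == new_name.lower(),
            "lost_aces": len(old_acls.get(old_name, [])),  # rules that stop being enforced
        })
    return findings


if __name__ == "__main__":
    for finding in check_change(EXISTING_CONFIG, PROPOSED_CHANGE):
        print(finding)
```

Run it against the real running-config and the planned change set before pasting commands; a finding with "case_only" set is exactly the OUTSIDE-IN versus OUTSIDE-in mix-up described above.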

2 Replies


Hi Jouni,

Thanks, your response was really helpful.

- SM
