ACL Issue on 5512-X

petenixon
Level 3

Hi guys,

I got a problem accessing a 5512-X via ASDM as the return traffic is being dropped on the firewall but I can't work out why.

I have a global permit enabled on the ASA, as well as permits in/out on the interface, but the packet-tracer shows the traffic dropped due to an implicit rule. Can someone take a look at the below and see if they can spot what I can't?

Config:

int gi0/1.216
vlan 216
nameif inside-mgmt
security-level 100
ip address 10.44.163.164 255.255.255.248

route inside-mgmt 0 0 10.44.163.166

same-security-traffic permit intra-interface
same-security-traffic permit inter-interface

access-list TEMP-RULE extended permit ip any any

access-group TEMP-RULE in interface inside-mgmt
access-group TEMP-RULE out interface inside-mgmt
access-group TEMP-RULE global

Output from packet-tracer:

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffa2625340, priority=500, domain=permit, deny=true
        hits=18, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=10.44.163.164, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside-mgmt, output_ifc=any

Suggestions are always welcome!

Cheers,

Pete.

1 Reply

Vibhor Amrodia
Cisco Employee

Hi,

When you are trying to access the ASDM on the ASA device, it will never be blocked by the interface ACL but only by the control-plane ACL.

Can you post this configuration from the ASA device:

show run http  >> You would need to add your client IP here using the "http ..." command

show run asdm

Thanks and Regards,

Vibhor Amrodia
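To make the point in the reply concrete, here is an added helper (not from the thread or from Cisco) that parses "show run http" output and checks whether a given ASDM client on a given interface is actually covered by an "http" line; the sample config and the client addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of "show run http" output, loosely modelled on the
# inside-mgmt interface in the thread (not the poster's real config).
SAMPLE_SHOW_RUN_HTTP = """\
http server enable
http 10.44.163.160 255.255.255.248 inside-mgmt
http 192.0.2.10 255.255.255.255 outside
"""

# "http <address> <mask> <interface-name>"
HTTP_LINE = re.compile(r"^http\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_http_acl(config_text):
    """Return (server_enabled, [(network, interface), ...]) from 'show run http'."""
    enabled = False
    entries = []
    for line in config_text.splitlines():
        line = line.strip()
        if line == "http server enable":
            enabled = True
            continue
        m = HTTP_LINE.match(line)
        if m:
            ip, mask, ifc = m.groups()
            # ASA writes dotted masks; ip_network accepts "addr/mask" with strict=False
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            entries.append((net, ifc))
    return enabled, entries


def asdm_client_permitted(config_text, client_ip, interface):
    """True only if the HTTP server is enabled and an 'http' entry covers
    client_ip on exactly that interface; interface ACLs play no part here."""
    enabled, entries = parse_http_acl(config_text)
    if not enabled:
        return False
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net and ifc == interface for net, ifc in entries)


if __name__ == "__main__":
    print(asdm_client_permitted(SAMPLE_SHOW_RUN_HTTP, "10.44.163.162", "inside-mgmt"))
    print(asdm_client_permitted(SAMPLE_SHOW_RUN_HTTP, "10.44.170.5", "inside-mgmt"))
```

A client that is in the right subnet but arriving on a different interface, or a config without "http server enable", is reported as not permitted, which matches why an interface ACL permit alone does not make ASDM reachable.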
