12-09-2008 12:42 PM - edited 03-11-2019 07:23 AM
I have an FWSM that is denying traffic when there are explicit permits in the access-list that is applied to the interface. I have included the relevant config and log information. Does anyone have any ideas?
access-group police in interface police
interface police
ip address police 192.168.253.1 255.255.255.0 standby 192.168.253.2
access-list police remark ***Access to VPN
access-list police extended permit ip any any
access-list police extended permit udp any any
access-list police extended permit esp any any
access-list police extended permit tcp any any
static (inside,police) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (police,inside) policenet policenet netmask 255.255.255.0
name 192.168.253.3 police1
name 192.168.253.4 police2
name 192.168.253.5 police3
name 192.168.253.0 policenet
name x.x.x.x policevpn
name x.x.x.x policevpn2
Dec 09 2008 15:26:29: %FWSM-3-106010: Deny inbound udp src police:police1/1040 dst inside:policevpn2/5008
Dec 09 2008 15:26:30: %FWSM-3-106010: Deny inbound udp src police:police1/1040 dst inside:policevpn/5008
Dec 09 2008 15:26:37: %FWSM-3-106010: Deny inbound udp src police:police1/1040 dst inside:policevpn/5008
Dec 09 2008 15:26:45: %FWSM-3-106010: Deny inbound udp src police:police1/1040 dst inside:policevpn2/5008
Dec 09 2008 15:26:45: %FWSM-3-106010: Deny inbound udp src police:police1/1040 dst inside:policevpn2/5008
10-01-2009 04:34 PM
Same thing here on an FWSM running version 4.0(6)
! START
!
interface Vlan400
nameif app-tier
security-level 90
ip address 192.168.50.1 255.255.255.0
!
interface Vlan800
nameif database-tier
security-level 95
ip address 192.168.100.1 255.255.255.0
!
access-list app-tier_acl extended permit icmp any any
access-list app-tier_acl extended permit ip 192.168.50.0 255.255.255.0 192.168.100.0 255.255.255.0 any
access-list app-tier_acl extended deny ip 192.168.50.0 255.255.255.0 any
!
access-group app-tier_acl in interface app-tier
!
static (app-tier,database-tier) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
!
! END
%FWSM-3-106010: Deny inbound tcp src app-tier:192.168.50.23/3430 dst database-tier:192.168.100.4
10-01-2009 04:48 PM
Interesting. I was able to fix this by disabling NAT Control. However, with the static rule in place, that should not have been necessary.
05-24-2012 02:20 AM
Hi,
Identity static nat would resolve it.
Thanks
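As an added troubleshooting example (not from this thread, Cisco, or any FWSM tool), a small Python checker that evaluates a %FWSM-3-106010 deny line against the posted access-list with the FWSM's first-match-then-implicit-deny semantics. A "permit" verdict means the ACL is not what dropped the packet, so the translation (nat-control, the static rules) is the next thing to check, which is what the replies above found. The name table and the VPN peer address are constructed placeholders, and the parser understands only the "any", "host" and "address mask" forms seen in the posted ACLs.

```python
import ipaddress
import re

# Constructed inputs modelled on the thread's first post; the VPN peer is a
# documentation-range placeholder standing in for the poster's x.x.x.x address.
NAMES = {"police1": "192.168.253.3", "policevpn2": "203.0.113.20"}
POLICE_ACL = [
    "access-list police remark ***Access to VPN",
    "access-list police extended permit ip any any",
    "access-list police extended permit udp any any",
]
DENY_RE = re.compile(r"%FWSM-3-106010: Deny inbound (\w+) src [\w-]+:([\w.-]+)/\d+"
                     r" dst [\w-]+:([\w.-]+)")

def parse_deny(line):
    """Return (proto, src, dst) from a %FWSM-3-106010 line, resolving 'name' aliases."""
    m = DENY_RE.search(line)
    if not m:
        return None
    proto, src, dst = m.groups()
    return proto, ipaddress.ip_address(NAMES.get(src, src)), ipaddress.ip_address(NAMES.get(dst, dst))

def _take_addr(t, i):
    # An ACE address spec is 'any', 'host A.B.C.D', or 'A.B.C.D MASK'.
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_ace(line):
    t = line.split()
    if "extended" not in t:  # remark lines carry no ACE
        return None
    i = t.index("extended") + 1
    action, proto = t[i], t[i + 1]
    src, i = _take_addr(t, i + 2)
    dst, _ = _take_addr(t, i)
    return action, proto, src, dst

def acl_verdict(acl, log_line):
    """First match wins, then implicit deny, as on the FWSM; 'permit' means look at NAT next."""
    flow = parse_deny(log_line)
    if flow is None:
        return None
    proto, src, dst = flow
    for action, ace_proto, ace_src, ace_dst in filter(None, map(parse_ace, acl)):
        if ace_proto in ("ip", proto) and src in ace_src and dst in ace_dst:
            return action
    return "implicit-deny"
```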