It still seems to me that the above mentioned ACL is blocking these connections.
There is first an ACL check at the Phase 3 which to my understanding might now be the Global ACL.
Then we see the ACL check again at Phase 6 and I think this is the above mentioned ACL that is attached to the "Internal" interface in the "out" direction. So it would basically check connections that are formed towards the networks behind "Internal".
The reason why it is hitting some Implicit Deny rule is because the above ACL only has a single configured "deny" rule which this traffic doesnt match. Therefore it matches the Implicit Deny in the end of that ACL.
It seems to me (as you have stated already) that you have 2 external interfaces. The old one and the new one.
What I also noticed is that you have a single ACL and you have attached it to both of these interfaces.
Here are the commands which tell that the same ACL has been attached to 2 different interfaces
access-group External_access_in in interface old_External
access-group External_access_in in interface External
So basically if you make any changes to the ACL it applies to both of these interfaces.
If you want to keep them totally separate, you can for example copy/paste the current ACL configuration to Notepad for example or some other text editor. Then you can change the ACL name to something else and use this to make a separate ACL for the other external interface.
If there are some problems with the connections getting through, I would suggest using the "packet-tracer" command on the CLI to test that traffic and sharing the output with us here on CSC.
For example
packet-tracer input External tcp
This should tell us if there is some problems with the ASA configuration that might block the connections.
Result: input-interface: External input-status: up input-line-status: up output-interface: Internal output-status: up output-line-status: up Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule
Seems to me that the above "packet-tracer" is matching to a destination IP address that is used in a Static NAT configuration.
I can't find this configuration in the one you originally attached to the post above.
You are most likely lacking an ACL rule so you should probably add the following rule (if you changed any ACL name then use that instead in the example below)
access-list External_access_in permit tcp any object SophosServer eq 443
Naturally allow any other services you might need or limit the source addresses allowed instead of the "any" if needed.
Took it out did not help. It apprears the the implicit rules for Ipv4 to allow outbound access to any less secure are missing from all interfaces but exist as ipv6 rules for all interfaces. There is a global implicit any to any deny rule
It still seems to me that the above mentioned ACL is blocking these connections.
There is first an ACL check at the Phase 3 which to my understanding might now be the Global ACL.
Then we see the ACL check again at Phase 6 and I think this is the above mentioned ACL that is attached to the "Internal" interface in the "out" direction. So it would basically check connections that are formed towards the networks behind "Internal".
The reason why it is hitting some Implicit Deny rule is because the above ACL only has a single configured "deny" rule which this traffic doesnt match. Therefore it matches the Implicit Deny in the end of that ACL.
- Jouni
Learn, share, save
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
