07-20-2010 08:33 PM - edited 03-11-2019 11:14 AM
07-20-2010 08:49 PM
Hello,
Please try the config below:
object service Web
service tcp source eq www
object service SecureWeb
service tcp source eq https
object service SMTP
service tcp source eq smtp
object network out_1
host 1.1.1.1
object network in_1
host 192.168.11.2
object network in_2
host 192.168.11.5
nat (inside,outside) source static in_1 interface service Web Web
nat (inside,outside) source static in_1 interface service SecureWeb SecureWeb
nat (inside,outside) source static in_2 interface service SMTP SMTP
access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 443
access-list outside_access_in permit tcp any interface outside eq 25
Hope this helps.
Regards,
NT
07-21-2010 12:02 AM
Will traffic from the DMZ be PAT'ed to the outside interface as well? If so, you will need a corresponding NAT statement for this:
object network obj_10.0.0.0
subnet 10.0.0.0 255.255.255.0
nat (dmz,outside) dynamic interface
The above will allow all traffic from 10.0.0.0/24 behind the DMZ interface to be PAT'ed to the outside interface IP address (1.1.1.1) when making an outbound connection.
Hope this helps.
07-22-2010 10:36 AM
Thanks! I'm going to test this now. How do I allow a range of IPs to hit our firewall for PCI testing? A security company we use needs to be able to hit the firewall to test. In our Watchguard this was called an exception list.
07-22-2010 10:42 AM
Hello,
You can add entries to the outside access-list.
Access-list outside_access_in permit ip host any
Hope this helps.
Regards,
NT
07-22-2010 10:45 AM
Which internal hosts will the security company need to access, and on which ports? If it needs to access the internal host 192.168.11.2 on ports 80, 443 and host 192.168.11.5 on port 25, then the following commands provided by the previous poster should allow this:
nat (inside,outside) source static in_1 interface service Web Web
nat (inside,outside) source static in_1 interface service SecureWeb SecureWeb
nat (inside,outside) source static in_2 interface service SMTP SMTP
access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 443
access-list outside_access_in permit tcp any interface outside eq 25
access-group outside_access_in in interface outside
07-22-2010 11:01 AM
They actually test against the firewall. So I'm assuming they just need icmp on the outside interface turned on.
07-22-2010 11:46 AM
message removed
07-22-2010 11:52 AM
Can you try removing this line?
nat (inside,outside) source dynamic any interface
I think this NAT rule is taking precedence instead of the static PATs you've configured. You can then configure dynamic PAT for inside hosts going out as follows:
object network obj_192.168.11.0
subnet 192.168.11.0 255.255.255.0
nat (inside,outside) dynamic interface
Issue "clear local-host" and try testing again.
07-22-2010 11:59 AM
Still does not work. This is what shows in the logs.
Can you call or email me off the boards
4 | Jul 22 2010 | 19:01:10 | 106023 | 208.85.196.73 | 2233 | 192.168.11.2 | 443 | Deny tcp src outside:1.1.1.1./2233 dst inside:192.168.11.2/443 by access-group "outside_access_in" [0x0, 0x0] |
07-22-2010 11:59 AM
Also, 8.3 uses the real IP address in the ACLs, so please try changing the ACL as follows. Sorry I missed it earlier:
no access-list outside_access_in extended permit tcp any interface outside eq www
no access-list outside_access_in extended permit tcp any interface outside eq https
no access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any host 192.168.11.2 eq www
access-list outside_access_in extended permit tcp any host 192.168.11.2 eq https
access-list outside_access_in extended permit tcp any host 192.168.11.5 eq smtp
access-group outside_access_in in interface outside
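The two problems raised in this thread (a catch-all dynamic NAT rule placed ahead of the static PATs, and ACL entries written against the mapped interface address instead of the real 8.3 address) can both be caught with a small offline lint before the config is pushed. The script below is an added example, not code from this thread or from Cisco; it models only the ordering behaviour stated here (section 1 manual NAT in configuration order, first match wins; object NAT evaluated after it) and the 8.3 rule that access lists reference real IP addresses. The sample config is constructed from the lines posted above, with the broad `source dynamic any interface` rule placed first so the shadowing is visible.

```python
"""Added example: lint an ASA 8.3-style NAT/ACL snippet for the two issues
discussed in the thread. Not Cisco code; the ordering model is an assumption
restricted to what the thread states (manual NAT in config order, then
object NAT), and the sample config is constructed from the posted lines."""
import re
from dataclasses import dataclass
from typing import List, Dict

# Constructed sample: the broad dynamic rule the replier asked to remove is
# listed before the static PATs, and one ACL line still uses the pre-8.3
# "interface outside" destination.
SAMPLE_CONFIG = """
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static in_1 interface service Web Web
nat (inside,outside) source static in_1 interface service SecureWeb SecureWeb
nat (inside,outside) source static in_2 interface service SMTP SMTP
object network obj_192.168.11.0
 subnet 192.168.11.0 255.255.255.0
 nat (inside,outside) dynamic interface
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any host 192.168.11.5 eq smtp
access-group outside_access_in in interface outside
"""

@dataclass
class NatRule:
    section: int    # 1 = manual (twice) NAT, 2 = object NAT, 3 = manual after-auto
    order: int      # line position, used to keep config order within a section
    ifaces: str     # e.g. "inside,outside"
    kind: str       # "static" or "dynamic"
    real_src: str   # object name, or "any"
    text: str

MANUAL = re.compile(r"^nat \((\w+,\w+)\) source (static|dynamic) (\S+) \S+(.*)$")
OBJECT = re.compile(r"^nat \((\w+,\w+)\) (static|dynamic) \S+")

def parse_nat_rules(config: str) -> List[NatRule]:
    """Collect NAT rules and assign each to its evaluation section."""
    rules, current_object = [], None
    for order, raw in enumerate(config.splitlines()):
        line = raw.strip()
        if line.startswith("object network "):
            current_object = line.split()[2]
            continue
        m = MANUAL.match(line)
        if m and not raw.startswith(" "):
            section = 3 if "after-auto" in m.group(4) else 1
            rules.append(NatRule(section, order, m.group(1), m.group(2), m.group(3), line))
            continue
        m = OBJECT.match(line)
        if m and raw.startswith(" ") and current_object:
            rules.append(NatRule(2, order, m.group(1), m.group(2), current_object, line))
    return rules

def ordered_nat(rules: List[NatRule]) -> List[NatRule]:
    """Evaluation order: by section, then by configuration order."""
    return sorted(rules, key=lambda r: (r.section, r.order))

def shadowed_static_rules(rules: List[NatRule]) -> List[NatRule]:
    """Static rules that sit behind an earlier catch-all dynamic rule on the
    same interface pair, so first-match evaluation never reaches them."""
    catch_all: Dict[str, bool] = {}
    findings = []
    for r in ordered_nat(rules):
        if r.kind == "dynamic" and r.real_src == "any":
            catch_all[r.ifaces] = True
        elif r.kind == "static" and catch_all.get(r.ifaces):
            findings.append(r)
    return findings

def mapped_ip_acl_entries(config: str) -> List[str]:
    """ACL entries whose destination is 'interface <if>' on the very interface
    the ACL is applied inbound to: in 8.3 the real host address belongs there."""
    applied: Dict[str, str] = {}
    for line in config.splitlines():
        m = re.match(r"access-group (\S+) in interface (\w+)", line.strip())
        if m:
            applied[m.group(1)] = m.group(2)
    findings = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        name, i = tok[1], 2
        if tok[i] == "extended":
            i += 1
        if tok[i] not in ("permit", "deny"):
            continue
        i += 2                                        # skip action and protocol
        i += 1 if tok[i] in ("any", "any4", "any6") else 2   # skip source spec
        if i + 1 < len(tok) and tok[i] == "interface" and applied.get(name) == tok[i + 1]:
            findings.append(line.strip())
    return findings

if __name__ == "__main__":
    nat = parse_nat_rules(SAMPLE_CONFIG)
    for r in ordered_nat(nat):
        print(f"section {r.section}: {r.text}")
    for r in shadowed_static_rules(nat):
        print("shadowed by catch-all dynamic rule:", r.text)
    for line in mapped_ip_acl_entries(SAMPLE_CONFIG):
        print("ACL uses mapped interface address, expected real IP:", line)
```

Running it on the sample lists the three static PATs as shadowed and flags the `interface outside` ACL entry; after removing the catch-all line and rewriting the ACL against `host 192.168.11.2`, both checks come back empty, which is the state the last two replies describe.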