ASA 5506 Access List Problem

Tom101, Level 1

Hello Cisco Community,

I am trying to allow port 80 through an ASA 5506 firewall from my DMZ to an INTERNAL zone for an HTTP server. I am having a problem with the access list, and have encountered a strange problem.

The IP address of my HTTP server is 192.168.2.1. When I use the access list command:

access-list WEB-INSIDE extended permit tcp host 192.168.2.1 any gt www

It works fine; however, when I use the command equal to www:

access-list WEB-INSIDE extended permit tcp host 192.168.2.1 any eq www

It drops the HTTP packets and doesn't allow them through the firewall. Does anyone know why?

I'm applying the access list to the DMZ 'in' interface.

access-group WEB-INSIDE in interface DMZ

I have attached two packet tracer files to demonstrate a working and non-working configuration. I may be doing something wrong. Thank you.   

19 Replies

Hi Rob, thank you for your reply.

From what you're describing it sounds like I have it set up correctly. (I think). 

I have added the access list to the DMZ in interface with this command:

access-group WEB-INSIDE in interface DMZ

and I'm using the 'eq www' in the access list:

access-list WEB-INSIDE extended permit tcp host 192.168.2.1 any eq www

@Tom101 are you actually trying to allow traffic from the INSIDE network to the HTTP server (192.168.2.1) on port tcp/80 in the DMZ? If so, remove the access-group from the DMZ - "no access-group WEB-INSIDE in interface DMZ"

Your question reads the other way around (traffic initiated from DMZ to INSIDE) and your ACL implies communication is initiated from DMZ to INSIDE.

Oh, I see, ok thank you Rob. I'm trying to allow my PC from the INSIDE network to access the HTTP website on the server in the DMZ.

@Tom101 then your ACL is incorrect, you don't need to apply the ACL to the DMZ interface. Remove it.

no access-group WEB-INSIDE in interface DMZ
no access-list WEB-INSIDE extended permit tcp host 192.168.2.1 any eq www

Traffic will be permitted from INSIDE to DMZ as default as the INSIDE interface has a higher security-level than the DMZ interface.

Hi Rob, am I right in saying that the default security-level rule will only work when there is no other access list bound to an interface? So if I was to extend the network and add additional access list rules, would that stop working? What access-list rule would I need if that was the case?

Also, I deleted the access-group and access-list and I still cannot get it to work. The ICMP ping will reach the HTTP web server, but the firewall will not allow it back into the inside network. 
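The thread turns on how the port operator in an ASA extended ACE is read: in `permit tcp host 192.168.2.1 any eq www` the `eq www` applies to the destination port, so the ACE only matches packets sent by the server to port 80, never the server's replies to the PC's ephemeral port. The model below is an added example written for this page, not code from the thread or from Cisco: it parses the two ACEs quoted above into a source/destination/port match and evaluates them against constructed packets. The PC address 192.168.1.10, its source port 51234 and the ACL name INSIDE-IN are assumptions for the demo. On a real ASA the reply packet is permitted by the connection table without consulting the DMZ ACL at all; the model only shows which ACE text matches which packet, which is what decides behaviour once an inbound ACL on INSIDE replaces the security-level default.

```python
"""Model of ASA extended-ACE matching (added example; assumes constructed addresses)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Only the service names this demo needs; the ASA knows many more.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[Tuple]
    dst: ipaddress.IPv4Network
    dport: Optional[Tuple]


def port_value(token: str) -> int:
    return PORT_NAMES.get(token) or int(token)


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'NET MASK' at tokens[i] (object names are not modelled)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def _parse_port(tokens, i):
    """Consume an optional eq/gt/lt/neq/range operator at tokens[i]."""
    if i >= len(tokens):
        return None, i
    op = tokens[i]
    if op == "range":
        return ("range", port_value(tokens[i + 1]), port_value(tokens[i + 2])), i + 3
    if op in ("eq", "gt", "lt", "neq"):
        return (op, port_value(tokens[i + 1])), i + 2
    return None, i


def _port_ok(spec, port: int) -> bool:
    if spec is None:
        return True
    op = spec[0]
    if op == "eq":
        return port == spec[1]
    if op == "neq":
        return port != spec[1]
    if op == "gt":
        return port > spec[1]
    if op == "lt":
        return port < spec[1]
    return spec[1] <= port <= spec[2]


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended permit|deny PROTO SRC [op port] DST [op port]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError("only extended ACEs are modelled: " + line)
    action, proto = t[3], t[4]
    src, i = _parse_addr(t, 5)
    sport, i = _parse_port(t, i)   # operator here would be a SOURCE port match
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)   # 'eq www' in the thread lands here: DESTINATION port
    return Ace(action, proto, src, sport, dst, dport)


def matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in (pkt.proto, "ip")
            and ipaddress.ip_address(pkt.src) in ace.src
            and ipaddress.ip_address(pkt.dst) in ace.dst
            and _port_ok(ace.sport, pkt.sport)
            and _port_ok(ace.dport, pkt.dport))


def evaluate(acl: List[str], pkt: Packet) -> str:
    """First match wins; an ACL bound to an interface ends in an implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace.action
    return "deny"


# Constructed packets: the PC's request and the server's reply to it.
REQUEST = Packet("192.168.1.10", 51234, "192.168.2.1", 80)
REPLY = Packet("192.168.2.1", 80, "192.168.1.10", 51234)

EQ_ACL = ["access-list WEB-INSIDE extended permit tcp host 192.168.2.1 any eq www"]
GT_ACL = ["access-list WEB-INSIDE extended permit tcp host 192.168.2.1 any gt www"]
# Assumed ACL for the INSIDE interface: restricts inside hosts to HTTP on the server.
INSIDE_ACL = ["access-list INSIDE-IN extended permit tcp any host 192.168.2.1 eq www"]


def demo() -> dict:
    return {
        "reply_vs_eq": evaluate(EQ_ACL, REPLY),        # deny: dport 51234 is not 80
        "reply_vs_gt": evaluate(GT_ACL, REPLY),        # permit: 51234 > 80
        "request_vs_eq": evaluate(EQ_ACL, REQUEST),    # deny: source is the PC, not the server
        "request_vs_inside": evaluate(INSIDE_ACL, REQUEST),  # permit: PC -> server:80
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `gt www` line "works" in the model only because the server's reply happens to carry a destination port above 80; it would equally permit the server to open connections to any inside host on any port above 80, which is the opposite of what a DMZ ACL is for. The INSIDE-IN line shows the shape of an ACE that matches the PC's request when an inbound ACL on INSIDE is eventually needed; the reply to it is handled by the ASA's connection state, not by a second ACE.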
