cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4899
Views
0
Helpful
22
Replies

ASA 5510 - Cisco 2811 Router

Hi all, I really could use some assistence in regards to a ASA 5510 and a 2811 Router. I have working internet, but Access lists are killing me, I am just not quite able to wrap my head around them. First off let me say what I want to do. I want the ASA to act as a firewall. No routing done on it, well no routing past the one to get traffic to the router.

I want the 2811 to do the routing for the internal network, that is until I wrap my head around everything, then I might do some routing with the ASA to add a DMZ or et cetera.

So, with that said, what changes do I have to make to the ASA to set a static rout for all inc traffic to the router and secondly, how does ACL's work between the ASA and the router.

For example, if the ASA was setup correctly with a static route, how would I pass SSH through the ASA to be able to SSH to the router?

How would I allow traffic to hit an internal Webserver on a 192.168.1.5 address?

Here are my configs.

ASA:

ASA5510# sh running-config

: Saved

:

ASA Version 9.1(4)

!

hostname ASA5510

domain-name maladomini.int

enable password <redacted> encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd <redacted>

names

dns-guard

!

interface Ethernet0/0

description LAN Interface

nameif Inside

security-level 100

ip address 10.10.1.1 255.255.255.252

!

interface Ethernet0/1

description WAN Interface

nameif Outside

security-level 0

ip address 199.199.199.123 255.255.255.240

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

shutdown

nameif management

security-level 0

no ip address

!

boot system disk0:/asa914-k8.bin

ftp mode passive

dns domain-lookup Outside

dns server-group DefaultDNS

name-server 199.195.168.4

name-server 205.171.2.65

name-server 205.171.3.65

domain-name maladomini.int

object-group network PAT-SOURCE

network-object 10.10.1.0 255.255.255.252

object-group network DM_INLINE_NETWORK_1

network-object host <redacted>

network-object host <redacted>

access-list USERS standard permit 10.10.1.0 255.255.255.0

access-list Outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 interface Outside eq ssh

access-list 100 extended permit icmp interface Inside any

pager lines 24

logging enable

logging asdm informational

mtu Inside 1500

mtu Outside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

icmp deny any Outside

asdm image disk0:/asdm-715.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

!

nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface

access-group Outside_access_in in interface Outside

!

router rip

network 10.0.0.0

network 199.195.168.0

version 2

no auto-summary

!

route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1

route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1

route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1

route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 Inside

ssh 98.22.121.18 255.255.255.255 Outside

ssh timeout 60

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

  inspect icmp error

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

password encryption aes

: end

2811:

CISCO-2811#sh running-config brief

Building configuration...

Current configuration : 3449 bytes

!

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname CISCO-2811

!

boot-start-marker

boot system flash

boot-end-marker

!

!

enable secret 4 DWJfYBf6KhkIRmhhIhx8ibAAXVGQWjwfuyzfaX4Im8M

!

aaa new-model

!

!

!

!

!

!

!

aaa session-id common

!

!

dot11 syslog

ip source-route

!

!

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.1 192.168.1.49

ip dhcp excluded-address 172.16.10.1 172.16.10.49

ip dhcp excluded-address 172.16.20.1 172.16.20.49

!

ip dhcp pool Mitchs_Network

network 192.168.1.0 255.255.255.0

dns-server 192.168.1.2 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8

default-router 192.168.1.1

!

ip dhcp pool VLAN10

network 172.16.10.0 255.255.255.0

default-router 172.16.10.1

dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8

!

ip dhcp pool VLAN20

network 172.16.20.0 255.255.255.0

dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8

default-router 172.16.20.1

!

!

!

ip domain name maladomini.int

ip name-server 192.168.1.2

ip name-server 199.195.168.4

ip name-server 205.171.2.65

ip name-server 205.171.3.65

ip name-server 8.8.8.8

no vlan accounting input

!

multilink bundle-name authenticated

!

!

password encryption aes

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-1290569776

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1290569776

revocation-check none

rsakeypair TP-self-signed-1290569776

!

!

crypto pki certificate chain TP-self-signed-1290569776

certificate self-signed 01

!

!

license udi pid CISCO2811 sn FTX1041A07T

username

username

!

redundancy

!

!

ip ssh time-out 60

ip ssh authentication-retries 5

ip ssh version 2

!

!

!

!

!

!

!

interface FastEthernet0/0

description CONNECTION TO INSIDE INT. OF ASA

ip address 10.10.1.2 255.255.255.252

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

ip access-group 100 in

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

!

interface FastEthernet0/1.1

description VLAN 10

encapsulation dot1Q 10

ip address 172.16.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface FastEthernet0/1.2

description VLAN 20

encapsulation dot1Q 20

ip address 172.16.20.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface FastEthernet0/1.3

description Trunk Interface VLAN 1

encapsulation dot1Q 1 native

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface Dialer0

no ip address

!

router rip

version 2

network 172.16.0.0

network 192.168.1.0

network 199.195.168.0

no auto-summary

!

ip default-gateway 10.10.1.1

ip forward-protocol nd

no ip http server

ip http authentication local

ip http secure-server

!

!

ip dns server

ip nat inside source list 1 interface FastEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 10.10.1.1

ip ospf name-lookup

!

access-list 1 permit any

access-list 100 permit tcp host 10.10.1.1 host 192.168.1.5 eq www

access-list 100 permit icmp host 10.10.1.1 any echo-reply

dialer-list 1 protocol ip permit

!

!

!

!

!

!

!

control-plane

!

!

!

line con 0

exec-timeout 0 0

password <redacted>

line aux 0

line vty 0 4

exec-timeout 0 0

password <redacted>

transport input ssh

!

scheduler allocate 20000 1000

end

Thank you for the help!

1 Accepted Solution

Accepted Solutions

Hi,

If you only have a single public IP address available and the ISP has not allocated any more public IP addresses then you need to do Static PAT (Port Forward) as you say. I am just wondering the IP address thing as you have a /28 mask public subnet attached to your ASA from the ISP. Naturally it still could be that you can only use the public IP configured on the ASA interface.

When allowing SSH to the internal router you will probably have to change the public facing port for this connection to something else than the default TCP/22. This is because if you forward this public port from the only public IP you have on the ASA then you wont be able to manage the ASA with SSH from the public network (As ASA would now be forwarding the TCP/22 traffic to the internal router)

So if I changed my original suggestions for the NAT then the new Static PAT configurations could look like this

object network ROUTER

host 10.10.1.2

nat (Inside,Outside) static interface service tcp 22 222

object network WEB-SERVER

host 192.168.1.5

nat (Inside,Outside) static interface service tcp 80 80

access-list Outside_access_in extended permit tcp any object WEB-SERVER eq www

access-list Outside_access_in extended permit tcp object ROUTER eq ssh

- Jouni

View solution in original post

22 Replies 22

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

What I would suggest is remove the RIP configurations on both ASA and the Router. There is not much need for Dynamic routing when using only 2 devices for routing. You seem to have the static routes needed for operation on the ASA and the Router already.

I would also remove all NAT configurations from the Router.

I would add the LAN networks on the Router to the NAT configurations on the ASA. You would need to add the internal networks to the ASAs "object-group" that defines the source networks of the PAT

object-group network PAT-SOURCE

  network-object 172.16.10.0 255.255.255.0

  network-object 172.16.20.0 255.255.255.0

  network-object 192.168.1.0 255.255.255.0

This would enable Dynamic PAT for all the users on LAN. At the moment you only have the LAN network between the ASA and the Router defined as the source address for the Dynamic PAT.

To enable access to your Router and Web server from the external/public network you would have to first configure NAT for them. The next question would be do you have public IP addresses available so that you can give both the Router and the Web Server their own public IP address by doing the NAT or do you want to use the IP address of the ASAs "outside" interface?

Static NAT would bind a single public IP address to a single local IP address.

Static PAT would bind a singlepublic port on the public IP to a single local port on the local IP.

If I were to presume that you want to do Static NAT for both the Router and Server then you could configure these

object network ROUTER

host 10.10.1.2

nat (Inside,Outside) static

object network WEB-SERVER

host 192.168.1.5

nat (Inside,Outside) static

Next you would need to allow traffic from the external network

access-list Outside_access_in extended permit tcp any object WEB-SERVER eq www

access-list Outside_access_in extended permit tcp any object WEB-SERVER eq https

Above would allow HTTP/HTTPS traffic from any external source address to your Web server. You can naturally remove the HTTPS if there is no need for it.

access-list Outside_access_in extended permit tcp object ROUTER eq ssh

or

access-list Outside_access_in extended permit tcp host object ROUTER eq ssh

Above gives examples on how you could allow SSH connections through the ASA to the Router. First example would be a statement that would allow SSH connections from a remote network. The second example would allow SSH connections from a single host source address. You would naturally add as many of these statements as you needed depending where you wanted to manage the Router from. Naturally you could allow SSH connection from "any" source address but I personally rather allow only from specific addresses if possible.

You don't really need to change anything on the ASA with regards to the ACL at the moment. You have configured an ACL to the "Outside" interface and you will allow here the required traffic from required source addresses to your internal hosts. Naturally you will always require some for of NAT for the internal host so it can be reached from the external network.

You don't have any ACL configured on the "Inside" interface of the ASA. This means that the "security-level" value of your interfaces will determine what traffic is allowed from behind the "Inside" interface. Since you only have the 2 interfaces in use this essentially means that users behind "Inside" can connect to any networks behind the "Outside" interface. You wont need an ACL to do this. You would need an ACL configured on the interface IF you wanted to limit some outbound traffic from behind the "Inside" interface.

And as said, you already have an ACL attached to the "Outside" interface so you simply add statements there when needed. All other traffic is denied.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

I have one public IP address. The internal IP address is a video  device on VLAN 1 of the internal network, it doesn't support HTTPS.

Right now I have SSH enabled to the ASA from outside, that was the one thing I did manage to get working.

I do not have a DMZ currently.

Basically I have the setup of INTERNET -----------> ASA5510 ---------->CISCO2811----->VLAN1;10;20-(2970-SWITCH)

I will remove the RIP and enter the changes you  suggested tonight when I get home from work to give it a go. I guess I  am failing to see how the relation between the ASA and the 2811 work  since they both are doing NAT and both seem to require access-lists.

I  will check it this evening and get back to you, I will definately have  more questions. The way the access-lists, groups, network objects and  the like are just not setting in my brain the way I seem to think they  should.

Hi,

With regards to ACL/access-list the problem in your setup is the fact that the actual LAN networks connect to the Router rather than to the ASA. The ASA would be better equiped to control the traffic with ACLs than the Router. Basically because its a statefull firewall while the Router doesnt keep track of the state of the connection which makes configuring the ACLs harder.

If you have no need to control traffic between the LAN networks then you should not configure any interface ACLs on the Router.

There is no real need to do any NAT on the Router itself. It only adds complexity to this network in my opinion. The ASA is better equipped to handle the NAT.

I am not sure what to tell you about the objects, object-group other than that the "object" and "object-group" alone dont do anything. The "object" and "object-group" are usually used as a parameter in some other configuration on the ASA.

The "object-group" are used usually to group certain IP addresses/networks/services(ports) into a single group that you can then easily use in some "access-list". They are also used to group networks to be used in "nat" configurations to avoid creating multiple statements.

- Jouni

Well, my ultimate plan was to use these devices to learn how to  control traffic around and between the different subnets and between an  ASA and a router. Ultimately I would use the ASA to control access to  and from work / remote locations and the router to direct traffic  between my subnets would be used for different things.

Examples:

VLAN for the VOIP phones

VLAN for Wireless devices (AP's)

VLAN for Servers

VLAN Wired PC's

VLAN for Assorted (TV's, DVD's, XBOX, Wii, et cetera)

So  I will be using the router. I am just in the learning stages and want  to get remote access setup so I can work on it from remote locations or  connect to it from work et cetera.

I am also getting a 2821 and a 3560 POE switch for the phones and other POE devices.

Example  would be to put my wireless AP on one subnet and then control what  traffic can flow from that network to my primary wired network. I was  then going to use the router to do VOIP phones. Setup a server subnet.

I also have a 2821 router that I had planned on using  once I learned the basics, so I can learn more about Cisco networking  and IOS usage.

"do you want to use the IP address of the ASAs "outside" interface?"

Yes. I have one static IP address that is on my ASA's outside interface. i will have to do port forwarding to reach the http device as well as the SSH to the inside router.

I assume I will have to NAT these statements to different ports unless I put them in a DMZ type of setup with the HTTp device on it's own network/VLAN?

Hi,

If you only have a single public IP address available and the ISP has not allocated any more public IP addresses then you need to do Static PAT (Port Forward) as you say. I am just wondering the IP address thing as you have a /28 mask public subnet attached to your ASA from the ISP. Naturally it still could be that you can only use the public IP configured on the ASA interface.

When allowing SSH to the internal router you will probably have to change the public facing port for this connection to something else than the default TCP/22. This is because if you forward this public port from the only public IP you have on the ASA then you wont be able to manage the ASA with SSH from the public network (As ASA would now be forwarding the TCP/22 traffic to the internal router)

So if I changed my original suggestions for the NAT then the new Static PAT configurations could look like this

object network ROUTER

host 10.10.1.2

nat (Inside,Outside) static interface service tcp 22 222

object network WEB-SERVER

host 192.168.1.5

nat (Inside,Outside) static interface service tcp 80 80

access-list Outside_access_in extended permit tcp any object WEB-SERVER eq www

access-list Outside_access_in extended permit tcp object ROUTER eq ssh

- Jouni

JouniForss wrote:

Hi,

If you only have a single public IP address available and the ISP has not allocated any more public IP addresses then you need to do Static PAT (Port Forward) as you say. I am just wondering the IP address thing as you have a /28 mask public subnet attached to your ASA from the ISP. Naturally it still could be that you can only use the public IP configured on the ASA interface.

When allowing SSH to the internal router you will probably have to change the public facing port for this connection to something else than the default TCP/22. This is because if you forward this public port from the only public IP you have on the ASA then you wont be able to manage the ASA with SSH from the public network (As ASA would now be forwarding the TCP/22 traffic to the internal router)

So if I changed my original suggestions for the NAT then the new Static PAT configurations could look like this

object network ROUTER

host 10.10.1.2

nat (Inside,Outside) static interface service tcp 22 222

object network WEB-SERVER

host 192.168.1.5

nat (Inside,Outside) static interface service tcp 80 80

access-list Outside_access_in extended permit tcp any object WEB-SERVER eq www

access-list Outside_access_in extended permit tcp object ROUTER eq ssh

- Jouni

Hi Jouni,

Well I purchased one static Ip address from my provider. It has a 255.255.255.240 Subnet. I am not sure how they give them out. I have a gateway address, I know there is a broadcast IP since I can ping it and the others, well, maybe they don't use them? All I know is I pay 6 bucks additional to have the static Ip over a dynamic one. I will try those commands tonight and see how it works!

I got my 2821, but it looks like the IOS was wiped on it. I purchased some memory and a flash card for it (it didn't come with a CF card and it has the minimum memory in it) hopefully I can get an IOS back on it. I can't even do a sh run, but I do see the TFTP command.

Hi Jouni,

Just to clarify. When I create these on the ASA:

object network ROUTER (This is an Object Container that I am adding the host 10.10.1.2 into)

host 10.10.1.2 (the defined IP of the router)

nat (Inside,Outside) static interface service tcp 22 222 (NAT statement shaping traffic from / to the outside interface of port 22 translated to 222)?

Does this statement just get created or does it have to be applied to an interface? Is this done on the ASA or the router?

access-list Outside_access_in extended permit tcp object ROUTER eq ssh

Thanks!

Hi,

The first port mentioned in the "nat" command is the real port and the second port is the mapped port visible to the external/public network. The reason I put the ports like that is if you had the original port TCP/22 visible to the external/public network in the "nat" command this would mean that you could not reach the ASA with SSH anymore from the public network.

The reason for the above is that the ASA is already listening on port TCP/22 (SSH) on its public interface and if you now forward that port to an internal host the ASA wont be able to listen on the port TCP/22 for its own SSH management.

With regards to the ACL rule,

You already have the ACL "Outside_access_in" configured on the ASA when you look at the original configuration you posted. So this means we are just adding new rules to the existing ACL and nothing more is required for the rules to take effect.

You might wonder why we allow access to the actual port of TCP/22 if we are mapping it to public/mapped port of TCP/222? This can be explained by the fact that any ASA running 8.3 (or newer) software is using the new NAT format. This means that when a connection is coming to the ASA then it will handle the UN-NAT from the mapped to the real IP/port before it checks the ACL. Therefore the ACL should contain the real IP/port.

The actual ACL is attached with the below command that is shown in the original configuration

access-group Outside_access_in in interface Outside

It simply means that the ACL named "Outside_access_in" is attached to the direction "in" to the interface "Outside". It therefore controls connection attempts that are coming towards this interface (in/inbound). As the ASA is a statefull firewall if the connection attempt is allowed through this ACL then the return traffic will be allowed automatically as the ASA would already have that connection in its connection table.

On a router the situation would be completely different unless you were using a Router with special firewall features. Of those I have very little expirience myself.

Hope this helps

Please do remember to mark a reply as the correct answer if it has answered your question.

Feel free to ask more if needed though

- Jouni

Yes that helps a lot. I am beginning to see how the packets flow on  the ASA and what guides them. That was my biggest problem was following  how a packet would come in from the outside, which interface would  accept it, which would pass it and what rules (statements) allowed it  past.

I think one of my issue is the difference between devices (Router vs Firewall).

On  the router I had tried to create some access-lists and once I applied  them to an interface (say to allow WWW through them), it would block all  the other traffic when I applied it to a specific interface . I didn't  quite follow how it flowed and it was frustrating.

Istvan kelemen
Level 1
Level 1

Hello,

If you want i can configure your router/asa for free.

What i do need to know:
-requirements (what and how you do want)
What i do need:
-SSH/ASDM connection.

Feel free to contact me: stvnkelemen@gmail.com


Sent from Cisco Technical Support Android App

metuckness
Level 1
Level 1

Hi,

I am still not able to SSh to the router using that port 222. I set all the rules up on the ASA and it seems I can SSH into it, but when I try the router behind it, I get nothing. Do I have to set some rules on the router? I thought I already had a statement that allowed any connections from the ASA to the Router, hmm.

Thanks Steven, I might take you up on your offer if I can't work them out on my own. The whole point is to learn how to do it, but I didn't know if would be so confusing at the start (when is networking ever "easy") but because the commands change across version and are different between Firewalls and Routers and the like, it's a tad confusing. i am pretty sure the problem now lies in an ACL on the router.

Thanks!

My other problem is that I can't test the connection from home because since the ASA is a stateful router, it is not allowing my work VPn to connect (stay connected). It seems that the VPN we use for work (a Microsoft VPN) sends a packet and that comes back as a different packet so the ASA blocks it. I am going to have to figure that out as well sometime. That is my guess anyway, since it worked before when I had a pFsense Firewall setup.

Hi,

The "packet-tracer" command on the ASA will tell if there is a problem with the ASA configurations

packet-tracer input Outside tcp 12345 222

Share the output with us. Remember to mask the public IP address in the output

Did you also remember to specify the nondefault SSH port in the SSH Client you used?

- Jouni

I did remember to add the nondefault port of 222 when I tried to connect.

The Output is:

ASA5510# packet-tracer input Outside tcp 98.22.121.180 22 100.100.100.100 222

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network ROUTER-2811

nat (Inside,Outside) static interface service tcp ssh 222

Additional Information:

NAT divert to egress interface Inside

Untranslate 100.100.100.100/222 to 10.10.1.2/22

Phase: 3

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface

Additional Information:

Phase: 4

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: Outside

input-status: up

input-line-status: up

output-interface: Inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Review Cisco Networking for a $25 gift card