1962 Views, 0 Helpful, 8 Replies

ASA: ACL is not working properly

mbesim
Level 1

Here is my configuration.

access-list inside_access_in extended permit tcp host Mailint any eq smtp

access-list inside_access_in extended deny tcp any any eq smtp

access-list inside_access_in extended permit ip object-group internal-net any

access-group inside_access_in in interface inside

This is to prevent potential spammers on my LAN.

Only the Mailint server is allowed to send SMTP traffic.

But the ACL does not work!?

I issue from my PC:

telnet mail.yahoo.com 25

And I receive a reply from the Yahoo server.

Any suggestions? What is wrong?

8 Replies

andrew.prince
Level 10

Post the output from "show access-list inside_access_in".

Here it is:

access-list inside_access_in; 9 elements; name hash: 0x433a1af1

access-list inside_access_in line 1 extended permit tcp host Mailint any eq smtp (hitcnt=0) 0x1fa6687c

access-list inside_access_in line 2 extended deny tcp any any eq smtp (hitcnt=18) 0xe3de3aa9

access-list inside_access_in line 3 extended permit ip object-group internal-net any 0x0ada2aa5

access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=19175) 0x12ee6ada

access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=16565) 0xeba73452

access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=3270) 0x3ec5fae7

access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=2723) 0x35616727

access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=10427) 0x69b4b8b6

access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=0) 0x4964f9f7

access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=0) 0xfef1f420

So you are blocking on this line:

access-list inside_access_in line 2 extended deny tcp any any eq smtp (hitcnt=18)

Yes, and it is not working.

SMTP traffic is passing through.

Could somebody try this too?

How do you know this is still working?

Do you have a static NAT for your PC? Try to check from other PCs which are NATed.

Matt Lang
Level 1

Are you positive you are coming from the inside and are not coming in to the ASA from a different interface? If you are sure you are coming from the inside, can you add this to your ACL to test?

access-list inside_access_in line 2 deny tcp host any eq smtp

Then test again and look at the counters to see if you are able to get out. If you are, are you sure there is not a device before the ASA that is translating your address?

I was wrong. The ACL is working.

The confusion was caused by the TCP options.

(Configuration > Firewall > Advanced > TCP Options, for the inside interface)

I unchecked "Send reset reply for denied outbound TCP packets"

and there are no more "replies" from the Yahoo server.

Sorry, but I was really confused by this.

Thanks for your replies.
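The resolution above is easy to misread from a client: a denied connection can still appear to get an answer. The probe below is an added example written for this thread, not code from the original post or from Cisco; host names, ports and helper names are assumptions. It classifies the three outcomes of an outbound TCP connect attempt (completed handshake, RST received, silence) and spells out the caveat the thread turned on: a RST arriving at the client looks the same whether the remote server refused the connection or the ASA generated it because the "Send reset reply for denied outbound TCP packets" option (the `service resetoutbound` command on the CLI) is enabled. Only the ACL hit counters on the ASA, or a timeout once the reset reply is disabled, tell you the traffic was denied.

```python
"""Classify the result of an outbound TCP connect attempt.

Added example for the ASA thread above; hostnames, ports and helper
names are assumptions, not anything from the original post.
"""
import socket
from typing import Literal

Outcome = Literal["open", "refused", "filtered", "error"]

# Plain-English reading of each outcome, including the caveat the
# thread turned on: on the client side a RST generated by the firewall
# is indistinguishable from a RST sent by the real server.
EXPLANATIONS = {
    "open": "Handshake completed: the ACL permits this port and a service answered.",
    "refused": ("TCP RST received. Either the remote host refused, or a firewall in the "
                "path generated the reset for a denied connection (ASA: service "
                "resetoutbound). Check the ACL hit counters rather than trusting this."),
    "filtered": "No answer before the timeout: the connection was silently dropped.",
    "error": "Local failure (for example name resolution); nothing left the host.",
}


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> Outcome:
    """Try one TCP connect and report which of the outcomes occurred."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:          # a subclass of OSError, so it must come first
        return "filtered"
    except OSError:
        return "error"


def explain(outcome: Outcome) -> str:
    """Return the human-readable interpretation of a probe outcome."""
    return EXPLANATIONS[outcome]


def open_listener(host: str = "127.0.0.1") -> socket.socket:
    """Listening socket on an ephemeral loopback port, to produce an 'open' result offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv


def closed_local_port(host: str = "127.0.0.1") -> int:
    """Find a loopback port nothing listens on, so a connect to it yields a kernel RST."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # The check the original poster ran from a host behind the ASA
    # (needs network access; mail.yahoo.com:25 is the target named in the thread).
    result = probe_tcp("mail.yahoo.com", 25)
    print(result, "-", explain(result))
```

Run it from a host on the inside network before and after toggling the reset-reply option: with the option on, a denied SMTP connection reports "refused"; with it off, the same connection reports "filtered". In both cases the deny line's hit counter in `show access-list inside_access_in` increments, which is the authoritative evidence.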
