02-07-2007 01:44 PM - edited 03-11-2019 02:30 AM
I'm running ASA 7.2(1) on a 5510 and I'm receiving a deny on SMTP:
Feb 07 2007 14:11:51: %ASA-4-106023: Deny tcp src eth1:100.100.252.107/25 dst eth0:200.29.52.3/40281 by access-group "acl-eth1"
The ACL specifically allows this traffic, unless I'm misinterpreting the ACL or the error. Can one of you see what the problem is?
Here are some statements from my config (sanitized):
interface Ethernet0/0
speed 100
duplex full
nameif eth0
security-level 0
ip address 200.29.52.1 255.255.255.0
!
interface Ethernet0/1
speed 100
duplex full
nameif eth1
security-level 90
ip address 192.129.254.7 255.255.255.0
!
access-list acl-eth1 extended permit tcp 100.100.252.0 255.255.255.0 host 200.29.52.3 eq smtp
access-list acl-eth0 extended permit tcp host 200.29.52.3 100.100.252.0 255.255.255.0 eq smtp
access-list matchall extended permit ip any any
nat (eth1) 0 access-list matchall
access-group acl-eth1 in interface eth1
access-group acl-eth0 in interface eth0
route eth1 0.0.0.0 0.0.0.0 192.129.254.2 1
02-07-2007 01:48 PM
The log is showing a source port of 25, not a destination port. The ACL to match that traffic would be:
access-list acl-eth1 extended permit tcp 100.100.252.0 255.255.255.0 eq 25 host 200.29.52.3
What are you trying to accomplish?
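To make the source-port point above concrete, here is an added Python example (not code from this thread or from Cisco) that parses the %ASA-4-106023 line quoted in the question, parses the two ACL variants discussed, and evaluates the logged packet against each with the ASA's first-match semantics. It handles only the `host`, `any`, network/mask and `eq` forms that appear in this thread; the sample log line is copied from the question, and the `looks_like_return_traffic` heuristic is my own addition, flagging denied packets whose source port is a service port and whose destination port is ephemeral, i.e. replies that a stateful firewall would normally pass from its connection table without ever consulting the interface ACL.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Sample input: the %ASA-4-106023 line from the question (copied, not constructed).
SAMPLE_LOG = ('Feb 07 2007 14:11:51: %ASA-4-106023: Deny tcp src eth1:100.100.252.107/25 '
              'dst eth0:200.29.52.3/40281 by access-group "acl-eth1"')

# The two ACL variants discussed in the thread.
ACL_AS_CONFIGURED = 'access-list acl-eth1 extended permit tcp 100.100.252.0 255.255.255.0 host 200.29.52.3 eq smtp'
ACL_SOURCE_PORT   = 'access-list acl-eth1 extended permit tcp 100.100.252.0 255.255.255.0 eq 25 host 200.29.52.3'

LOG_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')

# Service names accepted in place of numeric ports (subset sufficient for this thread).
PORT_NAMES = {'smtp': 25, 'ftp': 21, 'domain': 53, 'www': 80, 'https': 443}


@dataclass
class Packet:
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    acl: str


@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_port: Optional[int]   # None means "any port"
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


def parse_106023(line: str) -> Packet:
    """Extract the 5-tuple, interfaces and ACL name from a %ASA-4-106023 deny message."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError('not a %ASA-4-106023 message: ' + line)
    return Packet(m['proto'], m['sif'], m['sip'], int(m['sport']),
                  m['dif'], m['dip'], int(m['dport']), m['acl'])


def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    t = tokens.pop(0)
    if t == 'any':
        return ipaddress.ip_network('0.0.0.0/0')
    if t == 'host':
        return ipaddress.ip_network(tokens.pop(0) + '/32')
    return ipaddress.ip_network(f'{t}/{tokens.pop(0)}', strict=False)


def _take_port(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq PORT' spec; other operators are outside this example's scope."""
    if tokens and tokens[0] == 'eq':
        tokens.pop(0)
        p = tokens.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None


def parse_ace(line: str) -> AclEntry:
    """Parse one 'access-list NAME extended permit|deny PROTO SRC [eq P] DST [eq P]' line."""
    tokens = line.split()
    if tokens[0] != 'access-list':
        raise ValueError('not an access-list line: ' + line)
    name, tokens = tokens[1], tokens[2:]
    if tokens[0] == 'extended':
        tokens.pop(0)
    action, proto = tokens.pop(0), tokens.pop(0)
    src, src_port = _take_addr(tokens), _take_port(tokens)
    dst, dst_port = _take_addr(tokens), _take_port(tokens)
    return AclEntry(name, action, proto, src, src_port, dst, dst_port)


def ace_matches(ace: AclEntry, pkt: Packet) -> bool:
    """True if every field of the ACE is satisfied by the packet."""
    if ace.proto not in ('ip', pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src_ip) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in ace.dst:
        return False
    if ace.src_port is not None and ace.src_port != pkt.src_port:
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl_lines: List[str], pkt: Packet) -> Tuple[str, str]:
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace.name == pkt.acl and ace_matches(ace, pkt):
            return ace.action, line
    return 'deny', '<implicit deny>'


def looks_like_return_traffic(pkt: Packet) -> bool:
    """Heuristic (my addition): service source port plus ephemeral destination port."""
    return pkt.proto == 'tcp' and pkt.src_port < 1024 and pkt.dst_port >= 1024


if __name__ == '__main__':
    pkt = parse_106023(SAMPLE_LOG)
    for acl in (ACL_AS_CONFIGURED, ACL_SOURCE_PORT):
        action, hit = evaluate([acl], pkt)
        print(f'{action:6} <- {hit}')
    print('return traffic?', looks_like_return_traffic(pkt))
```

Run stand-alone it shows the configured ACE denying the packet (destination port 40281 is not 25) while the source-port variant permits it, and flags the packet as probable return traffic, which is the reason the log line was surprising in the first place.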
02-07-2007 01:56 PM
Yes, that is what I thought. We're converting from a PIX 515 on 6.2(4) to the ASA 5510s, and the ACLs worked fine on the PIX, in that I did not see these deny messages. Mail (SMTP) should be allowed between 200.29.52.3 and 100.100.252.0/24. I'm wondering if there's something I need to add to the 5510 config that was not needed on the PIX.
02-07-2007 02:03 PM
Are you using Microsoft Exchange? Perhaps you need to enter on the ASA:
no fixup protocol smtp 25
I recall running into a similar problem to yours with version 7.0(2), but with ICMP. I did the following and it fixed it:
no access-group acl-eth1 in int inside
access-group acl-eth1 in int inside
Maybe it will work in your case as well. There is a bug ID on this one.
02-07-2007 02:16 PM
No, we're not using Exchange. I have another conversation going on right now related to the "no fixup". The ASA 5510 with 7.2(1) won't take the command:
Ciscoasa(config)# no fixup protocol ftp 21
WARNING: 'no fixup ...' command not processed because no global policy-map is enabled
No matching protocol-port pair found, fixup not removed
I'll try the access-group trick and post the results.
02-08-2007 06:38 AM
Re-applying the access-group fixed the issue. Thank you, David! Can you point me to that Bug ID please?
02-08-2007 09:33 AM
Hi calterio,
The bug ID is CSCsd82114. I think I was the first person to report this problem back in March 2006. But in my case, I was using ASDM at the time when I noticed this issue. The funny thing is that the bug ID stated that it should have been fixed in your version as well. I guess Cisco just doesn't know how to do QA work.
Cisco PIX/ASA 7.x code is so buggy that it is not even funny. We tried to migrate customers from Checkpoint firewalls (Checkpoint TAC support sucks) to Cisco PIX firewalls (Cisco TAC support good), but we've run into so many issues with 7.x that it is not even funny. What Cisco should do is start to hire Checkpoint programmers so that they can have stable firewall code. But what do I know?
David