ASA5520 ACE issue

Dale Sanderson
Level 1

Hi there,

I am working on an ASA5520 running asa724-33-k8.bin and have been seeing some strange behaviour in relation to ACE additions.

On particular access-lists there is an implicit deny; so any new entries are added before this line.

However, once the line is in place, both packet tracer and a test of connectivity result in a drop - packet-tracer indicates the implicit deny in the middle of the ACL is the cause of this. This is usually resolved by removing any IP to name mappings and using the IP instead in the ACL; however this sometimes resolves the issues and sometimes not.

I was at first thinking that a large access list may exhibit this behaviour; however, the same thing has occurred with an ACL that is only around 40 lines max.


There is a case open with our support provider but was wondering if anyone in the community has come across something similar?

Thanks in advance.

1 Reply

mirober2
Cisco Employee

Hi Dale,

Sometimes the packet tracer output can be misleading as the ACL drop reason is more of a "catch all".

Can you post an example of an ACL that is showing this behavior along with the packet tracer output? That should help narrow down the problem.

-Mike
