cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
777
Views
5
Helpful
2
Replies

Basic firewall config, yet blocking packets.

tylerhall
Level 1
Level 1

This is a brand new config, there's nothing on it.  I'm just trying to get packets to reach it, but it says it's being denied:

%ASA-3-710003: TCP access denied by ACL from 72.201.89.xx/23910 to outside:64.38.xxx.xx/80

I don't have a web server running on it, I'm just trying random ports to see if it'll go through before I start digging into my VPN issue.

Here is the config, allowing everything inbound/outbound:

vpn# show run

: Saved

:

ASA Version 8.2(5)

!

hostname vpn

domain-name xxx.net

enable password xxx encrypted

passwd xxx encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.0.16.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 64.38.x.x 255.255.255.192

!

ftp mode passive

dns server-group DefaultDNS

domain-name xxx

access-list OUTBOUND extended permit ip any any

access-list INBOUND extended permit ip any any

pager lines 24

logging enable

logging buffered debugging

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

access-group OUTBOUND in interface inside

access-group INBOUND in interface outside

route outside 0.0.0.0 0.0.0.0 64.38.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!            

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

What is making it deny all inbound packets?

1 Accepted Solution

Accepted Solutions

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Tyler,

In ording to allow a packet from a lower security level to a higher security level on a version with nat-control enable you need:

1- A bidirectional translation ( Static one to one, Nat 0 with ACL)

2- An ACL allowing the traffic.

In this case you are missing the first one.

Regards,

Julio

Rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

2 Replies 2

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Tyler,

In ording to allow a packet from a lower security level to a higher security level on a version with nat-control enable you need:

1- A bidirectional translation ( Static one to one, Nat 0 with ACL)

2- An ACL allowing the traffic.

In this case you are missing the first one.

Regards,

Julio

Rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

varrao
Level 10
Level 10

Hi Tyler,

Wat exactly are you trying to access, is it the outside interafce of the ASA?? If it is any other IP address in the same subnet that your isp has provided, then you would need to plug a host on the inside interface and do static nat for it, then only you would get a response for random ports on it.

Try this:

plug a host on the inside interface, assign an ip, lets say 10.0.16.2, then you would need the static:

static (inside,outside) 64.38.xx.xx 10.0.16.2

Then try the connection, it should then show you everything opened.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thanks,
Varun Rao
Review Cisco Networking for a $25 gift card