Cannot create new Rule on ASA - HELP - HELP

Minh Vu · ‎11-29-2012

Hello,

I'm trying to configure my Cisco ASA firewall to allow outside access to my new webserver which is hosting inside the company network.

The number 47 & 48 from image below are my new access rules.

From ouside I can ping to it by using name or IP but when I try to access the website using web browser, I got the page can't display. Yes, my web page is working fine when access using internal network.

When I replace the Destination on #35 with #47 (replace TTCHR2Outside with Dealer.Nittotire) then I can access the website from outside OK.

Would anyone please tell me what I did wrong and how to fix it.

Thanks inadvance.

Jouni Forss · ‎11-29-2012

Hi,

Line 39 has a rule that blocks ALL TCP/UDP traffic from "any" to "any"

As you can see, no rule after line 39 has even gotten 1 hitcount.

You need to remove the current line 39 configuration for any of the latter ones to apply.

- Jouni

Jouni Forss · ‎11-29-2012

Also,

Remember that every single ACL ends with an "Implicit Deny" (I guess it should show on ASDM side) which basically blocks all the traffic that hasnt matched any previous ACL rule line.

Making a Deny rule in the middle of an ACL only makes sense when you specily a network/host address regarding either the source or destination of the traffic.

"deny ip any any" doesnt make any sense in the middle of an ACL as it makes the lines after that useless.

Minh Vu · ‎11-29-2012

So, any line below "Deny" will be blocked, right?

Minh Vu · ‎11-29-2012

JouniForss,

Thank you for your quick reply.

Can I just move line 47 & 48 up to before 39 without removing 39?

Jouni Forss · ‎11-29-2012

Hi,

If you want to leave the "deny ip any any" ACL rule there, then yes, you can just move the 2 rules before that "deny" rule and those should work.

- Jouni

Minh Vu · ‎11-29-2012

Thank you very much for your quick answer on this matter, yes, I am able to acces my website from outside now.

Thanks again.