cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
666
Views
0
Helpful
6
Replies

Cisco ASA inbound connections

venkat257
Level 1
Level 1

Hi guys,

I am new to this group. I have a question and believe it is related to the firewall. I need 443 routed internally. The connection is working with 80 but not 443. Please check the picture attached. 

The command existing in the firewall is 

access-list OUTSIDE_IN line 10 extended permit tcp any4 host 172.20.40.1 eq www 

I gave the following command but its not working

access-list OUTSIDE_IN line 40 extended permit tcp any4 host 172.20.40.1 eq https

 

sh access-list | i 172.20.40.1

access-list OUTSIDE_IN line 10 extended permit tcp any4 host 172.20.40.1 eq www (hitcnt=1424566) 0x9f3fd44a
access-list OUTSIDE_IN line 40 extended permit tcp any4 host 172.20.40.1 eq https (hitcnt=0) 0xa89e875a

 

Kindly help. thanks in advance

BR,

Venkat

 

 

 

1 Accepted Solution

Accepted Solutions

Hi Venkat,

Please provide following information:

1: Is there any deny ACL above line40 which might be blocking TCP/443 traffic?

2: Can you run packet-tracer and share your findings.

 

Will wait for your update.

Thanks,

R.Seth

View solution in original post

6 Replies 6

rodrigog
Level 1
Level 1

Hello Venkat,

 

By any means did you added also the needed nat ?

Try adding the nat that may be missing

 

Also try running a packet tracer from the outside to see what could be the root cause

Regards,

Rodrigo

Hello Rodrigo,

Please see below

 sh run | i obj-122.56.11.165
object network obj-122.56.11.165
nat (FrontIPS_Outside,outside) source static FrontIPS_Out obj-122.56.11.165 service obj-tcp-source-eq-80 obj-tcp-source-eq-80
nat (FrontIPS_Outside,outside) source static FrontIPS_Out obj-122.56.11.165 service obj-tcp-source-eq-443 obj-tcp-source-eq-443


thmasa1f# sh run | b object network obj-122.56.11.165
object network obj-122.56.11.165
 host 122.56.11.165


object service obj-tcp-source-eq-80
 service tcp source eq www

object service obj-tcp-source-eq-443
 service tcp source eq https

Hello Venkat,

 

The configuration seems good but I can't see if the Nat may be hitting a source dynamic first that may be dropping the traffic

Try the next command on the next order to discard that possibility 

 

no nat (FrontIPS_Outside,outside) source static FrontIPS_Out obj-122.56.11.165 service obj-tcp-source-eq-443 obj-tcp-source-eq-443

nat (FrontIPS_Outside,outside) 1 source static FrontIPS_Out obj-122.56.11.165 service obj-tcp-source-eq-443 obj-tcp-source-eq-443

Let me know the results 

Regards,

Rodrigo

 

 

 

Hello Rodrigo,

 

It is still the same. No luck

access-list OUTSIDE_IN line 40 extended permit tcp any4 host 172.20.40.1 eq https (hitcnt=0) 

Br,

Venkat

Hi Venkat,

Please provide following information:

1: Is there any deny ACL above line40 which might be blocking TCP/443 traffic?

2: Can you run packet-tracer and share your findings.

 

Will wait for your update.

Thanks,

R.Seth

Hello Rodrigo and Rishabh,

 

The connectivity is working now. The https statement was after the deny statement. After changing, it started working. Thanks a lot.

 

Br,

Venkat 

Review Cisco Networking for a $25 gift card