Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
505
Views
0
Helpful
3
Replies

Cisco FWSM 'deny inbound' error in ASDM

Go to solution
Little Bunny
Level 1
Level 1

‎12-17-2014 10:03 AM - edited ‎03-11-2019 10:14 PM

Hello

 

We have an explicit rule allowing inbound traffic, however it recently stopped working. The rule is still in place but we get a Deny message in the logs and the traffic does not pass. Would NAT have an affect on this? Someone changed the NAT from Static to Dynamic recently and I'm wondering if that might have broken something. Please let me know what further info you need.

 

Thanks

Amy

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Vibhor Amrodia
Cisco Employee
Cisco Employee
In response to Little Bunny

‎12-18-2014 01:27 AM

Hi,

Actually as per your explanation , you pointed out that the Inbound connections are getting denied and someone changed the Static NAT to Dynamic. So , this is expected as Dynamic only works uni directionally.

If you still have some query , please point out the relevant configuration NAT or the logs.

Thanks and Regards,

Vibhor Amrodia

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Marius Gunnerud
VIP
VIP

‎12-17-2014 12:35 PM

NAT could very well be the issue here if it has been changed.

You could check by running a packet tracer on the ASA from any public IP (4.2.2.2 for example) to the public IP of the server you are trying to reach.  Make sure that the source port is a random hight port (I normally use 12345) and make sure you specify the server port which is being used to access the server (for example, port 80 for webservers).

packet-tracer input outside tcp 4.2.2.2 12345 <public IP of server> <port> detail

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Little Bunny
Level 1
Level 1
In response to Marius Gunnerud

‎12-17-2014 01:14 PM

Hi Marius

 

Thanks for your reply. This is on an FWSM context, not ASA, and the packet-tracer command isn't supported.

 

I'll see if there is another way to test where the connection is being blocked.

 

Thanks

Amy

0 Helpful

Go to solution
Vibhor Amrodia
Cisco Employee
Cisco Employee
In response to Little Bunny

‎12-18-2014 01:27 AM

Hi,

Actually as per your explanation , you pointed out that the Inbound connections are getting denied and someone changed the Static NAT to Dynamic. So , this is expected as Dynamic only works uni directionally.

If you still have some query , please point out the relevant configuration NAT or the logs.

Thanks and Regards,

Vibhor Amrodia

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card