How to correct: TCP access denied by ACL

alafever1
Level 1

Hello!

I seem to have stumbled into a problem I am not sure how to correct.  I have a web server on a DMZ (10.1.10.5) that works correctly for all sites housed on it with the exception of one.  The server serves up the login page but upon trying to login the following message is received: 

TCP access denied by ACL from 10.1.10.5/53346 to dmz: xx.xx.xx.xx/445 (where x is the public IP)

I have tried creating an ACL that allows the two to communicate.  Even then I get a message that the ASA has detected IP Spoofing and it blocks it.

I am attaching my config.  Note there are some rules there to allow the staff on the inside to access the sites using public URLs instead of server IPs.  

My question is how can I allow this authentication traffic to be passed? 

7 Replies

Based on the log, the webserver sends an HTTP-redirect to the port 445. But for this port you don't have a translation and also no access-rule.

Thanks for your response.

I have added:
object network WEBSERVER-TCP445
 host 10.1.10.5
 nat (DMZ,outside) static interface service tcp 445 445
access-list outside_acl extended permit tcp any object WEBSERVER-TCP445 eq 445
 

I appear to still be receiving the message.  New config attached.

 

Can you please confirm whether the xxx IP is on the outside or on the DMZ side? Can you provide the ASA log?

 

TCP access denied by ACL from 10.1.10.5/53346 to dmz: xx.xx.xx.xx/445 (where x is the public IP)

xxx IP is the Outside interface public facing address.  I was a little confused about the message because 10.1.10.5 is in the DMZ and is the webserver that the public IP sends that traffic to.  

What kind of log can I provide for you?  I am not very familiar with the logging settings.  If you tell me how to get it I'll post it for you.

Really appreciate the response.  Thanks!

Hi,

You can post the real-time logs generated by the firewall: sh logging

 

or a print screen of the real-time logs via ASDM.

 

JEEVAK,

The logs have my public IP address plastered all over them.  I wouldn't feel comfortable posting them here. Other than the one TCP denied message there doesn't seem to be any other entries related to the login request.  

Are there any particular tests I may be able to run to help give you information that might be useful?

Any other ideas?  

Seems weird that the 10.1.10.5 (which is inside the DMZ) is being blocked to the DMZ public IP.  I've tried several configurations... some remove the error, but the site still does not function.
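Triage of the deny message this thread turns on, written as an added example (not part of the original thread or of any Cisco tool): it parses lines of that format, flags a DMZ host addressing the firewall's own public IP (the self-referencing traffic the first reply points at), and flags tcp/445 (SMB) whether it shows up as the target of a web redirect or as a port permitted from any source in the ACL proposed above. It assumes a 10.1.10.0/24 DMZ and uses 203.0.113.10 as a constructed stand-in for the masked public IP.

```python
import ipaddress
import re

# Body of the ASA "access denied by ACL" message quoted in the thread.
DENY_RE = re.compile(
    r"(?P<proto>TCP|UDP) access denied by ACL from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<iface>\w+): ?(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
ACL_RE = re.compile(r"access-list \S+ extended permit (?:tcp|udp) any .*\beq (\d+)")

# Assumptions for this example: the DMZ subnet and the ASA's outside address.
# The thread masks the public IP, so 203.0.113.10 is a constructed placeholder.
DMZ_NET = ipaddress.ip_network("10.1.10.0/24")
OUTSIDE_IP = ipaddress.ip_address("203.0.113.10")
# Ports a web server should neither redirect browsers to nor expose to "any".
RISKY_PORTS = {445: "SMB", 139: "NetBIOS"}

def classify(line):
    """Findings for one deny line; [] if benign, None if the line is another message."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    findings = []
    if src in DMZ_NET and dst == OUTSIDE_IP:
        # Source and destination are both on the DMZ side of the firewall: the
        # DMZ host is addressing the ASA's own public IP, so the packet arrives
        # on the dmz interface and a (DMZ,outside) translation never applies.
        findings.append("hairpin: DMZ host -> firewall public IP")
    if dport in RISKY_PORTS:
        findings.append(f"tcp/{dport} ({RISKY_PORTS[dport]})")
    return findings

def risky_acl(line):
    """Flag an access-list entry that opens a risky port to any source."""
    m = ACL_RE.search(line)
    if m and int(m[1]) in RISKY_PORTS:
        return f"permits any -> tcp/{m[1]} ({RISKY_PORTS[int(m[1])]})"
    return None

# Constructed sample input modelled on the thread (not real logs).
SAMPLE_LOG = [
    "TCP access denied by ACL from 10.1.10.5/53346 to dmz:203.0.113.10/445",
    "TCP access denied by ACL from 198.51.100.7/4444 to outside:203.0.113.10/80",
    "Built inbound TCP connection 1234 for outside:198.51.100.7/4444",
]
SAMPLE_ACL = "access-list outside_acl extended permit tcp any object WEBSERVER-TCP445 eq 445"

if __name__ == "__main__":
    for ln in SAMPLE_LOG:
        print(classify(ln), "<-", ln)
    print(risky_acl(SAMPLE_ACL))
```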
