How to correct: TCP access denied by ACL

01-12-2015 06:21 AM - edited 03-11-2019 10:19 PM
Hello!
I seem to have stumbled into a problem I am not sure how to correct. I have a web server on a DMZ (10.1.10.5) that works correctly for all sites housed on it with the exception of one. The server serves up the login page, but upon trying to log in the following message is received:
TCP access denied by ACL from 10.1.10.5/53346 to dmz: xx.xx.xx.xx/445 (where xx.xx.xx.xx is the public IP)
I have tried creating an ACL that allows the two to communicate. Even then I get a message that the ASA has detected IP Spoofing and it blocks it.
I am attaching my config. Note there are some rules there to allow the staff on the inside to access the sites using public URLs instead of server IPs.
My question is how can I allow this authentication traffic to be passed?
Labels: NGFW Firewalls
01-12-2015 07:34 AM
Based on the log, the web server sends an HTTP redirect to port 445. But for this port you have neither a translation nor an access rule.

01-12-2015 07:47 AM
Thanks for your response.
I have added:
! Network object for the DMZ web server, with a port-forward of tcp/445
! from the outside interface address to the server
object network WEBSERVER-TCP445
 host 10.1.10.5
 nat (DMZ,outside) static interface service tcp 445 445
! Permit inbound tcp/445 from anywhere to the server's real address
access-list outside_acl extended permit tcp any object WEBSERVER-TCP445 eq 445
I appear to still be receiving the message. New config attached.
01-16-2015 12:38 PM
Can you please confirm whether the xx.xx.xx.xx IP is on the outside or on the DMZ side? Can you provide the ASA log?
TCP access denied by ACL from 10.1.10.5/53346 to dmz: xx.xx.xx.xx/445 (where xx.xx.xx.xx is the public IP)
01-16-2015 01:24 PM
The xx.xx.xx.xx IP is the outside interface's public-facing address. I was a little confused about the message because 10.1.10.5 is in the DMZ and is the web server that the public IP sends that traffic to.
What kind of log can I provide for you? I am not very familiar with the logging settings. If you tell me how to get it I'll post it for you.
Really appreciate the response. Thanks!
01-16-2015 07:09 PM
Hi,
You can post the real-time logs generated by the firewall (sh logging),
or a screenshot of the real-time logs via ASDM.
JEEVAK
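The two things the thread keeps circling back to are the exact wording of the denial and the raw ASA log. As an added example (not code from the original thread or from Cisco), here is a small Python classifier that parses the three ASA syslog messages relevant here: 710003 ("TCP access denied by ACL from ... to ifc:ip/port"), which is the message format the poster quoted, 106023 (a through-the-box deny by an interface ACL) and 106016 (the anti-spoofing drop the poster also mentioned). The point it makes visible is that 710003 is logged when the destination is one of the firewall's own interface addresses, so the interface access-group ACL and the (DMZ,outside) static NAT added later do not govern that connection; a DMZ host talking to the outside interface IP is a hairpin to the ASA itself. The sample log lines are constructed, 203.0.113.10 is a documentation address standing in for the redacted public IP, and the set of firewall-owned addresses passed to analyze() is an assumption the reader supplies from their own config.

```python
"""Classify Cisco ASA denial messages for an ACL troubleshooting session.

Added example, not from the original thread. Sample lines are constructed;
203.0.113.10 stands in for the poster's redacted outside interface address.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Message formats (ASA syslog message reference):
#   %ASA-3-710003: TCP access denied by ACL from src/port to ifc:dst/port
#                  -> connection to a firewall-owned address (to-the-box)
#   %ASA-4-106023: Deny tcp src ifc:ip/port dst ifc:ip/port by access-group "name"
#                  -> through-the-box traffic dropped by an interface ACL
#   %ASA-2-106016: Deny IP spoof from (ip) to ip on interface ifc
#                  -> source address not valid on the ingress interface
PATTERNS: Dict[str, re.Pattern] = {
    "710003": re.compile(
        r"%ASA-\d-710003: (?P<proto>TCP|UDP) access denied by ACL from "
        r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<ifc>\w+):\s*(?P<dst>[\d.]+)/(?P<dport>\d+)"
    ),
    "106023": re.compile(
        r"%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<ifc>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
        r"dst (?P<dst_ifc>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\""
    ),
    "106016": re.compile(
        r"%ASA-\d-106016: Deny IP spoof from \((?P<src>[\d.]+)\) to (?P<dst>[\d.]+) "
        r"on interface (?P<ifc>\w+)"
    ),
}

VERDICTS = {
    "710003": "to-the-box: destination is an ASA interface address; "
              "the interface access-group ACL and through-traffic NAT do not apply",
    "106023": "through-the-box: dropped by the named interface ACL",
    "106016": "anti-spoofing: source address not valid on the ingress interface",
}


@dataclass
class Denial:
    msg_id: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    ifc: str          # interface named first in the message (ingress for all three)
    verdict: str


def parse_line(line: str) -> Optional[Denial]:
    """Return a Denial for a recognised deny message, None for anything else."""
    for msg_id, pat in PATTERNS.items():
        m = pat.search(line)
        if not m:
            continue
        g = m.groupdict()
        return Denial(
            msg_id=msg_id,
            proto=(g.get("proto") or "ip").lower(),
            src=g["src"],
            sport=int(g["sport"]) if g.get("sport") else None,
            dst=g["dst"],
            dport=int(g["dport"]) if g.get("dport") else None,
            ifc=g["ifc"],
            verdict=VERDICTS[msg_id],
        )
    return None


def flags(d: Denial, asa_addresses: Set[str]) -> List[str]:
    """Practitioner warnings for one denial. asa_addresses: the firewall's own
    interface IPs, supplied by the reader (assumption, not parsed from logs)."""
    out: List[str] = []
    if d.dst in asa_addresses:
        out.append("destination is a firewall-owned address: hairpin to the ASA itself, "
                   "not a DMZ-to-outside flow")
    if 445 in (d.sport, d.dport):
        out.append("tcp/445 is SMB/CIFS: do not publish it through a static NAT to the internet")
    return out


def analyze(log_text: str, asa_addresses: Set[str]) -> List[Tuple[Denial, List[str]]]:
    """Parse every line of a `show logging` dump; keep only denial messages."""
    results = []
    for line in log_text.splitlines():
        d = parse_line(line)
        if d is not None:
            results.append((d, flags(d, asa_addresses)))
    return results


# Constructed sample, shaped like the poster's quoted message plus two other denials
# and one non-denial connection-build line that the parser must ignore.
SAMPLE_LOG = """\
%ASA-3-710003: TCP access denied by ACL from 10.1.10.5/53346 to dmz: 203.0.113.10/445
%ASA-4-106023: Deny tcp src outside:198.51.100.7/41022 dst dmz:10.1.10.5/445 by access-group "outside_acl" [0x0, 0x0]
%ASA-2-106016: Deny IP spoof from (10.1.10.5) to 203.0.113.10 on interface dmz
%ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/41023 (198.51.100.7/41023) to dmz:10.1.10.5/80 (203.0.113.10/80)
"""

if __name__ == "__main__":
    for d, warn in analyze(SAMPLE_LOG, {"203.0.113.10"}):
        print(f"{d.msg_id} {d.proto} {d.src}:{d.sport} -> {d.ifc}:{d.dst}:{d.dport}")
        print(f"   {d.verdict}")
        for w in warn:
            print(f"   ! {w}")
```

Run it against the output of `show logging` (with the public IP left in, since the classifier needs it to recognise the hairpin) and pass the ASA's own interface addresses as the second argument; lines that are not denials are skipped, and each denial is labelled with which part of the policy actually dropped it.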
01-19-2015 11:36 AM
The logs have my public IP address plastered all over them. I wouldn't feel comfortable posting them here. Other than the one TCP denied message there doesn't seem to be any other entries related to the login request.
Are there any particular tests I may be able to run to help give you information that might be useful?

01-14-2015 11:46 AM
Any other ideas?
Seems weird that 10.1.10.5 (which is inside the DMZ) is being blocked to the DMZ public IP. I've tried several configurations; some remove the error, but the site still does not function.
