12-03-2018 10:31 AM - edited 02-21-2020 08:32 AM
So I'm working on moving our Citrix environment to our new building. However, once I changed all the IPs and updated the access-list rules, it wasn't working. Doing the sh logging command, I see the following blocking the Citrix traffic on port 8080:
Inbound TCP connection denied from 72.9.2.126/55263 to 72.9.2.127/8080 flags SYN on interface outside
Anyone know what is causing this? I'm pretty sure my access-list is allowing port 8080 traffic, as you can see from my config.
interface Ethernet0/0
description To cable modem
switchport access vlan 2
!
interface Ethernet0/1
description IIS SERVER - THIS is the 72.9.2.126 server
switchport access vlan 2
!
interface Ethernet0/2
description xx
switchport access vlan 2
!
interface Ethernet0/3
description xx
switchport access vlan 2
!
interface Ethernet0/4
description [This is the 72.9.2.127 server]
switchport access vlan 10
!
interface Ethernet0/5
description xx
switchport access vlan 10
!
interface Ethernet0/6
description xx
switchport access vlan 10
!
interface Ethernet0/7
switchport access vlan 10
!
interface Vlan2
nameif outside
bridge-group 1
security-level 0
!
interface Vlan10
nameif inside
bridge-group 1
security-level 100
!
interface BVI1
ip address 72.9.2.128 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name setb.ad.dmz
object-group network inside_host
network-object host 208.90.140.23
network-object host 208.90.140.35
network-object host 208.90.140.29
network-object host 208.90.140.163
network-object host 208.90.140.28
network-object host 208.90.140.175
network-object host 208.90.140.27
network-object host 208.90.140.161
network-object host 72.9.2.123
network-object host 72.9.2.120
network-object host 72.9.2.121
network-object host 72.9.2.125
network-object host 72.9.2.126
network-object host 72.9.2.127
network-object host 72.9.2.133
network-object host 72.9.2.134
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outside_in extended permit tcp host 72.9.2.125 any eq 8080
access-list outside_in extended permit tcp host 72.9.2.126 any eq 8080
access-list outside_in extended permit tcp host 72.9.2.125 object-group inside_host eq 8080
access-list outside_in extended permit tcp host 72.9.2.126 object-group inside_host eq 8080
access-list outside_in extended permit tcp object-group inside_host object-group inside_host eq 8080
access-list outside_in extended permit tcp any host 72.9.2.126 eq www
access-list outside_in extended permit tcp any host 72.9.2.126 eq https
access-list outside_in extended permit tcp any host 72.9.2.125 eq https
access-list outside_in extended permit tcp any host 72.9.2.126 eq 1434
access-list outside_in extended permit tcp host 72.9.2.126 host 72.9.2.133 eq 1434 inactive
access-list outside_in extended permit tcp host 72.9.2.126 host 72.9.2.133 eq 1433 inactive
access-list outside_in extended permit udp host 72.9.2.125 object-group inside_host eq 1434
access-list outside_in extended permit tcp host 72.9.2.125 object-group inside_host eq 1434
access-list outside_in extended permit udp host 72.9.2.125 object-group inside_host eq 1433
access-list outside_in extended permit tcp host 72.9.2.125 object-group inside_host eq 1433
access-list outside_in extended permit udp host 72.9.2.126 object-group inside_host eq 1434
access-list outside_in extended permit tcp host 72.9.2.126 object-group inside_host eq 1434
access-list outside_in extended permit udp host 72.9.2.126 object-group inside_host eq 1433
access-list outside_in extended permit tcp host 72.9.2.126 object-group inside_host eq 1433
access-list outside_in extended permit tcp host 72.9.2.126 72.9.2.0 255.255.255.0 eq 135
access-list outside_in extended permit tcp host 72.9.2.126 host 72.9.2.123 eq ldap
access-list outside_in extended permit tcp host 72.9.2.126 host 72.9.2.123 eq 88 log
access-list outside_in extended permit udp host 72.9.2.126 host 72.9.2.123 eq 88
access-list outside_in extended permit udp host 72.9.2.126 host 72.9.2.123 eq domain
access-list outside_in extended permit udp host 72.9.2.126 host 72.9.2.123 eq 389
access-list outside_in extended permit ip host 72.9.2.126 host 72.9.2.123 log
access-list outside_in extended permit tcp host 72.9.2.126 host 72.9.2.127 eq 8080
access-list outside_in extended permit tcp host 72.9.2.126 host 72.9.2.123 eq 8080
access-list outside_in extended permit tcp host 72.9.2.126 host 72.9.2.121 eq 8080
access-list outside_in extended permit tcp host 72.9.2.126 host 72.9.2.127 eq citrix-ica
access-list outside_in extended permit tcp host 72.9.2.126 host 72.9.2.133 eq citrix-ica
access-list outside_in extended permit tcp host 72.9.2.126 host 72.9.2.121 eq citrix-ica
access-list outside_in extended deny ip any any log
access-list outside_out extended permit icmp object-group inside_host any
access-list outside_out extended permit tcp object-group inside_host any
access-list outside_out extended permit udp object-group inside_host any
access-list outside_out extended permit tcp host 72.9.2.126 any eq www inactive
access-list outside_out extended permit tcp host 72.9.2.126 any eq https inactive
access-list outside_out extended permit tcp host 72.9.2.126 host 72.9.2.127 eq 8080 inactive
access-list outside_out extended deny ip any any log
access-list inside_in extended permit udp object-group inside_host any eq domain
access-list inside_in extended permit tcp object-group inside_host host 72.9.2.126 eq 501
access-list inside_in extended permit tcp object-group inside_host any eq ftp
access-list inside_in extended permit tcp object-group inside_host any eq www
access-list inside_in extended permit tcp object-group inside_host any eq https
access-list inside_in extended permit udp host 72.9.2.23 any eq domain inactive
access-list inside_in extended permit tcp host 72.9.2.127 host 72.9.2.125 eq 9669
access-list inside_in extended deny ip any any log
Thanks.
12-04-2018 03:24 PM
I see the entry, it's specifically allowed here:
access-list outside_in extended permit tcp host 72.9.2.126 host 72.9.2.127 eq 8080
but it will hit this entry first, where ALL traffic is allowed anyway:
access-list outside_access_in extended permit ip any any
I've never set up an ASA in transparent mode, so I'm not familiar with this type of config.
Do you not need to apply the ACL to the outside interface, as it has security-level 0 and inside is 100?
regards, mk
12-04-2018 03:27 PM
Do you have this command?
access-group outside_in in interface outside
regards, mk
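To make the point of both replies concrete, here is an added Python evaluator (not from the thread or from Cisco) that walks an ASA extended ACL in first-match order and consults only the one list bound inbound on the interface with access-group, so the same flow from the syslog line can be checked against each candidate binding. The config excerpt is constructed from the ACL lines posted above, and the access-group lines the scenarios append are assumptions, since the post shows none.

```python
import ipaddress
# Constructed excerpt of the ACL config posted above. The post shows no access-group line,
# so each scenario appends an assumed binding to this excerpt before evaluating the flow.
CONFIG = """
object-group network inside_host
 network-object host 72.9.2.127
access-list outside_access_in extended permit ip any any
access-list outside_in extended permit tcp host 72.9.2.126 object-group inside_host eq 8080
access-list outside_in extended permit tcp host 72.9.2.126 host 72.9.2.127 eq citrix-ica
access-list outside_in extended deny ip any any log
"""
PORTS = {"www": 80, "https": 443, "domain": 53, "ldap": 389, "ftp": 21, "citrix-ica": 1494}

def parse(config):  # -> (network object-groups, ACL entries in configured order, bindings)
    groups, acls, bindings, cur = {}, {}, {}, None
    for t in (l.split() for l in config.splitlines() if l.strip()):
        if t[:2] == ["object-group", "network"]:
            cur = groups.setdefault(t[2], [])
        elif t[0] == "network-object":   # "host A.B.C.D" or "A.B.C.D MASK"
            cur.append(ipaddress.ip_network(t[2] if t[1] == "host" else f"{t[1]}/{t[2]}", strict=False))
        elif t[0] == "access-list":
            acls.setdefault(t[1], []).append(t[2:])
        elif t[0] == "access-group":     # access-group ACL in|out interface IFACE
            bindings[(t[4], t[2])] = t[1]
    return groups, acls, bindings

def addr(tok, i, groups):  # consume one address spec at tok[i] -> (networks, next index)
    if tok[i] == "any": return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "object-group": return groups[tok[i + 1]], i + 2
    spec = tok[i + 1] if tok[i] == "host" else f"{tok[i]}/{tok[i + 1]}"
    return [ipaddress.ip_network(spec, strict=False)], i + 2

def matches(entry, groups, proto, src, dst, dport):  # entry's action on a match, else None
    if "inactive" in entry or entry[2] not in ("ip", proto): return None
    srcs, i = addr(entry, 3, groups)
    dsts, i = addr(entry, i, groups)
    if not any(src in n for n in srcs) or not any(dst in n for n in dsts): return None
    if i < len(entry) and entry[i] == "eq":   # named or numeric destination port
        if dport != (PORTS.get(entry[i + 1]) or int(entry[i + 1])): return None
    return entry[1]

def evaluate(config, iface, proto, src, dst, dport):  # first match in the ACL bound inbound on iface
    groups, acls, bindings = parse(config)
    name = bindings.get((iface, "in"))
    if name is None: return "deny", f"no access-group inbound on {iface}: default low-to-high deny"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, entry in enumerate(acls.get(name, []), 1):
        if action := matches(entry, groups, proto, s, d, dport):
            return action, f"{name} line {n}: {' '.join(entry)}"
    return "deny", f"{name}: implicit deny at end of list"
```

Running evaluate on the logged flow (outside, tcp, 72.9.2.126 to 72.9.2.127, port 8080) returns a default-policy deny with no binding, a line-1 permit if outside_access_in is the bound list, and a line-1 permit from the 8080 entry if outside_in is bound. An ACL deny with log is reported as "Deny ... by access-group <name>", whereas the "Inbound TCP connection denied" wording in the question is the security-level default, which fits the unbound case.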