09-10-2007 05:59 AM - edited 03-11-2019 04:08 AM
I have an ASA 5510 with a DMZ port sub-interfaced to 3 ports. The 3 interfaces are set up the same with security level 50. The outbound rules for the interfaces are the same except obviously for the source. On the first and second sub-interface I can get to the internet, but on the 3rd interface I cannot. When trying to access the internet I get a deny message in the syslog. The ASDM reports it as the result of an implicit rule. As far as I know, this should be allowed since it is going to a less secure interface.
09-10-2007 06:04 AM
Do you mind posting the config?
09-10-2007 06:36 AM
Can you please let me know if I have forgotten to parse anything out, and when and if I can remove the attachment.
09-10-2007 06:43 AM
You can pull it now.
09-10-2007 06:48 AM
Could you post the error message you are getting?
"As far as I know, this should be allowed since it is going to a less secure interface."
- Not necessarily... you have an ACL applied to the DMZ-13 interface, therefore anything not specifically allowed will be denied, regardless of where it's going.
09-10-2007 07:15 AM
4 Sep 10 2007 10:14:05 106023 CYCLOPS 170.224.191.33 Deny tcp src DMZ-13:CYCLOPS/4482 dst outside:170.224.191.33/80 by access-group "DMZ-13_access_in" [0x0, 0x0]
09-10-2007 07:20 AM
You have to allow that in your DMZ-13_access_in access list.
If you want to allow all access to the outside, then you should do this.
Take your existing ACL, add a deny ip any to your other DMZ/inside networks. Then add a permit ip any any to allow any other access to the outside network.
access-list DMZ-13_access_in deny ip any
access-list DMZ-13_access_in deny ip any
access-list DMZ-13_access_in permit ip any any
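The point the replies make is that once an ACL is bound to an interface with access-group, the ASA evaluates it top to bottom, takes the first matching entry, and drops anything that reaches the end (the "implicit rule" ASDM reports, logged as 106023), regardless of the security levels involved. The ordering of the deny-to-internal entries before the final permit ip any any also matters. The following is an added Python example (not code from the thread or from Cisco) that models that first-match evaluation over ACL lines in ASA syntax and checks the outcome for the flow in the syslog line above. The host and network addresses for CYCLOPS, the other DMZ sub-interfaces and the inside network are constructed placeholders, since they were parsed out of the posted config; the "before" ACL is likewise a constructed stand-in containing only one specific permit.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed addresses standing in for the values parsed out of the thread.
CYCLOPS = "10.13.0.5"            # host on DMZ-13 (assumed)
DMZ11_NET = "10.11.0.0 255.255.255.0"    # first DMZ sub-interface (assumed)
DMZ12_NET = "10.12.0.0 255.255.255.0"    # second DMZ sub-interface (assumed)
INSIDE_NET = "192.168.1.0 255.255.255.0"  # inside network (assumed)
OUTSIDE_WEB = "170.224.191.33"   # destination from the 106023 syslog line


def _parse_addr(tokens, i):
    """Parse one ASA address spec at tokens[i]: 'any', 'host A', or 'A MASK'.
    Returns (network, index of the next token)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA writes network + dotted netmask; ipaddress accepts that form.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(lines):
    """Parse 'access-list NAME {permit|deny} PROTO SRC DST [eq PORT]' lines
    into an ordered list of access control entries."""
    acl = []
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            raise ValueError(f"not an extended ACE: {line!r}")
        name, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        acl.append({"name": name, "action": action, "proto": proto,
                    "src": src, "dst": dst, "dport": dport, "text": line})
    return acl


def evaluate(acl, proto, src_ip, dst_ip, dst_port=None):
    """First-match evaluation of an interface ACL, as the ASA does it.
    Returns (action, matched_entry); matched_entry is None when the packet
    fell off the end of the list and hit the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace["proto"] not in ("ip", proto):      # 'ip' matches every protocol
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dst_port:
            continue
        return ace["action"], ace
    return "deny", None   # implicit deny at the end of every applied ACL


# Constructed stand-in for the thread's existing DMZ-13_access_in: it permits
# one specific flow and nothing else, so web traffic to the outside falls
# through to the implicit deny even though outside is a lower security level.
ACL_BEFORE = [
    f"access-list DMZ-13_access_in permit tcp 10.13.0.0 255.255.255.0 host 192.168.1.25 eq 25",
]

# The ordering the reply recommends: explicit denies to the other DMZ and
# inside networks first, then permit ip any any for everything else.
ACL_AFTER = ACL_BEFORE + [
    f"access-list DMZ-13_access_in deny ip any {DMZ11_NET}",
    f"access-list DMZ-13_access_in deny ip any {DMZ12_NET}",
    f"access-list DMZ-13_access_in deny ip any {INSIDE_NET}",
    "access-list DMZ-13_access_in permit ip any any",
]

# Same entries with the permit placed first: the denies are never reached.
ACL_MISORDERED = [
    "access-list DMZ-13_access_in permit ip any any",
    f"access-list DMZ-13_access_in deny ip any {INSIDE_NET}",
]


def web_from_cyclops(acl_lines):
    """Action for CYCLOPS -> 170.224.191.33:80, the flow in the syslog line."""
    return evaluate(parse_acl(acl_lines), "tcp", CYCLOPS, OUTSIDE_WEB, 80)[0]


def inside_from_cyclops(acl_lines):
    """Action for CYCLOPS -> an inside host on tcp/22 (constructed flow)."""
    return evaluate(parse_acl(acl_lines), "tcp", CYCLOPS, "192.168.1.10", 22)[0]


if __name__ == "__main__":
    for label, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER), ("misordered", ACL_MISORDERED)):
        action, ace = evaluate(parse_acl(acl), "tcp", CYCLOPS, OUTSIDE_WEB, 80)
        print(f"{label:10} outside:80 -> {action} by {'implicit rule' if ace is None else ace['text']}")
        print(f"{label:10} inside:22  -> {inside_from_cyclops(acl)}")
```

Running it shows the "before" list denying the web flow with no matching entry (the implicit rule the OP saw in ASDM), the recommended list permitting it while still denying DMZ-13 to the inside network, and the misordered list permitting the inside flow because permit ip any any is matched before the deny is ever consulted.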