
TCP access denied by ACL

jmoritz99
Level 1

I have a security camera server with a web interface that formerly used a port forward in the service provider's modem/router to allow access to this interface from the internet. A 5505 ASA was installed after the modem to create a VPN to allow remote support. The VPN is configured and operational, but the web interface is no longer accessible. This site also has only one public IP address, and the server is on the only subnet that is configured.

The port forward was removed from the ISP modem/router, and I have configured port forwarding to the server on port 80. I also have configured an ACL to allow access from the outside to port 80. However, when attempting to access the server the logging shows:

TCP access denied by ACL from X.X.X.X/51945 to outside:X.X.X.X/80

I have attached my config file, please take a look and see what is causing this issue.

 

Thanks,

Jason

3 Replies

Hi Jmoritz,

You should add a nat statement for the object network milestone:

object network milestone
  nat (inside,outside) static interface service tcp 80 80

By doing so, host 10.1.33.238 would be natted to the outside interface, so any connection on port 80 on the outside interface would be forwarded to it on port 80.

Regards,

Aref

Aref,

I entered the commands as you suggested, but I am still getting the same results. Is there anything else that I can do?

Try to clear the xlate table and local host table with these commands and try again, and please remember that the IP address of the server on the access list has to be the real "private" IP address:

clear xlate

clear local-host

Regards,

Aref
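The pieces discussed in the replies above, put together as an added example (not taken from the poster's attached config, which is not shown in the thread). It assumes ASA software 8.3 or later, the interface names inside/outside seen in the thread, a hypothetical ACL name OUTSIDE_IN, a documentation-range test source 198.51.100.10, and `<outside-ip>` as a placeholder for the redacted public address.

```cisco
! --- Configuration mode ---
! Server object with its real (private) address, as given in the reply.
object network milestone
 host 10.1.33.238
 ! Static PAT: TCP/80 on the outside interface address maps to the server's TCP/80.
 nat (inside,outside) static interface service tcp 80 80
!
! On 8.3+ the interface ACL is evaluated against the real address after
! un-translation, so the destination is the object (10.1.33.238), not the
! public interface address. An entry written against the public address
! never matches, and the connection is logged as denied by ACL.
! "any" can be replaced by a specific source network to limit who may connect.
access-list OUTSIDE_IN extended permit tcp any object milestone eq 80
!
! An ACL has no effect until it is bound to an interface and direction.
access-group OUTSIDE_IN in interface outside
!
! --- Exec mode: verification ---
! Confirm the ACL is bound to the outside interface.
show run access-group
! Confirm the static PAT rule exists and watch its translate/untranslate hits.
show nat detail
! Hit counters show whether the permit line is actually being matched.
show access-list OUTSIDE_IN
! Simulate the inbound connection; the output names the phase
! (UN-NAT, ACCESS-LIST, NAT) that allows or drops the packet.
packet-tracer input outside tcp 198.51.100.10 51945 <outside-ip> 80
```

If `packet-tracer` reports a drop in the ACCESS-LIST phase while UN-NAT shows the untranslate to 10.1.33.238, the ACL entry or its `access-group` binding is the part to recheck.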

 
