ASA 5520 v. 8.2(1) Flow is Denied by Configured Rule

Hello all,

I'm new to the forums and to the Cisco ASA 5520. Recently I upgraded my firewall hardware from an ASA 5505 to an ASA 5520. Since I am a small startup company on a tight budget, I purchased a used firewall. Unfortunately, the firewall runs software version 8.2(1), for which I find it difficult to find any documentation.

I have some problems with the setup of my DMZ subnet, which I hope to get some help with, as this is a real show-stopper for me.

In general, I am trying to achieve the following:
1) Access to my web server (gateway) from the Internet.
2) Access to my mail server from the Internet.
3) I need to make a hole in the firewall from the DMZ to the LAN so I can get my Zabbix Proxy to communicate with the Zabbix Server in my LAN subnet. Generally, I am not keen on making holes in the firewall, but it is necessary for me to make things work. It is therefore important that only the Zabbix Proxy gets access to my LAN subnet.

I have tried to make some access-lists, but I can't really make it work. Something is wrong. If I run packet-tracer I get a 'Flow is Denied by Configured Rule' message.

Here is my running-config regarding access-lists and PAT rules:

object-group network WEB_SERVERS
 network-object host 172.16.1.30
object-group network MAIL_SERVERS
 network-object host 172.16.1.40
object-group service WEB_SERVICES tcp
 port-object eq www
 port-object eq https
object-group service MAIL_SERVICES tcp
 port-object eq smtp

access-list ACL_IN extended permit ip any any
access-list OUTSIDE_TO_DMZ extended permit tcp any object-group WEB_SERVERS object-group WEB_SERVICES
access-list OUTSIDE_TO_DMZ extended permit tcp any object-group MAIL_SERVERS object-group MAIL_SERVICES
access-list DMZ_TO_INSIDE extended permit tcp host 172.16.1.5 host 192.168.1.4 eq 10051
access-list DMZ_TO_INSIDE extended permit tcp host 172.16.1.5 host 192.168.1.4 eq 10050

global (outside) 101 interface
global (dmz) 101 interface
global (data) 101 interface
nat (dmz) 101 172.16.1.0 255.255.255.0
nat (dmz) 101 0.0.0.0 0.0.0.0
nat (inside) 101 192.168.1.0 255.255.255.0
nat (inside) 101 0.0.0.0 0.0.0.0
nat (data) 101 192.168.128.0 255.255.255.0
nat (data) 101 0.0.0.0 0.0.0.0

static (dmz,outside) tcp interface www 172.16.1.30 www netmask 255.255.255.255
static (dmz,outside) tcp interface https 172.16.1.30 https netmask 255.255.255.255
static (dmz,outside) tcp interface smtp 172.16.1.40 smtp netmask 255.255.255.255

access-group OUTSIDE_TO_DMZ in interface outside
access-group ACL_IN in interface inside

Here is the output from packet-tracer regarding the web server:

Phase: 1
Type: FLOW-LOOKUP
subtype:
Result: ALLOW
config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
config:
Additional Information:
in 172.16.1.0 255.255.255.0 dmz

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
config:
access-group OUTSIDE_TO_DMZ in interface outside
access-list OUTSIDE_TO_DMZ extended permit tcp any object-group WEB_SERVERS object-group WEB_SERVICES
object-group network WEB_SERVERS
network-object host 172.16.1.30
object-group service WEB_SERVICES tcp
port-object eq www
port-object eq https
Additional Information:

Phase: 4
Type: IP-OPTIONS
Result: ALLOW
config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf check
Result: Drop
config:
static (dmz,outside) tcp interface www 172.16.1.30 www netmask 255.255.255.255
match tcp dmz host 172.16.1.30 eq 80 outside any
static translation to 109.xxx.yyy.131 / 80
translate_hits = 0, untranslate_hits = 159
Additional Information:
Result:
input interface: outside
input status: up
input-line status: up
output interface: dmz
output status: up
output-line status: up
Action: Drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The same problem applies with regard to the mail server and access from DMZ to LAN.

Thanks in advance

1 REPLY

I now have access from DMZ to LAN by inserting the following:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
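
As an added example (it is not part of either post above), here is one way to lay out the DMZ-to-LAN piece in 8.2-era syntax so that only the Zabbix proxy can reach the Zabbix server, and nothing else in the DMZ can reach the internal networks. It assumes the interface names, the security-level ordering (outside below dmz below inside), and the host addresses from the original post, and it treats the data network 192.168.128.0/24 as an internal network to protect (an assumption). Two points differ from the posted configuration: the posted DMZ_TO_INSIDE access-list is never bound to the dmz interface with access-group, so it cannot take effect; and this example uses NAT exemption (nat 0 access-list, which is bidirectional and evaluated before static and dynamic NAT on 8.2) in place of the identity static translations in the reply. Either approach works on 8.2; configure one or the other for the same address pair, not both.

```text
! Added example, not from the original post or reply. Assumes:
!   inside = 192.168.1.0/24 (Zabbix server 192.168.1.4)
!   dmz    = 172.16.1.0/24  (Zabbix proxy 172.16.1.5)
!   data   = 192.168.128.0/24 (assumed to be an internal network)

! 1. NAT exemption: inside<->dmz traffic passes untranslated instead of
!    being PATed to the dmz interface by "nat (inside) 101" / "global (dmz) 101".
!    The mirrored dmz-side entry keeps the proxy's own source address from
!    matching "nat (dmz) 101" on the way to inside.
access-list NONAT_INSIDE extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NONAT_INSIDE
access-list NONAT_DMZ extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (dmz) 0 access-list NONAT_DMZ

! 2. Least-privilege ingress from the DMZ: only the proxy, only the two
!    Zabbix ports, then an explicit logged deny toward every internal
!    network, then ordinary Internet egress for the rest of the DMZ.
access-list DMZ_TO_INSIDE extended permit tcp host 172.16.1.5 host 192.168.1.4 eq 10051
access-list DMZ_TO_INSIDE extended permit tcp host 172.16.1.5 host 192.168.1.4 eq 10050
access-list DMZ_TO_INSIDE extended deny ip any 192.168.1.0 255.255.255.0 log
access-list DMZ_TO_INSIDE extended deny ip any 192.168.128.0 255.255.255.0 log
access-list DMZ_TO_INSIDE extended permit ip 172.16.1.0 255.255.255.0 any

! 3. The ACL does nothing until it is bound to the interface.
access-group DMZ_TO_INSIDE in interface dmz

! 4. Verify from the dmz side: the proxy on a permitted port, the proxy on a
!    non-permitted port, and a different DMZ host (172.16.1.6 is a made-up
!    address for the negative test).
packet-tracer input dmz tcp 172.16.1.5 12345 192.168.1.4 10051
packet-tracer input dmz tcp 172.16.1.5 12345 192.168.1.4 22
packet-tracer input dmz tcp 172.16.1.6 12345 192.168.1.4 10051
```

Only the first trace should reach the NAT and flow-creation phases; the other two should be stopped in the ACCESS-LIST phase by DMZ_TO_INSIDE, and the logged deny entries will show up in syslog, which is the quickest way to confirm that nothing else in the DMZ is quietly reaching the LAN.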