07-06-2012 05:05 AM
Hi all,
I'm trying to open a hole in the firewall (ASA 5505, v8.2) to allow external access to a Web application. Via ASDM (6.3?), I've added the server as a Public Server, which creates a static NAT entry and an incoming rule "any... server_public_ip... https... allow", but traffic is still not getting through. When I look at the log viewer, it says it's denied by access-group inside_access_out, implicit rule, which is "any any ip deny".
I haven't had much experience with Cisco management. I can't see what I'm missing to allow this connection through, and I'm wondering if there's anything else special I have to add. I tried adding a rule (several variations) within that access-group to allow https to the server, but it never made a difference.
Any ideas? If you need more information, please let me know.
Thanks
07-06-2012 06:02 AM
Can you please share your running config?
07-09-2012 06:58 PM
Hi Jennifer, so sorry for the delay. I got my access-group name confused. It is inside_access_out that is blocking. Here are my access-list entries and static NAT. Please let me know if this helps. Thanks again!
access-list acl_in extended permit tcp any host PUBLIC_IP eq https
access-list acl_in extended permit icmp CS_WAN_IPs 255.255.255.240 any
access-list acl_in remark Allow Vendor connections to LAN
access-list acl_in extended permit tcp host Vendor any object-group RemoteDesktop
access-list acl_in remark NetworkScanner scan-to-email incoming (from smtp.mail.microsoftonline.com to PCs)
access-list acl_in extended permit object-group TCPUDP any object-group Scan-to-email host NetworkScanner object-group Scan-to-email
access-list acl_out extended permit icmp any any
access-list acl_out extended permit tcp any any
access-list acl_out extended permit udp any any
access-list SSLVPNSplitTunnel standard permit LAN_Subnet 255.255.255.0
access-list nonat extended permit ip VPN_Subnet 255.255.255.0 LAN_Subnet 255.255.255.0
access-list nonat extended permit ip LAN_Subnet 255.255.255.0 VPN_Subnet 255.255.255.0
access-list inside_access_out remark NetworkScanner Scan-to-email outgoing (from scanner to Internet)
access-list inside_access_out extended permit object-group TCPUDP host NetworkScanner object-group Scan-to-email any object-group Scan-to-email
access-list inside_access_out extended permit tcp any interface outside eq https
static (inside,outside) PUBLIC_IP LOCAL_IP[server object] netmask 255.255.255.255
07-09-2012 07:52 PM
And can you also share the output of "show run access-group"?
07-10-2012 04:39 AM
access-group inside_access_out out interface inside
access-group acl_in in interface outside
access-group acl_out out interface outside
07-10-2012 05:47 AM
Please remove the following line and that would allow you access to the web server:
access-group inside_access_out out interface inside
To allow only specific access from internal networks towards the outside/internet, the access-list should be applied in the "in" direction on the inside interface.
07-10-2012 08:10 AM
Jennifer Halim wrote:
To allow only specific access from internal networks towards the outside/internet, the access-list should be applied in the "in" direction on the inside interface.
I'm not sure I understand. Regarding allowing only specific access out of the network, does that mean I would need to create outgoing rules for anything outgoing (such as users accessing the Internet)? Since it is currently set to "out," how does that affect access? (Does it block everything?)
Will removing the line open it up for everything outgoing?
Thank you!
07-10-2012 06:03 PM
There are 2 types of access-list:
- "in", which means incoming/inbound towards the interface
- "out", which means outgoing/outbound off the interface
So the access-list is relative to the interface, not relative to whether it is outgoing traffic towards the Internet, or incoming towards the internal subnet.
So to allow access out of the internal network, you just configure the access list "in" towards the inside interface as traffic will hit the inside interface first before going out via the outside interface.
Your currently configured "out" is outgoing the inside interface, i.e. it will affect traffic from the outside or any other interfaces outbound off the inside interface.
Removing the line will not open it up for everything since you already have "in" access-list on the outside interface.
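To make the direction rule above concrete, here is a small model of how the ASA evaluates a connection against the ACLs bound with access-group. This is an added example written for this thread, not code from the forum, from Cisco or from ASDM. It models only what the thread discusses: one ACL per (interface, direction), the implicit deny at the end of any bound ACL, and the default permit from a higher to a lower security level when no ACL is bound. Interface names, ACL names and the placeholders PUBLIC_IP, LOCAL_IP and NetworkScanner are taken from the posted config; the object-group contents, the sample source addresses, the LAN_HOST name and the static NAT untranslation of the destination between the ingress and egress checks are assumptions added here.

```python
"""Toy model of ASA 8.2-style interface ACL direction (added example, not from the thread).
Assumed simplifications: static NAT untranslates the destination between the two checks,
and object-group contents (not in the thread) are collapsed to 'any port'."""
from dataclasses import dataclass, field, replace
from typing import Optional

ANY = "any"


@dataclass(frozen=True)
class Flow:
    ingress: str            # interface the connection arrives on
    egress: str             # interface it leaves through
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches any protocol
    src: str                # ANY or a host/name
    dst: str
    dport: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        return (self.proto in ("ip", flow.proto)
                and self.src in (ANY, flow.src)
                and self.dst in (ANY, flow.dst)
                and self.dport in (None, flow.dport))


@dataclass
class Asa:
    security: dict                                   # interface -> security level
    acls: dict = field(default_factory=dict)         # ACL name -> [Ace]
    groups: dict = field(default_factory=dict)       # (iface, direction) -> ACL name
    static_nat: dict = field(default_factory=dict)   # mapped address -> real address

    def access_group(self, acl: str, direction: str, iface: str) -> None:
        self.groups[(iface, direction)] = acl       # "access-group ACL DIR interface IF"

    def no_access_group(self, acl: str, direction: str, iface: str) -> None:
        if self.groups.get((iface, direction)) == acl:
            del self.groups[(iface, direction)]     # "no access-group ..."

    def _acl_check(self, iface, direction, flow):
        """None = nothing bound here; otherwise the verdict of the first matching ACE."""
        name = self.groups.get((iface, direction))
        if name is None:
            return None, f"no ACL bound '{direction}' on {iface}"
        for ace in self.acls.get(name, []):
            if ace.matches(flow):
                return ace.action == "permit", f"{name}: matched '{ace.action}'"
        return False, f"{name}: implicit deny"

    def evaluate(self, flow: Flow):
        # Stage 1: the 'in' ACL on the ingress interface, using the address seen there.
        ok, why = self._acl_check(flow.ingress, "in", flow)
        if ok is None:  # nothing bound: the security levels decide
            ok = self.security[flow.ingress] > self.security[flow.egress]
            why += "; " + ("higher->lower level permitted" if ok else "lower->higher level denied")
        if not ok:
            return False, why
        # Assumed: static NAT untranslates the destination before the egress check.
        flow = replace(flow, dst=self.static_nat.get(flow.dst, flow.dst))
        # Stage 2: the 'out' ACL on the egress interface, only if one is bound.
        ok, why2 = self._acl_check(flow.egress, "out", flow)
        return (True if ok is None else ok), why + "; " + why2


def thread_asa() -> Asa:
    """The OP's posted config, reduced to what the model needs."""
    asa = Asa(security={"inside": 100, "outside": 0}, static_nat={"PUBLIC_IP": "LOCAL_IP"})
    asa.acls["acl_in"] = [Ace("permit", "tcp", ANY, "PUBLIC_IP", 443)]
    asa.acls["acl_out"] = [Ace("permit", p, ANY, ANY) for p in ("icmp", "tcp", "udp")]
    asa.acls["inside_access_out"] = [
        Ace("permit", "tcp", "NetworkScanner", ANY),            # scan-to-email, simplified
        Ace("permit", "tcp", ANY, "interface outside", 443),    # the OP's attempted fix
    ]
    asa.access_group("inside_access_out", "out", "inside")
    asa.access_group("acl_in", "in", "outside")
    asa.access_group("acl_out", "out", "outside")
    return asa


# Constructed sample flows (addresses from the documentation ranges, not from the thread).
FLOWS = {
    "inbound_https": Flow("outside", "inside", "tcp", "198.51.100.7", "PUBLIC_IP", 443),
    "inbound_ssh":   Flow("outside", "inside", "tcp", "198.51.100.7", "PUBLIC_IP", 22),
    "user_browsing": Flow("inside", "outside", "tcp", "LAN_HOST", "203.0.113.9", 443),
}


def before_and_after() -> dict:
    """Verdicts for each flow before and after removing the 'out' access-group on inside."""
    asa = thread_asa()
    before = {k: asa.evaluate(f) for k, f in FLOWS.items()}
    asa.no_access_group("inside_access_out", "out", "inside")
    after = {k: asa.evaluate(f) for k, f in FLOWS.items()}
    return {k: (before[k], after[k]) for k in FLOWS}
```

Running before_and_after() shows the three points made in the thread: the inbound HTTPS connection passes acl_in on the outside interface but is then dropped by the implicit deny of inside_access_out on the way out of the inside interface (the OP's extra "interface outside eq https" entry never matches, because by then the destination is the server's real address), removing that access-group lets it through, an unrelated inbound port is still denied by acl_in, and users browsing out are unaffected either way because nothing is bound "in" on inside and acl_out permits tcp.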
07-11-2012 06:35 AM
Thank you for the clarification. I appreciate the help.