ACLs not working as expected.
Posted on 2008-01-24
I'm manually migrating a PIX 506e to an ASA 5505 (since the PIX doesn't have enough memory to load 7.x on, so I can't seamlessly migrate the config).
My ACLs to allow some external access in to my servers are not working properly. Everything is getting dropped. When I run the Packet Tracer, it shows everything is dropped by the implicit rule - it's like the packets aren't matching my ACLs properly.
I'm guessing that my understanding of how the ACLs work on the different interfaces, and for different directions, is somehow wrong, and I need to adjust how I am doing things, but I'm not sure what I am missing, or how I am wrong.
I am a Cisco-novice, and completely self-taught, so it is easy to believe that I am missing something obvious.
The internet is working fine outbound, and my inside ACLs work properly.
I have static NAT with PAT routes set up to map the internal machines to their external addresses. (PAT because I use one external IP for services provided by different internal machines.)
My NAT entries look like this (with obfuscated IPs):
static (inside,outside) tcp 18.104.22.168 https TANSRVEXCH https netmask 255.255.255.255
(more entries just like this, but with different ports and hosts defined)
Then the ACLs look like this:
access-list outside_access_in extended permit tcp any host TANSRVEXCH object-group EXCH_IN
(again, more entries just like this defined)
I've also tried it like this:
access-list outside_access_in extended permit tcp any host mail.[mydomain].com object-group EXCH_IN
On the PIX, within the ASDM it would be entered like the first case above, and from the command-line it would look like the second case above. I'm not sure which I am supposed to do, or if it even matters.
In either case, nothing in the TCP group "EXCH_IN" gets through. Everything is dropped by the implicit rule.
The configuration is almost identical to the config of the PIX that is presently working perfectly.
While I'm asking, does anyone have a link to a good explanation of how the inside, outside in/out ACLs work? I suspect that that is where I am going wrong, because I don't fully understand what in/out mean for the two interfaces.
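As an added illustration (not part of the original post or any Cisco code), the toy model below shows the order of operations that matters for an inbound ACL on the outside interface: on ASA/PIX software before 8.3 the interface ACL is evaluated against the mapped (public) destination before the static NAT/PAT entry is untranslated, whereas from 8.3 onward the ACL sees the real (inside) address. The mapped IP, host name, ports and the `pre_83` switch are constructed for the example.

```python
# Toy model of outside_access_in evaluation on an ASA with a static PAT entry.
# Constructed values: 203.0.113.10 is the mapped IP, TANSRVEXCH the real host.
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    proto: str
    dst_host: str          # host the ACE is written against (real or mapped)
    dst_ports: frozenset   # ports from the object-group


# static (inside,outside) tcp 203.0.113.10 https TANSRVEXCH https netmask 255.255.255.255
STATIC_PAT = {("tcp", "203.0.113.10", 443): ("TANSRVEXCH", 443),
              ("tcp", "203.0.113.10", 25): ("TANSRVEXCH", 25)}
EXCH_IN = frozenset({25, 443})   # object-group service EXCH_IN tcp


def untranslate(proto, dst_ip, dst_port):
    """Reverse the static PAT entry; unknown flows are returned unchanged."""
    return STATIC_PAT.get((proto, dst_ip, dst_port), (dst_ip, dst_port))


def inbound_allowed(acl, proto, dst_ip, dst_port, pre_83=True):
    """True if the packet matches an ACE, False for the implicit deny.

    pre_83=True : ACL checked on the on-the-wire (mapped) destination,
                  then NAT untranslates (behaviour before 8.3).
    pre_83=False: NAT untranslates first, ACL checked on the real host (8.3+).
    """
    if pre_83:
        seen_host, seen_port = dst_ip, dst_port
    else:
        seen_host, seen_port = untranslate(proto, dst_ip, dst_port)
    for ace in acl:
        if (ace.proto == proto and ace.dst_host == seen_host
                and seen_port in ace.dst_ports):
            return True
    return False   # implicit deny at the end of every ACL


# ACE written against the real host, as in the post:
ACL_REAL = [Ace("tcp", "TANSRVEXCH", EXCH_IN)]
# ACE written against the mapped (public) address:
ACL_MAPPED = [Ace("tcp", "203.0.113.10", EXCH_IN)]

if __name__ == "__main__":
    print("pre-8.3, ACL on real host :", inbound_allowed(ACL_REAL, "tcp", "203.0.113.10", 443))
    print("pre-8.3, ACL on mapped IP :", inbound_allowed(ACL_MAPPED, "tcp", "203.0.113.10", 443))
    print("8.3+,    ACL on real host :", inbound_allowed(ACL_REAL, "tcp", "203.0.113.10", 443, pre_83=False))
```

The three lines the script prints correspond to the three cases a packet-tracer run would show for the same HTTPS packet, and only the first is dropped by the implicit rule.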