ASA 5510 Firewall Cisco - ACL deny tcp
Dear all,
i have trouble of one of my inside host (NY_srvnwtny) connecting to a external host on the internet (NY_Comme) via tcp port 22. attached is a picture i have on asdm. it is telling me that inside_access_in acl is denying that traffic. however i have added some line in that acl like this one.
Access-list inside_access_in line 50 remark to Transfers to NY_comme
access-list inside_access_in line 51 extended permit object-group TCPUDP host NY_srvnwtny host NY_comme eq 22
access-list inside_access_in line 51 extended permit udp host NY_srvnwtny host NY_comme eq 22
access-list inside_access_in line 51 extebded permit tcp host NY_srvnwtny host NY_comme eq ssh
Thanks for your comments.
i have trouble of one of my inside host (NY_srvnwtny) connecting to a external host on the internet (NY_Comme) via tcp port 22. attached is a picture i have on asdm. it is telling me that inside_access_in acl is denying that traffic. however i have added some line in that acl like this one.
Access-list inside_access_in line 50 remark to Transfers to NY_comme
access-list inside_access_in line 51 extended permit object-group TCPUDP host NY_srvnwtny host NY_comme eq 22
access-list inside_access_in line 51 extended permit udp host NY_srvnwtny host NY_comme eq 22
access-list inside_access_in line 51 extebded permit tcp host NY_srvnwtny host NY_comme eq ssh
Thanks for your comments.
Saineolai
Do you have a deny statement for this traffic in any of the earlier lines in the inside_access_in access list?
ASKER
here are my last line on this acl when i do the following command: show access-list inside_access_in
access-list inside_access_in line 48 remark Log Dropped Packets
access-list inside_access_in line 49 extended deny ip any any (hitcnt=3728424) 0xbe9efe96
access-list inside_access_in line 50 remark To Transfers to NY_Comme
access-list inside_access_in line 51 extended permit object-group TCPUDP host NY_srvnwtny host NY_Comme eq 22 0x4d259085
access-list inside_access_in line 51 extended permit udp host NY_srvnwtny host NY_Comme eq 22 (hitcnt=0) 0x38c2f370
access-list inside_access_in line 51 extended permit tcp host NY_srvnwtny host NY_Comme eq ssh (hitcnt=0) 0x65958558
access-list inside_access_in line 48 remark Log Dropped Packets
access-list inside_access_in line 49 extended deny ip any any (hitcnt=3728424) 0xbe9efe96
access-list inside_access_in line 50 remark To Transfers to NY_Comme
access-list inside_access_in line 51 extended permit object-group TCPUDP host NY_srvnwtny host NY_Comme eq 22 0x4d259085
access-list inside_access_in line 51 extended permit udp host NY_srvnwtny host NY_Comme eq 22 (hitcnt=0) 0x38c2f370
access-list inside_access_in line 51 extended permit tcp host NY_srvnwtny host NY_Comme eq ssh (hitcnt=0) 0x65958558
Can we see the *entire* ACL called inside_access_in? The order of the lines is very important as all ACLs are evaluated from top down. If any 1 line matches, processing stops. If there is a deny statement that matches the traffic before the allow statement, then the traffic will be dropped.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
yes. that was right. it works after moving the lines added before the explicit deny.
Thanks a lot.
Thanks a lot.