• Status: Solved

ASA 5510 Firewall Cisco - ACL deny tcp

Dear all,
I have trouble with one of my inside hosts (NY_srvnwtny) connecting to an external host on the internet (NY_Comme) via TCP port 22. Attached is a picture I have from ASDM. It is telling me that the inside_access_in ACL is denying that traffic. However, I have added some lines to that ACL like this one:
access-list inside_access_in line 50 remark to Transfers to NY_comme
access-list inside_access_in line 51 extended permit object-group TCPUDP host NY_srvnwtny host NY_comme eq 22
access-list inside_access_in line 51 extended permit udp host NY_srvnwtny host NY_comme eq 22
access-list inside_access_in line 51 extended permit tcp host NY_srvnwtny host NY_comme eq ssh
Thanks for your comments.
logging screen
Asked: Faustino-12
Saineolai commented:
Do you have a deny statement for this traffic in any of the earlier lines in the inside_access_in access list?
 
Faustino-12 (author) commented:
Here are the last lines of this ACL when I run the following command: show access-list inside_access_in
access-list inside_access_in line 48 remark Log Dropped Packets
access-list inside_access_in line 49 extended deny ip any any (hitcnt=3728424) 0xbe9efe96
access-list inside_access_in line 50 remark To Transfers to NY_Comme
access-list inside_access_in line 51 extended permit object-group TCPUDP host NY_srvnwtny host NY_Comme eq 22 0x4d259085
  access-list inside_access_in line 51 extended permit udp host NY_srvnwtny host NY_Comme eq 22 (hitcnt=0) 0x38c2f370
  access-list inside_access_in line 51 extended permit tcp host NY_srvnwtny host NY_Comme eq ssh (hitcnt=0) 0x65958558
 
MikeKane commented:
Can we see the *entire* ACL called inside_access_in? The order of the lines is very important, as all ACLs are evaluated from top down. If any one line matches, processing stops. If there is a deny statement that matches the traffic before the allow statement, then the traffic will be dropped.

 
akhilw commented:
The ACL entry
access-list inside_access_in line 49 extended deny ip any any (hitcnt=3728424) 0xbe9efe96
is dropping the packets. You can change the sequence number of this "deny any any" ACE from 49 to 52 and it should work.

#no access-list inside_access_in line 49 extended deny ip any any
#access-list inside_access_in line 52 extended deny ip any any

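The two answers above (MikeKane's top-down, first-match rule and akhilw's fix of re-sequencing the `deny ip any any`) can be checked offline. The script below is an added example and is not code from the thread or from Cisco: it parses the ACE lines quoted from `show access-list inside_access_in` (the host names NY_srvnwtny and NY_Comme are the object names from the post, used here as opaque strings), evaluates the SSH flow the way the ASA does (first matching ACE wins, implicit deny at the end), flags permit ACEs that an earlier broader ACE shadows (which is why their hitcnt stays at 0), and models the move of line 49 to line 52. The parser is deliberately limited to `host`/`any` endpoints and `eq` ports; it assumes the expanded object-group members follow their parent line, as in the quoted output.

```python
"""Top-down, first-match evaluation of an ASA access list (added example).

Parses ACEs from `show access-list` output, evaluates a flow the way the
ASA does, reports shadowed ACEs, and models moving `deny ip any any` to
the end of the list.
"""
import re
from dataclasses import dataclass, replace

# Constructed input: the lines quoted in the thread. NY_srvnwtny and
# NY_Comme are the ASA object names from the post, treated as strings.
SHOW_ACL = """\
access-list inside_access_in line 48 remark Log Dropped Packets
access-list inside_access_in line 49 extended deny ip any any (hitcnt=3728424) 0xbe9efe96
access-list inside_access_in line 50 remark To Transfers to NY_Comme
access-list inside_access_in line 51 extended permit object-group TCPUDP host NY_srvnwtny host NY_Comme eq 22 0x4d259085
  access-list inside_access_in line 51 extended permit udp host NY_srvnwtny host NY_Comme eq 22 (hitcnt=0) 0x38c2f370
  access-list inside_access_in line 51 extended permit tcp host NY_srvnwtny host NY_Comme eq ssh (hitcnt=0) 0x65958558
"""

# Only the service names needed here; the ASA resolves many more.
PORT_NAMES = {"ssh": 22, "www": 80, "https": 443, "domain": 53}

# Simplified ACE grammar: host/any endpoints and an optional `eq <port>`.
ACE_RE = re.compile(
    r"line (?P<line>\d+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)(?: eq (?P<port>\S+))?"
)


@dataclass(frozen=True)
class Ace:
    line: int
    action: str   # "permit" or "deny"
    proto: str    # "ip", "tcp", "udp", ...
    src: str      # "any" or a host name/address
    dst: str
    dport: object  # int, or None when the ACE has no `eq` port

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("ip", proto)
                and self.src in ("any", src)
                and self.dst in ("any", dst)
                and self.dport in (None, dport))

    def covers(self, other):
        """True when every flow that matches `other` also matches self."""
        return (self.proto in ("ip", other.proto)
                and self.src in ("any", other.src)
                and self.dst in ("any", other.dst)
                and self.dport in (None, other.dport))


def _port(tok):
    if tok is None:
        return None
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse_acl(text):
    """ACEs in `show access-list` order. Remarks are skipped; an
    object-group parent line is skipped because its expanded members
    follow it and are what the ASA actually evaluates."""
    aces = []
    for raw in text.splitlines():
        if " remark " in raw or "object-group" in raw:
            continue
        m = ACE_RE.search(raw)
        if m:
            aces.append(Ace(int(m.group("line")), m.group("action"),
                            m.group("proto"),
                            m.group("src").split()[-1],   # "host X" -> "X"
                            m.group("dst").split()[-1],
                            _port(m.group("port"))))
    return aces


def first_match(aces, proto, src, dst, dport):
    """Top-down evaluation; returns (line, action) of the first match.
    The ASA appends an implicit deny, modelled here as line 0."""
    for ace in aces:
        if ace.matches(proto, src, dst, dport):
            return ace.line, ace.action
    return 0, "deny"


def shadowed_aces(aces):
    """(line, shadowed_by_line) for each ACE fully covered by an earlier
    one; such an ACE can never match, so its hitcnt stays at 0."""
    found = []
    for i, ace in enumerate(aces):
        for earlier in aces[:i]:
            if earlier.covers(ace):
                found.append((ace.line, earlier.line))
                break
    return found


def move_to_end(aces, line):
    """Model the fix: remove the ACE at `line` and re-add it after the
    last remaining entry (line 49 -> line 52 in the thread)."""
    rest = [a for a in aces if a.line != line]
    moved = [a for a in aces if a.line == line]
    new_line = max(a.line for a in rest) + 1
    return rest + [replace(a, line=new_line) for a in moved]


if __name__ == "__main__":
    acl = parse_acl(SHOW_ACL)
    flow = ("tcp", "NY_srvnwtny", "NY_Comme", 22)
    print("before:  ", first_match(acl, *flow))    # (49, 'deny')
    print("shadowed:", shadowed_aces(acl))         # [(51, 49), (51, 49)]
    fixed = move_to_end(acl, 49)
    print("after:   ", first_match(fixed, *flow))  # (51, 'permit')
```

Running it shows the SSH flow hitting line 49 before the fix and line 51 after it, with any other flow still falling through to the relocated deny at line 52. The same `shadowed_aces` check is a cheap pre-change review for any ACL: a permit whose hitcnt never moves is usually sitting below a broader deny.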
 
Faustino-12 (author) commented:
Yes, that was right. It works after moving the lines added before the explicit deny.
Thanks a lot.
