• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 386

ASA 5510 error message

Hi Experts,
I have an ASA 5510 and get an error when I try to access the DMZ from inside. I am accessing from my workstation on the inside to a Windows 2008 server on ESXi 4.0 (sonic) in DMZ-WEB:

4      Sep 07 2011      16:00:17      106023      10.10.0.190      51334      Server-sonic      902      Deny tcp src inside:10.10.0.190/51334 dst dmz-web:Server-sonic/902 by access-group "inside_access_in" [0x0, 0x0]

So I think I opened the port, but it is still a no go. The ASA 5510 is new to me, so can anyone let me know how to add an ACL so I can access it? I also need SSH access to sonic because it is Linux. I am using Cisco ASDM 6.2.

Thanks in advance
0
Asked by: Ksean
3 Solutions
 
genie4all commented:
Hi,

There must be a deny statement before the allow statement. Create or move the allow statement to top of the list.

If the above doesn't help, provide your ACL's.

Regards,
0
 
jmeggers (Sr. Network and Security Engineer) commented:
Agreed, the error message specifically mentions your inside-interface ACL. You need to permit what you want (or remove that ACL altogether) and as long as the traffic is stateful (ICMP is not), the DMZ interface should let return traffic in. The way the ASA works, traffic is allowed or denied based on interface "trust" or security-level; the interface named "inside" has a default security level of 100 (most trusted) and the interface named "outside" has a default security level of 0 (least trusted). (If you use interface names the ASA doesn't know how to interpret, it will set the security level at 0, but you can set them yourself.) The values themselves are meaningless; they are only relative to the values on the other interfaces. So the relationship of the values used on your inside and DMZ interfaces could play into this.
0
 
Ernie Beek (Expert) commented:
As said, check your inside_access_in access list. If you manually add a rule, it will be put at the end of the access list. Access lists are always processed top-down until there is a match. Once a match has been found, that specific rule will be applied and the processing of the access list stops. So if there is a deny (all) in between, that will always be a match and the rest of the list will never be processed.
0
 
Ksean (Author) commented:
Still doesn't work. The security level of inside is 100 and 50 for Web-dmz, so I do not need any ACL from inside to Web-dmz. So I opened port 902 for server-sonic: source is server-sonic and destination is my workstation. Do I need NAT rules for this?
0
 
Ernie Beek (Expert) commented:
Well, the error states that the blocking is done by the inside_access_in list...
Could you post a sanitized config?
0
 
Ksean (Author) commented:
Thank you everyone. I got it working by creating the ACL as follows:

access-list inside_access_in extended permit object-group TCPUDP Clients 255.255.254.0 host Server-sonic eq 902

Now I can access the Windows 2008 server (A) on VMware ESXi 4.0 (B), but from the Windows 2008 server I can ping other servers in the DMZ but cannot ping any server outside the DMZ.
I opened all ICMP from DMZ to inside but still a no go. Do I have to open something for VMware or the Windows server? Do I need any NAT rule for this?

Thanks in advance
0
 
Ernie Beek (Expert) commented:
The last question remains:
Could you post a sanitized config?
0
 
Ksean (Author) commented:
Unfortunately I cannot post the config. Can you give me a tip so I can just try?
0
 
Ernie Beek (Expert) commented:
You also have an inside_access_in list, did you allow icmp in there?
What are the ASA logs showing when you try to ping?
0
 
Ksean (Author) commented:
Inside security level is higher than dmz. Do I still need to open ICMP from inside to dmz? I don't get any log entries when I set the filter to only this server's IP address.
0
 
Ernie Beek (Expert) commented:
You have an access list set up for the inside interface. Access lists always end with an implicit 'deny all'. So everything that isn't explicitly allowed is blocked...

Don't filter too specific, sometimes you might miss something :)
0
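As an added example (not code from anyone in this thread), the following Python models the top-down, first-match processing and the implicit deny that Ernie Beek describes in his two comments above, and extracts the fields of the 106023 deny message quoted in the question so such denies can be grouped by access-group and port. The Clients network uses the 255.255.254.0 mask from the posted ACL; the address for host Server-sonic is a constructed assumption.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Model of ASA extended ACL processing as described in the thread: the list
# is walked top-down, the first matching entry is applied, and an implicit
# "deny ip any any" closes every list that is bound to an interface.
@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip" (any)
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("ip", proto)
                and ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and (self.dport is None or self.dport == dport))

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, index) of the first matching ACE; -1 is the implicit deny."""
    for i, ace in enumerate(acl):
        if ace.matches(proto, src, dst, dport):
            return ace.action, i
    return "deny", -1

ANY = ip_network("0.0.0.0/0")
CLIENTS = ip_network("10.10.0.0/23")   # 255.255.254.0 mask from the thread's ACL
SONIC = ip_network("172.16.1.10/32")   # constructed address for host Server-sonic

permit_902 = Ace("permit", "tcp", CLIENTS, SONIC, 902)
deny_all = Ace("deny", "ip", ANY, ANY)

appended = [deny_all, permit_902]   # permit added at the bottom, below a deny-all
reordered = [permit_902, deny_all]  # same permit moved above the deny, as advised

# Field extraction for the %ASA-4-106023 message quoted in the question, so a
# log search can group denies by access-group, destination and port.
LOG_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<src>[\w.-]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[\w-]+):(?P<dst>[\w.-]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[\w-]+)"')

def parse_106023(line):
    m = LOG_RE.search(line)
    return m.groupdict() if m else None
```

Running the same TCP/902 flow through `appended` and `reordered` shows why the appended rule never takes effect, and an ICMP flow through a list that only permits TCP/902 falls through to the implicit deny.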
 
Ksean (Author) commented:
I got the idea to fix my problem from you guys, so you deserve the points. Thanks all.
0
Question has a verified solution.