Solved

ASA 5510 error message

Posted on 2011-09-07
Last Modified: 2012-05-12
Hi Experts,
I have an ASA 5510 and got an error when I try to access the DMZ from inside. I am accessing a Windows 2008 server on ESXi 4.0 (sonic) in DMZ-WEB from my workstation on the inside.

4      Sep 07 2011      16:00:17      106023      10.10.0.190      51334      Server-sonic      902      Deny tcp src inside:10.10.0.190/51334 dst dmz-web:Server-sonic/902 by access-group "inside_access_in" [0x0, 0x0]

So I think I opened the port, but it is still a no go. The ASA 5510 is new to me, so can anyone let me know how to add an ACL so I can access it? I also need SSH access to sonic because it is Linux. I am using Cisco ASDM 6.2.

Thanks in advance
Question by:Ksean
12 Comments
 
LVL 2

Assisted Solution

by:genie4all
genie4all earned 100 total points
ID: 36499507
Hi,

There must be a deny statement before the allow statement. Create or move the allow statement to top of the list.

If the above doesn't help, provide your ACLs.

Regards,
0
 
LVL 18

Assisted Solution

by:jmeggers
jmeggers earned 100 total points
ID: 36499901
Agreed, the error message specifically mentions your inside-interface ACL. You need to permit what you want (or remove that ACL altogether), and as long as the traffic is stateful (ICMP is not), the DMZ interface should let return traffic in. The way the ASA works, traffic is allowed or denied based on interface "trust" or security level; the interface named "inside" has a default security level of 100 (most trusted) and the interface named "outside" has a default security level of 0 (least trusted). (If you use interface names the ASA doesn't know how to interpret, it will set the security level to 0, but you can set them yourself.) The values themselves are meaningless; they are only relative to the values on the other interfaces. So the relationship of the values used on your inside and DMZ interfaces could play into this.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36501032
As said, check your inside_access_in access list. If you manually add a rule it will be put at the end of the access list. Access lists are always processed top-down until there is a match. Once a match has been found, that specific rule will be applied and the processing of the access list stops. So if there is a deny (all) in between, that will always be a match and the rest of the list will never be processed.
0
 
Author Comment

by:Ksean
ID: 36503461
Still doesn't work. The security level of inside is 100 and 50 for Web-dmz, so I do not need any ACL from inside to Web-dmz. So I opened port 902 for server-sonic. Source is server-sonic and destination is my workstation. Do I need NAT rules for this?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36503565
Well, the error states that the blocking is done by the inside_access_in list...
Could you post a sanitized config?
0
 

Author Comment

by:Ksean
ID: 36511122
Thank you everyone. I got it working by creating the ACL as follows:

access-list inside_access_in extended permit object-group TCPUDP Clients 255.255.254.0 host Server-sonic eq 902

Now I can access the Windows 2008 server (A) on VMware ESXi 4.0 (B), but from the Windows 2008 server I can ping other servers in the DMZ but cannot ping any server outside the DMZ.
I opened all ICMP from DMZ to inside, but it is a no go. Do I have to open something for VMware or the Windows server? Do I need any NAT rule for this?

Thanks in advance
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36511178
The last question remains:
Could you post a sanitized config?
0
 

Author Comment

by:Ksean
ID: 36511321
Unfortunately I cannot post the config. Can you give me a tip so I can just try?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36511355
You also have an inside_access_in list, did you allow icmp in there?
What are the ASA logs showing when you try to ping?
0
 

Author Comment

by:Ksean
ID: 36511746
Inside security level is higher than dmz. Do I still need to open ICMP from Inside to dmz? I don't get any log when I set the filter for only this server ip address.
0
 
LVL 35

Accepted Solution

by:Ernie Beek
Ernie Beek earned 300 total points
ID: 36511938
You have an access list set up for the inside interface. Access lists always end with an implicit 'deny all', so everything that isn't explicitly allowed is blocked...

Don't filter too specifically; sometimes you might miss something :)
0
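To make the two points in this thread concrete (Ernie Beek's top-down, first-match processing with an implicit deny at the end, and genie4all's warning about a deny sitting above the permit), here is an added toy evaluator for the ASA-style extended ACL line the asker posted. It is not code from the thread or from Cisco; the addresses in NAMES are constructed placeholders, since the real Server-sonic and Clients values never appear on the page.

```python
import ipaddress

# Added example, not from the thread: a toy first-match evaluator for ASA-style extended ACL
# lines. NAMES holds constructed placeholder addresses; the thread never gives the real ones.
NAMES = {"Server-sonic": "192.0.2.10", "Clients": "10.10.0.0"}
PROTO_GROUPS = {"TCPUDP": {"tcp", "udp"}}  # ASDM's built-in TCPUDP service group

def _addr(t, i):
    # One address spec: 'any' | 'host X' | 'NET MASK'; returns (network, next token index)
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(NAMES.get(t[i + 1], t[i + 1])), i + 2
    return ipaddress.ip_network(f"{NAMES.get(t[i], t[i])}/{t[i + 1]}", strict=False), i + 2

def parse_rule(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' (a subset of ASA syntax)."""
    t = line.rstrip(".").split()  # tolerate the stray trailing period from the post
    assert t[0] == "access-list" and t[2] == "extended", line
    if t[4] == "object-group":
        protos, i = PROTO_GROUPS[t[5]], 6
    else:
        protos, i = {t[4]}, 5
    src, i = _addr(t, i)
    dst, i = _addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"action": t[3], "protos": protos, "src": src, "dst": dst, "dport": dport}

def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """Top-down, first match wins; falling off the end is the ASA's implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in acl:
        if ({proto, "ip"} & r["protos"]) and s in r["src"] and d in r["dst"] and r["dport"] in (None, dport):
            return r["action"]
    return "deny (implicit)"

OP_RULE = "access-list inside_access_in extended permit object-group TCPUDP Clients 255.255.254.0 host Server-sonic eq 902."
DENY_ALL = "access-list inside_access_in extended deny ip any any"  # constructed, to show ordering

def demo():
    """The flow from the 106023 log line, before and after the asker's fix, plus two pitfalls."""
    flow = ("tcp", "10.10.0.190", NAMES["Server-sonic"], 902)
    fixed = [parse_rule(OP_RULE)]
    return {
        "empty_acl": evaluate([], *flow),                                      # implicit deny, as logged
        "after_fix": evaluate(fixed, *flow),                                   # the asker's permit
        "deny_above_permit": evaluate([parse_rule(DENY_ALL)] + fixed, *flow),  # genie4all's point
        "icmp_after_fix": evaluate(fixed, "icmp", flow[1], flow[2]),           # why ping still failed
    }
if __name__ == "__main__": print(demo())
```

The last entry shows why the later ping problem persisted: a TCP/UDP permit for port 902 says nothing about ICMP, so ICMP from inside falls through to the implicit deny unless it is permitted explicitly.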
 

Author Closing Comment

by:Ksean
ID: 36524673
I got an idea from you guys to fix my problem, so you guys deserve the points. Thanks all.
0
