Solved

ASA 5510 error message

Posted on 2011-09-07
383 Views
Last Modified: 2012-05-12
Hi Experts,
I have an ASA 5510 and get an error when I try to access the DMZ from inside. I am accessing, from my workstation on the inside, a Windows 2008 server on ESXi 4.0 (sonic) in DMZ-WEB.

4      Sep 07 2011      16:00:17      106023      10.10.0.190      51334      Server-sonic      902      Deny tcp src inside:10.10.0.190/51334 dst dmz-web:Server-sonic/902 by access-group "inside_access_in" [0x0, 0x0]

So I think I opened the port, but it is still a no go. The ASA 5510 is new to me, so can anyone let me know how to add an ACL so I can access it? I also need SSH access to sonic because it is Linux. I am using Cisco ASDM 6.2.

Thanks in advance
0
Comment
Question by:Ksean
12 Comments
 
LVL 2

Assisted Solution

by:genie4all
genie4all earned 400 total points
ID: 36499507
Hi,

There must be a deny statement before the allow statement. Create or move the allow statement to top of the list.

If the above doesn't help, provide your ACL's.

Regards,
0
 
LVL 18

Assisted Solution

by:jmeggers
jmeggers earned 400 total points
ID: 36499901
Agreed, the error message specifically mentions your inside-interface ACL.  You need to permit what you want (or remove that ACL altogether) and as long as the traffic is stateful (ICMP is not), the DMZ interface should let return traffic in.  The way the ASA works, traffic is allowed or denied based on interface "trust" or security-level; the interface named "inside" has a default security level of 100 (most trusted) and the interface named "outside" has a default security level of 0 (least trusted).  (If you use interface names the ASA doesn't know how to interpret, it will set the security level at 0 but you can set them yourself.)  The values themselves are meaningless, they are only relative to the values on the other interfaces.  So the relationship of the values used on your inside and DMZ interfaces could play into this.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36501032
As said, check your inside_access_in access list. If you manually add a rule it will be put at the end of the access list. Access lists are always processed top-down until there is a match. Once a match has been found, that specific rule will be applied and the processing of the access list stops. So if there is a deny (all) in between, that will always be a match and the rest of the list will never be processed.
0
 

Author Comment

by:Ksean
ID: 36503461
Still doesn't work. The security level of inside is 100 and 50 for Web-dmz, so I should not need any ACL from inside to Web-dmz. So I opened port 902 for server-sonic; source is server-sonic and destination is my workstation. Do I need NAT rules for this?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36503565
Well the error states that the blocking is done by the inside_access_in list........
Could you post a sanitized config?
0
 

Author Comment

by:Ksean
ID: 36511122
Thank you everyone. I got it working by creating an ACL as follows:

access-list inside_access_in extended permit object-group TCPUDP Clients 255.255.254.0 host Server-sonic eq 902

Now I can access the Windows 2008 server (A) on VMware ESXi 4.0 (B), but from the Windows 2008 server I can ping other servers in the DMZ and cannot ping any server outside the DMZ.
I opened all ICMP from the DMZ to inside, but it's a no go. Do I have to open something for VMware or the Windows server? Do I need any NAT rule for this?

Thanks in advance
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36511178
The last question remains:
Could you post a sanitized config?
0
 

Author Comment

by:Ksean
ID: 36511321
Unfortunately I cannot post the config. Can you give me a tip so I can just try?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36511355
You also have an inside_access_in list, did you allow icmp in there?
What are the ASA logs showing when you try to ping?
0
 

Author Comment

by:Ksean
ID: 36511746
Inside security level is higher than dmz. Do I still need to open ICMP from Inside to dmz? I don't get any log when I set the filter for only this server ip address.
0
 
LVL 35

Accepted Solution

by:Ernie Beek
Ernie Beek earned 1200 total points
ID: 36511938
You have an access list set up for the inside interface. Access lists always end with an implicit 'deny all'. So everything that isn't explicitly allowed is blocked.....

Don't filter too specific, sometimes you might miss something :)
0
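The two mechanisms the experts describe above (jmeggers on security levels, Ernie Beek on top-down ACL processing and the implicit deny) can be modelled in a few lines. The following Python is an added illustration written for this page, not Cisco or ASDM code; the flow values mirror the poster's 106023 syslog line, and the `Clients` network `10.10.0.0/23` is an assumed expansion of the 255.255.254.0 mask in the poster's ACL.

```python
# Toy model of how an ASA decides whether to forward a new connection:
# (1) if an inbound ACL is bound to the ingress interface, that ACL decides,
#     top-down, first match wins, with an implicit "deny ip any any" at the end;
# (2) with no ACL bound, traffic is allowed only from a higher security level
#     to a lower one.  Constructed illustration, not Cisco code.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str                  # "tcp", "udp" or "icmp"
    src_ip: str
    src_port: Optional[int]     # None for icmp
    dst_host: str               # object name or address, as the syslog prints it
    dst_port: Optional[int]     # None for icmp


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                    # "any", a host address, or a network "a.b.c.d/n"
    dst: str                    # "any" or a host/object name
    port: Optional[int] = None  # destination port; None matches every port

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if self.src != "any":
            if "/" in self.src:
                net = ipaddress.ip_network(self.src, strict=False)
                if ipaddress.ip_address(f.src_ip) not in net:
                    return False
            elif self.src != f.src_ip:
                return False
        if self.dst != "any" and self.dst != f.dst_host:
            return False
        if self.port is not None and self.port != f.dst_port:
            return False
        return True


@dataclass
class Interface:
    name: str
    security_level: int
    access_group_in: Optional[List[Ace]] = None  # ACL bound inbound, if any
    acl_name: str = ""


def evaluate_acl(acl: List[Ace], f: Flow) -> Tuple[str, Optional[int]]:
    """Top-down; the first matching line decides and processing stops.
    No match means the implicit deny applies (reported as line None)."""
    for line, ace in enumerate(acl, start=1):
        if ace.matches(f):
            return ace.action, line
    return "deny", None


def forward_decision(ingress: Interface, egress: Interface, f: Flow) -> Tuple[str, str]:
    """Once an ACL is bound to the ingress interface, security levels no longer
    grant a free pass: the ACL (and its implicit deny) is the whole decision."""
    if ingress.access_group_in is not None:
        action, line = evaluate_acl(ingress.access_group_in, f)
        where = f"line {line}" if line else "implicit deny"
        return action, f'access-group "{ingress.acl_name}" ({where})'
    if ingress.security_level > egress.security_level:
        return "permit", "higher to lower security level, no ACL bound"
    return "deny", "lower to higher security level, no ACL bound"


# Flows taken from the thread: the vSphere connection in the syslog, and a ping.
VSPHERE = Flow("tcp", "10.10.0.190", 51334, "Server-sonic", 902)
PING = Flow("icmp", "10.10.0.190", None, "Server-sonic", None)

# Assumed: "Clients 255.255.254.0" expands to 10.10.0.0/23 (constructed).
PERMIT_902 = Ace("permit", "tcp", "10.10.0.0/23", "Server-sonic", 902)
DENY_ALL = Ace("deny", "ip", "any", "any")

DMZ = Interface("dmz-web", 50)


def decide(acl: Optional[List[Ace]], f: Flow) -> Tuple[str, str]:
    """Evaluate a flow entering 'inside' (level 100) towards dmz-web (level 50)."""
    inside = Interface("inside", 100, acl, "inside_access_in")
    return forward_decision(inside, DMZ, f)


if __name__ == "__main__":
    cases = [
        ("permit added below an existing deny-all", [DENY_ALL, PERMIT_902], VSPHERE),
        ("permit moved above the deny-all", [PERMIT_902, DENY_ALL], VSPHERE),
        ("ACL permits only tcp/902, then ping", [PERMIT_902], PING),
        ("no ACL bound to inside (100 -> 50)", None, VSPHERE),
        ("no ACL bound to inside, ping", None, PING),
    ]
    for label, acl, flow in cases:
        print(f"{label:42s} -> {decide(acl, flow)}")
```

The third case is the poster's ICMP situation: as soon as `inside_access_in` exists, a ping from inside hits the implicit deny unless an `icmp` (or `ip`) permit is added, regardless of the 100 versus 50 security levels. The return path is a separate matter the model does not cover: the ASA only treats ICMP echo as a stateful connection when `inspect icmp` is enabled in the service policy; otherwise the echo-reply needs its own permit on the DMZ side.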
 

Author Closing Comment

by:Ksean
ID: 36524673
I got an idea from you guys to fix my problem, so you guys deserve the points. Thanks all.
0
