Solved

ASA 5510 error message

Posted on 2011-09-07
12
366 Views
Last Modified: 2012-05-12
Hi Experts,
I have an ASA 5510 and get an error when I try to access the DMZ from inside. I am accessing a Windows 2008 server on ESXi 4.0 (sonic) in DMZ-WEB from my workstation on the inside.

4      Sep 07 2011      16:00:17      106023      10.10.0.190      51334      Server-sonic      902      Deny tcp src inside:10.10.0.190/51334 dst dmz-web:Server-sonic/902 by access-group "inside_access_in" [0x0, 0x0]

So I think I opened the port but it is still a no go. The ASA 5510 is new to me, so can anyone let me know how to add an ACL so I can access it? I also need SSH access to sonic because it is Linux. I am using Cisco ASDM 6.2.

Thanks in advance
Question by:Ksean
12 Comments
 
LVL 2

Assisted Solution

by:genie4all
genie4all earned 100 total points
ID: 36499507
Hi,

There must be a deny statement before the allow statement. Create or move the allow statement to top of the list.

If the above doesn't help, provide your ACL's.

Regards,
0
 
LVL 18

Assisted Solution

by:jmeggers
jmeggers earned 100 total points
ID: 36499901
Agreed, the error message specifically mentions your inside-interface ACL.  You need to permit what you want (or remove that ACL altogether) and as long as the traffic is stateful (ICMP is not), the DMZ interface should let return traffic in.  The way the ASA works, traffic is allowed or denied based on interface "trust" or security-level; the interface named "inside" has a default security level of 100 (most trusted) and the interface named "outside" has a default security level of 0 (least trusted).  (If you use interface names the ASA doesn't know how to interpret, it will set the security level at 0 but you can set them yourself.)  The values themselves are meaningless, they are only relative to the values on the other interfaces.  So the relationship of the values used on your inside and DMZ interfaces could play into this.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36501032
As said, check your inside_access_in access list. If you manually add a rule it will be put at the end of the access list. Access lists are always processed top-down until there is a match. Once a match has been found that specific rule will be applied and the processing of the access list stops. So if there is a deny (all) in between, that will always be a match and the rest of the list will never be processed.
0
 

Author Comment

by:Ksean
ID: 36503461
Still doesn't work. The security level of inside is 100 and 50 for Web-dmz, so I do not need any ACL from inside to Web-dmz. So I opened port 902 for server-sonic. Source is server-sonic and destination is my workstation. Do I need NAT rules for this?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36503565
Well, the error states that the blocking is done by the inside_access_in list...
Could you post a sanitized config?
0
 

Author Comment

by:Ksean
ID: 36511122
Thank you everyone. I got it working by creating an ACL as follows:

access-list inside_access_in extended permit object-group TCPUDP Clients 255.255.254.0 host Server-sonic eq 902

Now I can access the Windows 2008 server (A) on VMware ESXi 4.0 (B), but from the Windows 2008 server I can ping other servers in the DMZ but cannot ping any server outside the DMZ.
I opened all ICMP from DMZ to inside but it is a no go. Do I have to open something for VMware or the Windows server? Do I need any NAT rule for this?

Thanks in advance
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36511178
The last question remains:
Could you post a sanitized config?
0
 

Author Comment

by:Ksean
ID: 36511321
Unfortunately I cannot post the config. Can you give me a tip so I can just try?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36511355
You also have an inside_access_in list, did you allow icmp in there?
What are the ASA logs showing when you try to ping?
0
 

Author Comment

by:Ksean
ID: 36511746
Inside security level is higher than dmz. Do I still need to open ICMP from Inside to dmz? I don't get any log when I set the filter for only this server ip address.
0
 
LVL 35

Accepted Solution

by:Ernie Beek
Ernie Beek earned 300 total points
ID: 36511938
You have an access list set up for the inside interface. Access lists always end with an implicit 'deny all'. So everything that isn't explicitly allowed is blocked...

Don't filter too specific, sometimes you might miss something :)
0
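The two points made in this thread, that an ACL is processed top-down with the first match winning (Ernie Beek's earlier comment), and that an interface ACL ends with an implicit deny so it overrides the inside-to-DMZ security-level default (the accepted solution), can be reproduced in a small first-match evaluator. This is an added example, not code from the thread or from Cisco; the DMZ host address and the Clients subnet base are constructed, since the thread never gives them.

```python
"""Minimal model of ASA interface-ACL evaluation: top-down, first match wins,
implicit deny at the end; with no ACL applied, the security levels decide.
Added illustration; addresses for the DMZ host and the Clients subnet are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp", or "ip" (any protocol)
    src: str                     # CIDR, e.g. "10.10.0.0/23"
    dst: str                     # CIDR; a host is "/32"
    dport: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


ANY = "0.0.0.0/0"


def matches(rule: Rule, flow: Flow) -> bool:
    """True when every field of the rule covers the flow."""
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    if ip_address(flow.src) not in ip_network(rule.src, strict=False):
        return False
    if ip_address(flow.dst) not in ip_network(rule.dst, strict=False):
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return True


def evaluate(acl: Optional[List[Rule]], flow: Flow,
             src_level: int, dst_level: int) -> Tuple[str, str]:
    """Return (verdict, reason).

    acl is None  -> no access-group bound to the ingress interface; traffic from a
                    higher to a lower security level passes, the reverse is dropped.
    acl is a list -> the ACL alone decides: first matching line wins, and anything
                    that reaches the end hits the implicit deny.
    """
    if acl is None:
        if src_level > dst_level:
            return "permit", "no ACL; higher-to-lower security level allowed by default"
        return "deny", "no ACL; lower-to-higher security level denied by default"
    for line_no, rule in enumerate(acl, start=1):
        if matches(rule, flow):
            return rule.action, f"matched ACL line {line_no}: {rule}"
    return "deny", "implicit deny at end of ACL"


# Constructed sample data modelled on the thread (inside = 100, dmz-web = 50).
WORKSTATION = "10.10.0.190"    # the source shown in the 106023 log line
SERVER_SONIC = "10.10.2.10"    # constructed; the DMZ host's real address is not given
CLIENTS = "10.10.0.0/23"       # "Clients 255.255.254.0" from the thread, base constructed

permit_902 = Rule("permit", "tcp", CLIENTS, SERVER_SONIC + "/32", 902)
permit_icmp = Rule("permit", "icmp", CLIENTS, ANY)
deny_all = Rule("deny", "ip", ANY, ANY)

tcp_902 = Flow("tcp", WORKSTATION, SERVER_SONIC, 902)
ping = Flow("icmp", WORKSTATION, SERVER_SONIC)


def scenarios() -> dict:
    """Verdicts for the situations discussed in the thread."""
    return {
        "no ACL bound, inside->dmz":        evaluate(None, tcp_902, 100, 50)[0],
        "permit appended after deny-all":   evaluate([deny_all, permit_902], tcp_902, 100, 50)[0],
        "permit moved above deny-all":      evaluate([permit_902, deny_all], tcp_902, 100, 50)[0],
        "only tcp/902 permitted, ping":     evaluate([permit_902], ping, 100, 50)[0],
        "icmp permit added, ping":          evaluate([permit_902, permit_icmp], ping, 100, 50)[0],
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:36s} -> {verdict}")
```

The fourth scenario is the one the thread ends on: with inside_access_in bound to the inside interface, the security levels no longer matter and a ping that is not explicitly permitted falls through to the implicit deny, even though inside (100) is more trusted than dmz-web (50). The second and third scenarios show why a rule appended below a deny never takes effect until it is moved above it. On the real device the matching change is a permit line for icmp in inside_access_in placed before any deny, and the 106023 log message is the place to confirm which ACL is dropping the packet.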
 

Author Closing Comment

by:Ksean
ID: 36524673
I got the idea to fix my problem from you guys, so you guys deserve the points. Thanks all.
0
