Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Cisco ASA - Access List Problem

Posted on 2012-03-13
5
Medium Priority
?
2,221 Views
Last Modified: 2012-06-27
Hey Guys,

I'm having a problem with what I think is my access-lists on a ASA5510.

You can see from a packet trace that its not allowing any http or any other packets through the "GUEST" interface

DOHASA# packet-tracer input GUEST TCP 10.50.250.10 9 173.194.34.0 http  detail$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad9ab300, priority=1, domain=permit, deny=false
        hits=4012, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=GUEST, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         WAN

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xb5fc0e68, priority=110, domain=permit, deny=true
        hits=17, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=GUEST, output_ifc=any

Result:
input-interface: GUEST
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Open in new window



Heres the access lists

DOHASA# show access-list GUEST_access_in
access-list GUEST_access_in; 2 elements; name hash: 0xc1bf5484
access-list GUEST_access_in line 1 extended permit ip any any (hitcnt=2) 0xd3a69d38
access-list GUEST_access_in line 2 extended permit tcp any any eq www (hitcnt=0) 0x3c9c1560

Open in new window



and also the NAT config for the interface.

DOHASA# show nat detail
3 (GUEST) to (WAN) source dynamic DOH_GWLAN interface
    translate_hits = 1193, untranslate_hits = 0
    Source - Origin: 10.50.250.0/25, Translated: 89.xx.xx.xx/24

Open in new window

0
Comment
Question by:supportemea
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 17

Expert Comment

by:max_the_king
ID: 37714659
hi,
did you apply that access-list on an interface ?

example: access-group GUEST_access_in in interface inside

max
0
 
LVL 17

Expert Comment

by:max_the_king
ID: 37714666
if your interface is named GUEST

access-group GUEST_access_in in interface GUEST

max
0
 
LVL 2

Accepted Solution

by:
supportemea earned 0 total points
ID: 37714729
Max - Its an ASA not a router.


Figured it out though... The Security level on the interface was 0... changed this to 100 and away it went


interface Ethernet0/3
 nameif GUEST
 security-level 100
 ip address 10.50.250.1 255.255.255.128
0
 
LVL 17

Expert Comment

by:max_the_king
ID: 37714906
suppoertemea,
indeed it is an ASA, you should apply that access-group command or it will never work

max
0
 
LVL 2

Author Closing Comment

by:supportemea
ID: 37734350
Figured it out though... The Security level on the interface was 0... changed this to 100 and away it went


interface Ethernet0/3
 nameif GUEST
 security-level 100
 ip address 10.50.250.1 255.255.255.128
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question