Cisco ASA - Access List Problem

Hey Guys,

I'm having a problem with what I think is my access-lists on a ASA5510.

You can see from a packet trace that its not allowing any http or any other packets through the "GUEST" interface

DOHASA# packet-tracer input GUEST TCP 10.50.250.10 9 173.194.34.0 http  detail$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad9ab300, priority=1, domain=permit, deny=false
        hits=4012, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=GUEST, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         WAN

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xb5fc0e68, priority=110, domain=permit, deny=true
        hits=17, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=GUEST, output_ifc=any

Result:
input-interface: GUEST
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Open in new window



Heres the access lists

DOHASA# show access-list GUEST_access_in
access-list GUEST_access_in; 2 elements; name hash: 0xc1bf5484
access-list GUEST_access_in line 1 extended permit ip any any (hitcnt=2) 0xd3a69d38
access-list GUEST_access_in line 2 extended permit tcp any any eq www (hitcnt=0) 0x3c9c1560

Open in new window



and also the NAT config for the interface.

DOHASA# show nat detail
3 (GUEST) to (WAN) source dynamic DOH_GWLAN interface
    translate_hits = 1193, untranslate_hits = 0
    Source - Origin: 10.50.250.0/25, Translated: 89.xx.xx.xx/24

Open in new window

LVL 2
supportemeaAsked:
Who is Participating?
 
supportemeaConnect With a Mentor Author Commented:
Max - Its an ASA not a router.


Figured it out though... The Security level on the interface was 0... changed this to 100 and away it went


interface Ethernet0/3
 nameif GUEST
 security-level 100
 ip address 10.50.250.1 255.255.255.128
0
 
max_the_kingCommented:
hi,
did you apply that access-list on an interface ?

example: access-group GUEST_access_in in interface inside

max
0
 
max_the_kingCommented:
if your interface is named GUEST

access-group GUEST_access_in in interface GUEST

max
0
 
max_the_kingCommented:
suppoertemea,
indeed it is an ASA, you should apply that access-group command or it will never work

max
0
 
supportemeaAuthor Commented:
Figured it out though... The Security level on the interface was 0... changed this to 100 and away it went


interface Ethernet0/3
 nameif GUEST
 security-level 100
 ip address 10.50.250.1 255.255.255.128
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.