Solved

Cisco ASA - Access List Problem

Posted on 2012-03-13
5
1,890 Views
Last Modified: 2012-06-27
Hey Guys,

I'm having a problem with what I think is my access-lists on a ASA5510.

You can see from a packet trace that its not allowing any http or any other packets through the "GUEST" interface

DOHASA# packet-tracer input GUEST TCP 10.50.250.10 9 173.194.34.0 http  detail$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad9ab300, priority=1, domain=permit, deny=false
        hits=4012, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=GUEST, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         WAN

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xb5fc0e68, priority=110, domain=permit, deny=true
        hits=17, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=GUEST, output_ifc=any

Result:
input-interface: GUEST
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Open in new window



Heres the access lists

DOHASA# show access-list GUEST_access_in
access-list GUEST_access_in; 2 elements; name hash: 0xc1bf5484
access-list GUEST_access_in line 1 extended permit ip any any (hitcnt=2) 0xd3a69d38
access-list GUEST_access_in line 2 extended permit tcp any any eq www (hitcnt=0) 0x3c9c1560

Open in new window



and also the NAT config for the interface.

DOHASA# show nat detail
3 (GUEST) to (WAN) source dynamic DOH_GWLAN interface
    translate_hits = 1193, untranslate_hits = 0
    Source - Origin: 10.50.250.0/25, Translated: 89.xx.xx.xx/24

Open in new window

0
Comment
Question by:supportemea
  • 3
  • 2
5 Comments
 
LVL 16

Expert Comment

by:max_the_king
ID: 37714659
hi,
did you apply that access-list on an interface ?

example: access-group GUEST_access_in in interface inside

max
0
 
LVL 16

Expert Comment

by:max_the_king
ID: 37714666
if your interface is named GUEST

access-group GUEST_access_in in interface GUEST

max
0
 
LVL 2

Accepted Solution

by:
supportemea earned 0 total points
ID: 37714729
Max - Its an ASA not a router.


Figured it out though... The Security level on the interface was 0... changed this to 100 and away it went


interface Ethernet0/3
 nameif GUEST
 security-level 100
 ip address 10.50.250.1 255.255.255.128
0
 
LVL 16

Expert Comment

by:max_the_king
ID: 37714906
suppoertemea,
indeed it is an ASA, you should apply that access-group command or it will never work

max
0
 
LVL 2

Author Closing Comment

by:supportemea
ID: 37734350
Figured it out though... The Security level on the interface was 0... changed this to 100 and away it went


interface Ethernet0/3
 nameif GUEST
 security-level 100
 ip address 10.50.250.1 255.255.255.128
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Radius Debug Error 16 89
How to setup 3 isps on a redundant mode? 3 28
Cisco ASA dns and browsing 20 32
Connecting a New Subnet to Network 4 28
Overview The Cisco PIX 501, PIX 506e, ASA 5505 and ASA 5510 (most if not all of this information will be relevant to the PIX 515e but I do not have a working configuration handy to verify the validity) are primarily used within small to medium busi…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question