mulkeyinc
asked on
Access-list not working properly on ASA

I have an ACL in place that is supposed to prevent all smtp traffic from inside minus a few hosts from going outbound. For some reason my deny statement in line 7 isn't taking effect and smtp traffic from any host inside is allowed. What am I missing?

access-list inside_access_in line 1 extended permit tcp host 10.10.1.3 any eq smtp
access-list inside_access_in line 2 extended permit tcp host 10.10.1.92 any eq smtp
access-list inside_access_in line 3 extended permit tcp host 10.1.1.200 any eq smtp
access-list inside_access_in line 4 extended permit tcp host 10.2.1.2 any eq smtp
access-list inside_access_in line 5 extended permit tcp host 10.2.1.202 any eq smtp
access-list inside_access_in line 6 extended permit tcp host 10.7.1.150 any eq smtp
access-list inside_access_in line 7 extended deny tcp any any eq smtp
access-list inside_access_in line 8 extended permit ip any any
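Walking the posted ACL in first-match order, as an added example that is not part of the original question: the parser handles only the ACE syntax used above (tcp/ip, host/any, optional eq PORT), and 203.0.113.25 is a constructed destination address.

```python
"""First-match walk of the ACL from the question (added example, not from the thread).
An ASA checks an interface ACL top to bottom; the first matching line decides and a
flow matching nothing hits the implicit deny. Only the ACE syntax used above is parsed."""
import ipaddress
import re

ACL_TEXT = """\
access-list inside_access_in line 1 extended permit tcp host 10.10.1.3 any eq smtp
access-list inside_access_in line 2 extended permit tcp host 10.10.1.92 any eq smtp
access-list inside_access_in line 3 extended permit tcp host 10.1.1.200 any eq smtp
access-list inside_access_in line 4 extended permit tcp host 10.2.1.2 any eq smtp
access-list inside_access_in line 5 extended permit tcp host 10.2.1.202 any eq smtp
access-list inside_access_in line 6 extended permit tcp host 10.7.1.150 any eq smtp
access-list inside_access_in line 7 extended deny tcp any any eq smtp
access-list inside_access_in line 8 extended permit ip any any
"""
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}
# re.match anchors only the start, so 'show access-list' lines with a trailing
# "(hitcnt=N) 0x..." parse too.
ACE_RE = re.compile(
    r"access-list (?P<name>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<src>host \S+|any) (?P<dst>host \S+|any)(?: eq (?P<port>\S+))?"
)

def _net(tok):
    # 'any' is 0.0.0.0/0; 'host A.B.C.D' is a single /32.
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok.split()[1] + "/32")

def parse_acl(text):
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # skip blanks and the 'access-list NAME; 8 elements' header
        port = m["port"]
        aces.append({"line": int(m["line"]), "action": m["action"], "proto": m["proto"],
                     "src": _net(m["src"]), "dst": _net(m["dst"]),
                     "dport": None if port is None else PORT_NAMES.get(port) or int(port)})
    return sorted(aces, key=lambda a: a["line"])

def evaluate(aces, src, dst, proto, dport):
    """Return (action, line) of the first ACE matching the flow, or ('deny', None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if a["proto"] in ("ip", proto) and s in a["src"] and d in a["dst"] \
                and (a["dport"] is None or a["dport"] == dport):
            return a["action"], a["line"]
    return "deny", None  # implicit deny at the end of every ASA ACL
```

With this ACL, evaluate(parse_acl(ACL_TEXT), "10.5.5.5", "203.0.113.25", "tcp", 25) returns ("deny", 7), which is the result the posted deny statement should produce for any host not listed in lines 1 to 6; a hitcnt of 0 on line 7 while such traffic passes means the box is not behaving as the ACL reads.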
giltjr

Can you post the config of the interface that you have this access list applied to?

You have the description of "inside_access_in", which would imply that this is applied to inbound traffic on the interface "inside".

Based on the way you have it coded it should be applied to outbound traffic on the inside interface.
mulkeyinc (ASKER)

It is applied inbound on the inside interface. I'm not following why this is incorrect?

Traffic from internal LAN incoming to ASA on inside interface.
My fault, I was thinking backwards.

If you do a show for that access list are the other rules getting hit?

Are those the only ACLs in that list?
Yes, other rules are being hit.

Yes, those are all the ACLs in that list.

The interface config: access-group inside_access_in in interface inside

It is strange. I've configured thousands of ACLs and this one has me puzzled. It's like it's there, just not taking effect.

Thanks for the assistance btw.
Just cleared the counters and am already seeing hits, yet I can send a packet from any host on port 25 despite my deny statement. Packet tracer in ASDM goes through as well.

ASA# show access-list inside_access_in          
access-list inside_access_in; 8 elements; name hash: 0x433a1af1
access-list inside_access_in line 1 extended permit tcp host 10.10.1.3 any eq smtp (hitcnt=3) 0x2f2ad7d3
access-list inside_access_in line 2 extended permit tcp host 10.10.1.92 any eq smtp (hitcnt=0) 0xfcb2c0be
access-list inside_access_in line 3 extended permit tcp host 10.1.1.200 any eq smtp (hitcnt=0) 0xb3096646
access-list inside_access_in line 4 extended permit tcp host 10.2.1.2 any eq smtp (hitcnt=0) 0xbbf01bf9
access-list inside_access_in line 5 extended permit tcp host 10.2.1.202 any eq smtp (hitcnt=0) 0x785e99e7
access-list inside_access_in line 6 extended permit tcp host 10.7.1.150 any eq smtp (hitcnt=0) 0xb773c1ec
access-list inside_access_in line 7 extended deny tcp any any eq smtp (hitcnt=0) 0xe3de3aa9
access-list inside_access_in line 8 extended permit ip any any (hitcnt=19887) 0xa925365e
Although it should not matter, the only thing I can think of trying is to replace your deny with

access-list inside_access_in line 7 extended deny tcp any gt 1023 any eq smtp
It's weird. I removed lines 1-7 and then reapplied the entire ACL. Now the only hits I am getting are on the permit ip any any statement.
Well, we are still running PIX, and that is old; we don't change it that much because it is for a "B2B" direct IP link (not through the Internet). We are getting ready to be retired, but last I knew the access list is supposed to be processed in the order of the line numbers.

We don't code any denies. If it is not explicitly allowed, it's automatically denied, so we don't have any denies in our ACLs.

Now I did see something like that on an old 3550 switch where we had to remove the whole access list and add it back. Not sure what occurred there, but we had made a ton of changes and things started to get whacked out and we could not reload. We figured it was a memory corruption issue.

Got to go home; will check later tonight to see if you made any progress.
Thanks. I have deployed many ASAs and have never run into this problem. I'm going to reboot the device when I can to see if that does the trick.
Any NAT configured on that PIX?
ASKER CERTIFIED SOLUTION
mulkeyinc
Weird.  Glad it's working.
Solved my own issue.