Access-list not working properly on ASA

I have an ACL in place that is supposed to prevent all smtp traffic from inside minus a few hosts from going outbound. For some reason my deny statement in line 7 isn't taking effect and smtp traffic from any host inside is allowed. What am I missing?

access-list inside_access_in line 1 extended permit tcp host 10.10.1.3 any eq smtp
access-list inside_access_in line 2 extended permit tcp host 10.10.1.92 any eq smtp
access-list inside_access_in line 3 extended permit tcp host 10.1.1.200 any eq smtp
access-list inside_access_in line 4 extended permit tcp host 10.2.1.2 any eq smtp
access-list inside_access_in line 5 extended permit tcp host 10.2.1.202 any eq smtp
access-list inside_access_in line 6 extended permit tcp host 10.7.1.150 any eq smtp
access-list inside_access_in line 7 extended deny tcp any any eq smtp
access-list inside_access_in line 8 extended permit ip any any
mulkeyinc Asked:

mulkeyinc (Author) Commented:
Restarting the ASA fixed it. The ACL is now working properly. No config change was required.
0
 
giltjr Commented:
Can you post the config of the interface that you have this access list applied to?

You have the description of "inside_access_in", which would imply that this is applied to inbound traffic on the interface "inside".

Based on the way you have it coded it should be applied to outbound traffic on the inside interface.
0
 
mulkeyinc (Author) Commented:
It is applied inbound on the inside interface. I'm not following why this is incorrect?

Traffic from internal LAN incoming to ASA on inside interface.
0
 
giltjr Commented:
My fault, I was thinking backwards.

If you do a show for that access list are the other rules getting hit?

Are those the only ACLs in that list?
0
 
mulkeyinc (Author) Commented:
Yes, other rules are being hit.

Yes, those are all the ACLs in that list.

The interface config: access-group inside_access_in in interface inside

It is strange. I've configured thousands of ACLs and this one has me puzzled. It's like it's there, just not taking effect.

Thanks for the assistance btw.
0
 
mulkeyinc (Author) Commented:
Just cleared the counters and already seeing hits, yet I can send a packet from any host on port 25 despite my deny statement. Packet tracer in ASDM goes through as well.

ASA# show access-list inside_access_in          
access-list inside_access_in; 8 elements; name hash: 0x433a1af1
access-list inside_access_in line 1 extended permit tcp host 10.10.1.3 any eq smtp (hitcnt=3) 0x2f2ad7d3
access-list inside_access_in line 2 extended permit tcp host 10.10.1.92 any eq smtp (hitcnt=0) 0xfcb2c0be
access-list inside_access_in line 3 extended permit tcp host 10.1.1.200 any eq smtp (hitcnt=0) 0xb3096646
access-list inside_access_in line 4 extended permit tcp host 10.2.1.2 any eq smtp (hitcnt=0) 0xbbf01bf9
access-list inside_access_in line 5 extended permit tcp host 10.2.1.202 any eq smtp (hitcnt=0) 0x785e99e7
access-list inside_access_in line 6 extended permit tcp host 10.7.1.150 any eq smtp (hitcnt=0) 0xb773c1ec
access-list inside_access_in line 7 extended deny tcp any any eq smtp (hitcnt=0) 0xe3de3aa9
access-list inside_access_in line 8 extended permit ip any any (hitcnt=19887) 0xa925365e
0
 
giltjr Commented:
Although it should not matter, the only thing I can think of trying is to replace your deny with

access-list inside_access_in line 7 extended deny tcp any gt 1023 any eq smtp
0
 
mulkeyinc (Author) Commented:
It's weird. I removed lines 1-7 and then reapplied the entire ACL. Now the only hits I am getting are on the permit ip any any statement.
0
 
giltjr Commented:
Well, we are still running PIX and that is old; we don't change it that much because it is for a "B2B" direct IP link (not through the Internet). We are getting ready to be retired, but last I knew the access list is supposed to be processed in the order of the line numbers.

We don't code any denies. If it is not explicitly allowed, it's automatically denied, so we don't have any denies in our ACLs.

Now I did see something like that on an old 3550 switch where we had to remove the whole access list and add it back. Not sure what occurred there, but we had made a ton of changes and things started to get whacked out and we could not reload. We figured it was a memory corruption issue.

Got to go home will check later tonight to see if you made any progress.
0
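As an added illustration that is not part of the thread, the following walks flows through the ACL from the question the way the ASA is supposed to evaluate it (first match in line order, implicit deny at the end) and computes the hit counters each line should show. The flows are constructed. Every port-25 flow from a host not listed in lines 1-6 must land on line 7, so a line-8 hit for such a flow, as in the show output above, means the device is not evaluating the list as written.

```python
import ipaddress

# The ACL from the question, in ASA evaluation order (first match wins).
# Entry layout: (action, protocol, source, destination, destination port).
INSIDE_ACCESS_IN = [
    ("permit", "tcp", "10.10.1.3", "any", 25),
    ("permit", "tcp", "10.10.1.92", "any", 25),
    ("permit", "tcp", "10.1.1.200", "any", 25),
    ("permit", "tcp", "10.2.1.2", "any", 25),
    ("permit", "tcp", "10.2.1.202", "any", 25),
    ("permit", "tcp", "10.7.1.150", "any", 25),
    ("deny", "tcp", "any", "any", 25),
    ("permit", "ip", "any", "any", None),
]

# Constructed sample flows: (protocol, source, destination, destination port).
SAMPLE_FLOWS = [
    ("tcp", "10.10.1.3", "203.0.113.25", 25),    # listed relay: line 1
    ("tcp", "10.10.1.50", "203.0.113.25", 25),   # unlisted SMTP: line 7 deny
    ("tcp", "10.10.1.50", "203.0.113.25", 443),  # not SMTP: line 8
    ("udp", "10.10.1.50", "203.0.113.53", 53),   # not TCP: line 8
]


def _addr_match(rule_addr, addr):
    """'any' matches everything; otherwise the rule is a host or CIDR network."""
    if rule_addr == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rule_addr, strict=False)


def evaluate(acl, proto, src, dst, dport):
    """Return (line number, action) of the first matching entry, or
    (None, 'deny') for the implicit deny that ends every ASA ACL."""
    for line, (action, rproto, rsrc, rdst, rport) in enumerate(acl, start=1):
        if rproto != "ip" and rproto != proto:
            continue
        if not _addr_match(rsrc, src) or not _addr_match(rdst, dst):
            continue
        if rport is not None and rport != dport:
            continue
        return line, action
    return None, "deny"


def expected_hitcounts(acl, flows):
    """Per-line hit counters the ASA should report after processing the flows."""
    counts = {line: 0 for line in range(1, len(acl) + 1)}
    for flow in flows:
        line, _ = evaluate(acl, *flow)
        if line is not None:
            counts[line] += 1
    return counts
```

Comparing `expected_hitcounts` against `show access-list` counters for a known set of test flows is a quick way to confirm the ordering of the list is what you intended before suspecting the box.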
 
mulkeyinc (Author) Commented:
Thanks. I have deployed many ASAs and never ran into this problem. I'm going to reboot the device when I can to see if that does the trick.
0
 
TimotiSt (Datacenter Technician) Commented:
Any NAT configured on that PIX?
0
 
giltjr Commented:
Weird.  Glad it's working.
0
 
mulkeyinc (Author) Commented:
Solved my own issue.
0
Question has a verified solution.