[c-nsp] ASA bug?

Greg Whynott Greg.Whynott at oicr.on.ca
Tue Jan 25 12:14:17 EST 2011


sorry you are correct, that would have been useful information.     I also neglected to mention that we ran tcpdump on the target machine within the DMZ;  the packets were not actually leaving the fw interface,  even though the capture indicated they were.

I have a second ASA5540 not in use (it is for a redundancy project);  if I get some cycles this week I'll apply the same config/OS to it and avoid filling out change control requests..


Cisco Adaptive Security Appliance Software Version 8.2(2)5
Device Manager Version 6.2(5)

Compiled on Wed 03-Feb-10 20:02 by builders
System image file is "disk0:/asa822-5-smp-k8.bin"

Hardware:   ASA5580-20, 8192 MB RAM, CPU AMD Opteron 2600 MHz


-g
On Jan 25, 2011, at 11:27 AM, Peter Rathlev wrote:

> On Tue, 2011-01-25 at 10:48 -0500, Greg Whynott wrote:
> [...]
>> capture cap1 access-list capacl1 interface newdmz real-time
> [...]
>> I see packets egressing the dmz interface into the dmz zone…    In my
>> mind this is not a firewall issue as the packets are being forwarded
>> into the zone,  as expected.
>>
>> the reality is there was a "deny ip any any into newzone" applied to
>> the outside interface.   I should not have seen these packets when
>> running a capture on the dmz interface, correct?  this caused me to
>> spin my wheels on this for 1/2 a day till I noticed the acl in the
>> outside_in section…
>>
>> as soon as I removed the acl element from the outside_in,  things
>> worked..
>
> That does sound strange. Just tried something similar on an ASA 5550
> 8.2(4) with no problems; the capture shows/doesn't show the expected
> packets fine.
>
> You didn't mention platform and version, which is always a good thing if
> you want people to test it on something similar.
>
> Can you recreate this on another pair of interfaces on the same box,
> i.e. not towards the "dmz" interface mentioned here? And can you
> recreate it on the same interface?
>
> --
> Peter
>
>
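The thread's practical lesson is that a `capture` on the ASA's egress interface can list packets that an ACL on the ingress interface actually dropped, so the firewall-side capture has to be cross-checked against a capture on the destination host. The following script is an added example, not code from the thread or from Cisco: it pulls the source/destination 5-tuple out of the "src.port > dst.port" text form that both ASA `show capture` output and tcpdump use, and reports flows the firewall claims to have forwarded but the host never saw. The sample capture lines, addresses and ports are constructed for the example.

```python
import re

# Both ASA `show capture` and tcpdump print TCP/UDP flows as
# "<src-ip>.<src-port> > <dst-ip>.<dst-port>", so one regex serves both.
FLOW_RE = re.compile(
    r'(\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+)'
)

# Constructed sample of what the ASA capture on the DMZ interface reported.
ASA_CAPTURE = [
    "   1: 12:14:17.101010 203.0.113.5.40001 > 192.0.2.10.80: S 10001:10001(0) win 8192",
    "   2: 12:14:17.202020 203.0.113.5.40002 > 192.0.2.10.443: S 10002:10002(0) win 8192",
    "   3: 12:14:17.303030 198.51.100.7.51000 > 192.0.2.10.22: S 10003:10003(0) win 8192",
]

# Constructed sample of tcpdump on the DMZ host itself: the 443 flow never arrived.
HOST_TCPDUMP = [
    "12:14:17.101210 IP 203.0.113.5.40001 > 192.0.2.10.80: Flags [S], seq 10001, win 8192",
    "12:14:17.303230 IP 198.51.100.7.51000 > 192.0.2.10.22: Flags [S], seq 10003, win 8192",
]


def flows(lines):
    """Return the set of (src_ip, src_port, dst_ip, dst_port) tuples found in capture text."""
    found = set()
    for line in lines:
        m = FLOW_RE.search(line)
        if m:
            found.add((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return found


def phantom_flows(fw_capture, host_capture):
    """Flows the firewall capture shows as forwarded that the host capture never recorded.

    A non-empty result means the firewall-side capture cannot be trusted on its own
    and an ACL (or other policy) between the two capture points needs checking.
    """
    return sorted(flows(fw_capture) - flows(host_capture))


if __name__ == "__main__":
    for src, sport, dst, dport in phantom_flows(ASA_CAPTURE, HOST_TCPDUMP):
        print(f"seen on firewall, missing on host: {src}:{sport} -> {dst}:{dport}")
```

Feed it the saved text of `show capture cap1` on one side and the tcpdump output from the host on the other; matching on the 5-tuple rather than on timestamps avoids false differences from clock skew between the two devices.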




