[c-nsp] ASA bug?

Peter Rathlev peter at rathlev.dk
Tue Jan 25 11:27:08 EST 2011


On Tue, 2011-01-25 at 10:48 -0500, Greg Whynott wrote:
[...]
> capture cap1 access-list capacl1 interface newdmz real-time
[...]
> I see packets egressing the dmz interface into the dmz zone... In my
> mind this is not a firewall issue as the packets are being forwarded
> into the zone, as expected.
> 
> The reality is there was a "deny ip any any into newzone" applied to
> the outside interface. I should not have seen these packets when
> running a capture on the dmz interface, correct? This caused me to
> spin my wheels on this for 1/2 a day till I noticed the ACL in the
> outside_in section...
> 
> As soon as I removed the ACL element from the outside_in, things
> worked.

That does sound strange. Just tried something similar on an ASA 5550
8.2(4) with no problems; the capture shows/doesn't show the expected
packets fine.

You didn't mention platform and version, which is always a good thing if
you want people to test it on something similar.

Can you recreate this on another pair of interfaces on the same box,
i.e. not towards the "dmz" interface mentioned here? And can you
recreate it on the same interface?

-- 
Peter
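The reproduction Peter asks for, written out as an added example (not configuration from either poster). Interface names "outside" and "newdmz" and the ACL name "outside_in" are taken from the thread; the addresses 192.0.2.10 (outside host) and 10.20.0.5 (DMZ host) are constructed for illustration. The idea is to capture the same flow on both the ingress and the egress interface: an ingress capture on "outside" matches the packet before the interface ACL is evaluated, so it should show the packet either way, while an egress capture on "newdmz" should only show it if the firewall actually forwarded it. packet-tracer then reports which phase (here the ACCESS-LIST phase) drops the packet, which separates "the ACL is dropping it" from "the capture is misbehaving".

```text
! Constructed test traffic: 192.0.2.10 (outside) -> 10.20.0.5 (newdmz), TCP/80
access-list capacl1 extended permit ip host 192.0.2.10 host 10.20.0.5
access-list capacl1 extended permit ip host 10.20.0.5 host 192.0.2.10

! The deny element from the thread, applied inbound on outside
access-list outside_in extended deny ip any 10.20.0.0 255.255.255.0
access-group outside_in in interface outside

! Same flow captured on both sides of the box
capture cap-in  access-list capacl1 interface outside
capture cap-out access-list capacl1 interface newdmz

! Generate the test traffic from 192.0.2.10, then compare:
show capture cap-in          ! expected: packet present (pre-ACL, ingress)
show capture cap-out         ! expected: empty while the deny is in place

! Ask the ASA which phase handles the packet
packet-tracer input outside tcp 192.0.2.10 12345 10.20.0.5 80 detailed
! expected: Phase ACCESS-LIST, Result DROP, with the outside_in ACE shown

! Clean up when done
no capture cap-in
no capture cap-out
```

If cap-out shows the packet while packet-tracer reports a drop in the ACCESS-LIST phase, that is the discrepancy worth reporting, together with the exact platform and software version, which is what Peter asks for above. Repeating the same pair of captures on a different interface pair on the same box, as suggested, tells you whether it is specific to the "newdmz" interface.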
