[c-nsp] ASA bug?

Max Pierson nmaxpierson at gmail.com
Tue Jan 25 12:14:58 EST 2011


Hi Greg,

That does look quite strange indeed. As Peter said, it would be much more
helpful if you could send what code you're working on. We were on 8.2(1 I
believe) and never had any issues similar to what you described. Had to move
to 8.3 due to the SSL licensing issue, and now on 8.3.2 (still have not had
any issues after I fixed Cisco's wonderful mess it made of my tunnels on the
config conversion) but that's another story ....

I hear ya about having a lot of config to look through. Management wanted to
do the "pay as we grow" and went with a 5540 to start. We're now on our
second .... so you could imagine the amount of config we had (almost 100 or
so tunnels and too many to remember DMZs with hundreds of lines of ACLs).
Needless to say, I love the CLI, but when you have to scale like that, it's
just easier on the eyes (and mind lol) to just use the ASDM.

As far as your issue, I see that you mention "initially had deny any any" on
the "outside -> DMZ", then towards the bottom of your post, you say that
you removed "outside_in". Do you mean "outside -> said DMZ" was removed at
the bottom and all started working?

Or did you remove an ACL in that zone set "outside to inside" and it fixed
the issue??

Can the host in this DMZ get packets out and if so, what are you seeing when
they attempt to come back in the outside interface??

Max




On Tue, Jan 25, 2011 at 10:27 AM, Peter Rathlev <peter at rathlev.dk> wrote:

> On Tue, 2011-01-25 at 10:48 -0500, Greg Whynott wrote:
> [...]
> > capture cap1 access-list capacl1 interface newdmz real-time
> [...]
> > I see packets egressing the dmz interface into the dmz zone…    In my
> > mind this is not a firewall issue as the packets are being forwarded
> > into the zone,  as expected.
> >
> > the reality is there was a "deny ip any any into newzone" applied to
> > the outside interface.   I should not have seen these packets when
> > running a capture on the dmz interface, correct?  This caused me to
> > spin my wheels on this for 1/2 a day till I noticed the ACL in the
> > outside_in section…
> >
> > soon as I removed the acl element from the outside_in,  things
> > worked..
>
> That does sound strange. Just tried something similar on an ASA 5550
> 8.2(4) with no problems; the capture shows/doesn't show the expected
> packets fine.
>
> You didn't mention platform and version, which is always a good thing if
> you want people to test it on something similar.
>
> Can you recreate this on another pair of interfaces on the same box,
> i.e. not towards the "dmz" interface mentioned here? And can you
> recreate it on the same interface?
>
> --
> Peter
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
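The thread never shows the actual ACL or capture configuration, so the following is an added illustration (not config from Greg, Peter or Max) of how to reproduce and check the "packets seen on the DMZ capture despite a deny on the outside ACL" symptom. Interface names (outside, newdmz), ACL names (outside_in, capacl1), the capture name cap1 and all addresses (192.0.2.x, 198.51.100.x) are assumed for the example. All commands are standard ASA CLI.

```text
! Added example, not from the original thread.
! Assumed interface names: outside, newdmz. Assumed DMZ host: 192.0.2.10.

! 1. Inbound ACL on the outside interface that should block traffic into the DMZ.
!    Note: on 8.2 and earlier the outside ACL matches the *mapped* (public) address;
!    on 8.3 and later it matches the *real* (DMZ) address. The wrong one after a
!    config conversion makes a "deny" silently not match.
access-list outside_in extended deny ip any 192.0.2.0 255.255.255.0
access-list outside_in extended permit ip any any
access-group outside_in in interface outside

! 2. Capture filter for the DMZ host (both directions) and captures on BOTH interfaces,
!    so you can compare what arrived on outside with what was forwarded to newdmz.
access-list capacl1 extended permit ip any host 192.0.2.10
access-list capacl1 extended permit ip host 192.0.2.10 any
capture cap0 access-list capacl1 interface outside
capture cap1 access-list capacl1 interface newdmz real-time

! 3. Ask the box what it would do with a packet, without relying on live traffic.
!    packet-tracer reports each phase (ACCESS-LIST, NAT, ...) and which one drops it.
packet-tracer input outside tcp 198.51.100.5 40000 192.0.2.10 80 detailed

! 4. Check the deny entry's hit count; a zero hitcnt while cap1 still shows the
!    packets means the ACE is not matching, not that the ACL is being bypassed.
show access-list outside_in

! 5. Compare the two captures, then clean up.
show capture cap0
show capture cap1
no capture cap0
no capture cap1
```

The useful comparison is cap0 versus cap1 together with the packet-tracer phase output: if packet-tracer says ACCESS-LIST drop but cap1 still shows the flow, the live packets are matching something other than what you tested (existing connection in the state table, a different address than the ACE expects after NAT, or an ACE further up the list). If packet-tracer allows the packet, the ACL simply is not denying it and the capture is telling the truth.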

