I ran into a strange issue with a Cisco ASA firewall today. The firewall was not passing traffic to the internal host although I had the static statement configured and access-lists allowing incoming traffic.

    static (inside,outside) tcp smtp smtp netmask
    access-list acl_outside permit tcp any host eq 25

    access-group acl_outside in interface outside
With the logging level set at 5, I did not see anything in the logs. I just noticed the access-list counters were not incrementing and the connection wasn’t working. I changed the logging level to 7 and started seeing the following error message:

    Oct 25 2007 16:30:16: %ASA-7-710005: TCP request discarded from to outside:
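
The logging-level behaviour above (a 7-xxxxxx message is invisible at level 5 and appears only at level 7) is easy to reproduce offline. The following Python script is an added example, not code from the original post: it parses the `%ASA-<severity>-<message id>` syslog header, decides which messages a device at a given logging level would have emitted, and picks out the 710005 "TCP request discarded" events. The sample log lines are constructed for this example, with RFC 5737 documentation addresses standing in for the post's own IPs.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Cisco ASA syslog header: %ASA-<severity 0-7>-<six-digit message id>: <text>
ASA_HEADER = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")

# Message ID seen in the post once logging was raised to level 7 (debugging).
TCP_REQUEST_DISCARDED = "710005"


@dataclass
class AsaMessage:
    severity: int
    msg_id: str
    text: str


def parse_asa_line(line: str) -> Optional[AsaMessage]:
    """Return the ASA message carried by a syslog line, or None if the line has no ASA header."""
    m = ASA_HEADER.search(line)
    if m is None:
        return None
    return AsaMessage(int(m.group("sev")), m.group("msgid"), m.group("text").strip())


def visible_at_level(msg: AsaMessage, logging_level: int) -> bool:
    """An ASA emits a message only when its severity is <= the configured logging level
    (0 emergencies .. 7 debugging), which is why a 7-xxxxxx message is silent at level 5."""
    return msg.severity <= logging_level


def find_discarded_requests(lines: Iterable[str], logging_level: int) -> List[AsaMessage]:
    """Collect the 710005 events a device configured at `logging_level` would actually have logged."""
    hits: List[AsaMessage] = []
    for line in lines:
        msg = parse_asa_line(line)
        if msg is None or not visible_at_level(msg, logging_level):
            continue
        if msg.msg_id == TCP_REQUEST_DISCARDED:
            hits.append(msg)
    return hits


# Constructed sample log: addresses are RFC 5737 documentation ranges, not values from the post.
SAMPLE_LOG = [
    "Oct 25 2007 16:30:10: %ASA-6-302013: Built inbound TCP connection 12345 for "
    "outside:198.51.100.7/51522 (198.51.100.7/51522) to inside:10.0.0.25/80 (203.0.113.10/80)",
    "Oct 25 2007 16:30:16: %ASA-7-710005: TCP request discarded from 198.51.100.7/4521 "
    "to outside:203.0.113.10/25",
    'Oct 25 2007 16:30:17: %ASA-4-106023: Deny tcp src outside:198.51.100.9/3300 '
    'dst inside:10.0.0.25/23 by access-group "acl_outside"',
    "some unrelated syslog line without an ASA header",
]


if __name__ == "__main__":
    # At level 5 the discard is never written; at level 7 it is.
    for level in (5, 7):
        hits = find_discarded_requests(SAMPLE_LOG, level)
        print(f"logging level {level}: {len(hits)} TCP-request-discarded event(s)")
        for h in hits:
            print("   ", h.text)
```

Run it as-is to see the same event appear at level 7 and not at level 5. The practical takeaway for operations is that a missing-translation symptom like 710005 lives at debugging severity, so a collector that only receives notifications (level 5) will never show it; either raise the level temporarily while troubleshooting, or rely on the access-list hit counters as the post did.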

The problem was that I had configured the static statement with the public IP address of the outside interface instead of the ‘interface’ keyword.

    static (inside,outside) tcp smtp smtp netmask

    static (inside,outside) tcp interface smtp smtp netmask
