I ran into a strange issue with a Cisco ASA firewall today. The firewall was not passing traffic to the internal host although I had the static statement configured and access-lists allowing incoming traffic.

    static (inside,outside) tcp 12.34.56.78 smtp 10.1.1.50 smtp netmask 255.255.255.255
    access-list acl_outside permit tcp any host 12.34.56.78 eq 25

    access-group acl_outside in interface outside

With the logging level set at 5, I did not see anything in the logs. I just noticed the access-list counters were not incrementing and the connection wasn’t working. I changed the logging level to 7 and started seeing the following error message:

    Oct 25 2007 16:30:16: %ASA-7-710005: TCP request discarded from 4.4.4.4/42977 to outside: 12.34.56.78/25

The problem was that I configured the static statement with the public IP address of the outside interface instead of the ‘interface’ keyword.

Incorrect:

    static (inside,outside) tcp 12.34.56.78 smtp 10.1.1.50 smtp netmask 255.255.255.255

Correct:

    static (inside,outside) tcp interface smtp 10.1.1.50 smtp netmask 255.255.255.255
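To catch this mistake in a config review rather than on the wire, here is an added example (my own, not from the post) of a small Python lint that flags any `static` whose global address is literally the mapped interface's configured IP and rewrites it to use the `interface` keyword. The running-config fragment and interface names are constructed for the example.

```python
import re

# Constructed ASA running-config fragment (not from the post). The first static
# repeats the mistake described above: the global address is the outside
# interface's own IP rather than the 'interface' keyword.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 12.34.56.78 255.255.255.240
interface GigabitEthernet0/1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
static (inside,outside) tcp 12.34.56.78 smtp 10.1.1.50 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 10.1.1.60 https netmask 255.255.255.255
static (inside,outside) tcp 12.34.56.79 www 10.1.1.70 www netmask 255.255.255.255
"""

# static (real_ifc,mapped_ifc) {tcp|udp} global_ip global_port local_ip local_port ...
STATIC_RE = re.compile(
    r"^static \((?P<real>[\w-]+),(?P<mapped>[\w-]+)\) (?:tcp|udp) "
    r"(?P<global>\S+) (?P<gport>\S+) (?P<local>\S+) (?P<lport>\S+)"
)

def interface_addresses(config):
    """Map each nameif to its configured IP by walking the interface blocks."""
    addrs, nameif = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
        elif line.startswith(" ip address ") and nameif:
            addrs[nameif] = line.split()[2]
    return addrs

def find_interface_ip_statics(config):
    """Return static lines whose global address is literally the mapped
    interface's own IP; the ASA discards such traffic (%ASA-7-710005)."""
    addrs = interface_addresses(config)
    hits = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m and m["global"] == addrs.get(m["mapped"]):
            hits.append(line)
    return hits

def suggest_fix(line):
    """Rewrite a flagged static to use the 'interface' keyword instead."""
    m = STATIC_RE.match(line)
    return line[: m.start("global")] + "interface" + line[m.end("global") :]
```

Run it over `show running-config` output on a box that still uses the pre-8.3 `static` syntax; the two statics that already use `interface` or a different public address are left alone.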
