Which ACL is blocking traffic

Hello,

I am trying to figure out which access list is blocking my attempts to connect to an ASA5500 via Cisco ASDM Launcher. On the console of the ASA I am getting the following when I attempt to launch the ASDM:

%ASA-3-710003: TCP access denied by ACL from 172.16.5.133/1983 to inside:172.16.5.201/443

The ASA has dozens of access lists but I don't know which one is stopping me. How can I tell which ACL is affecting this kind of traffic?

Thanks,

Pedro

Reply to
Pedro89

Paste your access lists... or add logging onto them and watch the counters.

Reply to
Trendkill

This box has almost a hundred ACLs. I will try.

Reply to
Pedro89

Look for ACLs that match the IP address (172.16 or 172.16.5 or 172.16.5.133/201) or ones that have the specific destination port mentioned (443).

Reply to
Trendkill

It should not be too difficult to clear the acl counters and then try the connection and examine those "deny" acl rules that have a nonzero counter.

Reply to
Rob

Pedro89 said the following on 07/22/2009 05:14 PM:

On a PIX/ASA you can use packet tracer, either with the CLI or ASDM. It gives a result even if you don't have deny ip any any at the end of your access-list. Hope it helps.

Reply to
Daniel-G

From the Cisco documentation (link):

==========
Error Message %PIX|ASA-3-710003: {TCP|UDP} access denied by ACL from source_address/source_port to interface_name:dest_address/service

Explanation This message appears when the security appliance denies an attempt to connect to the interface service. For example, this message appears (with the service SNMP) when the security appliance receives an SNMP request from an unauthorized SNMP management station.

Recommended Action Use the show http, show ssh, or show telnet command to verify that the security appliance is configured to permit the service access from the host or network. If this message appears frequently, it can indicate an attack.
==========

Regards, Andrey.

Reply to
Andrey Tarasov
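As an added illustration of the check Andrey's quoted documentation describes (not code from the thread or from Cisco), the script below parses a 710003 syslog line and compares it against constructed "show http" / "show ssh" style output (service, network, mask, interface) to report which management-access lines, if any, would permit the denied connection. The mapping of destination port 443 to the http service (and 22/23 to ssh/telnet) is an assumption based on the ASA's default ASDM/HTTPS port.

```python
import ipaddress
import re

# Constructed sample syslog line in the format seen in the thread.
SYSLOG = ("%ASA-3-710003: TCP access denied by ACL from 172.16.5.133/1983 "
          "to inside:172.16.5.201/443")

# Constructed 'show http' / 'show ssh' style output; note that no http line
# covers 172.16.5.133 on "inside", which is consistent with the denial above.
MGMT_CONFIG = """
http server enable
http 172.16.4.0 255.255.255.0 inside
http 10.0.0.0 255.0.0.0 management
ssh 172.16.5.133 255.255.255.255 inside
"""

# Assumed port-to-service mapping (ASDM/HTTPS on 443 by default).
SERVICE_PORTS = {443: "http", 22: "ssh", 23: "telnet"}

MSG_RE = re.compile(r"%(?:PIX\|)?ASA-3-710003: (TCP|UDP) access denied by ACL "
                    r"from (\S+)/(\d+) to (\S+):(\S+)/(\d+)")

def parse_710003(line):
    """Return the fields of a 710003 message as a dict, or None if it does not match."""
    m = MSG_RE.search(line)
    if not m:
        return None
    proto, src, sport, iface, dst, dport = m.groups()
    return {"proto": proto, "src": src, "sport": int(sport),
            "iface": iface, "dst": dst, "dport": int(dport)}

def parse_mgmt_access(config):
    """Parse 'http|ssh|telnet <addr> <mask> <iface>' lines into (service, network, iface)."""
    rules = []
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) == 4 and parts[0] in ("http", "ssh", "telnet"):
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            rules.append((parts[0], net, parts[3]))
    return rules

def permitted_rules(msg, rules):
    """Return the management-access rules that would have permitted this connection."""
    service = SERVICE_PORTS.get(msg["dport"])
    src = ipaddress.ip_address(msg["src"])
    return [r for r in rules
            if r[0] == service and r[2] == msg["iface"] and src in r[1]]

if __name__ == "__main__":
    msg = parse_710003(SYSLOG)
    hits = permitted_rules(msg, parse_mgmt_access(MGMT_CONFIG))
    print("permitting lines:", hits or "none (add an http line for this host/interface)")
```

An empty result means no http/ssh/telnet line covers the source on that interface, which is the management-access configuration, not an interface ACL, that produces this message.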
