Friday, October 15, 2010

ASA access lists

Ok, so I changed the size of a network on one of my DMZs. So I remove all the ACL entries and re-paste them with the new subnet mask. Now I can't get to my DNS server (which is in a different DMZ).

Ok, I look through my ACLs, make sure the DNS lines are still there, pasted correctly, etc. Everything looks ok, so I run packet-tracer and it ends with: blocked by access-list .... implicit deny.

Now, my only grudge about packet-tracer is that it doesn't list WHICH ACL blocked it, but I'm pretty sure it should only be hitting the one. I try adding a permit ip any any on the end of the ACL... Still blocked. I try adding a permit ip any DNSIP at line 1 of the ACL... Still blocked. Starting to want to pull my hair out; I know it should be hitting this ACL and I have the correct entries!

(Now this DMZ is also my wireless network, so I'm doing some troubleshooting on the WLCs and laptops etc. to be sure, but I can't imagine it is anything other than that ACL I just changed on the firewall. It had worked after changing the subnet mask on both the interface and the NAT pool...)

So finally, I just sit back, decide to stop piping show output through filters, and look at the entire show run. I crawl through my entire ASA config line by line until at the bottom I notice that the ACL for that DMZ isn't applied.... Apparently when you remove all lines of the ACL it also removes it from the interface (and fails closed to the implicit deny). So I re-add the ACL to the interface and magically everything is working again!

So - when you remove all lines of an ACL - the ASA also removes the

access-group dmzACL in interface DMZ

command from your running config as well.
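Added example (not from the post): a small Python check over a saved show run that catches exactly this failure mode, a named interface whose inbound access-group has gone missing, and also reports ACLs that are defined but applied nowhere. The sample config is constructed; the interface and ACL names are assumptions.

```python
import re

# Constructed sample of ASA running-config text (not from the original post):
# dmzACL was emptied and re-pasted, and its access-group line is now gone.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
!
access-list insideACL extended permit ip any any
access-list dmzACL extended permit udp 10.10.20.0 255.255.254.0 host 10.10.30.5 eq domain
access-group insideACL in interface inside
"""

# Global settings that also start with "access-list" but are not ACL names.
NOT_ACL_NAMES = {"alert-interval", "deny-flow-max"}


def parse_asa_config(text):
    """Return (nameifs, acl_names, access_groups) parsed from running-config text.
    access_groups maps (nameif, direction) -> ACL name."""
    nameifs, acls, groups = set(), set(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"nameif (\S+)$", line):
            nameifs.add(m.group(1))
        elif m := re.match(r"access-list (\S+) ", line):
            if m.group(1) not in NOT_ACL_NAMES:
                acls.add(m.group(1))
        elif m := re.match(r"access-group (\S+) (in|out) interface (\S+)$", line):
            groups[(m.group(3), m.group(2))] = m.group(1)
    return nameifs, acls, groups


def audit(text):
    """Flag the post's failure mode: a named interface with no inbound access-group,
    plus ACLs defined but bound nowhere and access-groups naming an undefined ACL."""
    nameifs, acls, groups = parse_asa_config(text)
    bound = set(groups.values())
    return {
        "interfaces_without_inbound_acl": sorted(i for i in nameifs if (i, "in") not in groups),
        "unbound_acls": sorted(a for a in acls if a not in bound),
        "dangling_access_groups": sorted(a for a in bound if a not in acls),
    }


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_CONFIG).items():
        print(f"{finding}: {items or 'none'}")
```

Run it against the output of show run saved to a file after any bulk ACL edit; an interface turning up under interfaces_without_inbound_acl is the symptom described above.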

Lesson learned!
