topic Re: ASA ACL Blocking in Network Security

ASA ACL Blocking

EngineeringAir — Tue, 28 Sep 2021 13:56:19 GMT

Hi Cisco Community,

I am hoping someone can help me out. Myself and another Engineer have run multiple tests on the ASA and have come up empty.

We have an ACL that allows traffic between two servers on two different networks. When we attempt to pass traffic between the two the ASA shows deny by access group "Access Group X" in the live log file.

The Packet tracer done on the ASA CLI shows allow. Either this is a bug or an issue with the configuration, I cant seem to spot it.

When we look at the ACL rules it does not show any blocks between the two but allowed.

Thanks,

Re: ASA ACL Blocking

Chakshu Piplani — Tue, 28 Sep 2021 19:09:22 GMT

Probably you are running packet tracer incorrectly as you do see it getting blocked in the syslogs.

We can help but I will need more details in terms of IPs and interfaces, or the packet tracer output, you can chose to put fake IPs as long as you can correlate them back and forth while we try to figure this out.

Regards,

Chakshu

Do rate helpful posts !

Re: ASA ACL Blocking

Marius Gunnerud — Tue, 28 Sep 2021 19:40:30 GMT

Is it that traffic is passing successfully but you are seeing drop logs or is the traffic actually being dropped / not allowed? Could you post the actual log you are seeing (screenshot). Post the full output of your packet-tracer including the command you are running.

Also, a full running configuration (change any public IPs and remove usernames and passwords.

Re: ASA ACL Blocking

EngineeringAir — Thu, 30 Sep 2021 12:26:57 GMT

Hi Shakshu,

Please forgive me if I miss anything. Thank you for your help. Please see below a description of the interfaces and the Packet tracer I am running. If you have any suggestions to try, please let me know.

Interface Inside 10.10.10.1

Interface Server_DMZ 84.1.1.1

ACL
- Inside Interafce
- Allow Source 10.10.10.1 Destination 84.1.1.1
- Allow Source 84.1.1.1 Destination 10.10.10.1

ACL
Server_DMZ
- Allow Source 10.10.10.1 Destination 84.1.1.1
- Allow Source 84.1.1.1 Destination 10.10.10.1

NAT Rules
Inside Interface
- Original Packet Source 84.1.1.1 Destination 10.10.10.1 Translated Packet Source 10.20.20.1 Destination Original

Server_DMZ Interface
- Original Packet Source 10.10.10.1 Destination 10.20.20.1 Translated Packet Source Original Destination 84.1.1.1

pri/act/Firewall01# packet-tracer input Server_DMZ icmp 10.10.10.1 8 0 84.1.1.1 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff67a220ab0, priority=1, domain=permit, deny=false
hits=3179191418, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Server_DMZ, output_ifc=any

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Server_DMZ,Inside) source static SWPE.10.10.10.1 SWPE.10.10.10.1 destination static Netmon.84.1.1.1 Netmon.84.1.1.1 no-proxy-arp
Additional Information:
NAT divert to egress interface Inside
Untranslate 84.1.1.1/0 to 84.1.1.1/0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Server_DMZ_access_in in interface Server_DMZ
access-list Server_DMZ_access_in extended permit object-group ICMP_ALL any any
object-group service ICMP_ALL
service-object icmp echo
service-object icmp echo-reply
service-object icmp information-reply
service-object icmp information-request
service-object icmp traceroute
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff6843ead10, priority=13, domain=permit, deny=false
hits=3480, user_data=0x7ff683f62cc0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=8, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=Server_DMZ, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Server_DMZ,Inside) source static SWPE.10.10.10.1 SWPE.10.10.10.1 destination static Netmon.84.1.1.1 Netmon.84.1.1.1 no-proxy-arp
Additional Information:
Static translate 10.10.10.1/0 to 10.10.10.1/0
Forward Flow based lookup yields rule:
in id=0x7ff692a096d0, priority=6, domain=nat, deny=false
hits=0, user_data=0x7ff690e626d0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.10.10.1, mask=255.255.255.255, port=0, tag=any
dst ip/id=84.1.1.1, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=Server_DMZ, output_ifc=Inside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff675f108a0, priority=0, domain=nat-per-session, deny=true
hits=157548756, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff67a269f00, priority=0, domain=inspect-ip-options, deny=true
hits=21032813, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Server_DMZ, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff679feb740, priority=70, domain=inspect-icmp, deny=false
hits=27418, user_data=0x7ff6811a10b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=Server_DMZ, output_ifc=any

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff67a269320, priority=66, domain=inspect-icmp-error, deny=false
hits=27503, user_data=0x7ff677e15ee0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=Server_DMZ, output_ifc=any

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside,Server_DMZ) source static Netmon.84.1.1.1 netmon.nat.10.20.20.1 destination static SWPE.10.10.10.1 SWPE.10.10.10.1
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7ff68dd52a90, priority=6, domain=nat-reverse, deny=false
hits=160, user_data=0x7ff690ef3e90, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.10.10.1, mask=255.255.255.255, port=0, tag=any
dst ip/id=84.1.1.1, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=Server_DMZ, output_ifc=Inside

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7ff679ff3090, priority=0, domain=user-statistics, deny=false
hits=137093061, user_data=0x7ff67a22cce0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=Inside

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7ff675f108a0, priority=0, domain=nat-per-session, deny=true
hits=157548758, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7ff677fba9f0, priority=0, domain=inspect-ip-options, deny=true
hits=141092909, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any

Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0x7ff679ffd530, priority=0, domain=user-statistics, deny=false
hits=20904776, user_data=0x7ff67a22cce0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=Server_DMZ

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 146242950, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 15
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 84.1.1.1using egress ifc Inside

Phase: 16
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 000c.29a9.a8e7 hits 12 reference 56

Result:
input-interface: Server_DMZ
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: allow

Re: ASA ACL Blocking

EngineeringAir — Thu, 30 Sep 2021 12:25:03 GMT

Hi Marius,

I replied with the output of the packet tracer. I will upload the full running configuration once I sanitize it.

Thank you,

Re: ASA ACL Blocking

Chakshu Piplani — Thu, 30 Sep 2021 13:01:25 GMT

"packet-tracer input Server_DMZ icmp 10.10.10.1 8 0 84.1.1.1 detailed"

Shouldn't you be running "packet-tracer input Inside icmp 10.10.10.1 8 0 84.1.1.1 detailed" instead?

You need to have the source interface mentioned while running the packet tracer.

Syntax:

packet-tracer input $source-interface $traffic-type $src_address $src_proto $src_proto_options $dest_address

Regards,

Chakshu

Do rate helpful posts!

Re: ASA ACL Blocking

EngineeringAir — Thu, 30 Sep 2021 13:12:20 GMT

Hi Chakshu,

Here is the updated packet tracer.

pri/act/Firewall01# packet-tracer input Inside icmp 84.1.1.1 8 0 10.10.10.1detailed

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,Server_DMZ) source static Netmon.84.1.1.1 netmon.nat.10.215.24.253 destination static SWPE.10.10.10.1 SWPE.10.10.10.1
Additional Information:
NAT divert to egress interface Server_DMZ
Untranslate 10.10.10.1/0 to 10.10.10.1/0

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in remark Solarwinds access to City Solarwinds
access-list Inside_access_in extended permit ip object Netmon.84.1.1.1 object-group DM_INLINE_NETWORK_17
object-group network DM_INLINE_NETWORK_17
network-object object SWPE.10.10.10.1
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff67b921300, priority=13, domain=permit, deny=false
hits=13725, user_data=0x7ff66976be40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=84.1.1.1, mask=255.255.255.255, port=0, tag=any
dst ip/id=10.10.10.1, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Server_DMZ) source static Netmon.84.1.1.1 netmon.nat.10.20.20.1 destination static SWPE.10.10.10.1 SWPE.10.10.10.1
Additional Information:
Static translate 84.1.1.1/0 to 10.215.24.253/0
Forward Flow based lookup yields rule:
in id=0x7ff68fd15660, priority=6, domain=nat, deny=false
hits=4143, user_data=0x7ff690ef3e90, cs_id=0x0, flags=0x0, protocol=0
src ip/id=84.1.1.1, mask=255.255.255.255, port=0, tag=any
dst ip/id=10.10.10.1, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=Server_DMZ

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff675f108a0, priority=0, domain=nat-per-session, deny=true
hits=163031172, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff677fba9f0, priority=0, domain=inspect-ip-options, deny=true
hits=144998048, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff679fb6690, priority=70, domain=inspect-icmp, deny=false
hits=44285613, user_data=0x7ff6811a10b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff677fb9f30, priority=66, domain=inspect-icmp-error, deny=false
hits=47845073, user_data=0x7ff677a24f00, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff684495020, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=127565923, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside,Server_DMZ) source static Netmon.84.1.1.1 netmon.nat.10.20.20.1 destination static SWPE.10.10.10.1 SWPE.10.10.10.1
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7ff69353b260, priority=6, domain=nat-reverse, deny=false
hits=4144, user_data=0x7ff68ca6fce0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=84.1.1.1, mask=255.255.255.255, port=0, tag=any
dst ip/id=10.10.10.1, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=Server_DMZ

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7ff679ffd530, priority=0, domain=user-statistics, deny=false
hits=21586066, user_data=0x7ff67a22cce0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=Server_DMZ

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7ff675f108a0, priority=0, domain=nat-per-session, deny=true
hits=163031174, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7ff67a269f00, priority=0, domain=inspect-ip-options, deny=true
hits=21716516, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Server_DMZ, output_ifc=any

Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0x7ff679ff3090, priority=0, domain=user-statistics, deny=false
hits=140998137, user_data=0x7ff67a22cce0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=Inside

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 150244888, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 15
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.215.24.3 using egress ifc Server_DMZ

Phase: 16
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address b40c.25ef.0014 hits 1004 reference 54

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Server_DMZ
output-status: up
output-line-status: up
Action: allow

pri/act/Firewall01#

Re: ASA ACL Blocking

Chakshu Piplani — Thu, 30 Sep 2021 13:33:09 GMT

You have ran:

packet-tracer input Inside icmp 84.1.1.1 8 0 10.10.10.1 detailed

I want the output of

packet-tracer input Inside icmp 10.10.10.1 8 0 84.1.1.1 detailed

Re: ASA ACL Blocking

EngineeringAir — Thu, 30 Sep 2021 13:47:19 GMT

Hi Chakshu,

Here is the updated packet-tracer.

Firewall01# packet-tracer input Inside icmp 10.10.10.1 8 0 84.1.1.1 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 84.1.1.1 using egress ifc Inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit ip object SWPE.10.10.10.1 object Netmon.84.1.1.1
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff6855b40f0, priority=13, domain=permit, deny=false
hits=0, user_data=0x7ff68502f580, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.10.10.1, mask=255.255.255.255, port=0, tag=any
dst ip/id=84.1.1.1, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff675f108a0, priority=0, domain=nat-per-session, deny=true
hits=163123750, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff677fba9f0, priority=0, domain=inspect-ip-options, deny=true
hits=145069087, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff679fb6690, priority=70, domain=inspect-icmp, deny=false
hits=44310731, user_data=0x7ff6811a10b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff677fb9f30, priority=66, domain=inspect-icmp-error, deny=false
hits=47870595, user_data=0x7ff677a24f00, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff684495020, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=127633002, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any

Phase: 8
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7ff679ff3090, priority=0, domain=user-statistics, deny=false
hits=141070737, user_data=0x7ff67a22cce0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=Inside

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7ff675f108a0, priority=0, domain=nat-per-session, deny=true
hits=163123752, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7ff677fba9f0, priority=0, domain=inspect-ip-options, deny=true
hits=145069089, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any

Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0x7ff679ff3090, priority=0, domain=user-statistics, deny=false
hits=141070738, user_data=0x7ff67a22cce0, cs_id=0x0, reverse, flags=0x0,protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=Inside

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 150319849, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 13
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 84.1.1.1 using egress ifc Inside

Phase: 14
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 000c.29a9.a8e7 hits 102 reference 24

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: allow

Re: ASA ACL Blocking

EngineeringAir — Thu, 30 Sep 2021 13:51:29 GMT

Hi Marius,

Here is the Output of Run, I have removed any unnecessary configuration.

Interface Server_DMZ 10.10.10.1

Interface Inside 84.1.1.1

!
interface GigabitEthernet0/1
description Inside
nameif Inside
security-level 100
ip address 84.1.1.212 255.0.0.0 standby 86.1.1.213
!
!
interface GigabitEthernet0/5
description Server_DMZ
nameif Server_DMZ
security-level 99
ip address 10.10.10.212 255.255.252.0 standby 10.10.10.213
!
!
object network Netmon.84.1.1.1
host 84.1.1.1
description Server
!
object network -SWPE.10.10.10.1
host 10.10.10.1
!
!
network-object object Netmon.84.1.1.1
!
network-object object Netmon.84.1.1.1
!
object-group network SERVERS
network-object object -SWPE.10.10.10.1
!
object-group network DM_INLINE_NETWORK_17
network-object object -SWPE.10.10.10.1
!
object-group network DM_INLINE_NETWORK_18
network-object object -SWPE.10.10.10.1
!
object-group network DM_INLINE_NETWORK_20
network-object object -SWPE.10.10.10.1
!
access-list Inside_access_in extended permit ip object Netmon.84.1.1.1 object-group DM_INLINE_NETWORK_17
!
access-list Inside_access_in extended permit ip object -SWPE.10.10.10.1 object Netmon.84.1.1.1
!
access-list Server_DMZ_access_in extended permit object 17777 object -SWPE.10.10.10.1 object-group DM_INLINE_NETWORK_1
!
access-list Server_DMZ_access_in extended permit object-group ICMP_ALL any any
access-list Server_DMZ_access_in extended permit object 17777 object Netmon.84.1.1.1 object -SWPE.10.10.10.1
!
nat (Inside,Server_DMZ) source static Netmon.84.1.1.1 Netmon.nat.10.20.20.1 destination static -SWPE.10.10.10.1 -SWPE.10.10.10.1
!
nat (Inside,Server_DMZ) source static Netmon.84.1.1.1 Netmon.nat.10.20.20.1 destination static DM_INLINE_NETWORK_18 DM_INLINE_NETWORK_18 no-proxy-arp inactive
!
nat (Server_DMZ,Inside) source static -SWPE.10.10.10.1 -SWPE.10.10.10.1 destination static Netmon.84.1.1.1 Netmon.84.1.1.1 no-proxy-arp
!
access-group Inside_access_in in interface Inside
!
access-group Server_DMZ_access_in in interface Server_DMZ
!
!
route Server_DMZ 10.10.10.1 255.255.255.255 10.215.24.1 1
!
http 84.1.1.1 255.255.255.255 Inside
!
!
telnet 84.1.1.1 255.255.255.255 Inside
!
ssh 84.1.1.1 255.255.255.255 Inside
!
!
: end

Thank you for your help,

Re: ASA ACL Blocking

Chakshu Piplani — Thu, 30 Sep 2021 18:00:00 GMT

Are

Interface Inside 10.10.10.1

Interface Server_DMZ 84.1.1.1

the interface IPs? Because you are actually supposed to put the src and dst IPs as packet tracer will then show "through" the box trace output.

One more thing I would check would be routing as packet ingressed from inside is going towards inside, which should not be the case as per your requirement.

Re: ASA ACL Blocking

EngineeringAir — Thu, 30 Sep 2021 19:31:00 GMT

Hi Chakshu,

Those are not the interfaces, they are just the two endpoints.

Is there a specific route you would like me to look at?

The Static Routes we have should route between the two networks.

Thanks,