topic Re: UDP 3343 not allowed across interfaces on ASA in Network Security

UDP 3343 not allowed across interfaces on ASA

Jesserony — Mon, 12 Dec 2022 18:17:02 GMT

Hello Everyone,

We are trying to get a SQL cluster node to communicate on UDP 3343 from a host attached to our "DMZ" interface, to a host on our Inside interface. Packet tracer is saying the packet is dropped due to an ACL, but ive cleaned up our ACLs to allow IP any any. Could someone take a look? PT results and ASA config below.

Thanks,

Jesse

Result of the command: "packet-tracer input inside udp 172.30.43.223 3344 192.168.10.225 3344"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.254.57 using egress ifc inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

: Saved
:
: Serial Number: JAD23240PX7
: Hardware: ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
:
ASA Version 9.8(2)
!
hostname Dover-ASA
domain-name companyglobal.com
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet1/1
description Windstream
nameif mpls
security-level 90
ip address 192.168.252.14 255.255.255.252
!
interface GigabitEthernet1/2
description Windstream_internet
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface GigabitEthernet1/3
description LINK SW01:G1/0/20
nameif inside
security-level 100
ip address 192.168.254.58 255.255.255.248
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
nameif company_Verizon
security-level 2
ip address x.x.x.75 255.255.255.0
!
interface GigabitEthernet1/8
description Interface for the Dover DMZ
nameif DMZ
security-level 100
ip address 172.30.43.21 255.255.255.0
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name companyglobal.com
same-security-traffic permit inter-interface
object network CGI-DMZ
subnet 172.20.43.0 255.255.255.0
object network CGI-Network
subnet 192.168.0.0 255.255.0.0
object network Office-Dover
subnet 192.168.8.0 255.255.252.0
description as supernet
object network DCIS
host 167.21.84.227
object network Internal_RFC1918-10
subnet 10.0.0.0 255.0.0.0
object network Internal_RFC1918-172.16
subnet 172.16.0.0 255.24.0.0
object network Internal_RFC1918-192.168
subnet 192.168.0.0 255.255.0.0
object network Server_RDGWA-Dov
host 192.168.10.208
object network Server_RDGWA-Dov-Outside
host 173.221.200.203
object network DCIS-Test
host 167.21.128.83
object network UTIL-SAC
host 192.168.50.239
description Test File Transfer bypassing SFR
object network FILE01-DOV
host 192.168.10.240
description Test File Transfer bypassing SFR
object network HV01-DOV
host 192.168.10.91
object network HV01-NYC
host 192.168.4.213
object network GP2016-DOV
host 192.168.10.46
object network SQL-GP
host 192.168.4.68
object network GP2016TS-NYC
host 192.168.4.67
object network GPTS-NYC
host 192.168.4.206
object network GP-NYC
host 192.168.4.205
object network NAS06-COLO-NIC1
host 192.168.170.159
description NIC1
object network NAS06-COLO-NIC2
host 192.168.170.160
description NIC2
object network NAS02-DOV
host 192.168.10.201
object network Server_Dover-DMZ-Test
host 172.30.43.210
description DMZ Test RRAS
object network DMZ-Network
subnet 172.30.43.0 255.255.255.0
object service 445
service tcp source eq 445 destination eq 445
object network NETWORK_OBJ_192.168.190.0_24
subnet 192.168.190.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network Dover_Data_Subnet
subnet 192.168.10.0 255.255.255.0
object network New_CoLo_Subnet
subnet 192.168.190.0 255.255.255.0
object network Colo_Subnet
subnet 192.168.170.0 255.255.255.0
object network Dover_10_subnet
subnet 192.168.10.0 255.255.255.0
object network NYC_Subnet
subnet 192.168.4.0 255.255.255.0
object network Dover_Cluster_Subnet
subnet 10.0.12.0 255.255.255.0
object network CoLo_Cluster_Subnet
subnet 10.0.11.0 255.255.255.0
object network DMZ_TEST_CROSSCLUSTER_COM
host 172.30.43.220
object network DMZ_TEST_CROSSCLUSTER_COM2
host 172.30.43.223
object network DMZ_TEST_CROSSCLUSTER_COM3
host 172.30.43.224
object network DMZ_TEST_CROSSCLUSTER_COM4
host 172.30.43.228
object network TEST_HV_COM
host 192.168.10.225
object network TEST_HV_COM2
host 192.168.10.226
object network TEST_HV_COM3
host 192.168.10.227
object network TEST_HV_COM4
host 192.168.10.228
object-group network local-network
network-object object Office-Dover
network-object 192.168.254.56 255.255.255.248
object-group network remote-network
network-object object CGI-Network
network-object object CGI-DMZ
network-object object DCIS
object-group network Internal_RFC1918
network-object object Internal_RFC1918-10
network-object object Internal_RFC1918-172.16
network-object object Internal_RFC1918-192.168
object-group network NOG-RingCentral
description All RingCentral Networks a/o 20170919
network-object 103.44.68.0 255.255.252.0
network-object 66.81.240.0 255.255.240.0
network-object 80.81.128.0 255.255.240.0
network-object 104.245.56.0 255.255.248.0
network-object 185.23.248.0 255.255.252.0
network-object 192.209.24.0 255.255.248.0
network-object 199.255.120.0 255.255.252.0
network-object 199.68.212.0 255.255.252.0
network-object 208.87.40.0 255.255.252.0
object-group service SOG-RC-SIP
description RingCentral SIP service identifiers a/o 20170919
service-object tcp-udp source range sip 6000
service-object tcp-udp destination range sip 6000
object-group service SMTP-DNS
service-object tcp-udp destination eq domain
service-object tcp destination eq smtp
object-group service RDC
service-object tcp destination eq https
service-object udp destination eq 3391
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq https
service-object udp destination eq 3391
object-group network DCIS-Hosts
network-object object DCIS
network-object object DCIS-Test
object-group icmp-type ICMP-allowed
icmp-object echo
icmp-object echo-reply
icmp-object source-quench
icmp-object time-exceeded
icmp-object unreachable
object-group service http-all tcp
port-object eq www
port-object eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service RRAS_Services tcp
description The following ports need to be open from 172 network to 192 network
port-object eq 135
port-object eq 15000
port-object eq 3268
port-object eq 445
port-object eq 464
port-object range 49152 65535
port-object eq 88
port-object eq domain
port-object eq www
port-object eq https
port-object eq ldap
port-object eq ldaps
port-object eq netbios-ssn
port-object eq 3389
object-group service RRAS_Services_UDP udp
description The following ports need to be open from 172 network to 192 network
port-object eq 389
port-object eq 636
port-object eq domain
port-object eq netbios-dgm
port-object eq netbios-ns
port-object eq ntp
port-object eq 3389
object-group network VPN_Local
network-object 192.168.254.56 255.255.255.248
network-object object Dover_10_subnet
object-group network VPN_Remote
network-object object New_CoLo_Subnet
object-group network RFIC_minus_190
network-object object NYC_Subnet
object-group network DM_INLINE_NETWORK_1
network-object object CGI-Network
network-object object DMZ-Network
object-group network DM_INLINE_NETWORK_2
network-object 172.30.43.0 255.255.255.0
network-object object CGI-Network
object-group service DM_INLINE_TCP_1 tcp
port-object eq 10001
port-object eq 2500
object-group network DMZ_CROSS_CLUSTER_TEST_OBJECTS
network-object object DMZ_TEST_CROSSCLUSTER_COM
network-object object DMZ_TEST_CROSSCLUSTER_COM2
network-object object DMZ_TEST_CROSSCLUSTER_COM3
network-object object DMZ_TEST_CROSSCLUSTER_COM4
object-group network TEST_HV_COM_OBJECTS
network-object object TEST_HV_COM
network-object object TEST_HV_COM2
network-object object TEST_HV_COM3
network-object object TEST_HV_COM4
access-list outside_access_in extended deny udp any4 any4 eq netbios-ns
access-list outside_access_in extended deny udp any4 any4 eq netbios-dgm
access-list outside_access_in extended deny tcp any4 any4 eq netbios-ssn
access-list outside_access_in extended deny tcp any4 any4 eq 445
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Server_RDGWA-Dov
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list Comcast_Test_cryptomap extended permit ip object-group VPN_Local object-group VPN_Remote
access-list sfr_redirect extended deny ip object-group DMZ_CROSS_CLUSTER_TEST_OBJECTS object-group TEST_HV_COM_OBJECTS
access-list sfr_redirect extended deny ip object-group TEST_HV_COM_OBJECTS object-group DMZ_CROSS_CLUSTER_TEST_OBJECTS
access-list sfr_redirect extended deny ip object FILE01-DOV object GPTS-NYC
access-list sfr_redirect extended deny ip object FILE01-DOV object GP-NYC
access-list sfr_redirect extended deny ip object FILE01-DOV object UTIL-SAC
access-list sfr_redirect extended deny ip object UTIL-SAC object FILE01-DOV
access-list sfr_redirect extended deny ip object HV01-DOV object HV01-NYC
access-list sfr_redirect extended deny ip object HV01-NYC object HV01-DOV
access-list sfr_redirect extended deny ip object GP2016-DOV object SQL-GP
access-list sfr_redirect extended deny ip object SQL-GP object GP2016-DOV
access-list sfr_redirect extended deny ip object FILE01-DOV object GP2016TS-NYC
access-list sfr_redirect extended deny ip object GP2016TS-NYC object FILE01-DOV
access-list sfr_redirect extended deny ip object NAS06-COLO-NIC2 object NAS02-DOV
access-list sfr_redirect extended deny ip object NAS06-COLO-NIC1 object NAS02-DOV
access-list sfr_redirect extended deny ip object NAS02-DOV object NAS06-COLO-NIC1
access-list sfr_redirect extended deny ip object NAS02-DOV object NAS06-COLO-NIC2
access-list sfr_redirect extended permit ip any any
access-list netflow-export extended permit ip any any
access-list mpls_access_in extended permit ip any any
access-list ACL-RoutingProtocol extended permit udp any any eq rip
access-list ACL-RoutingProtocol extended permit udp any eq rip any
access-list ACL-RoutingProtocol extended permit eigrp any any
access-list ACL-RoutingProtocol extended permit ospf any any
access-list ACL-RoutingProtocol extended permit tcp any any eq bgp
access-list ACL-RoutingProtocol extended permit tcp any eq bgp any
access-list ACL-RTR-IB-RC-Voice-RTP extended permit udp object-group NOG-RingCentral range 9000 64999 any
access-list ACL-RTR-IB-RC-Video-RTP extended permit udp object-group NOG-RingCentral any range 8801 8802
access-list ACL-RTR-IB-RC-GeneralSIP extended permit object-group SOG-RC-SIP object-group NOG-RingCentral any
access-list ACL-RTR-IB-RC-Networks-All extended permit ip object-group NOG-RingCentral any
access-list ACL-RTR-IB-Cust-AF11 extended deny tcp any any
access-list ACL-RTR-IB-Cust-AF11 extended deny udp any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in_1 extended permit ip any any
access-list DMZ_access_out extended permit ip any any
access-list Comcast_Test_access_in extended permit ip object New_CoLo_Subnet object Dover_Data_Subnet
access-list Comcast_Test_access_in extended permit ip any any inactive
access-list mpls_access_out extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging trap errors
logging asdm informational
logging facility 17
logging host mpls 192.168.170.250 17/49333
no logging message 106014
no logging message 106006
no logging message 106001
no logging message 313001
no logging message 710003
no logging message 106100
flow-export destination mpls 192.168.170.250 2055
mtu mpls 1500
mtu outside 1500
mtu inside 1500
mtu company_Verizon 1500
mtu DMZ 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any mpls
icmp permit any echo-reply outside
icmp permit host 64.128.232.98 outside
icmp permit any outside
icmp permit any inside
icmp permit any company_Verizon
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static Server_RDGWA-Dov Server_RDGWA-Dov-Outside
nat (DMZ,any) source static CGI-Network CGI-Network destination static DMZ-Network DMZ-Network no-proxy-arp route-lookup
nat (inside,any) source static CGI-Network CGI-Network destination static DMZ-Network DMZ-Network no-proxy-arp route-lookup
nat (DMZ,any) source static CGI-DMZ CGI-DMZ destination static DMZ-Network DMZ-Network no-proxy-arp route-lookup
nat (inside,any) source static CGI-DMZ CGI-DMZ destination static DMZ-Network DMZ-Network no-proxy-arp route-lookup
nat (inside,mpls) source static Dover_Cluster_Subnet Dover_Cluster_Subnet destination static CoLo_Cluster_Subnet CoLo_Cluster_Subnet no-proxy-arp
!
nat (any,any) after-auto source static Internal_RFC1918 Internal_RFC1918 destination static Internal_RFC1918 Internal_RFC1918 no-proxy-arp
nat (any,any) after-auto source static Internal_RFC1918 Internal_RFC1918 destination static DCIS-Hosts DCIS-Hosts no-proxy-arp
nat (any,outside) after-auto source dynamic any interface
access-group mpls_access_in in interface mpls
access-group mpls_access_out out interface mpls
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_in out interface inside
access-group Comcast_Test_access_in in interface company_Verizon
access-group DMZ_access_in_1 in interface DMZ
access-group DMZ_access_out out interface DMZ
router bgp 65101
bgp log-neighbor-changes
address-family ipv4 unicast
neighbor 192.168.252.13 remote-as 65201
neighbor 192.168.252.13 activate
network 192.168.8.0 mask 255.255.252.0
network 10.0.12.0 mask 255.255.255.0
network 172.30.43.0 mask 255.255.255.0
network 192.168.254.56 mask 255.255.255.248
no auto-summary
no synchronization
exit-address-family
!
route outside 0.0.0.0 0.0.0.0 173.221.200.201 1
route inside 10.0.12.0 255.255.255.0 192.168.254.57 1
route company_Verizon x.x.x.12 255.255.255.255 x.x.x.1 1
route inside 192.168.8.0 255.255.252.0 192.168.254.57 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication login-history
http server enable
http 192.168.170.250 255.255.255.255 mpls
http 64.128.232.98 255.255.255.255 outside
http 192.168.0.0 255.255.0.0 mpls
http 192.168.0.0 255.255.0.0 inside
snmp-server group No_Authentication_No_Encryption v3 noauth
snmp-server user SolarWrite No_Authentication_No_Encryption v3 engineID 80000009fed04a183bad2cc4f630321408c05e0c384b96d858
snmp-server host mpls 192.168.170.250 poll community ***** version 2c
snmp-server location Dover Server Room
snmp-server contact is@companyglobal.com
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map Comcast_Test_map0 1 match address Comcast_Test_cryptomap
crypto map Comcast_Test_map0 1 set peer x.x.x.12
crypto map Comcast_Test_map0 1 set ikev1 transform-set ESP-3DES-MD5
crypto map Comcast_Test_map0 interface company_Verizon
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=198.18.215.2,CN=Dover-ASA
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_1
enrollment self
fqdn none
subject-name CN=x.x.x.x,CN=Dover-ASA
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate 82748f5d
308202d2 308201ba a0030201 02020482 748f5d30 0d06092a 864886f7 0d01010b
0500302b 31123010 06035504 03130944 6f766572 2d415341 31153013 06035504
03130c31 39382e31 382e3231 352e3230 1e170d32 30303531 31313535 3134365a
170d3330 30353039 31353531 34365a30 2b311230 10060355 04031309 446f7665
722d4153 41311530 13060355 0403130c 3139382e 31382e32 31352e32 30820122
300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101 0087a508
01f6fe80 0ed6fb07 006fbaa5 46921767 7d976153 a421c8f1 93a08f1b f920f556
dcf1eb21 68e39031 7fcd2fab 610089fc 3c4caf81 5593e334 42567c3e 07bf442f
053a1e89 bd45eaa1 c5fcf1c1 6834e22a 1773e5cb b6c757d5 c42e2d90 6f4cbfbf
86302351 eabc6887 6005a6b2 dab9114a ba85ef26 ef8b9653 1c4f100f 7f536af2
b48a2476 582d7223 68bf718b d68244a4 e2f8a306 a8683a94 a5dedb53 fb114c6d
603c6c84 c402a701 42323f09 c468f535 378e149b 4a793f8f 8106e1b8 eb9117f8
8c0d8919 98af9c6c 442653dc 0191de8d ac3b9da2 2dbde446 e2536a01 da14c56e
5fed6710 881f2a39 9e0da70a ba6dd7e6 1ded30bb 5d3c2477 3d98df48 c1020301
0001300d 06092a86 4886f70d 01010b05 00038201 01002c5b 4c523837 3bdcb675
f6f3336c a2829aa8 7f04f0b2 ec4f40a6 4700906e 2d918563 fd04da2e f5d464f6
95d6d23e 7f1caa01 97099222 cc56817a ab41637d badabca9 af29f9eb 109d7826
e5745b64 98c5bc7d dbc23337 deeca3bc 5c6c7fa6 6abec024 88000830 8337fc3f
ee1af1c3 dfd54779 63c47455 267956c9 bc956ec6 53433d43 6c035a89 bbd776e9
24630cc4 cf5aefb9 08078e27 78a5c25a 999cd4c8 fd143dbc 4b32db55 68a67c05
87c4109c 26a64dc0 6b11d0ef 61e60e7a 6dbe9488 b4c540ed 774491e3 199dfc17
63a467ac 28ab8c90 bc317049 0d487a9e b691c47c 857bd2cd d375a744 cd517422
9e8cbbb6 c6f7e1e6 2d2b29ca 4ae4780d 0c7de47b 6725
quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_1
certificate 83748f5d
308202d8 308201c0 a0030201 02020483 748f5d30 0d06092a 864886f7 0d01010b
0500302e 31123010 06035504 03130944 6f766572 2d415341 31183016 06035504
03130f31 37332e32 32312e32 30302e32 3032301e 170d3230 30373031 31353235
34315a17 0d333030 36323931 35323534 315a302e 31123010 06035504 03130944
6f766572 2d415341 31183016 06035504 03130f31 37332e32 32312e32 30302e32
30323082 0122300d 06092a86 4886f70d 01010105 00038201 0f003082 010a0282
01010087 a50801f6 fe800ed6 fb07006f baa54692 17677d97 6153a421 c8f193a0
8f1bf920 f556dcf1 eb2168e3 90317fcd 2fab6100 89fc3c4c af815593 e3344256
7c3e07bf 442f053a 1e89bd45 eaa1c5fc f1c16834 e22a1773 e5cbb6c7 57d5c42e
2d906f4c bfbf8630 2351eabc 68876005 a6b2dab9 114aba85 ef26ef8b 96531c4f
100f7f53 6af2b48a 2476582d 722368bf 718bd682 44a4e2f8 a306a868 3a94a5de
db53fb11 4c6d603c 6c84c402 a7014232 3f09c468 f535378e 149b4a79 3f8f8106
e1b8eb91 17f88c0d 891998af 9c6c4426 53dc0191 de8dac3b 9da22dbd e446e253
6a01da14 c56e5fed 6710881f 2a399e0d a70aba6d d7e61ded 30bb5d3c 24773d98
df48c102 03010001 300d0609 2a864886 f70d0101 0b050003 82010100 12ef9077
389b0af6 e7346e39 6617661a cfc5b0e4 1a45f9c5 43fda22c ba22ae52 a877f54e
2b8efafe e83df473 5253536c 0e65a780 883122e0 aa1fb57b 970b931d 97b60f81
7ae00ea4 3e09c3a0 5f18d2df 9f3da40b c5bd28ce d1edc94e d404d733 dacf225a
1166ba21 f214fd76 d84af808 981829c9 cb9f9904 4adca7c5 8150b1c1 84fa298b
98e54721 da672cc6 86a4ae8a 6021f5bb b0fd62ec 41f5091a 2d5c7465 e91a10db
87567b36 4daf85b8 61e4580e 1c925ce0 757fdfee 944a908a 232d75ce eef34a17
15578844 7c0136d8 a8c60abf e81894a8 a1db63fe cbbd752d 5f91df6c b1325774
93c07257 0bf07e06 c11ad7f6 c2b1a372 3b928975 b0262ff0 feedded9
quit
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.170.250 255.255.255.255 mpls
ssh 192.168.0.0 255.255.0.0 mpls
ssh 64.128.232.98 255.255.255.255 outside
ssh 100.4.218.110 255.255.255.255 outside
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.10.243 source inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 mpls
ssl trust-point ASDM_Launcher_Access_TrustPoint_1 outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 mpls vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_1 outside vpnlb-ip
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
dynamic-access-policy-record DfltAccessPolicy
username administrator password $sha512$5000$61ool92zVpkCnEMEZIfSZg==$d1Udyn8ZbNFASJ3cSnbQig== pbkdf2 privilege 15
username orionadmin password tT8uUhU82k.Z.s/N encrypted privilege 15
tunnel-group x.x.x.12 type ipsec-l2l
tunnel-group x.x.x.12 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map CM-RTR-IB-RC-Other
description AllRingCentral Originated Traffic
match access-list ACL-RTR-IB-RC-Networks-All
class-map netflow-export-class
match access-list netflow-export
class-map global-class
match any
class-map CM-RTR-IB-RC-SIP
description RingCentral SIP Traffic
match access-list ACL-RTR-IB-RC-GeneralSIP
class-map CM-RTR-IB-Cust-AF12
description Customer AF13 class traffic
class-map sfr
match access-list sfr_redirect
class-map CM-RTR-IB-Cust-AF11
description Customer AF11 class traffic
class-map inspection_default
match default-inspection-traffic
class-map CM-RTR-IB-RC-Video-RT
description RingCentral Originated Traffic Video RTP
match access-list ACL-RTR-IB-RC-Video-RTP
class-map CM-RTR-IB-RC-Voice-RT
match access-list ACL-RTR-IB-RC-Voice-RTP
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class sfr
sfr fail-open
class netflow-export-class
flow-export event-type all destination 192.168.170.250
policy-map PM-RTR-IB-Standard-QoS
class CM-RTR-IB-RC-Voice-RT
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:8ecc67c9358ebabd3496666c2e151e5a
: end

Re: UDP 3343 not allowed across interfaces on ASA

Rob Ingram — Mon, 12 Dec 2022 18:36:03 GMT

@Jesserony the network 172.30.43.x is your DMZ network, but your packet-tracer input interface you defined as "inside" - re-run packet-tracer with the correct input interface and paste the full output.

Re: UDP 3343 not allowed across interfaces on ASA

Jesserony — Mon, 12 Dec 2022 19:14:45 GMT

My mistake, thank you - this brings me back to the original question i had.

Look at the two packet traces below - one going from UDP 3343 to 3343. The PT output says its allowed, but doesnt show what the output interface will be. Now if i do 3343 to 3344, it does show the output interface.. Is that meaningful to you Rob?

Result of the command: "packet-tracer input DMZ udp 172.30.43.223 3343 192.168.10.225 3343"

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 40519440, using existing flow

Result:
input-interface: DMZ
input-status: up
input-line-status: up
Action: allow

-----------------------

Result of the command: "packet-tracer input DMZ udp 172.30.43.223 3343 192.168.10.225 3344"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.254.57 using egress ifc inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_in_1 in interface DMZ
access-list DMZ_access_in_1 extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,any) source static CGI-Network CGI-Network destination static DMZ-Network DMZ-Network no-proxy-arp route-lookup
Additional Information:
Static translate 172.30.43.223/3343 to 172.30.43.223/3343

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map sfr
match access-list sfr_redirect
policy-map global_policy
class sfr
sfr fail-open
service-policy global_policy global
Additional Information:

Phase: 7
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in out interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,any) source static CGI-Network CGI-Network destination static DMZ-Network DMZ-Network no-proxy-arp route-lookup
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 42760708, packet dispatched to next module

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Re: UDP 3343 not allowed across interfaces on ASA

Rob Ingram — Mon, 12 Dec 2022 19:30:43 GMT

@Jesserony this is probably a clue.

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 40519440, using existing flow

Do you have an existing connection?

Is real traffic working or not?

Re: UDP 3343 not allowed across interfaces on ASA

MHM Cisco World — Mon, 12 Dec 2022 19:31:23 GMT

DMZ and Inside same security level so you need below command
same-secuirty-traffic permit inter-interface

Re: UDP 3343 not allowed across interfaces on ASA

Rob Ingram — Mon, 12 Dec 2022 19:35:44 GMT

@MHM Cisco World

@MHM Cisco World wrote:

DMZ and Inside same security level so you need below command
same-secuirty-traffic permit inter-interface

looks like it's already configured 😉😉

Re: UDP 3343 not allowed across interfaces on ASA

MHM Cisco World — Mon, 12 Dec 2022 19:51:56 GMT

show arp in FW do you see the MAC address of next-hop 192.168.254.57

Re: UDP 3343 not allowed across interfaces on ASA

Jesserony — Mon, 12 Dec 2022 21:06:13 GMT

Yes, the connection works, ping and SMB are currently working between those subnets, it just doesnt seem to be liking UDP 3343 for some reason.

Re: UDP 3343 not allowed across interfaces on ASA

Jesserony — Mon, 12 Dec 2022 21:06:39 GMT

Yup, i can see 192.168.254.57 in arp.

Re: UDP 3343 not allowed across interfaces on ASA

Rob Ingram — Mon, 12 Dec 2022 21:19:20 GMT

@Jesserony check local firewall on the server itself to ensure that port is allowed from the source.

Take a packet capture

Re: UDP 3343 not allowed across interfaces on ASA

Jesserony — Mon, 12 Dec 2022 21:33:30 GMT

Ok ill give that a try. Related question: When i run a packet trace does it somehow know there is an issue somewhere outside of the ASA? I was under the impression packet trace was completely simulated.

Re: UDP 3343 not allowed across interfaces on ASA

MHM Cisco World — Mon, 12 Dec 2022 22:45:21 GMT

the server is in DMZ and it use 3343 ? or server in IN and use 3343 ?

Re: UDP 3343 not allowed across interfaces on ASA

MHM Cisco World — Tue, 13 Dec 2022 10:33:22 GMT

in this case there is many point the packet can drop on it,
but we want to mini our search,
you can use capture in ASA to find if the packet is receive and send to server through ASA FW.

I run lab show you how you can use capture in ASA FW
I have two interface IN and DMZ.

please note that you must use NO capture ......... after finish because this capture take large CPU/memory resource.

Re: UDP 3343 not allowed across interfaces on ASA

Jesserony — Tue, 13 Dec 2022 19:20:00 GMT

Thank you so much for the help! I will give it a try.