topic ASA 5505 Deny udp src outside to dst kulow by access-group outside_access_in in Network Security

ASA 5505 Deny udp src outside to dst kulow by access-group outside_access_in

blkulwicki07 — Tue, 12 Mar 2019 06:44:35 GMT

So i have been trying to set things up at home where I have my verizon router ----asa----cisco wireless router and all my host connecting to my csico wireless router.

I have been able to ping everything yet I am unable to ping from my 172.*.*.* to the ASA. I also notice I keep getting the following Deny even though I pretty much have the asa open.

Deny udp src outside:71.252.0.12/53 dst Kulow: 10.0.*.*/38269 by access group "outside_access_in"

Im stumped and would appreciate any help with figuring out why this is happening.

Thanks in advance

The deny msg is due the acl

Rishabh Seth — Tue, 13 Oct 2015 18:44:33 GMT

The deny msg is due the acl "outside_access_in".

In case you need to permit some traffic entering the interface on which you this acl applied then add those IPs in the acl.

Also I did not understand how you tried the ping test. Can elaborate on that and explain how the traffic flow is supposed to happen in your topolgy.

Thanks,

R.Seth

First of all thank you for

blkulwicki07 — Tue, 13 Oct 2015 19:22:20 GMT

First of all thank you for responding.

So I am trying to create a small network at home with an asa5505 which connects to my verizon router.

So it goes like this:

Verizon Router (192.168.1.0/24)-----(outbound)ASA(kulow 10.0.*.*/248)----Cisco Wireless Router (172.20.*.*)

When I do a ping from 172.20 ip to 192.168.1.5 I receive responds back yet when I ping 192.168.1.105(just example) I get no response and I start seeing the

Deny udp src outside:71.252.0.12/53 dst Kulow: 10.0.*.*/38269 by access group "outside_access_in"

as well as it saying

Deny udp src kulow:10.0.*.*/prot dst outside:173.255.246.13/port by access-group kulow-access-in

make any sense

Hello, Those logs are not

Julio Carvajal — Tue, 13 Oct 2015 21:54:48 GMT

Hello,

Those logs are not relative to each other.

You are talking about ICMP packets and the logs talk about DNS responses.

Is 192.168.1.105 a valid host? or no device owns that IP?

Note: as long as you are inspecting ICMP and .105 is not the ASA external interface IP you should be good.

Regards

Then why would i be getting

blkulwicki07 — Wed, 14 Oct 2015 00:17:56 GMT

Then why would i be getting those Deny's even though I pretty much have everything open to come inbound.

Yes 105 is a valid host its the asa. I am unable to ping the asa from the cisco wireless network. I even put that ip address within the management ssh or https/asdm and still unable to reach the asa.

I guess I am just trying to figure out what is going on with not being able to reach the asa from the wireless network and why i am seeing those Deny's

Again thank you for responding

Hi,The .105 IP resides on

Rishabh Seth — Wed, 14 Oct 2015 02:55:11 GMT

Hi,

The .105 IP resides on outside interface of ASA. On ASA you cannot ping farside interface.

So basically you can ping Kulow interface from wireless network and not the outside interface. This is how ASA is designed.

Regarding deny logs, I think you should verify your config for acls on outside interface.

Check output of show run access-group and verify the acl.

Thanks,

R.Seth

ahhhh ok that makes sense.

blkulwicki07 — Wed, 14 Oct 2015 13:44:50 GMT

ahhhh ok that makes sense. As far as my sho run access group here is what I have in my config.

Does this look accurate?

access-group outside_access_in in interface outside
access-group Inside_access_in in interface Inside
access-group Kulow_access_in in interface Kulow

Thank you again

Hi, Show access-group shows

Rishabh Seth — Wed, 14 Oct 2015 13:49:31 GMT

Hi,

Show access-group shows you have acls applied on inside, outside and Kulow interfaces.

You can check each acl by checking show run access-list.

Hope it helps!!!

Thanks,

R.Seth

Mark the answer as correct if it helps in resolving your query!!!

Ok so for example here are

blkulwicki07 — Wed, 14 Oct 2015 14:57:08 GMT

Ok so for example here are the acls for each the interfaces that are active

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 any4
access-list outside_access_in extended deny ip any any

access-list Kulow_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 any4
access-list Kulow_access_in extended deny ip any a

Does all look good?

So basically you have

Rishabh Seth — Wed, 14 Oct 2015 15:46:51 GMT

So basically you have permitted traffic for a specific group and denied all other traffic.

This looks good and you can fine tune these ACLs to permit/deny traffic as your network grows.

Hope it answers your query.

Thanks,

R.Seth

Thanks again for your

blkulwicki07 — Wed, 14 Oct 2015 17:46:28 GMT

Thanks again for your knowledge on this. I truly appreciate it!!