Does packet input ever report the wrong thing?

evan.r.moore — Tue, 12 Mar 2019 04:12:21 GMT

Hello All.

Consider these bits of configuration from my ASA:

ASA Version 9.1(3)
!
hostname wnsk-asa

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain

object network callhost-inside
host 10.3.2.25
object network callhost-outside
host 209.198.173.58

object-group network EQUINOX
network-object host 175.146.14.236
network-object 175.77.48.96 255.255.255.224
network-object 209.198.187.0 255.255.255.0

access-list inbound12 extended permit tcp object-group EQUINOX host 10.3.2.25 eq 3389
access-list inbound12 extended permit tcp object-group EQUINOX host 10.3.2.25 eq 5900
access-list inbound12 extended permit tcp object-group EQUINOX host 10.3.2.25 eq ftp

access-list awcc_vpn extended permit ip host 10.3.2.25 host 172.31.250.150

nat (server-lan,itrunk) source static callhost-inside callhost-inside destination static awcc awcc no-proxy-arp route-lookup
!
object network wnsk
nat (server-lan,itrunk) dynamic WNSK-POOL
object network callhost-inside
nat (server-lan,itrunk) static callhost-outside
object network vpnpool
nat (itrunk,itrunk) dynamic WNSK-POOL
access-group inbound12 in interface itrunk

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00

: end

When I check my setup with packet input, I get this:

wnsk-asa# packet input itrunk tcp 209.198.187.78 22222 10.3.2.25 3389

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.3.2.0 255.255.255.0 server-lan

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inbound12 in interface itrunk
access-list inbound12 extended permit tcp object-group EQUINOX host 10.3.2.25 eq 3389
object-group network EQUINOX
network-object host 175.146.14.236
network-object 175.77.48.96 255.255.255.224
network-object 209.198.187.0 255.255.255.0
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network callhost-inside
nat (server-lan,itrunk) static callhost-outside
Additional Information:

Result:
input-interface: itrunk
input-status: up
input-line-status: up
output-interface: server-lan
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

When I actually get on the host at 209.198.187.78 and attempt to connect to port 3389 of 209.198.173.58, it works. Packet input says it will not work. What am I getting wrong, or is the ASA tricking me?

ERM

n your packet-tracer string

Marvin Rhoads — Fri, 16 May 2014 22:19:55 GMT

In your packet-tracer string you direct the ASA to tell you about reachability of "10.3.2.25 3389". In your text you mention being able to get to "port 3389 of 209.198.173.58".

Which of those two are you trying to figure out?

topic Does packet input ever report the wrong thing? in Network Security

Does packet input ever report the wrong thing?

n your packet-tracer string