Drop-reason: (acl-drop) ACL Problems

Mizanul Islam — Tue, 12 Mar 2019 03:44:51 GMT

Hi All,

Unable to Access Inside PC from outside network. Here is the error given below. I have configure access-list outside any any

also i have configured icmp any any but i couldn't communicate. I have check all access-list and access-group. everything ok.

%ASA-3-106014: Deny inbound icmp src interface_name: IP_address dst 
interface_name: IP_address (type dec, code dec)

PID: ASA5515

Software Version 9.0(4)

-01# sho run

: Saved

ASA Version 9.0(4)

enable password fNfvz0nxWqnzuVsW encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface GigabitEthernet0/0

description *** Connected to CORE-SW-01 ***

channel-group 11 mode active

no nameif

no security-level

no ip address

interface GigabitEthernet0/1

description *** Connected to CORE-SW-01 ***

channel-group 11 mode active

no nameif

no security-level

no ip address

interface GigabitEthernet0/2

no nameif

security-level 0

no ip address

interface GigabitEthernet0/2.32

vlan 32

nameif inside

security-level 100

ip address 10.98.32.3 255.255.255.0

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/4

description LAN/STATE Failover Interface

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

interface Management0/0

management-only

nameif managment

security-level 0

ip address 10.10.111.1 255.255.255.0

interface Port-channel11

description *** Connected to CORE-SW ***

nameif outside

security-level 100

ip address 10.98.8.90 255.255.255.248 standby 10.98.8.91

boot system disk0:/asa904-smp-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name midlandbankbd.net

object network IT-Network

subnet 10.108.1.0 255.255.255.0

access-list test extended permit icmp any 10.98.32.0 255.255.255.0

access-list IPS_ACL extended permit ip any4 any4

access-list test1 extended permit ip any any

pager lines 24

logging enable

logging buffered informational

logging trap informational

logging asdm informational

mtu inside 1500

mtu managment 1500

mtu outside 1500

failover

failover lan unit primary

failover lan interface failover GigabitEthernet0/4

failover polltime unit msec 200 holdtime msec 800

failover polltime interface msec 500 holdtime 5

failover key *****

failover replication http

failover link failover GigabitEthernet0/4

failover interface ip failover 10.98.60.1 255.255.255.252 standby 10.98.60.2

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

access-group test1 in interface inside

access-group test in interface outside

route outside 10.108.1.0 255.255.255.0 10.98.8.89 1

route outside 10.108.200.247 255.255.255.255 10.98.8.89 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http server idle-timeout 5

http server session-timeout 5

http 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 managment

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 managment

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username mdbladmin password xmMhtANupK0CJ7AP encrypted privilege 15

class-map IPS_CL_MAP

match access-list IPS_ACL

class-map inspection_default

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map CMP_DMZ_MAIL_SMTP

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect http

inspect dns preset_dns_map dynamic-filter-snoop

inspect icmp

class IPS_CL_MAP

ips inline fail-close

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http

https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email

callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly 3

subscribe-to-alert-group configuration periodic monthly 3

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:e540d639228d4fa4b3e9c2273432be88

: end

============================================

mdbl-Inside-fw-01# packet-tracer input outside icmp 10.108.1.100 0 8 10.98.32.$

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2da43dd0, priority=13, domain=capture, deny=false
        hits=2937, user_data=0x7fff27903bc0, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=outside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2cd7c110, priority=1, domain=permit, deny=false
        hits=13979, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=outside, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.98.32.0 255.255.255.0 inside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2cd7dfc0, priority=110, domain=permit, deny=true
        hits=969, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

mdbl-Inside-fw-01#

==========================================

Re: Drop-reason: (acl-drop) ACL Problems

Jouni Forss — Thu, 13 Feb 2014 07:39:21 GMT

Hi,

There is atleast a problem related to your interfaces "security-level" setting.

Although the ACLs override the "security-level" value generally there is certain situation which cause problems in passing traffic. In your case the problem comes from the fact that you have your internal and external interface at the same "security-level 100"

interface Port-channel11

description *** Connected to CORE-SW ***

nameif outside

security-level 100

ip address 10.98.8.90 255.255.255.248 standby 10.98.8.91

interface GigabitEthernet0/2.32

vlan 32

nameif inside

security-level 100

ip address 10.98.32.3 255.255.255.0

Your problem would probably be corrected by setting the external interface to the typical "security-level 0" value

interface Port-Channel11

security-level 0

Notice also that you have only allowed ICMP from behind the external interface so make necesary additions to the ACLs to allow required connections. Also make sure you have the correct routes for the different networks as you dont have any default route configured at the moment.

Hope this helps

Let me know how it goes.

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni

topic Drop-reason: (acl-drop) ACL Problems in Network Security

Drop-reason: (acl-drop) ACL Problems

Re: Drop-reason: (acl-drop) ACL Problems