topic Re: Drop-reason: (acl-drop) Flow is denied by configured rule in Network Security

Drop-reason: (acl-drop) Flow is denied by configured rule

CY Ko — Fri, 21 Feb 2020 16:30:28 GMT

Actually, I want to allow FTP from outside to inside, but the packet tracer display "Drop-reason: (acl-drop) Flow is denied by configured rule". I must be wrong something. I have attached my config. Any assistance would be greatly appreciated.

Re: Drop-reason: (acl-drop) Flow is denied by configured rule

Sheraz.Salim — Tue, 27 Nov 2018 12:57:49 GMT

try this

object network ANY
subnet 0.0.0.0 0.0.0.0
nat (outside,inside) source dynamic ANY interface destination static FTP_Inside FTP_Inside service FTP FTP

--- --------

"Where ANY is outside world could be any public ip address and interface mean your ASA outside interface"

also

remove this

no same-security-traffic permit inter-interface
no same-security-traffic permit intra-interface

make sure you do this in change window.

Regards.

Re: Drop-reason: (acl-drop) Flow is denied by configured rule

Sheraz.Salim — Tue, 27 Nov 2018 13:34:34 GMT

I had a look on your config here are my thoughts

ASA Version 9.1(2)
!
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
ftp mode passive
//////////////////////NO NEED TO THESE COMMAND////////
no same-security-traffic permit inter-interface
no same-security-traffic permit intra-interface
/////////////////////////////////////////////////////////
!
object network INSIDE_SUBNET
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source dynamic any interface
!
object service FTP
service tcp destination eq ftp
!
object network FTP_Inside (TRY THIS- DO packet tracer input outside tcp 8.8.8.8 12345 192.168.1.24 ftp detail)
host 192.168.1.24
nat (inside,outside) static interface service tcp ftp ftp /////THIS RULE WILL CONNTED THE OUTSIDE CLIENT to ASA OUTSIDE INTERFACE IP, THAN ASA WILL MAPPED THE OUTSIDE IP TO FTP_Inside//////
!
object network FTP_Outside
host x.x.x.x (Public IP??)
!
object service Passive_FTP
service tcp destination range 30000 35000
!
object service passive_FTP
service tcp destination range 30000 35000
!
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
!
////
access-list Outside_access_in extended permit tcp any host 192.168.1.24
////
no access-list Outside_access_in extended permit tcp object FTP_Outside object FTP_Inside eq ftp
no access-list Outside_access_in extended permit tcp object FTP_Outside object FTP_Inside eq ftp-data
no access-list Outside_access_in extended permit tcp any object FTP_Outside eq ftp
///////////////////////////////////////////////

/////You dont need this as traffic from inside to outside (higher to lower) does not need access-rule////
no access-list inside_access_in extended permit ip any any
///////////////////////////////////////////////////////////
access-list global_access extended permit tcp any any

//////////////////////////////////DONT NEED THIS//////////////////////
nat (outside,outside) source dynamic any interface destination static FTP_Inside FTP_Inside service FTP FTP
/////////////////////////////////////////////////////////////////////////////////////////////////////////////

access-group Outside_access_in in interface outside

/////////////////////////////////NO NEED THIS////////////////////
access-group inside_access_in in interface inside
/////////////////////////////////////////////////////////////////////////

access-group global_access global
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

Re: Drop-reason: (acl-drop) Flow is denied by configured rule

mkazam001 — Tue, 27 Nov 2018 14:51:40 GMT

you need these cmds to allow the asa to keep the connections in the state table:

policy-map global_policy

class inspection_default

inspect ftp

ensure you have both of these in the object group:

object-group service obj-ftp tcp

port-object eq ftp

port-object eq ftp-data

access-list outside-in extended permit tcp any host ftp-svr-ip object-group obj-ftp - enter actual svr ip

try packet-tracer input outside tcp source-ip 12345 ftp-svr-ip 21 det - to get info on where the problem may lie - enter actual ftp server ip

regards, mk

please rate if helpful or solved 🙂

Re: Drop-reason: (acl-drop) Flow is denied by configured rule

Sheraz.Salim — Tue, 27 Nov 2018 15:01:20 GMT

hi mkazam001 i thought the nat problem issue as if you see the nat statement its wrong?

Re: Drop-reason: (acl-drop) Flow is denied by configured rule

mkazam001 — Tue, 27 Nov 2018 15:09:11 GMT

i didn't mention that as you already had - nat (outside,outside) is incorrect

regards, mk

Re: Drop-reason: (acl-drop) Flow is denied by configured rule

CY Ko — Wed, 28 Nov 2018 02:08:30 GMT

Dear sherazrose,

1. object network FTP_Inside (TRY THIS- DO packet tracer input outside tcp 8.8.8.8 12345 192.168.1.24 ftp detail)
host 192.168.1.24
Ans: It still the same problem.

2. host x.x.x.x (Public IP??)
Ans:Yes

What should I next step? Thanks.

Re: Drop-reason: (acl-drop) Flow is denied by configured rule

venkat_n7 — Wed, 28 Nov 2018 04:13:05 GMT

looks like, it should be nat issue. and also use "object-group's" instead of "object network's" to be more clear with config.

creat an object grroup for ftp ports and add them in it and then use in acl to allow.

Re: Drop-reason: (acl-drop) Flow is denied by configured rule

CY Ko — Wed, 28 Nov 2018 06:08:32 GMT

Dear mkazam001,

After that, it still the same problem. Do you have any idea what's problem is it?

Re: Drop-reason: (acl-drop) Flow is denied by configured rule

Sheraz.Salim — Wed, 28 Nov 2018 15:31:04 GMT

yes fix you nat statement.

Re: Drop-reason: (acl-drop) Flow is denied by configured rule

hanumat-lodha — Mon, 10 Feb 2025 08:38:01 GMT

access-list acl-outside extended permit tcp 103.214.158.32 255.255.255.252 host 10.156.2.142 eq https
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network NAT-10.156.2.142_138.107.12.93
nat (DMZ-1,OUTSIDE) static 138.107.12.93
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: DMZ-1
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule