08-12-2010 08:31 AM - edited 03-11-2019 11:24 AM
I have three interfaces configured, outside, inside and dhcp. The IP for the inside is 10.10.220.101 and dhcp is 10.10.230.1, with same-security-traffic permit intra-interface configured but still not able to communicate between interfaces. The error I receive from packet-tracer is (acl-drop) flow is denied by configured rule.
08-12-2010 02:46 PM
I am heading out for the day but will run one tomorrow and post
Thank you,
08-13-2010 11:06 AM
edge(config)# packet-tracer input inside icmp 10.10.220.101 8 0 10.10.200.105 $
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.200.0 255.255.255.0 LANDHCP
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3802b20, priority=500, domain=permit, deny=true
hits=6, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.10.220.101, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: LANDHCP
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
edge(config)#
edge(config)# packet-tracer input inside icmp 10.10.220.101 8 0 10.10.200.1 de$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.200.1 255.255.255.255 identity
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3802b20, priority=500, domain=permit, deny=true
hits=7, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.10.220.101, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
edge(config)# packet-tracer input inside icmp 10.10.200.1 8 0 10.10.200.105 de$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.200.0 255.255.255.0 LANDHCP
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x4273218, priority=2, domain=permit, deny=false
hits=0, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x37f35b0, priority=0, domain=permit-ip-option, deny=true
hits=37898762, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x37f5180, priority=66, domain=inspect-icmp-error, deny=false
hits=196678, user_data=0x37f50b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any LANDHCP any
dynamic translation to pool 1 (No matching global)
translate_hits = 1, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x42cb620, priority=1, domain=nat, deny=false
hits=0, user_data=0x426a0e8, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: LANDHCP
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
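Reading several of these traces side by side is error-prone, so here is a small parser that pulls out the first phase whose Result is DROP, the Config lines that phase matched, and the final Drop-reason. This is an added example, not part of the thread and not a Cisco tool; the embedded trace is constructed to mirror the shape of the output quoted above, and the "hint" text for the NAT case is my own wording of the advice given later in the thread.

```python
# Constructed sample, modelled on the shape of the ASA packet-tracer output
# quoted in this thread (phase numbers and addresses are illustrative).
SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.200.0 255.255.255.0 LANDHCP
Phase: 3
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any LANDHCP any
dynamic translation to pool 1 (No matching global)
translate_hits = 1, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x42cb620, priority=1, domain=nat, deny=false
Result:
input-interface: inside
input-status: up
output-interface: LANDHCP
output-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_trace(text):
    """Split packet-tracer output into a list of phase dicts and a summary dict.

    Each phase records its number, Type, Subtype, Result and the lines under
    its Config: and Additional Information: headers. The bare "Result:" line
    (no value) opens the final summary block with interface status, Action
    and Drop-reason.
    """
    phases, summary = [], {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = {"number": int(line.split(":", 1)[1]), "type": "",
                       "subtype": "", "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif line == "Result:":  # bare header: the per-phase list is finished
            current, section = None, "summary"
        elif section == "summary":
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
        elif current is None:
            continue
        elif line.startswith("Type:"):
            current["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            current["subtype"] = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current["result"] = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section in ("config", "info"):
            current[section].append(line)
    return phases, summary


def find_drop(phases):
    """Return the first phase whose Result is DROP, or None if all allowed."""
    return next((p for p in phases if p["result"] == "DROP"), None)


def explain(text):
    """Summarise a trace: dropping phase, matched config lines, drop reason.

    The hint is only raised for the NAT case seen in this thread, where the
    dynamic NAT rule matched but no global existed on the egress interface.
    """
    phases, summary = parse_trace(text)
    verdict = {"action": summary.get("Action", ""), "phase": None, "type": None,
               "config": [], "reason": summary.get("Drop-reason", ""), "hint": ""}
    drop = find_drop(phases)
    if drop is None:
        return verdict
    verdict.update(phase=drop["number"], type=drop["type"], config=drop["config"])
    if drop["type"] == "NAT" and any("No matching global" in c for c in drop["config"]):
        verdict["hint"] = "no NAT rule covers this interface pair: add identity NAT or NAT exemption"
    return verdict


if __name__ == "__main__":
    v = explain(SAMPLE_TRACE)
    print(f"phase {v['phase']} ({v['type']}) -> {v['action']}: {v['reason']}")
    for line in v["config"]:
        print("   ", line)
    if v["hint"]:
        print("hint:", v["hint"])
```

Paste a real trace in place of SAMPLE_TRACE (or read it from a file) and the output names the phase to look at first; on the third trace above that is Phase 6, the NAT phase, rather than the generic acl-drop reason printed at the end.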
08-13-2010 12:08 PM
Hello,
You are missing NAT statements between inside and LANDHCP. Please configure
identity NAT between the interfaces:
static (inside,LANDHCP) 10.10.220.0 10.10.220.0 netmask 255.255.255.0
static (LANDHCP,inside) 10.10.230.0 10.10.230.0 netmask 255.255.255.0
This should allow communication between the inside and LANDHCP interfaces.
Hope this helps.
Regards,
NT
08-13-2010 12:32 PM
I am still getting the following; also I cannot ping from a node on the 10.10.220.0 network to 10.10.200.1, which is the interface on the ASA.
packet-tracer input inside icmp 10.10.220.101 8 0 10.10.200.1 de$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (LANDHCP,inside) 10.10.200.0 10.10.200.0 netmask 255.255.255.0
match ip LANDHCP 10.10.200.0 255.255.255.0 inside any
static translation to 10.10.200.0
translate_hits = 3, untranslate_hits = 34
Additional Information:
NAT divert to egress interface LANDHCP
Untranslate 10.10.200.0/0 to 10.10.200.0/0 using netmask 255.255.255.0
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3802b20, priority=500, domain=permit, deny=true
hits=10, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.10.220.101, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: LANDHCP
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
edge(config)#
08-13-2010 12:38 PM
Hello,
First of all, you cannot ping an interface IP from workstations connected to
a different interface. The firewall natively blocks that traffic for
security reasons.
I see from your packet tracer that you are trying to ping the 10.10.200.1 IP. I
am not seeing that IP in your configuration (maybe I am missing something).
Can you please post your current running configuration here?
Regards,
NT
08-15-2010 07:53 AM
Try NAT exemption for traffic from inside to the dhcp interface.
10-12-2010 11:10 AM
There were two issues: I had to add NAT statements, and I was also connecting through the same switch, thus creating a loop.
Added NAT statements and segmented the networks and all works great!
Thank you to everyone who responded.
Stephen
10-29-2011 12:36 AM
Hello Stephen, how did you solve it? I have the same problem as you had.
Tony