Can someone verify this Packet-Tracer Output?

techinneed
Level 1

Trying to allow inbound access from any host outside to my LAN server on port 995.  Thank you so much!

asa5505# pack input outs tcp 4.2.2.2 3232 X.X.X.X 995 ---- X.X.X.X external IP

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp interface 995 192.168.1.2 995 netmask 255.255.255.255
  match tcp inside host 192.168.1.2 eq 995 outside any
    static translation to X.X.X.X/995
    translate_hits = 18, untranslate_hits = 1
Additional Information:
NAT divert to egress interface inside
Untranslate X.X.X.X/995 to 192.168.1.2/995 using netmask 255.255.255.255

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_in in interface outside
access-list outside_in extended permit tcp any host X.X.X.X eq 995
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) tcp interface 995 192.168.1.2 995 netmask 255.255.255.255
  match tcp inside host 192.168.1.2 eq 995 outside any
    static translation to X.X.X.X/995
    translate_hits = 18, untranslate_hits = 1
Additional Information:

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
  match tcp inside host 192.168.1.2 eq 25 outside any
    static translation to X.X.X.X/25
    translate_hits = 13, untranslate_hits = 2923
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 55801166, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

asa5505#

Accepted Solution

V S Narayana Chivukula
Cisco Employee

Hi,

The packet-tracer shows that packets are allowed from anywhere on the Internet to your server's mapped IP (external interface of the firewall) on port 995. They are getting translated to the real IP address 192.168.1.2 and the access-list is allowing them. So as per the trace the traffic is allowed through the ASA.

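The answer above reads the trace by hand: every phase says ALLOW, the UN-NAT phase maps the outside address to 192.168.1.2, and the `outside_in` ACL permits the packet. The script below, an added example that is neither from this thread nor from Cisco, does the same reading mechanically so a trace can be checked before a change window closes: it parses the `Phase:` blocks and the final `Result:` block, reports the first phase that did not ALLOW, pulls the NAT mapping and the matching access-list entry, and flags an entry whose source is `any`, which is the security-relevant fact in this trace (port 995 is reachable from the whole Internet, which may be exactly what was intended). Both traces embedded in it are constructed: `SAMPLE_ALLOW` condenses the thread's output with the masked external IP replaced by the documentation address 203.0.113.10, and `SAMPLE_DROP` is an invented trace of the same shape whose interface ACL denies the packet, so the script goes one step past the thread's allow-only case. The `Drop-reason:` line is the ASA's own format for a denied trace, but its text here is constructed, not copied from a device.

```python
"""Parse Cisco ASA packet-tracer output and summarise what the trace proves.
Added example, not code from the thread or from Cisco. Both traces are constructed:
SAMPLE_ALLOW condenses the thread's trace (external IP replaced by 203.0.113.10),
SAMPLE_DROP is an invented trace whose interface ACL denies the packet."""
import re
from dataclasses import dataclass, field

SAMPLE_ALLOW = """\
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp interface 995 192.168.1.2 995 netmask 255.255.255.255
Additional Information:
Untranslate 203.0.113.10/995 to 192.168.1.2/995 using netmask 255.255.255.255

Phase: 4
Type: ACCESS-LIST
Result: ALLOW
Config:
access-group outside_in in interface outside
access-list outside_in extended permit tcp any host 203.0.113.10 eq 995

Result:
Action: allow
"""

SAMPLE_DROP = """\
Phase: 1
Type: ACCESS-LIST
Result: DROP
Config:
access-group outside_in in interface outside

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)
    info: list = field(default_factory=list)


def parse_trace(text):
    """Return (phases, final): the Phase blocks and the key/value lines after the bare 'Result:'."""
    phases, final, cur, section, in_final = [], {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            cur, section = Phase(int(line.split(":", 1)[1])), None
            phases.append(cur)
        elif line == "Result:":                 # a bare 'Result:' opens the final verdict block
            in_final, cur = True, None
        elif in_final:
            key, _, value = line.partition(":")
            final[key.strip()] = value.strip()
        elif cur is None:
            continue                            # text before Phase 1 (e.g. the echoed command)
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, value = line.partition(":")
            setattr(cur, key.lower(), value.strip())
        elif line == "Config:":
            section = cur.config
        elif line == "Additional Information:":
            section = cur.info
        elif section is not None:
            section.append(line)
    return phases, final


def nat_untranslate(phases):
    """(mapped IP, mapped port, real IP, real port) from the UN-NAT phase, or None."""
    for p in phases:
        for line in (p.info if p.type == "UN-NAT" else []):
            m = re.match(r"Untranslate (\S+)/(\d+) to (\S+)/(\d+)", line)
            if m:
                return m[1], int(m[2]), m[3], int(m[4])
    return None


def summarise(text):
    """Verdict, first blocking phase, NAT mapping, the matching ACE and whether it is open to any source."""
    phases, final = parse_trace(text)
    blocker = next((p for p in phases if p.result != "ALLOW"), None)
    # the ACE echoed in an ACCESS-LIST phase; an implicit deny shows no access-list line
    ace = next((l for p in phases if p.type == "ACCESS-LIST"
                for l in p.config if l.startswith("access-list")), None)
    return {
        "allowed": blocker is None and final.get("Action") == "allow",
        "blocked_at": f"{blocker.number} {blocker.type}" if blocker else None,
        "drop_reason": final.get("Drop-reason"),
        "untranslate": nat_untranslate(phases),
        "ace": ace,
        # a source of 'any' means the mapped port is reachable from the whole Internet
        "open_to_any": bool(ace and re.search(r"\bpermit \w+ any\b", ace)),
    }
```

Paste a full trace (the thread's output works unchanged once the masked X.X.X.X addresses are filled in) into `summarise()`; for the allow trace it returns `allowed: True`, the 203.0.113.10/995 to 192.168.1.2/995 mapping and `open_to_any: True`, and for the deny trace it names the phase that blocked the packet together with the ASA's drop reason. Checking `open_to_any` is the part worth keeping in a change checklist: a trace that is "allowed" is only good news if the source scope in the ACE is what you meant to expose.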

