access-group deny tcp

randydrobinson · ‎05-08-2014

Looking for direction on where to isolate why the source (a.a.a.a) is not able to establish http connection with dst. I see these entries in the logs on the ASA.

Apr 24 2014 18:12:10: %ASA-4-106023: Deny tcp src AHMCORP:a.a.a.a/47991 dst inside:172.16.19.32/80 by access-group "AHMCORP_acl" [0x0, 0x0]

Apr 24 2014 18:23:54: %ASA-4-106023: Deny tcp src AHMCORP:a.a.a.a/50470 dst inside:172.16.19.33/80 by access-group "AHMCORP_acl" [0x0, 0x0]

Please advise.

SANTHOSHKUMAR SARAVANAN · ‎05-08-2014

Hi ,

Do you have appropriate firewall rule for this source and destination on your access-list AHMCORP_acl , kindly verify your ACL , have you configured deny statement on your ACL ??

ensure permit rule is above your deny rule .

Syslog message says below information , check on source machine any port scanning attempt is being done

106023

Error Message    %PIX|ASA-4-106023: Deny protocol src 
[interface_name:source_address/source_port] dst 
interface_name:dest_address/dest_port [type {string}, code {code}] by 
access_group acl_ID

Explanation A real IP packet was denied by the ACL. This message displays even if you do not have the log option enabled for an ACL.

Recommended Action If messages persist from the same source address, messages might indicate a foot-printing or port-scanning attempt. Contact the remote host administrators.

HTH

sandy.

randydrobinson · ‎05-12-2014

The ACL does not have a deny statement in the configuration; only the implicit deny at the end of the ACL.

SANTHOSHKUMAR SARAVANAN · ‎05-13-2014

Hi Randy ,

Do a packet tracer from specfied source and destinatin for further troubleshooting . Share me the output of your packet tracer output .

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/p.html#wp1878788

packet-tracer

To enable packet tracing capabilities for packet sniffing and network fault isolation, use the packet-tracer commandin privileged EXEC configuration mode. To disable packet capture capabilities, use the no form of this command.

packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]

no packet-tracer

Syntax Description


input src_int	Specifies the source interface for the packet trace.
protocol	Specifies the protocol type for the packet trace. Available protocol type keywords are icmp, rawip, tcp or udp.
src_addr	Specifies the source address for the packet trace.
src_port	Specifies the source port for the packet trace.
dest_addr	Specifies the destination address for the packet trace.
dest_port	Specifies the destination port for the packet trace.
detailed	(Optional) Provides detailed packet trace information.
xml	(Optional) Displays the trace capture in XML format.

HTH

sandy.

randydrobinson · ‎05-23-2014

I believe the source host(s)/network IPs are missing from the object-group.

Here is unsuccessful packet-tracer output:

asa5545-v8.6(1)2# packet-tracer input AHMCORP tcp x.x.x.x 80 x.x.x.x 80

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-172.16.19.33-(inside-AHMCORP)
nat (inside,AHMCORP) static x.x.x.x
Additional Information:
NAT divert to egress interface inside
Untranslate x.x.x.x/80 to 172.16.19.33/80

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffec8aed620, priority=11, domain=permit, deny=true
        hits=29172452, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=AHMCORP, output_ifc=any

Result:
input-interface: AHMCORP
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

asa5545-v8.6(1)2#

Here is successful packet-tracer output:

asa5545-v8.6(1)2# packet-tracer input AHMCORP tcp x.x.x.x 80 x.x.x.x 80

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-172.16.19.32-(inside-AHMCORP)
nat (inside,AHMCORP) static x.x.x.x
Additional Information:
NAT divert to egress interface inside
Untranslate x.x.x.x/80 to 172.16.19.32/80

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group AHMCORP_acl in interface AHMCORP
access-list AHMCORP_acl extended permit tcp object-group corpahm object-group virtwebs object-group prodsvcs log
object-group network corpahm
<removed - source IP of the unsuccessful packet-tracer is not contained in the object-group>
object-group network virtwebs
network-object host 172.16.19.32
network-object host 172.16.19.33
object-group service prodsvcs tcp
port-object eq www
port-object eq https
port-object eq 446
Additional Information:

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network obj-172.16.19.32-(inside-AHMCORP)
nat (inside,AHMCORP) static x.x.x.x
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 505119575, packet dispatched to next module

Result:
input-interface: AHMCORP
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

asa5545-v8.6(1)2#