05-08-2014 04:14 PM - edited 03-11-2019 09:10 PM
Looking for direction on where to isolate why the source (a.a.a.a) is not able to establish an HTTP connection with the destination. I see these entries in the logs on the ASA.
Apr 24 2014 18:12:10: %ASA-4-106023: Deny tcp src AHMCORP:a.a.a.a/47991 dst inside:172.16.19.32/80 by access-group "AHMCORP_acl" [0x0, 0x0]
Apr 24 2014 18:23:54: %ASA-4-106023: Deny tcp src AHMCORP:a.a.a.a/50470 dst inside:172.16.19.33/80 by access-group "AHMCORP_acl" [0x0, 0x0]
Please advise.
05-08-2014 07:33 PM
Hi ,
Do you have an appropriate firewall rule for this source and destination in your access-list AHMCORP_acl? Kindly verify your ACL. Have you configured a deny statement on your ACL?
Ensure the permit rule is above your deny rule.
The syslog message gives the information below; check whether any port-scanning attempt is being made from the source machine.
Error Message %PIX|ASA-4-106023: Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_ID
Explanation A real IP packet was denied by the ACL. This message displays even if you do not have the log option enabled for an ACL.
Recommended Action If messages persist from the same source address, messages might indicate a foot-printing or port-scanning attempt. Contact the remote host administrators.
HTH
sandy.
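As an added example (not part of sandy's reply or of the original thread), the following Python script parses %ASA-4-106023 deny messages and applies the heuristic from the recommended action above: repeated denies from the same source across many ports or hosts look like footprinting, while a source that is only denied for the services the ACL is meant to permit points at a policy gap. The log lines are constructed for the example, with 192.0.2.0/24 standing in for the thread's anonymised a.a.a.a; the thresholds in classify() are assumptions, not ASA defaults.

```python
import re
from collections import defaultdict

# Regex for the 106023 deny message, following the format quoted from the
# Cisco syslog reference above. The trailing "[0x0, 0x0]" is not needed.
DENY_RE = re.compile(
    r'%(?:PIX|ASA)-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample log lines (assumption: 192.0.2.10 plays the role of the
# thread's a.a.a.a, 192.0.2.77 is a made-up scanner). Not lines from the thread.
SAMPLE_LOG = """\
Apr 24 2014 18:12:10: %ASA-4-106023: Deny tcp src AHMCORP:192.0.2.10/47991 dst inside:172.16.19.32/80 by access-group "AHMCORP_acl" [0x0, 0x0]
Apr 24 2014 18:23:54: %ASA-4-106023: Deny tcp src AHMCORP:192.0.2.10/50470 dst inside:172.16.19.33/80 by access-group "AHMCORP_acl" [0x0, 0x0]
Apr 24 2014 18:30:01: %ASA-4-106023: Deny tcp src AHMCORP:192.0.2.77/40001 dst inside:172.16.19.32/21 by access-group "AHMCORP_acl" [0x0, 0x0]
Apr 24 2014 18:30:01: %ASA-4-106023: Deny tcp src AHMCORP:192.0.2.77/40002 dst inside:172.16.19.32/22 by access-group "AHMCORP_acl" [0x0, 0x0]
Apr 24 2014 18:30:02: %ASA-4-106023: Deny tcp src AHMCORP:192.0.2.77/40003 dst inside:172.16.19.32/23 by access-group "AHMCORP_acl" [0x0, 0x0]
Apr 24 2014 18:30:02: %ASA-4-106023: Deny tcp src AHMCORP:192.0.2.77/40004 dst inside:172.16.19.32/25 by access-group "AHMCORP_acl" [0x0, 0x0]
Apr 24 2014 18:30:03: %ASA-4-106023: Deny tcp src AHMCORP:192.0.2.77/40005 dst inside:172.16.19.32/443 by access-group "AHMCORP_acl" [0x0, 0x0]
Apr 24 2014 18:31:00: %ASA-4-106023: Deny udp src AHMCORP:192.0.2.10/5353 dst inside:172.16.19.32/5353 by access-group "AHMCORP_acl" [0x0, 0x0]
Apr 24 2014 18:31:05: %ASA-6-302013: Built inbound TCP connection 12345 for AHMCORP:192.0.2.10/50471 (192.0.2.10/50471) to inside:172.16.19.32/80 (172.16.19.32/80)
"""


def parse_denies(text):
    """Yield one dict per 106023 line; every other syslog line is ignored."""
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            yield m.groupdict()


def summarize_by_source(text):
    """Per source IP: number of denies, distinct destination hosts, distinct (proto, port)."""
    summary = defaultdict(lambda: {"denies": 0, "dst_hosts": set(), "dst_ports": set()})
    for d in parse_denies(text):
        s = summary[d["src_ip"]]
        s["denies"] += 1
        s["dst_hosts"].add(d["dst_ip"])
        s["dst_ports"].add((d["proto"], int(d["dst_port"])))
    return dict(summary)


def classify(summary, scan_ports=5, sweep_hosts=5):
    """Crude triage (thresholds are assumptions): many distinct ports from one
    source looks like a port scan, many distinct hosts looks like a sweep, and a
    source denied only on a couple of expected services is more likely an ACL or
    object-group gap, which is what the packet-tracer later in this thread confirms."""
    verdicts = {}
    for src, s in summary.items():
        if len(s["dst_ports"]) >= scan_ports:
            verdicts[src] = "possible port scan"
        elif len(s["dst_hosts"]) >= sweep_hosts:
            verdicts[src] = "possible host sweep"
        else:
            verdicts[src] = "likely policy gap (check ACL/object-group)"
    return verdicts


if __name__ == "__main__":
    summary = summarize_by_source(SAMPLE_LOG)
    for src, verdict in classify(summary).items():
        s = summary[src]
        print(f"{src}: {s['denies']} denies, {len(s['dst_hosts'])} hosts, "
              f"{len(s['dst_ports'])} ports -> {verdict}")
```

Run it against `show logging` output or a syslog export; 192.0.2.10 is flagged as a policy gap (two web servers, port 80 only) while 192.0.2.77 trips the port-scan threshold.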
05-12-2014 01:08 PM
The ACL does not have a deny statement in the configuration; only the implicit deny at the end of the ACL.
05-13-2014 04:09 AM
Hi Randy ,
Do a packet tracer from the specified source and destination for further troubleshooting. Share the output of your packet tracer with me.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/p.html#wp1878788
To enable packet tracing capabilities for packet sniffing and network fault isolation, use the packet-tracer command in privileged EXEC mode. To disable packet capture capabilities, use the no form of this command.
packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]
no packet-tracer
HTH
sandy.
05-23-2014 02:38 PM
I believe the source host(s)/network IPs are missing from the object-group.
Here is unsuccessful packet-tracer output:
asa5545-v8.6(1)2# packet-tracer input AHMCORP tcp x.x.x.x 80 x.x.x.x 80
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-172.16.19.33-(inside-AHMCORP)
nat (inside,AHMCORP) static x.x.x.x
Additional Information:
NAT divert to egress interface inside
Untranslate x.x.x.x/80 to 172.16.19.33/80
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffec8aed620, priority=11, domain=permit, deny=true
hits=29172452, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=AHMCORP, output_ifc=any
Result:
input-interface: AHMCORP
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
asa5545-v8.6(1)2#
Here is successful packet-tracer output:
asa5545-v8.6(1)2# packet-tracer input AHMCORP tcp x.x.x.x 80 x.x.x.x 80
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-172.16.19.32-(inside-AHMCORP)
nat (inside,AHMCORP) static x.x.x.x
Additional Information:
NAT divert to egress interface inside
Untranslate x.x.x.x/80 to 172.16.19.32/80
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group AHMCORP_acl in interface AHMCORP
access-list AHMCORP_acl extended permit tcp object-group corpahm object-group virtwebs object-group prodsvcs log
object-group network corpahm
<removed - source IP of the unsuccessful packet-tracer is not contained in the object-group>
object-group network virtwebs
network-object host 172.16.19.32
network-object host 172.16.19.33
object-group service prodsvcs tcp
port-object eq www
port-object eq https
port-object eq 446
Additional Information:
Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network obj-172.16.19.32-(inside-AHMCORP)
nat (inside,AHMCORP) static x.x.x.x
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 505119575, packet dispatched to next module
Result:
input-interface: AHMCORP
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
asa5545-v8.6(1)2#
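As an added example (not part of Randy's post and not ASA code), the following Python script models the Phase 2 ACCESS-LIST lookup shown in the two packet-tracer runs: it parses the object-groups and the single permit ACE from the successful trace, walks the ACL top-down, and falls through to the implicit deny when no ACE matches. The members of object-group corpahm were removed from the post, so the two network-objects given for it here are an assumption; the ACE, virtwebs and prodsvcs are copied from the successful output. The script only understands the subset of ASA syntax that appears above (host, network/mask, object-group, eq, any); nested group-object and protocol object-groups are not handled.

```python
import ipaddress

# ASA port names used in the thread's config (subset; assumption for the example).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21, "smtp": 25, "domain": 53}

# Constructed config modelled on the successful packet-tracer output. The two
# corpahm members are an assumption (the thread removed them); the rest is verbatim.
SAMPLE_CONFIG = """\
object-group network corpahm
 network-object 10.50.0.0 255.255.0.0
 network-object host 10.60.1.5
object-group network virtwebs
 network-object host 172.16.19.32
 network-object host 172.16.19.33
object-group service prodsvcs tcp
 port-object eq www
 port-object eq https
 port-object eq 446
access-list AHMCORP_acl extended permit tcp object-group corpahm object-group virtwebs object-group prodsvcs log
"""


def _port(tok):
    """Numeric port or ASA port name; unknown names become None (never match)."""
    return int(tok) if tok.isdigit() else PORT_NAMES.get(tok)


def parse_config(text):
    """Return ({group_name: {"kind", "members"}}, {acl_name: [ace tokens, ...]})."""
    groups, acls, current = {}, {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        t = line.split()
        if not line.startswith(" "):  # top-level statement
            current = None
            if t[0] == "object-group":
                current = groups.setdefault(t[2], {"kind": t[1], "members": []})
            elif t[0] == "access-list" and t[2] == "extended":
                acls.setdefault(t[1], []).append(t[3:])
        elif current and current["kind"] == "network" and t[0] == "network-object":
            if t[1] == "host":
                current["members"].append(ipaddress.ip_network(t[2]))
            else:  # network-object <net> <mask>
                current["members"].append(ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False))
        elif current and current["kind"] == "service" and t[0] == "port-object" and t[1] == "eq":
            current["members"].append(_port(t[2]))
    return groups, acls


def _take_addr(tok, i, groups):
    """Consume one address spec at tok[i]; return (match(ip), next index)."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    if tok[i] == "host":
        net = ipaddress.ip_network(tok[i + 1])
        return (lambda ip: ip in net), i + 2
    if tok[i] == "object-group":
        nets = groups[tok[i + 1]]["members"]
        return (lambda ip: any(ip in n for n in nets)), i + 2
    net = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)
    return (lambda ip: ip in net), i + 2


def _take_port(tok, i, groups):
    """Consume an optional port spec (eq N | object-group <service>); default matches all."""
    if i + 1 < len(tok) and tok[i] == "eq":
        p = _port(tok[i + 1])
        return (lambda port: port == p), i + 2
    if i + 1 < len(tok) and tok[i] == "object-group" and groups[tok[i + 1]]["kind"] == "service":
        ports = set(groups[tok[i + 1]]["members"])
        return (lambda port: port in ports), i + 2
    return (lambda port: True), i


def evaluate(acl_name, acls, groups, proto, src, dst, dport):
    """First-match ACL walk, as in the ASA; ('deny', 'implicit') if nothing matches."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(acls.get(acl_name, []), 1):
        if ace[1] not in ("ip", proto):
            continue
        src_ok, i = _take_addr(ace, 2, groups)
        _sport_ok, i = _take_port(ace, i, groups)  # source port spec, if any
        dst_ok, i = _take_addr(ace, i, groups)
        dport_ok, i = _take_port(ace, i, groups)
        if src_ok(src_ip) and dst_ok(dst_ip) and dport_ok(dport):
            return ace[0], n
    return "deny", "implicit"


def lookup(src, dst, dport, proto="tcp", acl="AHMCORP_acl", config=SAMPLE_CONFIG):
    groups, acls = parse_config(config)
    return evaluate(acl, acls, groups, proto, src, dst, dport)


def in_group(ip, name, config=SAMPLE_CONFIG):
    """Is ip a member of network object-group name? (the check the thread ended on)"""
    groups, _ = parse_config(config)
    return any(ipaddress.ip_address(ip) in n for n in groups[name]["members"])


if __name__ == "__main__":
    print(lookup("10.50.3.4", "172.16.19.32", 80))     # ('permit', 1), like the successful trace
    print(lookup("192.0.2.10", "172.16.19.33", 80))    # ('deny', 'implicit'), like the failed trace
    print(in_group("192.0.2.10", "corpahm"))           # False: the fix is to add the source here
```

The deny/implicit result for a source outside corpahm reproduces the "Implicit Rule ... Drop-reason: (acl-drop)" phase above; adding the missing source network to corpahm is the only change the model needs to flip it to permit.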