Allow access to external SFTP site - Packet tracer results

DarylBrooks
Level 1

Hi,

I'm trying to allow an internal address to access an external SFTP site on port 2022, however there seems to be an access-list denying the packets.

When I run the packet tracer, I receive the below results:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaca4b278, priority=11, domain=permit, deny=true
hits=1356658853, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

As there is nothing displayed in the 'Config:' line, how can I decipher the hex ID for the access-list that is causing the packets to be dropped? From what I can see, there is no access-list line with that hex value in the config.

Thanks,

Daryl

2 Accepted Solutions

Check the LINKSSG interface ACL, and most likely you will have to add an entry to it to allow this traffic.

If there is an access list applied to the interface then the security level isn't considered.

8 Replies

Could you post the full output of the packet tracer? The ACL in question is assigned to the input interface of the packet. If you have configured an ACL entry for this traffic then chances are that either the ACL is incorrect or the packet tracer is incorrect.

--

Please remember to select a correct answer and rate helpful posts

Thanks for your reply, please see the full output below:

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xaca4b278, priority=11, domain=permit, deny=true
        hits=1356658853, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: LINKSSG
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Are the outside and LINKSSG interfaces at the same security level? The implicit drop may be due to the same-security-level rule not being enabled. It won't show an ACL name in packet tracer then.

They currently have different security levels:

interface Ethernet0/1
nameif LINKSSG
security-level 10

interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0

If there is an access list applied to the interface then the security level isn't considered.

--

Please remember to select a correct answer and rate helpful posts

You were right, it appears an access-list 'inside_access_out' was applied to the interface linkssg.

I applied the below command: 

access-list inside_access_out line 132 extended permit tcp host 10.150.115.209 any eq 2022

All is now working; my problem was that I was trying to create a rule using a new access-list 'SFTPTest' as a test, rather than adding a line to the existing access list, which was applied to the interface.

Thanks to those that helped!

Daryl

Check the LINKSSG interface ACL, and most likely you will have to add an entry to it to allow this traffic.

--

Please remember to select a correct answer and rate helpful posts

samy.ccnp
Level 1

Hi ,

You must configure an ACL on the inbound interface to allow this connection, as it is being dropped by the implicit deny rule.

Once you configure any ACL entry on a higher-security interface, the default traffic-passing behaviour (higher security zone to lower security zone) no longer applies.

In that case you must define an ACL entry accordingly.

Thanks.

Please remember to select a correct answer and rate helpful posts
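The point made in the replies above (the ACL bound to the input interface with access-group is the only one consulted, its trailing implicit deny is what packet-tracer reports as "Implicit Rule", and a list that is never bound, like the poster's 'SFTPTest', changes nothing) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small first-match evaluator over a constructed ASA-style config. The interface names and the 10.150.x.x address come from the thread; the 443 entry, the 203.0.113.10 SFTP host and the config as a whole are constructed for the example, and only a subset of ACE syntax is parsed.

```python
"""Added example (not from the thread or any poster): a first-match evaluator for
ASA-style interface ACLs, showing why an unbound 'SFTPTest' list had no effect.

Only the ACL named in an access-group for the packet's input interface is
consulted; if no entry matches, the implicit deny at its end drops the flow.

The config below is constructed for this example. Supported ACE subset:
  access-list NAME [line N] extended permit|deny ip|tcp|udp SRC DST [eq PORT]
where SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'; source-port
operators, object-groups and named ports are not handled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

CONSTRUCTED_CONFIG = """\
interface Ethernet0/1
 nameif LINKSSG
 security-level 10
interface Ethernet0/0
 nameif outside
 security-level 0
access-list inside_access_out extended permit tcp 10.150.0.0 255.255.0.0 any eq 443
access-list SFTPTest extended permit tcp host 10.150.115.209 any eq 2022
access-group inside_access_out in interface LINKSSG
"""

# The fix the poster applied: add the entry to the list that is actually bound.
FIX_LINE = "access-list inside_access_out line 1 extended permit tcp host 10.150.115.209 any eq 2022\n"


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None means any destination port


def _addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (network, next index)."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "address netmask" form; ipaddress accepts a dotted mask after the slash
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}"), i + 2


def parse_config(text):
    """Return (acls, bindings): ACL name -> ordered ACEs, (iface, dir) -> ACL name."""
    acls = {}
    bindings = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "access-list" and "extended" in tokens:
            name, pos, idx = tokens[1], None, 2
            if tokens[2] == "line":          # explicit insertion position (1-based)
                pos, idx = int(tokens[3]), 4
            action, proto = tokens[idx + 1], tokens[idx + 2]
            src, j = _addr(tokens, idx + 3)
            dst, j = _addr(tokens, j)
            dport = int(tokens[j + 1]) if j < len(tokens) and tokens[j] == "eq" else None
            ace = Ace(action, proto, src, dst, dport)
            entries = acls.setdefault(name, [])
            entries.insert(len(entries) if pos is None else min(pos - 1, len(entries)), ace)
        elif tokens[0] == "access-group":
            # access-group NAME in|out interface IFNAME
            bindings[(tokens[4], tokens[2])] = tokens[1]
    return acls, bindings


def evaluate(acls, bindings, iface, proto, src, dst, dport):
    """Decide a flow the way packet-tracer's ACCESS-LIST phase does for the input interface."""
    name = bindings.get((iface, "in"))
    if name is None:
        return "no-acl", "no inbound ACL on %s; security levels decide" % iface
    for n, ace in enumerate(acls.get(name, []), start=1):
        if ace.proto not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in ace.src or ipaddress.ip_address(dst) not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, f"{name} line {n}"
    return "deny", f"{name} implicit deny"          # what packet-tracer shows as 'Implicit Rule'


def demo():
    """Evaluate the SFTP flow before and after adding the entry to the bound ACL."""
    flow = dict(iface="LINKSSG", proto="tcp", src="10.150.115.209",
                dst="203.0.113.10", dport=2022)     # constructed external SFTP host
    acls, bindings = parse_config(CONSTRUCTED_CONFIG)
    before = evaluate(acls, bindings, **flow)       # SFTPTest is unbound, so: implicit deny
    acls, bindings = parse_config(CONSTRUCTED_CONFIG + FIX_LINE)
    after = evaluate(acls, bindings, **flow)        # now matches line 1 of inside_access_out
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

Running it prints the drop attributed to the implicit deny of inside_access_out before the fix and a permit on line 1 after it; evaluating the same flow against the outside interface, which has no inbound access-group in the constructed config, returns "no-acl", which is the case where the security levels alone decide.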
