ASA 5505 Deny udp src outside to dst kulow by access-group outside_access_in

blkulwicki07
Level 1

So I have been trying to set things up at home where I have my Verizon router ---- ASA ---- Cisco wireless router, and all my hosts connecting to my Cisco wireless router.

I have been able to ping everything, yet I am unable to ping from my 172.*.*.* to the ASA. I also notice I keep getting the following deny even though I pretty much have the ASA open.

Deny udp src outside:71.252.0.12/53 dst Kulow: 10.0.*.*/38269 by access-group "outside_access_in"

I'm stumped and would appreciate any help with figuring out why this is happening.

 

 

Thanks in advance


10 Replies

Rishabh Seth
Level 7

The deny message is due to the ACL "outside_access_in".

In case you need to permit some traffic entering the interface on which you have this ACL applied, then add those IPs to the ACL.

Also, I did not understand how you tried the ping test. Can you elaborate on that and explain how the traffic flow is supposed to happen in your topology?

 

Thanks,

R.Seth

First of all thank you for responding.

 

So I am trying to create a small network at home with an ASA 5505 which connects to my Verizon router.

 

So it goes like this:

 

Verizon Router (192.168.1.0/24)-----(outbound)ASA(kulow 10.0.*.*/248)----Cisco Wireless Router (172.20.*.*)

 

When I do a ping from a 172.20 IP to 192.168.1.5 I receive responses back, yet when I ping 192.168.1.105 (just an example) I get no response and I start seeing the

Deny udp src outside:71.252.0.12/53 dst Kulow: 10.0.*.*/38269 by access-group "outside_access_in"

as well as it saying

Deny udp src kulow:10.0.*.*/prot dst outside:173.255.246.13/port by access-group kulow-access-in

Does that make any sense?

Hello,

 

Those logs are not related to each other.

You are talking about ICMP packets and the logs talk about DNS responses.

Is 192.168.1.105 a valid host, or does no device own that IP?

 

Note: as long as you are inspecting ICMP and .105 is not the ASA external interface IP you should be good.

 

Regards

 

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Then why would I be getting those denies even though I pretty much have everything open to come inbound?

Yes, .105 is a valid host; it's the ASA. I am unable to ping the ASA from the Cisco wireless network. I even put that IP address within the management SSH or HTTPS/ASDM and still am unable to reach the ASA.

I guess I am just trying to figure out what is going on with not being able to reach the ASA from the wireless network and why I am seeing those denies.

 

 

Again thank you for responding

Hi,

The .105 IP resides on the outside interface of the ASA. On the ASA you cannot ping the far-side interface.

So basically you can ping the Kulow interface from the wireless network and not the outside interface. This is how the ASA is designed.

Regarding the deny logs, I think you should verify your config for ACLs on the outside interface.

Check the output of show run access-group and verify the ACL.

Thanks,

R.Seth

Ahhhh, OK, that makes sense. As far as my show run access-group, here is what I have in my config.

 

Does this look accurate?

 

access-group outside_access_in in interface outside
access-group Inside_access_in in interface Inside
access-group Kulow_access_in in interface Kulow


Thank you again

Hi,

 

Show access-group shows you have ACLs applied on the inside, outside and Kulow interfaces.

You can check each ACL with show run access-list.

 

Hope it helps!!!

Thanks,

R.Seth

Mark the answer as correct if it helps in resolving your query!!!

OK, so for example here are the ACLs for each of the interfaces that are active:

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 any4
access-list outside_access_in extended deny ip any any

 

access-list Kulow_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 any4
access-list Kulow_access_in extended deny ip any a

 

 

Does it all look good?

So basically you have permitted traffic for a specific group and denied all other traffic.

This looks good and you can fine tune these ACLs to permit/deny traffic as your network grows.

 

Hope it answers your query.

 

Thanks,

R.Seth
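The two kinds of deny quoted in this thread (a UDP/53-sourced packet from outside dropped by outside_access_in, and an outbound UDP flow from Kulow dropped by Kulow_access_in) can be told apart mechanically. The script below is an added example written for this page, not code from the thread or from Cisco: it parses the body of an ASA "Deny ... by access-group" syslog message and classifies each hit. The key point it encodes is that an interface ACL is only consulted for packets that do not match an existing connection, so a DNS reply hitting the ACL is one the ASA has no connection for (DNS Guard, on by default, tears the UDP connection down once the first reply is forwarded, so duplicate or late replies are logged as denies). The sample log lines are constructed: the public addresses and ACL names come from the thread, while the inside host 10.0.0.5, the NTP destination port and the ICMP probe are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Body of a %ASA-4-106023 event, in the shape quoted in the thread:
#   Deny udp src outside:71.252.0.12/53 dst Kulow: 10.0.0.5/38269 by access-group "outside_access_in"
# ICMP denies carry "(type N, code M)" instead of ports; newer releases append "[0x..., 0x...]".
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+)'
    r' src (?P<src_if>[\w-]+):\s*(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))?'
    r' dst (?P<dst_if>[\w-]+):\s*(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?'
    r'(?:\s*\([^)]*\))?'
    r' by access-group "?(?P<acl>[\w-]+)"?'
)


@dataclass
class Deny:
    proto: str
    src_if: str
    src_ip: str
    src_port: Optional[int]
    dst_if: str
    dst_ip: str
    dst_port: Optional[int]
    acl: str


@dataclass
class Finding:
    deny: Deny
    verdict: str
    note: str


def _port(s: Optional[str]) -> Optional[int]:
    return int(s) if s else None


def parse_deny(line: str) -> Optional[Deny]:
    """Return the parsed deny, or None if the line is not an ACL deny."""
    m = DENY_RE.search(line)
    if not m:
        return None
    return Deny(
        proto=m["proto"].lower(), src_if=m["src_if"], src_ip=m["src_ip"],
        src_port=_port(m["src_port"]), dst_if=m["dst_if"], dst_ip=m["dst_ip"],
        dst_port=_port(m["dst_port"]), acl=m["acl"],
    )


def classify(d: Deny, outside_if: str = "outside") -> Finding:
    """Explain a deny in terms of the ASA's stateful model.

    A packet reaches the interface ACL only when no connection entry matches it.
    A UDP packet from source port 53 arriving on the outside interface is thus a
    DNS reply the ASA no longer has a connection for: DNS Guard closes the UDP
    connection as soon as the first reply is forwarded, so a retransmitted or
    late reply is logged as a deny. That is usually noise, not a misconfiguration.
    """
    inbound_from_outside = d.src_if.lower() == outside_if.lower()
    if d.proto == "udp" and d.src_port == 53 and inbound_from_outside:
        return Finding(d, "stray-dns-reply",
                       "DNS reply with no matching connection (late/duplicate after DNS Guard); harmless")
    if d.dst_port == 53 and not inbound_from_outside:
        return Finding(d, "blocked-dns-query",
                       f"hosts behind {d.src_if} cannot resolve names: permit udp/53 in {d.acl}")
    if inbound_from_outside:
        return Finding(d, "unsolicited-inbound",
                       f"unsolicited traffic from the Internet, correctly dropped by {d.acl}")
    return Finding(d, "blocked-outbound",
                   f"outbound {d.proto}/{d.dst_port} is not in the permit entries of {d.acl}; add it if wanted")


def triage(lines: List[str], outside_if: str = "outside") -> List[Finding]:
    """Parse every ACL deny in a log and classify it; non-deny lines are skipped."""
    return [classify(d, outside_if) for d in map(parse_deny, lines) if d is not None]


# Constructed sample log (see lead-in): not captured from a real device.
SAMPLE_LOG = [
    '%ASA-4-106023: Deny udp src outside:71.252.0.12/53 dst Kulow: 10.0.0.5/38269 by access-group "outside_access_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny udp src Kulow:10.0.0.5/51234 dst outside:173.255.246.13/123 by access-group "Kulow_access_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny icmp src outside:198.51.100.7 dst Kulow:10.0.0.5 (type 8, code 0) by access-group "outside_access_in"',
    '%ASA-6-302015: Built outbound UDP connection 1 for outside:71.252.0.12/53 (71.252.0.12/53) to Kulow:10.0.0.5/38269 (10.0.0.5/38269)',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        d = f.deny
        print(f"{f.verdict:20} {d.src_if}:{d.src_ip}/{d.src_port} -> "
              f"{d.dst_if}:{d.dst_ip}/{d.dst_port}  {f.note}")
```

Run it against a `logging buffered` or syslog capture from the ASA; the "blocked-outbound" hits are the ones to compare against the service object-group referenced by Kulow_access_in, since that ACL ends in an explicit deny ip any any and drops every outbound flow the group does not list.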

Thanks again for your knowledge on this.  I truly appreciate it!!
