02-04-2011 10:01 AM - edited 03-11-2019 12:45 PM
ASA 5505 problem
I have an ASA 5505 and am trying to configure it for a small network.
I used ASDM, starting with the wizard.
I use ASA 8.3(1).
I can ping from inside to outside,
but I cannot get Internet access.
I constantly get the following error message in the ASDM log:
3 Feb 03 2011 06:58:46 106014 194.25.0.70 192.168.5.100 Deny inbound icmp src outside:194.25.0.70 dst inside:192.168.5.100 (type 3, code 3).
when I type the following command:
asa-jpdwe(config)# packet-tracer input inside icmp 192.168.5.100 3 3 194.25.0.70 detailed
I get this output:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip object-group Group-JPD-Wetter any
object-group network Group-JPD-Wetter
description: Alle Netzwerkobjekte in Wetter
network-object object Network-Wetter
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9c587a8, priority=13, domain=permit, deny=false
hits=5, user_data=0xc7d9e8e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.5.0, mask=255.255.255.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9fbb178, priority=0, domain=inspect-ip-options, deny=true
hits=348, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca6773b8, priority=70, domain=inspect-icmp, deny=false
hits=7, user_data=0xc6fa8088, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9acbd40, priority=70, domain=inspect-icmp-error, deny=false
hits=7, user_data=0xc9dedfd8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
object network Network-Wetter
nat (inside,outside) dynamic interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca57fc70, priority=6, domain=nat, deny=false
hits=34, user_data=0xca63eb90, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.5.0, mask=255.255.255.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I have posted my configuration here.
I am grateful for any help.
Yours sincerely
Jan
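As an added example (my code, not part of Jan's post and not a Cisco tool), here is a small Python parser for packet-tracer output like the one above. It splits the output into phases and reports the first phase whose Result is DROP, which is the line that tells you which feature dropped the packet (here Phase 6, NAT); the closing "Drop-reason: (acl-drop) Flow is denied by configured rule" is generic and on its own points the reader at the wrong feature. The embedded trace is a constructed, abbreviated copy of the drop case above (phases 3 to 5 are omitted, and the long rule lines are shortened).

```python
# Constructed, abbreviated packet-tracer output modelled on the drop case in the
# post above (assumption: phases 3-5 are left out; the parser does not need them).
SAMPLE_DROP_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip object-group Group-JPD-Wetter any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9c587a8, priority=13, domain=permit, deny=false
Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
object network Network-Wetter
nat (inside,outside) dynamic interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca57fc70, priority=6, domain=nat, deny=false
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Split packet-tracer output into a list of phase dicts and a summary dict.

    Each phase dict has: phase (int), type, subtype, result, config (list of
    lines under 'Config:') and info (lines under 'Additional Information:').
    The summary holds the final block: interfaces, status, action and, for
    drops, drop-reason.
    """
    phases, summary = [], {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "type": "",
                       "subtype": "", "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif line == "Result:":      # a bare 'Result:' opens the final summary block
            current, section = None, "summary"
        elif current is not None:
            key, _, value = line.partition(":")
            if key in ("Type", "Subtype", "Result"):
                current[key.lower()] = value.strip()
            elif line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif section in ("config", "info"):
                current[section].append(line)
        elif section == "summary":
            key, _, value = line.partition(":")
            summary[key.strip().lower()] = value.strip()
    return phases, summary


def first_drop(phases):
    """Return the first phase whose Result is DROP, or None if every phase allowed.

    This is the phase to read: the closing 'Action: drop' and its generic
    '(acl-drop) Flow is denied by configured rule' do not say which feature
    dropped the packet; the phase Type does (here NAT, not ACCESS-LIST).
    """
    return next((p for p in phases if p["result"].upper() == "DROP"), None)


def triage(text):
    """One-line verdict: 'allow' or 'drop in phase N (TYPE): reason'."""
    phases, summary = parse_packet_tracer(text)
    if summary.get("action") == "allow":
        return "allow"
    p = first_drop(phases)
    reason = summary.get("drop-reason", "no drop-reason line")
    if p is None:
        return "drop: " + reason
    return "drop in phase %d (%s): %s" % (p["phase"], p["type"], reason)


if __name__ == "__main__":
    print(triage(SAMPLE_DROP_TRACE))
```

Paste a full trace into `triage()` as-is; lines that a terminal wrapped mid-word (like "an / y" above) only affect the stored config text, not the phase and result detection.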
02-04-2011 10:42 AM
Can you post your NAT config? Check if you have a default gateway configured.
02-04-2011 10:57 AM
Hi Jan,
The logs indicate that you are getting the ICMP replies back on the interface; just create an access list:
access-list outside_access_in permit icmp any any
access-group outside_access_in in interface outside
As far as the default route is concerned, I think setroute takes care of it, and your dynamic NAT looks good to me, unless 8.3 has some surprise for me too.
Manish
02-04-2011 11:28 AM
I just saw the config. NAT seems fine, and yes, the setroute should assign you the default gateway.
Packet tracer shows the traffic is getting dropped under the NAT section.
Please try this packet tracer:
packet-tracer input inside icmp 192.168.5.100 8 0 194.25.0.70 detailed
The inspect icmp should take care of the ICMP echo replies, so the ACL allowing ICMP is not necessary.
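Paul's point, testing the echo request (type 8, code 0) rather than the ICMP error that shows up in the log, applies generally, and as an added example (my code, not from the thread or from Cisco) here is a decoder for %ASA-3-106014 lines that names the ICMP type and code and derives the packet-tracer test that actually represents the traffic. Type 3 code 3 is "destination unreachable, port unreachable": an error the far end sends about a datagram the inside host sent it, which the ASA matches to that original connection through inspect icmp and inspect icmp error rather than admitting as a flow of its own, so tracing the error packet from the inside, as in the first post, does not represent the real traffic. A port-unreachable coming from a DNS server's address is also consistent with the DNS service being down, which is what Jan found. The ICMP tables follow RFC 792; the first sample line is the one from the ASDM log above, the other two are constructed.

```python
import re

# ICMP type/code meanings (RFC 792); only the ones worth recognising in triage.
ICMP_TYPES = {
    0: "echo reply", 3: "destination unreachable", 4: "source quench",
    5: "redirect", 8: "echo request", 11: "time exceeded", 12: "parameter problem",
}
ICMP_CODES = {
    3: {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
        3: "port unreachable", 4: "fragmentation needed and DF set",
        13: "communication administratively prohibited"},
    11: {0: "TTL exceeded in transit", 1: "fragment reassembly time exceeded"},
}
# ICMP error messages carry the IP header plus 8 bytes of the datagram that
# triggered them; the ASA matches them to that original connection, so they are
# not a flow of their own and are not the thing to trace from the inside.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

# Body of %ASA-3-106014 as it appears in the ASDM log above.
LOG_106014 = re.compile(
    r"Deny inbound icmp src (?P<src_ifc>\S+):(?P<src>\d+(?:\.\d+){3}) "
    r"dst (?P<dst_ifc>\S+):(?P<dst>\d+(?:\.\d+){3}) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\)")

# First line is the one from the post; the other two are constructed to
# exercise the echo-reply branch and a non-106014 line.
SAMPLE_LOG = [
    "3 Feb 03 2011 06:58:46 106014 194.25.0.70 192.168.5.100 Deny inbound icmp "
    "src outside:194.25.0.70 dst inside:192.168.5.100 (type 3, code 3).",
    "3 Feb 03 2011 06:59:10 106014 194.25.0.70 192.168.5.100 Deny inbound icmp "
    "src outside:194.25.0.70 dst inside:192.168.5.100 (type 0, code 0).",
    "6 Feb 03 2011 07:01:30 302013 Built outbound TCP connection (constructed, ignored)",
]


def decode_106014(line):
    """Parse one 106014 line into a dict; return None for any other message."""
    m = LOG_106014.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["type"], ev["code"] = int(ev["type"]), int(ev["code"])
    ev["type_name"] = ICMP_TYPES.get(ev["type"], "type %d" % ev["type"])
    ev["code_name"] = ICMP_CODES.get(ev["type"], {}).get(ev["code"], "code %d" % ev["code"])
    ev["is_error"] = ev["type"] in ICMP_ERROR_TYPES
    return ev


def describe(ev):
    """Human-readable line: what the denied packet was and what it belongs to."""
    what = ev["type_name"]
    if ev["type"] in ICMP_CODES:
        what += " / " + ev["code_name"]
    if ev["is_error"]:
        kind = "ICMP error about traffic %s sent to %s" % (ev["dst"], ev["src"])
    elif ev["type"] == 0:
        kind = "reply to a request from %s" % ev["dst"]
    else:
        kind = "unsolicited packet"
    return "%s from %s -> %s: %s" % (what, ev["src"], ev["dst"], kind)


def suggested_tracer(ev):
    """packet-tracer command for the flow the denied packet belongs to.

    Errors and replies both follow traffic the inside host (dst of the deny)
    sent to the outside host (src of the deny), so the representative test is
    the outbound echo request from the inside, not the inbound error/reply.
    """
    return "packet-tracer input %s icmp %s 8 0 %s detailed" % (
        ev["dst_ifc"], ev["dst"], ev["src"])


def triage_log(lines):
    """Decode every 106014 line in a log; other messages are skipped."""
    return [describe(ev) for ev in map(decode_106014, lines) if ev]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        ev = decode_106014(line)
        if ev:
            print(describe(ev))
            print("  test with:", suggested_tracer(ev))
```

For the ADSM line in the post, `suggested_tracer()` produces exactly the command Paul asked for; the parser looks only at the message body, so it works on syslog-formatted lines ("%ASA-3-106014: Deny inbound icmp ...") as well as the ASDM log viewer's columns.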
02-07-2011 10:02 AM
Hi Paul
Many thanks for your help
Here is the result of the packet-tracer.
The problem was the DNS servers at German Telekom; all 4 servers were out of service.
After changing the DNS server, everything works.
Best regards
Jan
asa-jpdwe# packet-tracer input inside icmp 192.168.5.100 8 0 194.25.0.70 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip object-group Group-JPD-Wetter any
object-group network Group-JPD-Wetter
description: Alle Netzwerkobjekte in Wetter
network-object object Network-Wetter
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcad1bc68, priority=13, domain=permit, deny=false
hits=1388, user_data=0xc8ef9c20, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.5.0, mask=255.255.255.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcac5b780, priority=0, domain=inspect-ip-options, deny=true
hits=1539, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb312608, priority=70, domain=inspect-icmp, deny=false
hits=8, user_data=0xcb312400, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb3144a0, priority=70, domain=inspect-icmp-error, deny=false
hits=8, user_data=0xcb314298, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Network-Wetter
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.5.100/0 to 87.139.210.214/52020
Forward Flow based lookup yields rule:
in id=0xcad19478, priority=6, domain=nat, deny=false
hits=1389, user_data=0xcad19270, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.5.0, mask=255.255.255.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcacc78f0, priority=0, domain=inspect-ip-options, deny=true
hits=1391, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1545, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
asa-jpdwe#
02-07-2011 10:10 AM
I am glad to hear things worked out now.
If possible please mark the question as answered, by yourself, hehe