ASA 5506 interface IP denied by implicit rule

donpepe06
Level 1

Hello guys,

Could you please help me understand why this happens?

So I have a Cisco ASA 5506-X with Software Version 9.8(2) in live service.

The inside interface sec-level is 100 and the outside is 0.

On inside there is only one rule:

access-list inside-acl extended permit ip any any

access-group inside-acl in interface inside

There is an IPsec IKEv1 VPN and the LAN reaches the SNMP server over the VPN. The VPN is working fine and other hosts reach the SNMP server, but from the ASA I cannot.

When I try to check it in packet-tracer the result is a drop by the implicit deny, but on inside there is allow any any.

192.168.1.1 ---> ASA LAN IP

192.168.1.2 ---> LAN HOST

172.x.x.x ---> NAT network that goes over the VPN

10.x.x.4 ---> SNMP server

Here are the outputs I got from packet-tracer:

Not working:


FW# packet-tracer input inside tcp 192.168.1.1 echo 10.x.x.4 echo

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static LAN 172.x.x.x destination static NW_VPN_remote NW_VPN_remote no-proxy-arp
Additional Information:
NAT divert to egress interface outside
Untranslate 10.x.x.4/7 to 10.x.x.4/7

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule                <-------------------------
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Working:

FW# packet-tracer input inside tcp 192.168.1.2 echo 10.x.x.4 echo

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static LAN 172.x.x.x destination static NW_VPN_remote NW_VPN_remote no-proxy-arp
Additional Information:
NAT divert to egress interface outside
Untranslate 10.x.x.4/7 to 10.x.x.4/7

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside-acl in interface inside
access-list inside-acl extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static LAN 172.x.x.x destination static NW_VPN_remote NW_VPN_remote no-proxy-arp
Additional Information:
Static translate 192.168.1.2/7 to 172.x.x.x/7

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static LAN 172.x.x.x destination static NW_VPN_remote NW_VPN_remote no-proxy-arp
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id xxxxxx31, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow


Thanks.

Accepted Solution

mkazam001
Level 3

I thought packet-tracer was to verify config for transit traffic flowing through the ASA; not sure if it would work using the ASA LAN IP.

Also, the normal syntax would be: packet-tracer input inside icmp source-ip 8 0 dest-ip det

Regards

azam

7 Replies


Hello,

Thanks for the answer, I tried as you suggested and here is the output:

FW# packet-tracer input inside icmp 192.168.1.1 8 0 10.x.x.4 detailed


Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static LAN 172.x.x.x destination static NW_VPN_remote NW_VPN_remote no-proxy-arp
Additional Information:
NAT divert to egress interface outside
Untranslate 10.x.x.4/0 to 10.x.x.4/0

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f61d6db6860, priority=501, domain=permit, deny=true
hits=28, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=192.168.1.1, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
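As an added example (not part of this thread and not Cisco's code), here is a small Python parser for packet-tracer output like the traces above. It splits the output into phases, reports the first DROP phase together with its Config lines, and, given a mapping of interface names to the ASA's own addresses (an assumed input you would take from the ASA's interface configuration), flags the situation in this thread: a simulated source equal to the inside interface's own address matching the implicit rule instead of inside-acl. The sample traces embedded in the block are constructed from the outputs posted here.

```python
"""Parse Cisco ASA packet-tracer output and explain its first DROP phase.
Constructed example for this thread (not Cisco's code): it finds the earliest DROP
phase and flags the case seen above, where the simulated source address is one of
the ASA's own interface addresses and the tracer reports "Implicit Rule"."""
import re
from dataclasses import dataclass, field

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:"
    info: list = field(default_factory=list)    # lines under "Additional Information:"

@dataclass
class Trace:
    command: str = ""
    phases: list = field(default_factory=list)
    action: str = ""
    drop_reason: str = ""

def parse_trace(text: str) -> Trace:
    """Split raw packet-tracer output into Phase records plus the summary verdict."""
    trace, cur, section = Trace(), None, None
    for raw in text.splitlines():
        s = raw.strip()
        if not s:
            continue
        if m := re.match(r"^\S+#\s*(packet-tracer\s.*)$", s):  # echoed CLI command
            trace.command = m.group(1)
        elif m := re.match(r"^Phase:\s*(\d+)$", s):
            cur, section = Phase(int(m.group(1))), None
            trace.phases.append(cur)
        elif s == "Result:":  # bare header opens the final summary block
            cur = None
        elif cur is not None:
            if s in ("Config:", "Additional Information:"):
                section = "config" if s == "Config:" else "info"
            elif section:
                getattr(cur, section).append(s)
            else:  # Type / Subtype / Result lines of the phase header
                key, _, val = s.partition(":")
                if key in ("Type", "Subtype", "Result"):
                    setattr(cur, key.lower(), val.strip().upper())
        else:  # summary block after the bare "Result:" header
            key, _, val = s.partition(":")
            if key == "Action":
                trace.action = val.strip().lower()
            elif key == "Drop-reason":
                trace.drop_reason = val.strip()
    return trace

def first_drop(trace: Trace):
    # Earliest phase that dropped the packet, or None if every phase allowed it.
    return next((p for p in trace.phases if p.result == "DROP"), None)

def explain_drop(trace: Trace, interface_ips: dict) -> str:
    """Classify the verdict; interface_ips maps interface name -> the ASA's own address (assumed input)."""
    if trace.action == "allow":
        return "allowed"
    phase = first_drop(trace)
    if phase is None:
        return "dropped, but no DROP phase was printed; check the summary block"
    tokens = trace.command.split()  # packet-tracer input <ifc> <proto> <src> ...
    ifc, src = (tokens[2], tokens[4]) if len(tokens) > 4 else ("?", "?")
    if (phase.type == "ACCESS-LIST" and any("Implicit Rule" in c for c in phase.config)
            and interface_ips.get(ifc) == src):
        return (f"self-originated: {src} is the ASA's own {ifc} address; packet-tracer simulates "
                f"transit traffic, so {ifc}'s ACL is not consulted; re-run with a host behind {ifc}")
    return f"phase {phase.number} {phase.type}/{phase.subtype or '-'}: {trace.drop_reason or 'dropped'}"

# Constructed samples, trimmed from the outputs posted in this thread.
SAMPLE_DROP = """\
FW# packet-tracer input inside icmp 192.168.1.1 8 0 10.x.x.4 detailed
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
in id=0x7f61d6db6860, priority=501, domain=permit, deny=true

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

SAMPLE_ALLOW = """\
FW# packet-tracer input inside tcp 192.168.1.2 echo 10.x.x.4 echo
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-list inside-acl extended permit ip any any
Result:
Action: allow
"""
```

Run it over saved packet-tracer output and pass the ASA's own interface addresses; with `{"inside": "192.168.1.1"}` the first trace is reported as self-originated, which is exactly the point the accepted answer makes, while a trace sourced from 192.168.1.2 is reported as allowed.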

Abheesh Kumar
VIP Alumni

Hi Donpepe06,

Try an extended ping and specify your LAN interface (inside) as the source.

ASAt# ping
TCP Ping [n]:
Interface: Inside
Target IP address: 10.x.x.4
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.x.x.4, timeout is 2 seconds:

HTH

-Abheesh


Hello,

It is the same, it does not work:

FW# ping
TCP Ping [n]:
Interface: inside
Target IP address: 10.x.x.4
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.x.x.4, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

Hi, I think this will not work from the Inside Interface.

Like I said in my original post :)

All right guys, then it is clear to me.

Thanks for your help.
