02-28-2016 07:47 AM - edited 03-12-2019 12:24 AM
I'm a bit stumped. I have an ASA 5506-X (lab) that suddenly stopped permitting traffic through to my internal subnets. When I run a packet trace, I get this, which stumps me because I've configured a rule to let the traffic through:
RADAR# packet-tracer input inside tcp 192.168.0.1 80 192.168.1.1 80 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f5d15bced70, priority=1, domain=permit, deny=false
hits=8449, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.0.2 using egress ifc inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f5d15bdf570, priority=500, domain=permit, deny=true
hits=0, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=192.168.0.1, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Where else can I look to alleviate this?
02-28-2016 11:03 AM
You may want to check your NAT rules if you have any configured. If you require further assistance please post a full running configuration of the ASA (remove any public IPs, usernames and passwords).
--
Please remember to select a correct answer and rate helpful posts
02-28-2016 11:29 AM
02-28-2016 11:48 AM
You are missing the command "same-security-traffic permit intra-interface"
02-28-2016 11:55 AM
Hmmm, I put that in but it's still failing:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.0.2 using egress ifc inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
RADAR# show running-config same-security-traffic
same-security-traffic permit intra-interface
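As an added example (not code from this thread or from Cisco), here is a small Python parser for the packet-tracer output format quoted above: it splits the trace into phases, reports which phase dropped the flow and why, and flags when the egress interface equals the ingress interface (an intra-interface hairpin, the case the "same-security-traffic permit intra-interface" reply addresses). The sample trace below is constructed, abbreviated from the second trace in the thread.

```python
import re

# Constructed sample, abbreviated from the second packet-tracer output in the thread above.
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
found next-hop 192.168.0.2 using egress ifc inside
Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Result:
input-interface: inside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    # Returns (phases, summary): one dict per "Phase:" block plus the final "Result:" block.
    phases, summary, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "info": []}
            phases.append(current)
        elif line == "Result:":          # a bare "Result:" opens the final summary block
            current = None
        elif current is not None:
            key, _, value = line.partition(":")
            if key in ("Type", "Subtype", "Result", "Config"):
                current[key.lower()] = value.strip()
            elif line and not line.endswith(":"):   # free-text detail, e.g. the next-hop line
                current["info"].append(line)
        elif ":" in line:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
    return phases, summary

def diagnose(text):
    # Which phase dropped the flow, why, and whether it hairpins on the ingress interface.
    phases, summary = parse_packet_tracer(text)
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    egress = re.search(r"using egress ifc (\S+)", text)
    hairpin = bool(egress) and egress.group(1) == summary.get("input-interface")
    return {"drop_phase": drop["phase"] if drop else None,
            "drop_type": drop["type"] if drop else None,
            "implicit_rule": bool(drop) and "Implicit Rule" in drop["info"],
            "drop_reason": summary.get("Drop-reason"),
            "hairpin": hairpin}   # ingress == egress: intra-interface flow on the ASA
```

Feed it the full `packet-tracer ... detailed` output to locate the dropping phase quickly; a hairpin result with the intra-interface permit already present, as in this thread, points the search away from the ASA ACLs.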
02-28-2016 02:25 PM
Could you also post the packet tracer command you are using.
02-28-2016 04:30 PM
packet-tracer input inside tcp 192.168.0.1 http 192.168.1.1 http
02-28-2016 06:37 PM
Wow... it turned out not to be anything relating to the firewall. I had overload configured on the router interface that leads to the firewall, and that was hindering the traffic.