05-01-2017 12:59 PM - edited 03-12-2019 02:17 AM
Please help,
For some reason I keep getting denied when configuring port forwarding on an ASA 5510. The current topology is Internet----Modem-----Router--------ASA 5510 (Active/Standby)---------Inside------PHP_TEST
I am trying to open web server 192.168.2.5 so it can be accessed from OUTSIDE with the configuration below, but I keep getting denied. Can you please advise what configuration is needed? Thanks in advance.
object network PHP_TEST
host 192.168.2.5
nat (INSIDE,OUTSIDE) static interface service tcp 80 80
access-list OutsideToPHPServer permit tcp any host 192.168.2.5 eq www
access-group OutsideToPHPServer in interface OUTSIDE
---------------------------------------------------------------------------
Below is my configuration; I omitted config that is not relevant to this issue.
: Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
ASA Version 9.1(6)
!
hostname XXXXXXXXXXXXXXXX
domain-name XXXXXXXXXXXXXXXXXXXXXXX
enable password XXXXXXXXXXXXXXXXX encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd XXXXXXXXXXXXXXXX encrypted
names
dns-guard
ip local pool RVPN_User 10.0.0.1-10.0.0.10 mask 255.255.255.0
!
interface Ethernet0/0
description *** Connection to Router Plutus ***
nameif OUTSIDE
security-level 0
ip address 192.168.1.2 255.255.255.0 standby 192.168.1.10
!
interface Ethernet0/1
description *** Connection to DMZ Zone ***
nameif DMZ
security-level 55
ip address 192.168.3.1 255.255.255.0 standby 192.168.3.10
!
interface Ethernet0/2
description *** Connection to LAN ***
nameif INSIDE
security-level 55
ip address 192.168.2.1 255.255.255.0 standby 192.168.2.10
!
interface Ethernet0/3
description *** Available Link ***
shutdown
nameif DMZ2
security-level 55
ip address 192.168.5.1 255.255.255.0
!
interface Management0/0
description LAN Failover Interface
management-only
!
!
boot system disk0:/asa916-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup OUTSIDE
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.220.220
domain-namexxxxxxxxxxxxxxxxxxxxxxxxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network PHP_TEST
host 192.168.2.5
object network dmz-subnet
subnet 192.168.3.0 255.255.255.0
object network inside-subnet
subnet 192.168.2.0 255.255.255.0
object network Outside_Network
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_10.0.0.0_28
subnet 10.0.0.0 255.255.255.240
object service HTTP
service tcp source eq www
object-group service DM_INLINE_SERVICE_2
service-object tcp-udp destination eq www
service-object tcp destination eq www
service-object udp destination eq www
object-group network DMZ-subnet
network-object 192.168.3.0 255.255.255.0
object-group network opendns-servers
network-object host 208.67.220.220
network-object host 208.67.220.222
object-group network googledns-servers
network-object host 8.8.4.4
network-object host 8.8.8.8
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq www
service-object udp destination eq www
access-list OUTSIDE_access_in extended permit ip any4 any4
access-list DMZ_access_in extended permit ip any4 any4 log disable
access-list OUTSIDE_access_in_1 extended permit ip any any log disable
access-list outside_acl extended permit ip any4 192.168.3.0 255.255.255.0 log disable
access-list outside_acl extended permit ip any4 any4
access-list inbound extended permit ip any4 any4 log disable
access-list global_mpc extended permit ip any any
access-list inside_access_in extended permit ip any4 any4 log disable
access-list inside_access_out extended permit ip any4 any4
pager lines 24
logging enable
logging timestamp
logging trap informational
logging asdm informational
logging host INSIDE 192.168.2.12
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination INSIDE 192.168.2.12 2055
mtu OUTSIDE 1500
mtu DMZ 1500
mtu INSIDE 1500
mtu DMZ2 1500
ip verify reverse-path interface OUTSIDE
failover
failover lan unit primary
failover lan interface FAILOVER Management0/0
failover key *****
failover interface ip FAILOVER 172.16.254.254 255.255.255.0 standby 172.16.254.250
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OUTSIDE
icmp permit any DMZ
icmp permit 192.168.3.0 255.255.255.0 DMZ
asdm image disk0:/asdm-771.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (INSIDE,OUTSIDE) source static PHP_TEST PHP_TEST service HTTP HTTP
!
object network dmz-subnet
nat (DMZ,OUTSIDE) dynamic interface
object network inside-subnet
nat (INSIDE,OUTSIDE) dynamic interface
access-group OUTSIDE_access_in_1 in interface OUTSIDE
access-group DMZ_access_in in interface DMZ
access-group inside_access_out out interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=APOLLO
crl configure
crypto ca trustpool policy
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable OUTSIDE client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 OUTSIDE
ssh 192.168.3.0 255.255.255.0 DMZ
ssh 192.168.2.0 255.255.255.0 INSIDE
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 216.239.35.0 source OUTSIDE prefer
ssl trust-point ASDM_TrustPoint0 INSIDE
ssl trust-point ASDM_TrustPoint0 OUTSIDE
ssl trust-point ASDM_TrustPoint0 DMZ2
ssl trust-point ASDM_TrustPoint0 DMZ
webvpn
!
class-map global-class
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class global-class
flow-export event-type all destination 192.168.2.12
class inspection_default
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect icmp
inspect icmp error
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
class class-default
user-statistics accounting
!
service-policy global_policy global
05-03-2017 02:27 PM
Hi AJ,
I deleted my previous configuration and started again. I am now able to do port forwarding. Many thanks again for your time and help. One more quick question: I am trying to send my Outside Router's syslog to the Inside syslog server. I assume the same concept applies as for http. Please see below.
object network SYSLOG_SERVER
host 192.168.2.12
nat (INSIDE,OUTSIDE) static interface service udp 514 514
access-list RouterToSyslog permit tcp host 192.168.1.1 host 192.168.2.12 eq 514
access-group RouterToSyslog in interface OUTSIDE
packet-tracer input outside tcp 192.168.1.1 514 192.168.1.2 515 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.2 255.255.255.255 identity
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 OUTSIDE
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae9f3ef0, priority=1, domain=nat-per-session, deny=true
hits=1223965, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae09e320, priority=0, domain=permit, deny=true
hits=125727, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x10 00, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
05-04-2017 05:43 AM
NAT is correct, the access-list is incorrect:
It is allowing tcp; we need udp.
what you have:
access-list RouterToSyslog permit tcp host 192.168.1.1 host 192.168.2.12 eq 514
we need below:
access-list RouterToSyslog permit udp host 192.168.1.1 host 192.168.2.12 eq 514
Try and let me know:
-AJ
05-04-2017 09:38 AM
Hi AJ,
Many thanks again, I greatly appreciate your help. When I ran the packet tracer it shows successful, but I am not getting logs. I'll work on it later.
Anyway, my priority is the RDP. With the configuration below, can you pinpoint why it keeps dropping on the implicit rule? Please see below with the result.
One more question: when running access-group and access-list, do they need to have the same name? All my http/https seems to be working fine, but the config in Access-rule is not showing under ASDM Outside Incoming.
---------------------------------------------------------------------------
object network RemoteDesktop
host 192.168.2.5
nat (INSIDE,OUTSIDE) static interface service tcp 3389 33399
----------------------------------------------------------------------------
APOLLO(config)# sh run access-list
access-list OUTSIDE_access_in extended permit ip any4 any4
access-list DMZ_access_in extended permit ip any4 any4 log disable
access-list RemoteDesktop extended permit tcp any host 192.168.2.5 eq 3389
access-list outside_acl extended permit ip any4 any4
access-list inbound extended permit ip any4 any4 log disable
access-list global_mpc extended permit ip any any
access-list OutsideToPHPServer extended permit tcp any host 192.168.2.12 eq www
access-list OutsideToPHPServer extended permit ip any any log disable
access-list inside_access_in extended permit ip any4 any4 log disable
access-list inside_access_out extended permit ip any4 any4
access-list RouterToSyslog extended permit ip any any
access-list RouterToSyslog extended permit udp host 192.168.1.1 host 192.168.2.12 eq syslog
access-list OutsideToCam01 extended permit tcp any host 192.168.2.31 eq 8051
access-list OutsideToCam01 extended permit tcp any object PHP_TEST eq www log disable
access-list OutsideToCam01 extended permit udp host 192.168.1.1 object Syslog_Server eq syslog log disable
access-list OutsideToCam01 extended permit ip any any log disable
access-list OutsideToCam01 extended permit tcp any host 192.168.2.5 eq 3389
access-list OutsideToLinuxServer extended permit object-group RDP any host 192.168.2.5 log disable
access-list OutsideToLinuxServer extended permit ip any any log disable
--------------------------------------------------------------------------------
APOLLO(config)# sh run access-group
access-group OutsideToLinuxServer in interface OUTSIDE
access-group DMZ_access_in in interface DMZ
access-group inside_access_out out interface INSIDE
---------------------------------------------------------------------------------
APOLLO(config)# packet-tracer input outside tcp 1.1.1.1 33399 192.168.1.2 3389
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.2 255.255.255.255 identity
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OUTSIDE
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae9f3ef0, priority=1, domain=nat-per-session, deny=true
hits=1318590, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae09e320, priority=0, domain=permit, deny=true
hits=133215, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
05-04-2017 10:51 AM
The packet-tracer is failing because there is no NAT configured for 192.168.1.2 on port 3389.
Yes, the access-list and access-group names have to be the same.
-AJ
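As an added illustration of the two points AJ makes above (the TCP/UDP mismatch in the syslog ACL from the earlier reply, and here the missing NAT match for 192.168.1.2:3389 plus the access-group having to name the ACL exactly), below is a small Python checker. It is not part of this thread or of Cisco's tooling. It parses the object NAT, access-list and access-group lines in the ASA syntax shown in the thread and mimics the UN-NAT and inbound ACCESS-LIST phases of packet-tracer for a packet arriving at the OUTSIDE interface address. The sample config is constructed from the rules posted in the thread; the parser covers only static interface PAT and the host/any/object ACE forms used here, and the phase model is a deliberate simplification (no to-the-box, same-security or outbound ACL handling).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Service keywords the ASA shows in place of port numbers (subset, constructed for this example).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "syslog": 514, "domain": 53}


def port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


@dataclass
class Nat:                 # object NAT: static interface PAT for one service
    obj: str
    real_ip: str
    proto: str
    real_port: int
    mapped_port: int


@dataclass
class Ace:                 # one permit entry of an access-list
    acl: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]


NAT_RE = re.compile(r"nat \(\w+,\w+\) static interface service (tcp|udp) (\S+) (\S+)$")
ADDR = r"(any4?|host \S+|object \S+)"
ACE_RE = re.compile(rf"access-list (\S+)(?: extended)? permit (\w+) {ADDR} {ADDR}(?: eq (\S+))?")


def parse(config: str):
    """Collect object hosts, object NAT rules, ACEs and access-group bindings."""
    nats: List[Nat] = []
    aces: List[Ace] = []
    groups: Dict[Tuple[str, str], str] = {}   # (interface, direction) -> ACL name
    objects: Dict[str, str] = {}              # object name -> host address
    cur = None                                # object whose stanza we are inside
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            cur = line.split()[-1]
        elif line.startswith("host ") and cur:
            objects[cur] = line.split()[1]
        elif (m := NAT_RE.match(line)) and cur:
            nats.append(Nat(cur, objects[cur], m[1], port(m[2]), port(m[3])))
        elif m := ACE_RE.match(line):
            aces.append(Ace(m[1], m[2], m[3], m[4], port(m[5]) if m[5] else None))
        elif line.startswith("access-group "):
            _, name, direction, _, ifc = line.split()
            groups[(ifc, direction)] = name
    return nats, aces, groups, objects


def addr_match(spec: str, ip: str, objects: Dict[str, str]) -> bool:
    if spec in ("any", "any4"):
        return True
    kind, name = spec.split()
    return (objects.get(name) if kind == "object" else name) == ip


def trace(config: str, ifc: str, proto: str, src: str, dport: int) -> Tuple[str, str]:
    """Mimic packet-tracer's UN-NAT and inbound ACCESS-LIST phases for a packet that arrives
    on `ifc` addressed to the interface IP. Returns (verdict, reason)."""
    nats, aces, groups, objects = parse(config)
    # UN-NAT: static interface PAT is keyed on protocol and the *mapped* port
    nat = next((n for n in nats if n.proto == proto and n.mapped_port == dport), None)
    if nat is None:
        return "DROP", f"no static NAT maps {proto}/{dport} on the {ifc} interface address"
    # ACCESS-LIST: the inbound ACL is evaluated against the real (untranslated) destination
    acl = groups.get((ifc, "in"))
    if acl is None:
        return "DROP", f"no access-group bound inbound on {ifc}"
    entries = [a for a in aces if a.acl == acl]
    if not entries:
        return "DROP", f"access-group on {ifc} names ACL {acl!r}, which has no entries"
    for a in entries:
        if (a.proto in (proto, "ip") and addr_match(a.src, src, objects)
                and addr_match(a.dst, nat.real_ip, objects) and a.dport in (None, nat.real_port)):
            return "ALLOW", f"{acl} permits {proto} to {nat.obj} {nat.real_ip}:{nat.real_port}"
    return "DROP", f"implicit deny: {acl} has no {proto} entry for {nat.real_ip}:{nat.real_port}"


# Constructed sample assembled from the rules posted in this thread (ACL name is assumed).
SAMPLE = """
object network SYSLOG_SERVER
 host 192.168.2.12
 nat (INSIDE,OUTSIDE) static interface service udp 514 514
object network RemoteDesktop
 host 192.168.2.5
 nat (INSIDE,OUTSIDE) static interface service tcp 3389 33399
access-list OUTSIDE_in extended permit tcp host 192.168.1.1 host 192.168.2.12 eq 514
access-list OUTSIDE_in extended permit tcp any host 192.168.2.5 eq 3389
access-group OUTSIDE_in in interface OUTSIDE
"""
FIXED = SAMPLE.replace("permit tcp host 192.168.1.1", "permit udp host 192.168.1.1")

if __name__ == "__main__":
    for cfg, proto, src, dport in [(SAMPLE, "udp", "192.168.1.1", 514),
                                   (FIXED, "udp", "192.168.1.1", 514),
                                   (FIXED, "tcp", "1.1.1.1", 3389),
                                   (FIXED, "tcp", "1.1.1.1", 33399)]:
        print(proto, dport, *trace(cfg, "OUTSIDE", proto, src, dport))
```

Running it reproduces the thread's three failures in order: the syslog ACE written for tcp falls through to the implicit deny until it is changed to udp; a tcp packet to the interface address on 3389 never matches the NAT rule because the mapped port is 33399; and an access-group that names an ACL with no entries drops everything, which is why the bound ACL and the ACEs must share the exact same name.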
05-04-2017 11:23 AM
Hi AJ,
Thank you so much, it seems to be working now. I appreciate all the help.
05-04-2017 11:37 AM
Happy to help!
05-09-2017 09:51 AM
Hi AJ,
Good day and sorry to bug you again. When you get a chance, can you please let me know why the syslog traffic is not passing through? I verified the router via show logging and it is generating logs; however, I checked the capture and no syslog traffic is coming in to the outside interface from the router. Please see below.
---------------------------------------------------------------
Router(config)#logging host 192.168.2.12 transport udp port 514
---------------------------------------------------------------
ASA Config allowing udp 514
-----------------------------
object network SYSLOG_SERVER
host 192.168.2.12
nat (INSIDE,OUTSIDE) static interface service udp 514 514
access-list RouterToSyslog permit udp host 192.168.1.1 host 192.168.2.12 eq 514
-----------------------------
Packet Tracer Result
-----------------------------
ASA(....)#capture capin interface outside match udp any host 192.168.1.2 eq 514
ASA(config-network-object)# show cap capin
0 packet captured
0 packet shown
----------------------------------------------------------------
ASA(config-network-object)# packet-tracer input outside udp 192.168.1.1 514 192.168.1.2 514 detailed
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network SYSLOG_SERVER
nat (INSIDE,OUTSIDE) static interface service udp syslog syslog
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 192.168.1.2/514 to 192.168.2.12/514
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 OUTSIDE
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OutsideToLinuxServer in interface OUTSIDE
access-list OutsideToLinuxServer extended permit ip any any log disable
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae7ca8f0, priority=13, domain=permit, deny=false
hits=111061, user_data=0xab6b7580, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad9716c0, priority=0, domain=nat-per-session, deny=true
hits=22516521, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaa347f68, priority=0, domain=inspect-ip-options, deny=true
hits=21705799, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any
Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae0f0480, priority=20, domain=lu, deny=false
hits=12532, user_data=0x0, cs_id=0x0, flags=0x0, protocol=17
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any
Phase: 7
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaec98c40, priority=18, domain=flow-export, deny=false
hits=395760, user_data=0xadafa7a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaf270478, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=267343, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any
Phase: 9
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_out out interface INSIDE
access-list inside_access_out extended permit ip any4 any4
Additional Information:
Forward Flow based lookup yields rule:
out id=0xadae3fc0, priority=13, domain=permit, deny=false
hits=505301, user_data=0xab6b7a80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=INSIDE
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network SYSLOG_SERVER
nat (INSIDE,OUTSIDE) static interface service udp syslog syslog
Additional Information:
Forward Flow based lookup yields rule:
out id=0xae7a9558, priority=6, domain=nat-reverse, deny=false
hits=2, user_data=0xaf64cef0, cs_id=0x0, use_real_addr, flags=0x0, protocol=17
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=192.168.2.12, mask=255.255.255.255, port=514, tag=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=INSIDE
Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xaeda8aa8, priority=0, domain=user-statistics, deny=false
hits=20906846, user_data=0xadaf0e90, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=INSIDE
Phase: 12
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xad9716c0, priority=0, domain=nat-per-session, deny=true
hits=22516523, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xa9881dc0, priority=0, domain=inspect-ip-options, deny=true
hits=21693191, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=INSIDE, output_ifc=any
Phase: 14
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xaedab1c8, priority=0, domain=user-statistics, deny=false
hits=20842114, user_data=0xadaf0e90, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=OUTSIDE
Phase: 15
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 22474367, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: allow
05-09-2017 10:23 AM
Hello,
Looks like the router is not initiating syslog traffic. The capture does not show anything on the ASA, which proves that nothing is coming to the ASA.
Please check the router config. Not an expert on routers, but have you set up the traps on the router:
logging trap
If you take output of show logging, you might get some hint.
https://supportforums.cisco.com/document/24661/how-configure-logging-cisco-ios
-AJ