Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5118
Views
5
Helpful
22
Replies

ASA 5510 Port Forwarding Issue

Go to solution
limjohn23
Level 1
Level 1

‎05-01-2017 12:59 PM - edited ‎03-12-2019 02:17 AM

Please help,

For some reason I keep getting denied when configuring port forwarding on an ASA 5510. The current topology is Internet----Modem-----Router--------ASA 5510 (Active/Standby)---------Inside------PHP_TEST

 

If I am allowing to open a web server 192.168.2.5 to be accessed from OUTSIDE with the configuration below, I keep getting denied. Can you please advise what configuration needed. Thanks in advance.

 

object network PHP_TEST

     host 192.168.2.5

nat (INSIDE,OUTSIDE) static interface service tcp 80 80

access-list OutsideToPHPServer permit tcp any host 192.168.2.5 eq www

access-group OutsideToPHPServer in interface OUTSIDE

---------------------------------------------------------------------------

 

Below is my configuration, which I omitted unnecessary config for this issue.

: Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz

 

ASA Version 9.1(6)

!

hostname XXXXXXXXXXXXXXXX

domain-name XXXXXXXXXXXXXXXXXXXXXXX

enable password XXXXXXXXXXXXXXXXX encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd XXXXXXXXXXXXXXXX encrypted

names

dns-guard

ip local pool RVPN_User 10.0.0.1-10.0.0.10 mask 255.255.255.0

!

interface Ethernet0/0

description *** Connection to Router Plutus ***

nameif OUTSIDE

security-level 0

ip address 192.168.1.2 255.255.255.0 standby 192.168.1.10

!

interface Ethernet0/1

description *** Connection to DMZ Zone ***

nameif DMZ

security-level 55

ip address 192.168.3.1 255.255.255.0 standby 192.168.3.10

!

interface Ethernet0/2

description *** Connection to LAN ***

nameif INSIDE

security-level 55

ip address 192.168.2.1 255.255.255.0 standby 192.168.2.10

!

interface Ethernet0/3

description *** Available Link ***

shutdown

nameif DMZ2

security-level 55

ip address 192.168.5.1 255.255.255.0

!

interface Management0/0

description LAN Failover Interface

management-only

!

!

 

boot system disk0:/asa916-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns domain-lookup OUTSIDE

dns server-group DefaultDNS

name-server 208.67.222.222

name-server 208.67.220.220

domain-namexxxxxxxxxxxxxxxxxxxxxxxxxx

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network PHP_TEST

host 192.168.2.5

 

object network dmz-subnet

subnet 192.168.3.0 255.255.255.0

object network inside-subnet

subnet 192.168.2.0 255.255.255.0

object network Outside_Network

subnet 192.168.1.0 255.255.255.0

object network NETWORK_OBJ_10.0.0.0_28

subnet 10.0.0.0 255.255.255.240

 

object service HTTP

service tcp source eq www

object-group service DM_INLINE_SERVICE_2

service-object tcp-udp destination eq www

service-object tcp destination eq www

service-object udp destination eq www

object-group network DMZ-subnet

network-object 192.168.3.0 255.255.255.0

object-group network opendns-servers

network-object host 208.67.220.220

network-object host 208.67.220.222

object-group network googledns-servers

network-object host 8.8.4.4

network-object host 8.8.8.8

object-group service DM_INLINE_SERVICE_1

service-object tcp destination eq www

service-object udp destination eq www

access-list OUTSIDE_access_in extended permit ip any4 any4

access-list DMZ_access_in extended permit ip any4 any4 log disable

access-list OUTSIDE_access_in_1 extended permit ip any any log disable

access-list outside_acl extended permit ip any4 192.168.3.0 255.255.255.0 log disable

access-list outside_acl extended permit ip any4 any4

access-list inbound extended permit ip any4 any4 log disable

access-list global_mpc extended permit ip any any

access-list inside_access_in extended permit ip any4 any4 log disable

access-list inside_access_out extended permit ip any4 any4

pager lines 24

logging enable

logging timestamp

logging trap informational

logging asdm informational

logging host INSIDE 192.168.2.12

no logging message 106015

no logging message 313001

no logging message 313008

no logging message 106023

no logging message 710003

no logging message 106100

no logging message 302015

no logging message 302014

no logging message 302013

no logging message 302018

no logging message 302017

no logging message 302016

no logging message 302021

no logging message 302020

flow-export destination INSIDE 192.168.2.12 2055

mtu OUTSIDE 1500

mtu DMZ 1500

mtu INSIDE 1500

mtu DMZ2 1500

ip verify reverse-path interface OUTSIDE

failover

failover lan unit primary

failover lan interface FAILOVER Management0/0

failover key *****

failover interface ip FAILOVER 172.16.254.254 255.255.255.0 standby 172.16.254.250

icmp unreachable rate-limit 1 burst-size 1

icmp permit any OUTSIDE

icmp permit any DMZ

icmp permit 192.168.3.0 255.255.255.0 DMZ

asdm image disk0:/asdm-771.bin

asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (INSIDE,OUTSIDE) source static PHP_TEST PHP_TEST service HTTP HTTP

!

object network dmz-subnet

nat (DMZ,OUTSIDE) dynamic interface

object network inside-subnet

nat (INSIDE,OUTSIDE) dynamic interface

access-group OUTSIDE_access_in_1 in interface OUTSIDE

access-group DMZ_access_in in interface DMZ

access-group inside_access_out out interface INSIDE

route OUTSIDE 0.0.0.0 0.0.0.0 192.168.1.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

 

no snmp-server location

no snmp-server contact

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map OUTSIDE_map interface OUTSIDE

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=APOLLO

crl configure

crypto ca trustpool policy

 

  quit

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable OUTSIDE client-services port 443

crypto ikev2 remote-access trustpoint ASDM_TrustPoint0

telnet timeout 5

no ssh stricthostkeycheck

ssh 192.168.1.0 255.255.255.0 OUTSIDE

ssh 192.168.3.0 255.255.255.0 DMZ

ssh 192.168.2.0 255.255.255.0 INSIDE

ssh timeout 60

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcprelay timeout 60

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 216.239.35.0 source OUTSIDE prefer

ssl trust-point ASDM_TrustPoint0 INSIDE

ssl trust-point ASDM_TrustPoint0 OUTSIDE

ssl trust-point ASDM_TrustPoint0 DMZ2

ssl trust-point ASDM_TrustPoint0 DMZ

webvpn

 

!

class-map global-class

match access-list global_mpc

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class global-class

  flow-export event-type all destination 192.168.2.12

class inspection_default

  inspect esmtp

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect icmp

  inspect icmp error

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect sip

  inspect skinny

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect xdmcp

class class-default

  user-statistics accounting

!

service-policy global_policy global

Labels:
0 Helpful
22 Replies 22

Go to solution
limjohn23
Level 1
Level 1
In response to Ajay Saini

‎05-03-2017 02:27 PM

Hi AJ,

        I deleted my previous configuration and started it again. I am now able to do port forwarding. Many thanks again for your time and help. One more quick question, I am trying to send my Outside Router's syslog to Inside syslogserver. I assume that this is the same concept applies as http.  Please see below.

object network SYSLOG_SERVER
    host 192.168.2.12

nat (INSIDE,OUTSIDE) static interface service udp 514 514

access-list RouterToSyslog permit tcp host 192.168.1.1 host 192.168.2.12 eq 514

access-group RouterToSyslog in interface OUTSIDE

 packet-tracer input outside tcp 192.168.1.1 514 192.168.1.2 515 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.2     255.255.255.255 identity

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   OUTSIDE

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae9f3ef0, priority=1, domain=nat-per-session, deny=true
        hits=1223965, user_data=0x0, cs_id=0x0, reverse, use_real_addr,                               flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae09e320, priority=0, domain=permit, deny=true
        hits=125727, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x10                              00, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


0 Helpful

Go to solution
Ajay Saini
Level 7
Level 7
In response to limjohn23

‎05-04-2017 05:43 AM

NAT is correct, access-list is incorrect:

It is allowing tcp, we need udp:

what you have:

access-list RouterToSyslog permit tcp host 192.168.1.1 host 192.168.2.12 eq 514

we need below:

access-list RouterToSyslog permit udp host 192.168.1.1 host 192.168.2.12 eq 514

Try and let me know:

-AJ

Go to solution
limjohn23
Level 1
Level 1
In response to Ajay Saini

‎05-04-2017 09:38 AM

Hi AJ,
     Many Thanks again and I greatly appreciate your help. When I ran the packet trace, it shows successful but not getting logs. I'll work on it later.
Anyways my priority is the RDP, with the configuration below, can you pin point why the configuration below keeps
dropping on implicit rule. Please see below with the result.

One more question: when running access-group and access-list, does it needs to be in the same name. All my http/https seems
to be working fine but those config in Access-rule is not showing under ASDM Outside Incoming .

---------------------------------------------------------------------------
object network RemoteDesktop
            host 192.168.2.5
nat (INSIDE,OUTSIDE) static interface service tcp 3389 33399
----------------------------------------------------------------------------
APOLLO(config)# sh run access-list
access-list OUTSIDE_access_in extended permit ip any4 any4
access-list DMZ_access_in extended permit ip any4 any4 log disable
access-list RemoteDesktop extended permit tcp any host 192.168.2.5 eq 3389
access-list outside_acl extended permit ip any4 any4
access-list inbound extended permit ip any4 any4 log disable
access-list global_mpc extended permit ip any any
access-list OutsideToPHPServer extended permit tcp any host 192.168.2.12 eq www
access-list OutsideToPHPServer extended permit ip any any log disable
access-list inside_access_in extended permit ip any4 any4 log disable
access-list inside_access_out extended permit ip any4 any4
access-list RouterToSyslog extended permit ip any any
access-list RouterToSyslog extended permit udp host 192.168.1.1 host 192.168.2.12 eq syslog
access-list OutsideToCam01 extended permit tcp any host 192.168.2.31 eq 8051
access-list OutsideToCam01 extended permit tcp any object PHP_TEST eq www log disable
access-list OutsideToCam01 extended permit udp host 192.168.1.1 object Syslog_Server eq syslog log disable
access-list OutsideToCam01 extended permit ip any any log disable
access-list OutsideToCam01 extended permit tcp any host 192.168.2.5 eq 3389
access-list OutsideToLinuxServer extended permit object-group RDP any host 192.168.2.5 log disable
access-list OutsideToLinuxServer extended permit ip any any log disable
--------------------------------------------------------------------------------
APOLLO(config)# sh run access-group
access-group OutsideToLinuxServer in interface OUTSIDE
access-group DMZ_access_in in interface DMZ
access-group inside_access_out out interface INSIDE
---------------------------------------------------------------------------------
APOLLO(config)# packet-tracer input outside tcp 1.1.1.1 33399 192.168.1.2 3389

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.2     255.255.255.255 identity

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         OUTSIDE

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae9f3ef0, priority=1, domain=nat-per-session, deny=true
        hits=1318590, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae09e320, priority=0, domain=permit, deny=true
        hits=133215, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

0 Helpful

Go to solution
Ajay Saini
Level 7
Level 7
In response to limjohn23

‎05-04-2017 10:51 AM

The packet-tracer is failing because there is no NAT configured for the 192.1681.2 on port 3389.

Yes, the access-list and access-group name have to be same. 

-

AJ

0 Helpful

Go to solution
limjohn23
Level 1
Level 1
In response to Ajay Saini

‎05-04-2017 11:23 AM

Hi AJ,

     Thank you so much, it seems to be working now. I appreciate all the help.

0 Helpful

Go to solution
Ajay Saini
Level 7
Level 7
In response to limjohn23

‎05-04-2017 11:37 AM

Happy to help!

0 Helpful

Go to solution
limjohn23
Level 1
Level 1
In response to Ajay Saini

‎05-09-2017 09:51 AM

Hi AJ,

   Good day and sorry to bug you again. When you get a chance can you please let me know why the syslog traffic is not passing through. I verified the router via show logging and it’s generating logs; however, I checked the capture and no syslog traffic coming in to outside interface from the router. Please see below.

---------------------------------------------------------------

Router(config)#logging host 192.168.2.12 transport udp port 514

---------------------------------------------------------------

ASA Config allowing udp 514

-----------------------------

object network SYSLOG_SERVER

    host 192.168.2.12

nat (INSIDE,OUTSIDE) static interface service udp 514 514

access-list RouterToSyslog permit udp host 192.168.1.1 host 192.168.2.12 eq 514

-----------------------------

Packet Tracer Result

-----------------------------

ASA(....)#capture capin interface outside match udp any host 192.168.1.2 eq 514

ASA(config-network-object)# show cap capin

0 packet captured

0 packet shown

----------------------------------------------------------------

ASA(config-network-object)# packet-tracer input outside udp 192.168.1.1 514 192.168.1.2 514 detailed

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network SYSLOG_SERVER

nat (INSIDE,OUTSIDE) static interface service udp syslog syslog

Additional Information:

NAT divert to egress interface INSIDE

Untranslate 192.168.1.2/514 to 192.168.2.12/514

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.1.0     255.255.255.0   OUTSIDE

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group OutsideToLinuxServer in interface OUTSIDE

access-list OutsideToLinuxServer extended permit ip any any log disable

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xae7ca8f0, priority=13, domain=permit, deny=false

       hits=111061, user_data=0xab6b7580, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

       src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

       dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

       input_ifc=OUTSIDE, output_ifc=any

Phase: 4

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xad9716c0, priority=0, domain=nat-per-session, deny=true

       hits=22516521, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0

       src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

       dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

       input_ifc=any, output_ifc=any

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xaa347f68, priority=0, domain=inspect-ip-options, deny=true

       hits=21705799, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

       src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

       dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

       input_ifc=OUTSIDE, output_ifc=any

Phase: 6

Type: FOVER

Subtype: standby-update

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xae0f0480, priority=20, domain=lu, deny=false

       hits=12532, user_data=0x0, cs_id=0x0, flags=0x0, protocol=17

       src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

       dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

       input_ifc=OUTSIDE, output_ifc=any

Phase: 7

Type: FLOW-EXPORT

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xaec98c40, priority=18, domain=flow-export, deny=false

       hits=395760, user_data=0xadafa7a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

       src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

       dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

       input_ifc=OUTSIDE, output_ifc=any

Phase: 8

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xaf270478, priority=13, domain=ipsec-tunnel-flow, deny=true

       hits=267343, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

       src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

       dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

       input_ifc=OUTSIDE, output_ifc=any

Phase: 9

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_out out interface INSIDE

access-list inside_access_out extended permit ip any4 any4

Additional Information:

Forward Flow based lookup yields rule:

out id=0xadae3fc0, priority=13, domain=permit, deny=false

       hits=505301, user_data=0xab6b7a80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

       src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

       dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

       input_ifc=any, output_ifc=INSIDE

Phase: 10

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

object network SYSLOG_SERVER

nat (INSIDE,OUTSIDE) static interface service udp syslog syslog

Additional Information:

Forward Flow based lookup yields rule:

out id=0xae7a9558, priority=6, domain=nat-reverse, deny=false

       hits=2, user_data=0xaf64cef0, cs_id=0x0, use_real_addr, flags=0x0, protocol=17

       src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

       dst ip/id=192.168.2.12, mask=255.255.255.255, port=514, tag=0, dscp=0x0

       input_ifc=OUTSIDE, output_ifc=INSIDE

Phase: 11

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0xaeda8aa8, priority=0, domain=user-statistics, deny=false

       hits=20906846, user_data=0xadaf0e90, cs_id=0x0, reverse, flags=0x0, protocol=0

       src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

       dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

       input_ifc=any, output_ifc=INSIDE

Phase: 12

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xad9716c0, priority=0, domain=nat-per-session, deny=true

       hits=22516523, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0

       src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

       dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

       input_ifc=any, output_ifc=any

Phase: 13

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xa9881dc0, priority=0, domain=inspect-ip-options, deny=true

       hits=21693191, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

       src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

       dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

       input_ifc=INSIDE, output_ifc=any

Phase: 14

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

out id=0xaedab1c8, priority=0, domain=user-statistics, deny=false

       hits=20842114, user_data=0xadaf0e90, cs_id=0x0, reverse, flags=0x0, protocol=0

       src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

       dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

       input_ifc=any, output_ifc=OUTSIDE

Phase: 15

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 22474367, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: OUTSIDE

input-status: up

input-line-status: up

output-interface: INSIDE

output-status: up

output-line-status: up

Action: allow

0 Helpful

Go to solution
Ajay Saini
Level 7
Level 7
In response to limjohn23

‎05-09-2017 10:23 AM

Hello, 

Looks like the router is not initiating syslog traffic. The captures does not show anything on ASA, that proves that nothing is coming to ASA.

Please check on router config. Not an expert on routers, but have you set up the traps on router:

logging trap

If you take output of show logging, you might get some hint.

https://supportforums.cisco.com/document/24661/how-configure-logging-cisco-ios

-AJ

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card