10-18-2012 10:12 AM - edited 03-11-2019 05:11 PM
hi,
What will be the packet-tracer syntax to check if outside interface traffic is allowed to get to inside networks?
thanks
mark
10-19-2012 12:38 PM
Hello Mark,
static (inside,outside) tcp interface www 10.1.1.57 www netmask 255.255.255.255
access-list acl-outside extended permit ip 10.170.0.0 255.255.255.0 host 10.8.8.1
You are trying to connect from the lowest security level interface ( outside) to the highest security level interface (inside).
So by default the traffic will be denied unless you configure an ACL allowing the traffic on the outside interface.
So we will need to create one ACL for this traffic.
Now let's talk about the NAT.
There are different kinds of NAT rules. Ones will work unidirectional and others bidirectional.
In this case, as the connection will be initiated from the outside world, we need one that allows inbound connections on our ASA, and we will use a port-mapping rule to do it. So a port-forwarding rule (which will be unidirectional and inbound) is what we will do.
static (inside,outside) tcp interface www 10.1.1.57 www netmask 255.255.255.255 says:
If the ASA receives a packet on port 80 on the outside interface, forward it to the host 10.1.1.57 on port 80, provided the connection is allowed via an ACL.
So the ACL access-list acl-outside extended permit ip 10.170.0.0 255.255.255.0 host 10.8.8.1 is required.
That's it! Please check your inbox here on the Cisco Support Community.
Regards
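The accepted answer's point, that on this (pre-8.3) ASA code the ACL bound to the outside interface must permit the mapped (global) address rather than the real inside host, is easy to get wrong by hand. What follows is an added example, not code from the thread or from Cisco: a small Python audit that parses static, access-list and access-group lines and reports, per port-forward, whether the bound ACL permits the mapped address, the real address, or neither, and builds the packet-tracer command that exercises the rule from the outside. The outside interface address 10.8.8.1 is an assumption taken from the trace's "static translation to 10.8.8.1/80" line, both configuration samples are constructed from the lines posted in this thread, and the port-name table covers only a handful of common names.

```python
"""Audit pre-8.3 ASA port-forwards against the inbound ACL on the mapped interface."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25, "domain": 53}

# Assumed: the outside interface address. The thread never prints it directly;
# 10.8.8.1 is taken from the "static translation to 10.8.8.1/80" trace line.
INTERFACE_IPS = {"outside": "10.8.8.1"}

# Constructed sample: the configuration as posted in the thread (ACL hits the real host).
BROKEN_CONFIG = """\
static (inside,outside) tcp interface www 10.1.1.57 www netmask 255.255.255.255
access-list acl-outside extended permit ip 10.170.0.0 255.255.255.0 host 10.1.1.57
access-group acl-outside in interface outside
"""
# Constructed sample: the same config with the ACL pointed at the mapped address.
FIXED_CONFIG = BROKEN_CONFIG.replace("host 10.1.1.57", "host 10.8.8.1")

Static = namedtuple("Static", "real_if mapped_if proto mapped_ip mapped_port real_ip real_port")
Ace = namedtuple("Ace", "name action proto src dst dport")

def port_number(tok):
    return PORT_NAMES.get(tok, int(tok) if tok.isdigit() else None)

def _take_addr(toks):
    """Consume one address spec (any | host A.B.C.D | NET MASK) from a token list."""
    if toks[0] == "any":
        return "any", toks[1:]
    if toks[0] == "host":
        return toks[1], toks[2:]
    return f"{toks[0]}/{toks[1]}", toks[2:]

def parse_static(line, interface_ips):
    toks = line.split()
    real_if, mapped_if = toks[1].strip("()").split(",")
    if toks[2] in ("tcp", "udp"):                     # port-forward (PAT) form
        proto, mapped_ip, real_ip = toks[2], toks[3], toks[5]
        mapped_port, real_port = port_number(toks[4]), port_number(toks[6])
    else:                                             # one-to-one form
        proto, mapped_ip, real_ip = "ip", toks[2], toks[3]
        mapped_port = real_port = None
    if mapped_ip == "interface":                      # keyword = the mapped interface's own IP
        mapped_ip = interface_ips[mapped_if]
    return Static(real_if, mapped_if, proto, mapped_ip, mapped_port, real_ip, real_port)

def parse_ace(line):
    toks = line.split()            # access-list NAME extended ACTION PROTO SRC DST [eq PORT]
    src, rest = _take_addr(toks[5:])
    dst, rest = _take_addr(rest)
    dport = port_number(rest[1]) if rest[:1] == ["eq"] else None
    return Ace(toks[1], toks[3], toks[4], src, dst, dport)

def addr_contains(spec, ip):
    if spec == "any":
        return True
    if "/" in spec:
        return ip_address(ip) in ip_network(spec, strict=False)
    return spec == ip

def ace_permits(ace, s, ip):
    """Does this ACE permit the static's protocol/port towards destination ip?"""
    proto_ok = "ip" in (ace.proto, s.proto) or ace.proto == s.proto
    port_ok = ace.dport is None or s.mapped_port is None or ace.dport == s.mapped_port
    return ace.action == "permit" and proto_ok and port_ok and addr_contains(ace.dst, ip)

def audit(config_text, interface_ips=INTERFACE_IPS):
    """One finding string per static; the mapped (global) address is what the ACL must permit."""
    statics, aces, groups = [], [], {}
    for line in config_text.splitlines():
        if line.startswith("static "):
            statics.append(parse_static(line, interface_ips))
        elif line.startswith("access-list ") and " extended " in line:
            aces.append(parse_ace(line))
        elif line.startswith("access-group "):        # access-group NAME in interface IF
            t = line.split()
            groups[t[4]] = t[1]
    findings = []
    for s in statics:
        target = f"{s.mapped_ip}/{s.proto}/{s.mapped_port}"
        acl = groups.get(s.mapped_if)
        if acl is None:
            findings.append(f"{target}: no access-group on {s.mapped_if}; inbound flow hits the implicit deny")
            continue
        entries = [a for a in aces if a.name == acl]
        if any(ace_permits(a, s, s.mapped_ip) for a in entries):
            findings.append(f"{target}: OK, {acl} permits the mapped address")
        elif any(ace_permits(a, s, s.real_ip) for a in entries):
            findings.append(f"{target}: {acl} permits only the real address {s.real_ip}; "
                            f"pre-8.3 ACLs must reference the mapped address {s.mapped_ip}")
        else:
            findings.append(f"{target}: {acl} has no permit for the mapped address")
    return findings

def packet_tracer_cmd(s, src_ip, src_port=1025):
    """The packet-tracer line that exercises this static from the mapped side."""
    proto = "tcp" if s.proto == "ip" else s.proto
    return f"packet-tracer input {s.mapped_if} {proto} {src_ip} {src_port} {s.mapped_ip} {s.mapped_port or 80}"

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg))
```

Run as-is, the "broken" sample reports that acl-outside only permits the real address 10.1.1.57, which is the configuration that produced the acl-drop in this thread, and the "fixed" sample passes. packet_tracer_cmd() on the static produces the same command Julio asked Mark to run: packet-tracer input outside tcp 10.170.0.5 1025 10.8.8.1 80, i.e. the destination is the mapped address, not the inside host.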
10-18-2012 10:55 AM
Hello Mark,
packet-tracer input outside {tcp|udp|icmp} outside_host_ip 1025 (random port) internal_global_ip 80 (specific application port)
Regards
10-18-2012 12:02 PM
Hi Julio,
Thank you for your reply. It shows that it is blocked. I have attached the config; please review it to see what's missing. I appreciate your help.
thanks
mark
asa# packet-tracer input outside tcp 10.170.0.5 1025 10.1.1.57 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.1.57 255.255.255.255 inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
asa#
10-18-2012 12:03 PM
Hello,
Please attach the config again
10-18-2012 12:04 PM
sorry, config attached
10-18-2012 12:11 PM
Hello Mark,
Do:
static (inside,outside) tcp interface 80 10.1.1.57 80
access-group acl-outside in interface outside
Then give it a try
10-18-2012 12:27 PM
Hi,
It failed. Here is the output and the configuration I added; the access-group doesn't show up in the configuration:
static (inside,outside) tcp interface www 10.1.1.57 www netmask 255.255.255.255
asa# int vlan 2
asa(config-if)# access-group acl-outside in interface outside
asa# packet-tracer input outside tcp 10.170.0.5 1025 10.1.1.57 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.1.57 255.255.255.255 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl-outside in interface outside
access-list acl-outside extended permit ip 10.170.0.0 255.255.255.0 host 10.1.1.57
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (inside,outside) tcp interface www 10.1.1.57 www netmask 255.255.255.255
match tcp inside host 10.1.1.57 eq 80 outside any
static translation to 10.8.8.1/80
translate_hits = 0, untranslate_hits = 0
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
asa#
thanks
mark
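Both traces in this thread end with the same line, "Drop-reason: (acl-drop) Flow is denied by configured rule", even though this one was dropped in the NAT rpf-check phase after the ACL had already allowed the packet. The useful information is the first phase whose Result is DROP and the rule it cites. As an added example (not code from the thread or from Cisco), here is a Python parser for packet-tracer output that splits the text into phases plus the final result block and reports the dropping phase; SAMPLE_TRACE is a condensed copy of the trace above, constructed for the example.

```python
"""Parse ASA packet-tracer output and name the phase that dropped the flow."""

# Constructed sample: a condensed copy of the second trace posted in the thread.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.1.57 255.255.255.255 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl-outside in interface outside
access-list acl-outside extended permit ip 10.170.0.0 255.255.255.0 host 10.1.1.57
Additional Information:
Phase: 3
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (inside,outside) tcp interface www 10.1.1.57 www netmask 255.255.255.255
match tcp inside host 10.1.1.57 eq 80 outside any
static translation to 10.8.8.1/80
translate_hits = 0, untranslate_hits = 0
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_trace(text):
    """Return (phases, final): phases is a list of dicts, final is the trailing Result block."""
    phases, final = [], {}
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":                 # a bare "Result:" opens the final summary block
            cur, section = None, "final"
        elif section == "final":
            key, _, value = line.partition(":")
            final[key.strip()] = value.strip()
        elif cur is not None:
            if line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif section in ("config", "info"):
                cur[section].append(line)       # rule / annotation lines belong to the open section
            else:
                key, _, value = line.partition(":")
                cur[key.strip().lower()] = value.strip()
    return phases, final


def drop_phase(text):
    """(number, type, subtype, config lines) of the first phase whose Result is DROP, or None."""
    for p in parse_trace(text)[0]:
        if p["result"] == "DROP":
            return p["phase"], p["type"], p["subtype"], p["config"]
    return None


def summarize(text):
    """One-line verdict keyed on the dropping phase rather than on the generic Drop-reason."""
    phases, final = parse_trace(text)
    hit = drop_phase(text)
    if hit is None:
        return f"ALLOW after {len(phases)} phases"
    num, ptype, sub, cfg = hit
    rule = cfg[0] if cfg else "(no config cited)"
    return (f"DROP in phase {num} {ptype}/{sub or '-'}; rule: {rule}; "
            f"reported reason: {final.get('Drop-reason', '')}")


if __name__ == "__main__":
    print(summarize(SAMPLE_TRACE))
```

On the sample the summary reads "DROP in phase 3 NAT/rpf-check; rule: static (inside,outside) tcp interface www 10.1.1.57 www netmask 255.255.255.255; ...", which points at the NAT rule rather than at the ACL the generic reason suggests. The same function applied to the earlier trace in this thread would report phase 2 ACCESS-LIST with the cited rule "Implicit Rule", the case where no access-group was bound to the outside interface.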
10-18-2012 12:38 PM
Hello Mark,
Packet tracer syntax is wrong
Do the following
no route inside 10.1.1.57 255.255.255.255 10.1.1.2 1
no route inside 10.1.1.0 255.255.255.0 10.1.1.2 1
Then
packet-tracer input outside tcp 10.170.0.5 1025 10.8.8.1 80
Remember to rate all of the helpful posts
10-18-2012 12:56 PM
Hi,
It won't let me add the route:
ERROR: Cannot add route, connected route exists
All outside traffic needs to go to that single address.
thks
mark
10-18-2012 12:59 PM
Hello Mark,
Do not worry, actually I was trying to remove it.
Please run the packet tracer I sent
Remember to rate all of the helpful posts
10-18-2012 01:19 PM
Hi,
Here is the output; denied.
asa# packet-tracer input outside tcp 10.170.0.5 1025 10.8.8.1 80
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp interface www 10.1.1.57 www netmask 255.255.255.255
match tcp inside host 10.1.1.57 eq 80 outside any
static translation to 10.8.8.1/80
translate_hits = 0, untranslate_hits = 3
Additional Information:
NAT divert to egress interface inside
Untranslate 10.8.8.1/80 to 10.1.1.57/80 using netmask 255.255.255.255
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
asa#
thks
mark
10-18-2012 02:24 PM
Hello Mark,
Show run access-group
If nothing comes out add the following
access-group acl-outside in interface outside
10-19-2012 07:08 AM
Hi Julio,
Sorry for the late reply; it shows up:
asa# sh run access-group
access-group acl-outside in interface outside
asa#
thks
mark
10-19-2012 09:22 AM
Hello Mark,
That is weird; it looks like we have all we need.
Can you share the updated configuration, please, so I can analyze it?
Regards.
Julio
10-19-2012 10:01 AM