08-21-2019 11:49 AM
Hi everyone, I encountered a really strange problem and tried different ways but can't solve it: the ASA 5515 9.1 is not able to allow traffic from inside to outside.
Any suggestion is much appreciated. Keith
Here is the sanitized config:
asa# sh run
: Saved
:
ASA Version 9.1(1)
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address x.x.x.10 255.255.255.192
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.248
!
access-list INSIDE_IN extended permit ip any any
access-list INSIDE_IN extended permit icmp any any
access-list OUTSIDE_OUT extended permit ip any any
access-list OUTSIDE_OUT extended permit icmp any any
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any unreachable outside
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
nat (inside,outside) after-auto source dynamic any interface
access-group OUTSIDE-IN in interface outside
access-group OUTSIDE_OUT out interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.65 1
route inside 10.57.1.0 255.255.255.0 10.1.1.2 1
...
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
...
end
Ping from my laptop (IP 10.1.1.3, connected to g0/1):
ping 8.8.8.8
asa# ICMP echo request from inside:10.1.1.3 to outside:8.8.8.8 ID=1 seq=46 len=32
ICMP echo request translating inside:10.1.1.3 to outside:x.x.x.10
ICMP echo request from inside:10.1.1.3 to outside:8.8.8.8 ID=1 seq=47 len=32
ICMP echo request translating inside:10.1.1.3 to outside:x.x.x.10
And no other traffic can go outside.
asa# packet-tracer input inside icmp 10.1.1.3 8 0 8.8.8.8
Everything is ALLOW
asa# packet-tracer input outside icmp 8.8.8.8 8 0 10.1.1.3
Up to here everything is ALLOW
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) after-auto source dynamic any interface
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
08-21-2019 12:03 PM
Hi,
Can you ping the default gateway (upstream ISP router) from the ASA itself? If that works can you traceroute to 8.8.8.8 and see where it stops.
Your ACL on the outside interface should be configured in the "in" direction, the ACL "OUTSIDE-IN" you appear to have defined does not exist.
access-list INSIDE_IN extended permit ip any any
access-list INSIDE_IN extended permit icmp any any
access-list OUTSIDE_OUT extended permit ip any any
access-list OUTSIDE_OUT extended permit icmp any any
access-group OUTSIDE-IN in interface outside
Also the packet-tracer you ran from outside to inside would not work. You have a dynamic NAT, not a static 1:1 NAT.
HTH
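The mistakes the reply above points at (an access-group naming an ACL that has no entries, an ACL that is defined but never applied, and a dynamic NAT that cannot admit an outside-initiated flow) are easy to catch mechanically before staring at packet-tracer output. The script below is an added example written for this thread; it is not code from the posters or from Cisco. It parses only the lines the thread shows (twice/manual `nat` rules, `access-list ... extended|standard`, `access-group`, `nameif`), and the two sample configs are constructed from the sanitized config in the original post and from the corrected one in the final reply.

```python
"""Lint an ASA running-config for the access-list / access-group / NAT
mismatches discussed in this thread.

Added example, not code from the original posters or from Cisco. It reports:
  - an access-group that names an ACL with no access-list entries,
  - an ACL that is defined but never applied with access-group,
  - a named interface with no inbound ("in") access-group,
  - a dynamic NAT/PAT rule, as a note that an inbound-initiated flow through it
    fails packet-tracer's NAT rpf-check (a static NAT is needed for that).
"""
import re

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended|standard)\s")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")
NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)")
# Twice (manual) NAT only; object NAT lines are indented and are not parsed here.
NAT_RE = re.compile(r"^nat\s+\(([^,]+),([^)]+)\)\s+.*?\bsource\s+(static|dynamic)\b")

# Constructed sample: the relevant lines of the broken config from the first post.
BROKEN_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
access-list INSIDE_IN extended permit ip any any
access-list INSIDE_IN extended permit icmp any any
access-list OUTSIDE_OUT extended permit ip any any
access-list OUTSIDE_OUT extended permit icmp any any
nat (inside,outside) after-auto source dynamic any interface
access-group OUTSIDE-IN in interface outside
access-group OUTSIDE_OUT out interface outside
"""

# Constructed sample: the same config plus the lines added in the final reply.
FIXED_CONFIG = BROKEN_CONFIG + """\
access-list OUTSIDE-IN extended permit icmp any any
access-list OUTSIDE-IN extended permit ip any any
access-group INSIDE_IN in interface inside
"""


def parse(config):
    """Return (ACL names that have entries, access-group tuples, nameifs, NAT tuples)."""
    acls, groups, ifaces, nats = set(), [], [], []
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m:
            acls.add(m.group(1))
            continue
        m = GROUP_RE.match(line)
        if m:
            groups.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = NAMEIF_RE.match(line)
        if m:
            ifaces.append(m.group(1))
            continue
        m = NAT_RE.match(line)
        if m:
            nats.append((m.group(1).strip(), m.group(2).strip(), m.group(3)))
    return acls, groups, ifaces, nats


def lint(config):
    """Return a list of (code, subject, message) findings in a stable order."""
    acls, groups, ifaces, nats = parse(config)
    findings, applied = [], set()
    for acl, direction, iface in groups:
        applied.add(acl)
        if acl not in acls:
            findings.append(("undefined-acl", acl,
                             f"access-group applies {acl} {direction} on {iface} but no "
                             f"'access-list {acl}' entries exist (typo such as '-' vs '_'?)"))
    for acl in sorted(acls - applied):
        findings.append(("unapplied-acl", acl,
                         f"access-list {acl} is defined but never applied with access-group"))
    inbound = {iface for _, direction, iface in groups if direction == "in"}
    for iface in ifaces:
        if iface not in inbound:
            findings.append(("no-inbound-acl", iface,
                             f"interface {iface} has no 'in' access-group; traffic entering it is "
                             f"subject only to the security-level policy and any egress 'out' ACL"))
    for real, mapped, kind in nats:
        if kind == "dynamic":
            findings.append(("dynamic-nat", f"{real},{mapped}",
                             f"nat ({real},{mapped}) is dynamic: a flow initiated from {mapped} toward "
                             f"a {real} host fails the NAT rpf-check; only static NAT admits it"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {name} ==")
        for code, subject, msg in lint(cfg):
            print(f"[{code}] {subject}: {msg}")
```

Run against the broken config it flags `OUTSIDE-IN` as applied but undefined, `INSIDE_IN` as defined but unapplied, `inside` as having no inbound ACL, and the dynamic NAT as a note; against the corrected config only the dynamic-NAT note remains, which is expected for an office firewall that publishes no inbound services. Feed it the output of `show running-config` from a real box and extend the regexes if your config uses object NAT.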
08-21-2019 11:52 AM
missed: access-group INSIDE_IN in interface inside
08-21-2019 01:27 PM
Thanks RJI, it works!
In our other office location, I didn't have those two Outside_in access-list entries and it didn't work.
And today my config has the two access-list entries needed, as you predicted ;-)
access-list INSIDE_IN extended permit ip any any
access-list INSIDE_IN extended permit icmp any any
access-list OUTSIDE_OUT extended permit ip any any
access-list OUTSIDE_OUT extended permit icmp any any
access-list OUTSIDE-IN extended permit icmp any any
access-list OUTSIDE-IN extended permit ip any any
access-group OUTSIDE-IN in interface outside
access-group OUTSIDE_OUT out interface outside
access-group INSIDE_IN in interface inside
But I made a stupid mistake by using the upper-layer route gateway, not the directly connected one.
Thanks a lot for your help, much appreciated.
Netcruiser