03-11-2014 07:01 PM - edited 02-21-2020 05:07 AM
Good Evening,
Recently I've been having difficulty with my home office connectivity. I have a 5510 ASA configured for dynamic PAT using the outside interface. The setup is pretty basic, but I've noticed that HTTP/HTTPS traffic is getting denied coming back into the network even though an XLATE exists:
Mar 11 2014 23:32:16: %ASA-6-106100: access-list internet_in denied tcp outside/205.178.146.249(110) -> inside/192.168.1.135(50727) hit-cnt 1 first hit [0x72adbc92, 0x0]
fis-inet-fw01# show xlate | inc 50727
TCP PAT from inside:192.168.1.135/50727 to outside:50.165.144.4/50727 flags ri idle 0:00:15 timeout 0:05:00
fis-inet-fw01#
If I'm reading this correctly, the "return" traffic is being denied by ACL, but a valid XLATE exists which should permit the traffic. I'm sure I've missed something simple, but I'm having trouble finding it.
Full config below:
*****# show run
: Saved
:
ASA Version 9.1(3)
!
hostname *****
domain-name *****
enable password ***** encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd ***** encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.252
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa913-k8.bin
boot system disk0:/asa912-k8.bin
boot system disk0:/asa831-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name *****
object network *****
host 192.168.1.77
access-list inside_in extended permit tcp 192.168.1.0 255.255.255.0 any4
access-list inside_in extended permit ip 192.168.1.0 255.255.255.0 any4
access-list inside_in extended permit icmp any any
access-list internet_in extended permit tcp any object ***** eq 32400
access-list internet_in extended permit icmp any any
access-list internet_in extended deny ip any any log
pager lines 24
logging enable
logging timestamp
logging buffer-size 12000
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.1.0 255.255.255.0 inside
icmp permit 192.168.10.0 255.255.255.252 inside
asdm image disk0:/asdm-714.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network *****
nat (inside,outside) static interface service tcp 32400 32400
!
nat (inside,outside) after-auto source dynamic any interface
access-group internet_in in interface outside
access-group inside_in in interface inside
route inside 192.168.1.0 255.255.255.0 192.168.10.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:30:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcp-client client-id interface outside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
username ***** password ***** encrypted privilege 15
username ***** password ***** encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:*****
: end
*****#
03-12-2014 12:40 AM
At least you are looking at the wrong log entries. You are talking about HTTP/HTTPS, but the dropped-packet log is for POP3. So perhaps the problem is somewhere else.
03-12-2014 12:59 PM
Karsten,
Thanks for the reply. I actually see denied packets for HTTP (80), HTTPS (443), POP3 (110), DNS (UDP53), SMTP (2525), RDP (3389), and other protocols. In each case, if I do a "show xlate" command, I find a PAT xlate in the xlate table that should allow return traffic to come through.
It seems as if the ACL is not respecting the existing XLATE when determining whether or not to allow return traffic.
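As an added example (written for this page, not code from the thread or from Cisco), here is a small Python script that parses the two kinds of lines quoted in the original post, the %ASA-6-106100 deny and the "show xlate" PAT entry, and separates denies whose inside destination has a live PAT xlate from ordinary unsolicited inbound hits. The check is worth running because an xlate entry on its own never lets a packet bypass the interface ACL: only a packet that matches an existing entry in the connection table is fast-pathed past it, so a deny logged against a live xlate means the connection itself had already been torn down when the packet arrived and the outside ACL was consulted as for a new inbound connection. The sample log and xlate lines are constructed to resemble the ones above; only the first deny and the first xlate are copied from the post, and the other addresses are documentation ranges.

```python
"""Correlate ASA %ASA-6-106100 denies with PAT entries from "show xlate".

Added example, not from the thread and not Cisco code.  The parsing assumes the
line layouts shown in the thread (ASA 9.1 syslog and "show xlate" output).
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input.  The first syslog line and the first xlate line are
# copied from the post; the rest are made up in documentation address ranges.
SYSLOG_LINES = [
    "Mar 11 2014 23:32:16: %ASA-6-106100: access-list internet_in denied tcp outside/205.178.146.249(110) -> inside/192.168.1.135(50727) hit-cnt 1 first hit [0x72adbc92, 0x0]",
    "Mar 11 2014 23:32:20: %ASA-6-106100: access-list internet_in denied tcp outside/198.51.100.20(443) -> inside/192.168.1.135(50811) hit-cnt 1 first hit [0x72adbc92, 0x0]",
    "Mar 11 2014 23:32:25: %ASA-6-106100: access-list internet_in denied udp outside/203.0.113.9(53) -> inside/192.168.1.135(61000) hit-cnt 1 first hit [0x72adbc92, 0x0]",
    "Mar 11 2014 23:33:01: %ASA-6-106100: access-list internet_in denied tcp outside/198.51.100.77(4444) -> inside/192.168.1.135(22) hit-cnt 1 first hit [0x72adbc92, 0x0]",
]
XLATE_LINES = [
    "TCP PAT from inside:192.168.1.135/50727 to outside:50.165.144.4/50727 flags ri idle 0:00:15 timeout 0:05:00",
    "TCP PAT from inside:192.168.1.135/50811 to outside:50.165.144.4/50811 flags ri idle 0:00:03 timeout 0:05:00",
    "UDP PAT from inside:192.168.1.135/61000 to outside:50.165.144.4/61000 flags ri idle 0:00:10 timeout 0:05:00",
]

# Message 106100: ACE hit with the "log" keyword.  Real (untranslated) inside
# addresses are logged on 8.3+ code, which is why they match the xlate's real side.
DENY_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src_if>\w+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>\w+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\)"
)
# "show xlate" PAT entry: real inside socket -> mapped outside socket plus flags.
XLATE_RE = re.compile(
    r"(?P<proto>TCP|UDP) PAT from (?P<in_if>\w+):(?P<real_ip>[\d.]+)/(?P<real_port>\d+) "
    r"to (?P<out_if>\w+):(?P<mapped_ip>[\d.]+)/(?P<mapped_port>\d+) flags (?P<flags>\w+)"
)


@dataclass(frozen=True)
class Deny:
    acl: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Xlate:
    proto: str
    real_ip: str
    real_port: int
    mapped_ip: str
    mapped_port: int
    flags: str


def parse_denies(lines):
    """Return the denied 106100 entries; permitted hits are skipped."""
    out = []
    for line in lines:
        m = DENY_RE.search(line)
        if m and m["action"] == "denied":
            out.append(Deny(m["acl"], m["proto"].lower(), m["src_ip"], int(m["src_port"]),
                            m["dst_ip"], int(m["dst_port"])))
    return out


def parse_xlates(lines):
    """Return the PAT entries from "show xlate" output (static/identity lines are ignored)."""
    out = []
    for line in lines:
        m = XLATE_RE.search(line)
        if m:
            out.append(Xlate(m["proto"].lower(), m["real_ip"], int(m["real_port"]),
                             m["mapped_ip"], int(m["mapped_port"]), m["flags"]))
    return out


def correlate(syslog_lines, xlate_lines):
    """Split denies into (matched, unsolicited).

    matched: the packet's inside destination socket has a live PAT xlate, i.e.
    it is return traffic for a flow whose conn entry no longer exists.
    unsolicited: no xlate at all, the normal case for an outside-ACL deny.
    """
    by_real = {(x.proto, x.real_ip, x.real_port): x for x in parse_xlates(xlate_lines)}
    matched, unsolicited = [], []
    for d in parse_denies(syslog_lines):
        (matched if (d.proto, d.dst_ip, d.dst_port) in by_real else unsolicited).append(d)
    return matched, unsolicited


def remote_ports(denies):
    """Count denies by the remote server port, i.e. the service the inside host had reached."""
    return Counter((d.proto, d.src_port) for d in denies)


if __name__ == "__main__":
    matched, unsolicited = correlate(SYSLOG_LINES, XLATE_LINES)
    for d in matched:
        print(f"return traffic denied despite xlate: {d.proto} {d.src_ip}:{d.src_port} -> {d.dst_ip}:{d.dst_port}")
    for d in unsolicited:
        print(f"unsolicited inbound (expected deny): {d.proto} {d.src_ip}:{d.src_port} -> {d.dst_ip}:{d.dst_port}")
    print("services affected:", dict(remote_ports(matched)))
```

Running it over the sample lines reports three denies as return traffic for live xlates (POP3, HTTPS and DNS, the same pattern the poster describes) and one as an ordinary unsolicited inbound hit on port 22. Fed with a real "show logging" buffer and "show xlate" capture taken at the same moment, the matched list is the set of flows to investigate against "show conn" and the xlate/conn timeouts in the config, since those are the flows for which the connection entry had disappeared while the PAT mapping was still present.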