cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1009
Views
0
Helpful
3
Replies

ASA Inspect traffic

Antonio Simoes
Level 1
Level 1

Hi,

I have an ASA 5505 SEC license and I made this config:

hostname ciscoasa

enable password xxxxxxxxxxxxxxx encrypted

passwd xxxxxxx2xxxxx encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 3

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan2

nameif outside

security-level 0

ip address 192.0.10.254 255.255.255.0

!

interface Vlan3

nameif inside

security-level 100

ip address 192.168.1.254 255.255.255.0

!

ftp mode passive

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

tftp-server inside 192.168.1.1 /

webvpn

username admin password xxxxxxxxxxxx encrypted privilege 15

!

class-map inside_class

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy_inside

class inside_class

  inspect icmp

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy_inside global

prompt hostname context

call-home reporting anonymous

: end

From the inside to outside :

packet-tracer input inside icmp 192.168.1.1 8 0 192.0.10.1 the result is OK

But when traffic come back:

ciscoasa# packet-tracer input inside icmp 192.0.10.1 8 0 192.168.1.1

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.1.0     255.255.255.0   inside

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa#

Can any one explain me why this traffic is droped and not accepted ?

Kind Regards,

AS

1 Accepted Solution

Accepted Solutions

Hi,

if there is a router on the Outside interface which is the border router for Internet access then having a private IP on the Outside interface is not a problem.

the packet-tracer  error is due to the fact that you specified a communication initiated from the outside interface and it is dropped by default if you've got no ACL configured to permit this traffic.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

View solution in original post

3 Replies 3

Antonio Simoes
Level 1
Level 1

I was using a private IP in outside interface.

Lame things.

Hi,

if there is a router on the Outside interface which is the border router for Internet access then having a private IP on the Outside interface is not a problem.

the packet-tracer  error is due to the fact that you specified a communication initiated from the outside interface and it is dropped by default if you've got no ACL configured to permit this traffic.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Hi Alan,

About the last post: If ASA have the inspection of traffic active, the ACL of returning traffic should pass the echo-reply?

I have other situation:

In the inside interface I have a ISR 2911/K9 doing router on the stick to all my VLAN´s.

And for one off the VLAN´s(192.168.1.0) I have a remote server that I need contact whith. So I have to do a Site-to-Site VLAN, but I´m confuse about the local network to configure.

It´s the network between the ISR and the ASA or is (192.168.1.0) ?

Kind Regards,

AS

Review Cisco Networking for a $25 gift card