09-09-2013 03:34 AM - edited 03-11-2019 07:35 PM
Hi,
I have an ASA 5505 SEC license and I made this config:
hostname ciscoasa
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxx2xxxxx encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan2
nameif outside
security-level 0
ip address 192.0.10.254 255.255.255.0
!
interface Vlan3
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
ftp mode passive
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 192.168.1.1 /
webvpn
username admin password xxxxxxxxxxxx encrypted privilege 15
!
class-map inside_class
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy_inside
class inside_class
inspect icmp
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy_inside global
prompt hostname context
call-home reporting anonymous
: end
From the inside to outside :
packet-tracer input inside icmp 192.168.1.1 8 0 192.0.10.1 the result is OK
But when traffic come back:
ciscoasa# packet-tracer input inside icmp 192.0.10.1 8 0 192.168.1.1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ciscoasa#
Can any one explain me why this traffic is droped and not accepted ?
Kind Regards,
AS
Solved! Go to Solution.
09-09-2013 07:09 AM
Hi,
if there is a router on the Outside interface which is the border router for Internet access then having a private IP on the Outside interface is not a problem.
the packet-tracer error is due to the fact that you specified a communication initiated from the outside interface and it is dropped by default if you've got no ACL configured to permit this traffic.
Regards
Alain
Don't forget to rate helpful posts.
09-09-2013 06:24 AM
I was using a private IP in outside interface.
Lame things.
09-09-2013 07:09 AM
Hi,
if there is a router on the Outside interface which is the border router for Internet access then having a private IP on the Outside interface is not a problem.
the packet-tracer error is due to the fact that you specified a communication initiated from the outside interface and it is dropped by default if you've got no ACL configured to permit this traffic.
Regards
Alain
Don't forget to rate helpful posts.
09-09-2013 08:07 AM
Hi Alan,
About the last post: If ASA have the inspection of traffic active, the ACL of returning traffic should pass the echo-reply?
I have other situation:
In the inside interface I have a ISR 2911/K9 doing router on the stick to all my VLAN´s.
And for one off the VLAN´s(192.168.1.0) I have a remote server that I need contact whith. So I have to do a Site-to-Site VLAN, but I´m confuse about the local network to configure.
It´s the network between the ISR and the ASA or is (192.168.1.0) ?
Kind Regards,
AS
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide