01-06-2012 07:06 AM - edited 03-11-2019 03:11 PM
I need to connect two internal LANs, each of which has an ASA as its firewall to the outside. One has an ASA 5505 with two interfaces and the other an ASA 5510 with three interfaces. I managed to pass echo packets from one internal LAN to the other, but not TCP packets. It must be something simple that I missed. Any help will be highly appreciated! Here is the network diagram:
Here is the config from the ASA 5510 (I removed obvious settings to save space):
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address YY.YY.YY.YY 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.35.1 255.255.255.0
!
interface Ethernet0/2
 nameif a-02
 security-level 100
 ip address 192.168.30.250 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name latista.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any inactive
access-list a-02_access_in extended permit ip any any
access-list a-02_access_in extended permit icmp any any inactive
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any inactive
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit icmp any any inactive
access-list inside_nat0_outbound_1 extended permit ip 192.168.35.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.35.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list a-02_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.35.0 255.255.255.0
access-list a-02_nat0_outbound_1 extended permit ip 192.168.30.0 255.255.255.0 192.168.35.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu a-02 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (a-02) 0 access-list a-02_nat0_outbound
nat (a-02) 0 access-list a-02_nat0_outbound_1 outside
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group a-02_access_in in interface a-02
!
router rip
 version 1
!
route outside 0.0.0.0 0.0.0.0 205.251.79.33 1
route inside 192.168.30.0 255.255.255.0 192.168.30.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.35.0 255.255.255.0 inside
http 67.208.89.64 255.255.255.224 outside
http 4.26.115.0 255.255.255.240 outside
http 192.168.30.0 255.255.255.0 a-02
http 192.168.20.0 255.255.255.0 a-02
http 96.255.26.199 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect http
!
service-policy global_policy global
On the other ASA (the ASA 5505) I only configured the routing and the NAT exemption. Here is that portion:
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip NET_COLO_INT 255.255.255.0 192.168.35.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.35.0 255.255.255.0 NET_COLO_INT 255.255.255.0
route inside 192.168.35.0 255.255.255.0 192.168.30.250 1
Please help!
01-08-2012 08:05 PM
Hello Anatoly,
So the TCP state-bypass did it!
Great to hear everything is working. Please mark the question as answered so that, as you said, future users can view the solution to this.
Regards,
Julio
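The TCP state bypass that resolved this thread is only named above, so here is an added example of what that configuration looks like; it is not configuration posted by Anatoly or Julio. It is written for the ASA 5505, on the assumption (suggested by its hairpin route but not stated in the thread) that the 5505 forwards the 192.168.30.0/24 hosts' connections toward 192.168.30.250 without ever seeing the replies, so its TCP connection tracking and sequence-number randomization break the handshake; the names TCP_BYPASS_ACL, TCP_BYPASS and TCP_BYPASS_POLICY are invented, and the interface name inside comes from the 5505 excerpt.

```cisco
! Added example (not from this thread): TCP state bypass on the ASA 5505,
! limited to TCP between the two internal LANs. Assumed names:
! TCP_BYPASS_ACL, TCP_BYPASS, TCP_BYPASS_POLICY. Subnets are from the thread.
access-list TCP_BYPASS_ACL extended permit tcp 192.168.30.0 255.255.255.0 192.168.35.0 255.255.255.0
access-list TCP_BYPASS_ACL extended permit tcp 192.168.35.0 255.255.255.0 192.168.30.0 255.255.255.0
!
class-map TCP_BYPASS
 match access-list TCP_BYPASS_ACL
!
policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS
  ! Matched flows are no longer checked by the TCP normalizer, and the ASA
  ! stops randomizing their initial sequence numbers, so a handshake whose
  ! reply path avoids this box is not reset.
  set connection advanced-options tcp-state-bypass
!
! Attach to the 5505 interface that receives the one-sided half of the flow
! (assumed to be its inside interface). The global policy still applies to
! everything the class does not match.
service-policy TCP_BYPASS_POLICY interface inside
!
! Verify after generating traffic between the two LANs: the class should show
! hits, and the connection should stay up instead of being torn down.
show service-policy interface inside
show conn address 192.168.30.2
```

Keep the ACL limited to the two LANs: matched flows skip TCP normalization, TCP intercept and sequence-number randomization, so a broad match would remove those protections from traffic that is routed symmetrically.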
01-06-2012 09:26 AM
Hello Anatoly,
I would remove these NAT statements and this static route:
no nat (a-02) 0 access-list a-02_nat0_outbound_1 outside
no nat (inside) 0 access-list inside_nat0_outbound_1 outside
no route inside 192.168.30.0 255.255.255.0 192.168.30.250 1
Now please provide the following packet-tracer outputs from the ASA 5510:
packet-tracer input inside tcp 192.168.35.15 1025 192.168.30.47 80
packet-tracer input a-02 tcp 192.168.30.47 1025 192.168.35.15 80
Regards,
Julio
01-06-2012 09:51 AM
Julio, thank you for answering! Here is the packet-tracer info. I ran the tracers without removing the route and NAT exemptions. I will remove them and create another reply with those results as well...
Result of the command: "packet-tracer input inside tcp 192.168.35.15 1025 192.168.30.47 80"
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.30.0 255.255.255.0 a-02
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (inside) 0 access-list inside_nat0_outbound
match ip inside 192.168.35.0 255.255.255.0 a-02 192.168.30.0 255.255.255.0
NAT exempt
translate_hits = 101, untranslate_hits = 0
Additional Information:
Phase: 6
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3230, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: a-02
output-status: up
output-line-status: up
Action: allow
---------------------------- here is the second one ----------------------
Result of the command: "packet-tracer input a-02 tcp 192.168.30.47 1025 192.168.35.15 80"
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.35.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group a-02_access_in in interface a-02
access-list a-02_access_in extended permit ip any any
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Phase: 5
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (a-02) 0 access-list a-02_nat0_outbound
match ip a-02 192.168.30.0 255.255.255.0 inside 192.168.35.0 255.255.255.0
NAT exempt
translate_hits = 1, untranslate_hits = 104
Additional Information:
Phase: 7
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_out out interface inside
access-list inside_access_out extended permit ip any any
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3236, packet dispatched to next module
Result:
input-interface: a-02
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
01-06-2012 09:53 AM
Hello,
I will wait for the other post
01-06-2012 09:54 AM
I was not able to remove the route; the ASA gave an error stating "Cannot remove connected route". Here are the results of the tracers without the NAT rules:
Result of the command: "packet-tracer input inside tcp 192.168.35.15 1025 192.168.30.47 80"
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.30.0 255.255.255.0 a-02
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 192.168.35.0 255.255.255.0 a-02 192.168.30.0 255.255.255.0
NAT exempt
translate_hits = 1, untranslate_hits = 0
Additional Information:
Phase: 6
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3248, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: a-02
output-status: up
output-line-status: up
Action: allow
-------------------- Here is the second one ---------------------
Result of the command: "packet-tracer input a-02 tcp 192.168.30.47 1025 192.168.35.15 80"
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.35.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group a-02_access_in in interface a-02
access-list a-02_access_in extended permit ip any any
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Phase: 5
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip a-02 192.168.30.0 255.255.255.0 inside 192.168.35.0 255.255.255.0
NAT exempt
translate_hits = 1, untranslate_hits = 1
Additional Information:
Phase: 7
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_out out interface inside
access-list inside_access_out extended permit ip any any
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3250, packet dispatched to next module
Result:
input-interface: a-02
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
01-06-2012 10:05 AM
Hmm, on the packet tracer everything is fine.
Let's do a capture from the host 192.168.35.2 to the host 192.168.30.2:
access-list capture permit ip host 192.168.35.2 host 192.168.30.2
access-list capture permit ip host 192.168.30.2 host 192.168.35.2
capture capin access-list capture interface inside
capture capa-02 access-list capture interface a-02
Now I want you to generate some TCP traffic between those hosts.
Then please go to a browser on the inside interface and open the following:
https://192.168.30.250/capture/capin/pcap
https://192.168.30.250/capture/capa-02/pcap
And please upload to this case the two files you will get.
Regards,
Do rate if it helps
Julio
01-06-2012 10:13 AM
You mentioned that I should use a browser on the "inside" interface (which is the 192.168.35.0 net); it didn't connect to the firewall. I did it from the a-02 net (192.168.30.0) and it did. However, both files had size 0 (i.e. they were empty).
01-06-2012 10:14 AM
My bad, I haven't actually put any traffic through! Let me do that real quick...
01-06-2012 10:18 AM
No, the size is still 0. I was trying to initiate an RDP connection from both sides (TCP 3389) and also did a ping. The ping went fine, the RDP session timed out. But neither made those pcaps have any data in them.
01-06-2012 10:31 AM
Hello Anatoly,
If you do a sh capture capin and show capture capa-02 on the ASA, what do you see?
One question: did you send the ping and the RDP request between the hosts 192.168.30.2 and 192.168.35.2?
Can I see the capture and ACL configuration for the capture?
01-06-2012 10:52 AM
Good point, it was actually NOT between those. I just did it again for these two IPs. Here is the output for both captures:
asa5510# show capture capa-02
14 packets captured
1: 13:48:29.135704 192.168.35.2 > 192.168.30.2: icmp: echo request
2: 13:48:29.136070 192.168.30.2 > 192.168.35.2: icmp: echo reply
3: 13:48:30.132698 192.168.35.2 > 192.168.30.2: icmp: echo request
4: 13:48:30.132912 192.168.30.2 > 192.168.35.2: icmp: echo reply
5: 13:48:34.636853 192.168.35.2.4654 > 192.168.30.2.23: S 1810127933:1810127933(0) win 65535
6: 13:48:37.507893 192.168.35.2.4654 > 192.168.30.2.23: S 1810127933:1810127933(0) win 65535
7: 13:48:43.523715 192.168.35.2.4654 > 192.168.30.2.23: S 1810127933:1810127933(0) win 65535
8: 13:49:15.998681 192.168.30.2.54837 > 192.168.35.2.23: S 4043652038:4043652038(0) win 5840
35 0,nop,wscale 7>
9: 13:49:15.999093 192.168.35.2.23 > 192.168.30.2.54837: R 661765980:661765980(0) ack 4043652039 win 0
10: 13:49:20.155768 192.168.30.2.39499 > 192.168.35.2.3389: S 824236920:824236920(0) win 5840
74 0,nop,wscale 7>
11: 13:49:20.156150 192.168.35.2.3389 > 192.168.30.2.39499: S 1344822113:1344822113(0) ack 824236921 win 16384
ale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
12: 13:49:20.156363 192.168.30.2.39499 > 192.168.35.2.3389: R 2366458597:2366458597(0) win 0
13: 13:49:22.462607 192.168.35.2.3389 > 192.168.30.2.39499: S 1344822113:1344822113(0) ack 824236921 win 16384
ale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
14: 13:49:23.154151 192.168.30.2.39499 > 192.168.35.2.3389: S 233265947:233265947(0) win 5840
24 0,nop,wscale 7>
14 packets shown
asa5510# show capture capain
ERROR: Capture
asa5510# show capture capin
15 packets captured
1: 13:48:29.135552 192.168.35.2 > 192.168.30.2: icmp: echo request
2: 13:48:29.136208 192.168.30.2 > 192.168.35.2: icmp: echo reply
3: 13:48:30.132683 192.168.35.2 > 192.168.30.2: icmp: echo request
4: 13:48:30.132912 192.168.30.2 > 192.168.35.2: icmp: echo reply
5: 13:48:34.636655 192.168.35.2.4654 > 192.168.30.2.23: S 581861776:581861776(0) win 65535
6: 13:48:37.507862 192.168.35.2.4654 > 192.168.30.2.23: S 581861776:581861776(0) win 65535
7: 13:48:43.523669 192.168.35.2.4654 > 192.168.30.2.23: S 581861776:581861776(0) win 65535
8: 13:49:15.998895 192.168.30.2.54837 > 192.168.35.2.23: S 964875669:964875669(0) win 5840
0,nop,wscale 7>
9: 13:49:15.999032 192.168.35.2.23 > 192.168.30.2.54837: R 0:0(0) ack 964875670 win 0
10: 13:49:20.155967 192.168.30.2.39499 > 192.168.35.2.3389: S 2181402077:2181402077(0) win 5840
4674 0,nop,wscale 7>
11: 13:49:20.156089 192.168.35.2.3389 > 192.168.30.2.39499: S 290418727:290418727(0) ack 2181402078 win 16384
le 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
12: 13:49:22.462561 192.168.35.2.3389 > 192.168.30.2.39499: S 290418727:290418727(0) ack 2181402078 win 16384
le 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
13: 13:49:29.025251 192.168.35.2.3389 > 192.168.30.2.39499: S 290418727:290418727(0) ack 2181402078 win 16384
le 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
14: 13:50:05.156806 192.168.30.2.39499 > 192.168.35.2.3389: S 1438335957:1438335957(0) win 5840
5924 0,nop,wscale 7>
15: 13:50:05.156928 192.168.35.2.3389 > 192.168.30.2.39499: S 302100830:302100830(0) ack 1438335958 win 16384
le 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
15 packets shown
01-06-2012 11:44 AM
Here is the capture ACL info:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any inactive
access-list a-02_access_in extended permit ip any any
access-list a-02_access_in extended permit icmp any any inactive
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any inactive
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit icmp any any inactive
access-list inside_nat0_outbound_1 extended permit ip 192.168.35.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.35.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list a-02_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.35.0 255.255.255.0
access-list a-02_nat0_outbound_1 extended permit ip 192.168.30.0 255.255.255.0 192.168.35.0 255.255.255.0
access-list capture extended permit ip host 192.168.35.2 host 192.168.30.2
access-list capture extended permit ip host 192.168.30.2 host 192.168.35.2
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu a-02 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
nat (a-02) 0 access-list a-02_nat0_outbound
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group a-02_access_in in interface a-02
01-06-2012 11:52 AM
Hello Anatoly,
So we are almost done here.
Please provide the following capture:
capture asp type asp-drop all
then provide the output of show capture asp | include 192.168.30.2
then provide the output of show capture asp | include 192.168.35.2
and also:
https://192.168.30.250/capture/capin/pcap
https://192.168.30.250/capture/capa-02/pcap
Regards,
01-06-2012 12:00 PM
Julio,
Here is the printout from the capture commands in the ASA shell:
asa5510(config)# capture asp type asp-drop all
asa5510(config)# show capture asp | include 192.168.30.2
asa5510(config)# show capture asp | include 192.168.35.2
1: 14:54:02.191625 192.168.35.2.138 > 192.168.35.255.138: udp 201 Drop-reason: (acl-drop) Flow is denied by configured rule
asa5510(config)#
Files are also attached below (pcap is from capin and pcap2 is from capa-02).
Thanks!
- Anatoliy
01-06-2012 12:05 PM
Here is some more from those two new captures after generating traffic (I was attempting to telnet from 192.168.30.2 to 192.168.35.2 on port 3389):
asa5510# show capture asp | include 192.168.30.2
2: 14:54:15.457495 192.168.30.21.138 > 192.168.30.255.138: udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
3: 14:54:31.464957 192.168.30.21.138 > 192.168.30.255.138: udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
4: 14:54:32.656948 192.168.30.9.138 > 192.168.30.255.138: udp 204 Drop-reason: (acl-drop) Flow is denied by configured rule
5: 14:54:47.477621 192.168.30.21.138 > 192.168.30.255.138: udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
6: 14:55:03.493413 192.168.30.21.138 > 192.168.30.255.138: udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
7: 14:55:10.272950 192.168.30.25.138 > 192.168.30.255.138: udp 201 Drop-reason: (acl-drop) Flow is denied by configured rule
8: 14:55:19.515583 192.168.30.21.138 > 192.168.30.255.138: udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
9: 14:55:35.512088 192.168.30.21.138 > 192.168.30.255.138: udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
10: 14:55:51.528994 192.168.30.21.138 > 192.168.30.255.138: udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
11: 14:56:07.551225 192.168.30.21.138 > 192.168.30.255.138: udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
12: 14:56:23.561860 192.168.30.21.138 > 192.168.30.255.138: udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
13: 14:56:23.561997 192.168.30.2.138 > 192.168.30.255.138: udp 236 Drop-reason: (acl-drop) Flow is denied by configured rule
14: 14:56:39.564271 192.168.30.21.138 > 192.168.30.255.138: udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
16: 14:56:50.015349 192.168.30.23.138 > 192.168.30.255.138: udp 215
17: 14:56:55.586746 192.168.30.21.138 > 192.168.30.255.138: udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
18: 14:57:05.585602 192.168.30.2.137 > 192.168.30.255.137: udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
19: 14:57:05.585647 192.168.30.2.137 > 192.168.30.255.137: udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
20: 14:57:07.585678 192.168.30.2.137 > 192.168.30.255.137: udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
21: 14:57:07.585724 192.168.30.2.137 > 192.168.30.255.137: udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
22: 14:57:11.593170 192.168.30.21.138 > 192.168.30.255.138: udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
23: 14:57:27.600081 192.168.30.21.138 > 192.168.30.255.138: udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
27: 14:57:43.621977 192.168.30.21.138 > 192.168.30.255.138: udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
28: 14:57:44.483159 192.168.30.7.138 > 192.168.30.255.138: udp 201 Drop-reason: (acl-drop) Flow is denied by configured rule
29: 14:57:54.962505 192.168.30.19.137 > 192.168.30.255.137: udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
30: 14:57:59.533450 192.168.30.14.137 > 192.168.30.255.137: udp 50
31: 14:57:59.629087 192.168.30.21.138 > 192.168.30.255.138: udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
32: 14:58:01.953945 192.168.30.6.137 > 192.168.30.255.137: udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
33: 14:58:08.341031 192.168.30.9.138 > 192.168.30.255.138: udp 201
34: 14:58:09.391916 192.168.30.11.138 > 192.168.30.255.138: udp 201
36: 14:58:15.048200 192.168.30.6.138 > 192.168.30.255.138: udp 201 Drop-reason: (acl-drop) Flow is denied by configured rule
37: 14:58:15.636365 192.168.30.21.138 > 192.168.30.255.138: udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
40: 14:58:31.657818 192.168.30.21.138 > 192.168.30.255.138: udp 209
43: 14:58:47.664577 192.168.30.21.138 > 192.168.30.255.138: udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
46: 14:59:03.670650 192.168.30.21.138 > 192.168.30.255.138: udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
49: 14:59:19.692331 192.168.30.21.138 > 192.168.30.255.138: udp 209 Drop-reason: (acl-drop) Flow is denied by configured rule
52: 14:59:35.700006 192.168.30.21.138 > 192.168.30.255.138: udp 209
53: 14:59:51.707284 192.168.30.21.138 > 192.168.30.255.138: udp 209
56: 15:00:07.744712 192.168.30.21.138 > 192.168.30.255.138: udp 209
57: 15:00:07.744849 192.168.30.8.138 > 192.168.30.255.138: udp 236
59: 15:00:23.750052 192.168.30.21.138 > 192.168.30.255.138: udp 209
60: 15:00:39.757285 192.168.30.21.138 > 192.168.30.255.138: udp 209
61: 15:00:55.779226 192.168.30.21.138 > 192.168.30.255.138: udp 209
62: 15:01:11.779653 192.168.30.21.138 > 192.168.30.255.138: udp 209
63: 15:01:14.614149 192.168.30.2.51264 > 192.168.35.2.3389: R 3892349827:3892349827(0) win 0
64: 15:01:17.612135 192.168.30.2.51264 > 192.168.35.2.3389: S 3356852894:3356852894(0) win 5840
3977 0,nop,wscale 7>
65: 15:01:17.767736 192.168.30.2.51264 > 192.168.35.2.3389: R 4049166377:4049166377(0) win 0
66: 15:01:23.612471 192.168.30.2.51264 > 192.168.35.2.3389: S 2757161395:2757161395(0) win 5840
5477 0,nop,wscale 7>
67: 15:01:24.330457 192.168.30.2.51264 > 192.168.35.2.3389: R 3449474878:3449474878(0) win 0
68: 15:01:27.792561 192.168.30.21.138 > 192.168.30.255.138: udp 209
69: 15:01:35.613219 192.168.30.2.51264 > 192.168.35.2.3389: S 2979565878:2979565878(0) win 5840
8477 0,nop,wscale 7>
asa5510# show capture asp | include 192.168.35.2
1: 14:54:02.191625 192.168.35.2.138 > 192.168.35.255.138: udp 201 Drop-reason: (acl-drop) Flow is denied by configured rule
24: 14:57:40.588928 192.168.35.2.137 > 192.168.35.255.137: udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
25: 14:57:41.338819 192.168.35.2.137 > 192.168.35.255.137: udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
26: 14:57:42.088862 192.168.35.2.137 > 192.168.35.255.137: udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
63: 15:01:14.614149 192.168.30.2.51264 > 192.168.35.2.3389: R 3892349827:3892349827(0) win 0
64: 15:01:17.612135 192.168.30.2.51264 > 192.168.35.2.3389: S 3356852894:3356852894(0) win 5840
3977 0,nop,wscale 7>
65: 15:01:17.767736 192.168.30.2.51264 > 192.168.35.2.3389: R 4049166377:4049166377(0) win 0
66: 15:01:23.612471 192.168.30.2.51264 > 192.168.35.2.3389: S 2757161395:2757161395(0) win 5840
5477 0,nop,wscale 7>
67: 15:01:24.330457 192.168.30.2.51264 > 192.168.35.2.3389: R 3449474878:3449474878(0) win 0
69: 15:01:35.613219 192.168.30.2.51264 > 192.168.35.2.3389: S 2979565878:2979565878(0) win 5840
8477 0,nop,wscale 7>