Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2532
Views
0
Helpful
16
Replies

ASA5506-x public server - Flow is denied by configured rule -

AntonioFerrara75252
Level 1
Level 1

‎03-08-2020 01:54 AM

Hello all,

 

New to the forums and the Cisco ASA 5506-X.

I have tried to create a Public Server using

ASDM --> Configuration --> Firewall --> Public Server  

I had no errors in the creation phase.

I then tried to test using the command: 

packet-tracer input outside tcp 192.168.1.16 http 10.0.0.12 http detailed

but i get the following error: 

(acl-drop) Flow is denied by configured rule

in detail, the answer was the following: 

Result of the command: "packet-tracer input outside tcp 192.168.1.16 http 10.0.0.12 http detailed"

Phase: 1
Type: CP-PUNT
Subtype: l2-selective
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f10bb004df0, priority=13, domain=punt, deny=false
	hits=6744, user_data=0x7f10bb51ea40, cs_id=0x0, l3_type=0x8
	src mac=0000.0000.0000, mask=0000.0000.0000
	dst mac=0000.0000.0000, mask=0000.0000.0000
	input_ifc=outside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f10ba9e6ab0, priority=1, domain=permit, deny=false
	hits=6654, user_data=0x0, cs_id=0x0, l3_type=0x8
	src mac=0000.0000.0000, mask=0000.0000.0000
	dst mac=0000.0000.0000, mask=0100.0000.0000
	input_ifc=outside, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.12 using egress ifc  inside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access in interface outside
access-list outside_access extended permit tcp any4 object dmz_in eq www 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f10ba5c9f70, priority=13, domain=permit, deny=false
	hits=10, user_data=0x7f10b30c64c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=10.0.0.12, mask=255.255.255.255, port=80, tag=any, dscp=0x0
	input_ifc=outside, output_ifc=any

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f10b9a5d360, priority=0, domain=nat-per-session, deny=false
	hits=4080, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f10bb516e50, priority=0, domain=inspect-ip-options, deny=true
	hits=3042, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=outside, output_ifc=any

Phase: 7
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access in interface outside
access-list outside_access extended permit tcp any4 object dmz_in eq www 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f10ba5c9f70, priority=13, domain=permit, deny=false
	hits=11, user_data=0x7f10b30c64c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=10.0.0.12, mask=255.255.255.255, port=80, tag=any, dscp=0x0
	input_ifc=outside, output_ifc=any

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f10b9a5d360, priority=0, domain=nat-per-session, deny=false
	hits=4081, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=any, output_ifc=any

Phase: 9
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f10bb516e50, priority=0, domain=inspect-ip-options, deny=true
	hits=3043, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
	input_ifc=outside, output_ifc=any

Phase: 10
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network dmz_in
 nat (inside_1,outside) static dmz_out
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7f10bb65a2a0, priority=6, domain=nat-reverse, deny=false
	hits=6, user_data=0x7f10ba46f9a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
	dst ip/id=10.0.0.12, mask=255.255.255.255, port=0, tag=any, dscp=0x0
	input_ifc=outside, output_ifc=inside_1

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

the   asa configuration is as follows:

 

Result of the command: "sh run"

: Saved

: 
: Serial Number: JAD23491DFL
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2) 
!
hostname ciscoasa
enable password $sha512$5000$YF7WGccVhZL32TZ5JIVyzw==$Ce6xmlZRIG/9w+0h+1LTtg== pbkdf2
names

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object network dmz_in
 host 10.0.0.12
 description dmz_in
object network dmz_out
 host 192.168.1.40
 description dmz_out
access-list outside_access extended permit tcp any4 object dmz_in eq www 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface
object network dmz_in
 nat (inside_1,outside) static dmz_out
access-group outside_access in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 10.0.0.0 255.255.255.0 inside_1
http 10.0.0.0 255.255.255.0 inside_2
http 10.0.0.0 255.255.255.0 inside_3
http 10.0.0.0 255.255.255.0 inside_4
http 10.0.0.0 255.255.255.0 inside_5
http 10.0.0.0 255.255.255.0 inside_6
http 10.0.0.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca .........
    
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 10.0.0.5-10.0.0.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
service call-home
call-home reporting anonymous
call-home
 contact-email-addr aferrara.avvisi@gmail.com
 profile CiscoTAC-1
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b11b3962c3121dc7612713d95c49d0af
: end

can you help me?

 

Thanks.

0 Helpful
16 Replies 16

AntonioFerrara75252
Level 1
Level 1
In response to Sheraz.Salim

‎03-10-2020 12:39 PM

Hi Salim,

unfortunately it doesn't work.

Looking at the log I found this:

Routing failed to locate next hop for TCP from outside:192.168.1.16/53064 to inside_1:192.168.1.40/80

Hope it can help you understand the problem.

 

Thanks.

 

0 Helpful

Sheraz.Salim
VIP
VIP
In response to AntonioFerrara75252

‎03-10-2020 01:15 PM

check your email drop you a message.

please do not forget to rate.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card