Changed IP of outside and inside interfaces and rules.... having issues.....

Scott, Level 1

Had the configuration working in the LAB. Just changed IPs for a new test... now we cannot get into ASDM and the access-list is dropping our packets... not sure what is wrong. Below is the configuration and the packet trace. Any help would be GREATLY appreciated.

: Saved
:
: Serial Number: FCH204473W4
: Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
:
ASA Version 9.7(1)
!
hostname ciscoasa
enable password sBKYBaafCSjFcId5 encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.180.201.60 255.255.255.248
!
interface GigabitEthernet0/1
 shutdown
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif Delta
 security-level 100
 ip address 10.180.206.225 255.255.255.224
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa971-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network RDP-connection
 host 10.180.206.240
object service RDP-SERVICE
 service tcp destination eq 3389
object service RDP-service
 service tcp source eq 3389
object network OPC-connection
 host 10.180.206.240
object service OPC-SERVICE
 service tcp destination eq 135
access-list 101 extended permit tcp any any eq 21379
access-list 101 extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit icmp any any traceroute
access-list 101 extended permit ip 10.180.206.0 255.255.255.224 10.180.201.0 255.255.255.248
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Delta 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-771.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (Delta,outside) source static RDP-connection interface service any RDP-service
nat (outside,Delta) source static any any no-proxy-arp
!
object network obj_any
 nat (any,outside) dynamic interface
access-group 101 in interface outside
access-group 101 out interface outside
access-group 101 in interface Delta
access-group 101 out interface Delta
router rip
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
http server enable
http 10.180.206.0 255.255.255.224 Delta
http 10.180.201.0 255.255.255.248 outside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 10.180.206.0 255.255.255.224 Delta
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:9a8da34dc8cb18c1782f9ffbcd77f2d2
: end

 

Packet Trace:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2aaac7ed22d0, priority=1, domain=permit, deny=false
        hits=412, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=outside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.180.206.240 using egress ifc  Delta

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2aaac7977990, priority=501, domain=permit, deny=true
        hits=1, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=10.180.201.60, mask=255.255.255.255, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: Delta
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

Accepted Solution

Rahul Govindan, VIP Alumni

Not sure what source you are trying this from, but your http access on the Delta interface is limited to source 10.180.206.0/27.

http 10.180.206.0 255.255.255.224 Delta

This is different from your Delta interface subnet 10.180.206.224/27.

ip address 10.180.206.225 255.255.255.224

You do not seem to have a static route to 10.180.206.0/27, so I am assuming that the http command address is wrong.

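The subnet mismatch Rahul points out can be checked mechanically against the running config. The Python below is an added example (not from the thread, not Cisco tooling): it parses a constructed excerpt of the posted interface and management lines, derives each nameif's connected subnet from its ip address line, and reports every http/ssh/telnet line whose permitted source network does not overlap the subnet of the interface it names. On the posted addresses it flags the Delta http line, and also the outside http line (10.180.201.0/29 against the interface's 10.180.201.56/29) and the Delta telnet line.

```python
import ipaddress
import re
MGMT_RE = re.compile(r"^(http|ssh|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")  # <proto> <net> <mask> <nameif>

# Constructed excerpt modelled on the interface and management lines of the posted config.
ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 10.180.201.60 255.255.255.248
!
interface GigabitEthernet0/2
 nameif Delta
 ip address 10.180.206.225 255.255.255.224
!
http server enable
http 10.180.206.0 255.255.255.224 Delta
http 10.180.201.0 255.255.255.248 outside
telnet 10.180.206.0 255.255.255.224 Delta
"""

def interface_subnets(config):
    """Map each nameif to the connected network derived from its 'ip address' line."""
    subnets, nameif = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            nameif = None                   # new block: forget the previous nameif
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            addr, mask = line.split()[2:4]  # 'ip address A.B.C.D M.M.M.M [standby ...]'
            subnets[nameif] = ipaddress.ip_interface(f"{addr}/{mask}").network
    return subnets

def unreachable_mgmt_sources(config):
    """Return (line, reason) for http/ssh/telnet lines whose permitted source network does not
    overlap the connected subnet of the named interface (such sources would need a route to the ASA)."""
    subnets = interface_subnets(config)
    findings = []
    for line in config.splitlines():
        m = MGMT_RE.match(line.strip())     # 'http server enable', 'ssh timeout 5' etc. do not match
        if not m:
            continue
        proto, net, mask, ifname = m.groups()
        allowed = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        connected = subnets.get(ifname)
        if connected is None or not allowed.overlaps(connected):
            findings.append((line.strip(), f"{proto}: {allowed} is not on {ifname} ({connected})"))
    return findings
```

Replacing the source network with the interface's own subnet (10.180.206.224 255.255.255.224 for Delta) makes the corresponding finding disappear.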