Using CML 2.0, ASA 9.15.
I can ping from the firewall to the outside resource and to the inside resource, but ping or telnet through the firewall is denied. Is there a license scenario for the CML ASAv, or am I missing something in the ASAv config? I have run the ASA from the default config on VIRL many times, but not on CML, and have not seen this issue. I've tried various configurations with/without ACLs and static NAT etc.
Is there now a default ACL even when none are configured?
Here's the config and packet-tracer output. The SRC/DST addresses are directly on the routers on each side of the firewall.
interface GigabitEthernet0/0
 description to GigabitEthernet0/0/0/0.xrv-1
 duplex full
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/0.100
 vlan 100
 nameif outside
 security-level 100
 ip address xx.252.out.81 255.255.255.252
!
interface GigabitEthernet0/1
 description to Ethernet2/1.nxos-2
 duplex full
 nameif inside
 security-level 100
 ip address xx.150.in.236 255.255.255.248
!
object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
object network OBJ_GENERIC_ALL
 nat (inside,outside) dynamic interface
!
route outside 0.0.0.0 0.0.0.0 xx.252.out.82 1
route inside 10.0.0.0 255.0.0.0 xx.150.in.235 1
!
policy-map global_policy
 class inspection_default
  inspect icmp
ciscoasa(config-network-object)# show logg | i 216
%ASA-3-106014: Deny inbound icmp src inside:xx.150.xx.233 dst outside:216.out.159.254 (type 8, code 0)
%ASA-2-106001: Inbound TCP connection denied from 10.150.xx.233/59451 to 216.out.159.254/22 flags SYN on interface inside
ciscoasa(config-if)# packet-tracer input inside tcp xx.150.in.233 59451 216.out.159.254 ssh
Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop xx.252.out.82 using egress ifc outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fec695907f0, priority=110, domain=permit, deny=true
hits=1513, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055fa98b8f94d flow (NA)/NA
Thanks in advance.
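An added check, not from the post or from Cisco, that parses ASA interface stanzas like the ones above and flags interface pairs that share a security level while the config has no `same-security-traffic permit inter-interface` line; by default the ASA does not forward traffic between interfaces at the same security level, so such a pair is worth verifying before looking at ACLs or NAT. The sample config and its addresses are constructed placeholders that mirror the stanzas in the post.

```python
import re

# Constructed sample mirroring the interface stanzas in the post
# (RFC 5737 placeholder addresses, not the poster's real ones).
ASA_CONFIG = """\
interface GigabitEthernet0/0
 no nameif
 security-level 0
!
interface GigabitEthernet0/0.100
 vlan 100
 nameif outside
 security-level 100
 ip address 192.0.2.81 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.236 255.255.255.248
!
"""

def parse_interfaces(config: str) -> dict:
    """Map each named interface (one with a nameif) to its security-level.
    Interfaces with 'no nameif' are skipped because they carry no traffic."""
    levels, nameif = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            nameif = None                      # new stanza, reset state
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif:
            levels[nameif] = int(line.split()[1])
    return levels

def same_level_pairs_without_permit(config: str) -> list:
    """Return (a, b) interface pairs at equal security level when the config
    lacks 'same-security-traffic permit inter-interface'; traffic between
    them is dropped by the implicit rule until that command is added."""
    if re.search(r"^same-security-traffic permit inter-interface", config, re.M):
        return []
    levels = parse_interfaces(config)
    names = sorted(levels)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if levels[a] == levels[b]]

if __name__ == "__main__":
    for a, b in same_level_pairs_without_permit(ASA_CONFIG):
        print(f"{a} and {b} share security-level {parse_interfaces(ASA_CONFIG)[a]}: "
              "inter-interface traffic is denied without same-security-traffic permit")
```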