CML ASAv denying all traffic inbound no matter FW config

walter3
Level 1

Using CML 2.0, ASA 9.15.

I can ping from the firewall to the outside resource and to the inside resource, but ping or telnet through the firewall is denied. Is there a license scenario for CML ASAv, or am I missing something in the ASAv config? I have run ASA from the default config on VIRL many times, but not on CML, and have not seen this issue. I've tried various configurations with/without ACLs and static NAT etc...

Is there now a default ACL even when none are configured?

 

Here's config and packet tracer. SRC/DST addresses are directly on routers on each side of firewall.

interface GigabitEthernet0/0
 description to GigabitEthernet0/0/0/0.xrv-1
 duplex full
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/0.100
 vlan 100
 nameif outside
 security-level 100
 ip address xx.252.out.81 255.255.255.252
!
interface GigabitEthernet0/1
 description to Ethernet2/1.nxos-2
 duplex full
 nameif inside
 security-level 100
 ip address xx.150.in.236 255.255.255.248
!
object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
!
object network OBJ_GENERIC_ALL
 nat (inside,outside) dynamic interface
!
route outside 0.0.0.0 0.0.0.0 xx.252.out.82 1
route inside 10.0.0.0 255.0.0.0 xx.150.in.235 1
!
policy-map global_policy
 class inspection_default
  inspect icmp


ciscoasa(config-network-object)# show logg | i 216
%ASA-3-106014: Deny inbound icmp src inside:xx.150.xx.233 dst outside:216.out.159.254 (type 8, code 0)
%ASA-2-106001: Inbound TCP connection denied from 10.150.xx.233/59451 to 216.out.159.254/22 flags SYN on interface inside

ciscoasa(config-if)# packet-tracer input inside tcp xx.150.in.233 59451 216.out.159.254 ssh

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop xx.252.out.82 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fec695907f0, priority=110, domain=permit, deny=true
hits=1513, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055fa98b8f94d flow (NA)/NA

Thanks In Advance
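Editor's note with an added example (not the poster's code and not a Cisco tool): the packet-tracer above drops in the ACCESS-LIST phase on an "Implicit Rule" with no ACL configured, which is the behaviour the ASA's interface security-level defaults produce on their own. Three facts drive those defaults: traffic from a higher security-level interface to a lower one is permitted implicitly as long as no access-group is applied inbound on the ingress interface; traffic from lower to higher is denied unless an inbound access-group permits it; and traffic between two interfaces at the same security-level is denied unless `same-security-traffic permit inter-interface` is configured. The small linter below encodes those rules and runs them over the interface section quoted in the post (`outside` and `inside` are both security-level 100 there), plus two candidate fixes constructed for the example. The parser, the `TOP_LEVEL` keyword list, the finding texts and the sample strings are this example's own assumptions; the sample keeps the post's address redactions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

# Top-level keywords that end an "interface" block in an ASA running-config.
# Sub-commands are normally indented one space, but the copy in the post lost
# its indentation, so block boundaries are detected by keyword instead.
TOP_LEVEL = re.compile(
    r"^(interface|object|object-group|access-list|access-group|route|"
    r"policy-map|class-map|same-security-traffic|hostname|names|nat|mtu|dns)\b"
)


@dataclass
class Iface:
    name: str                     # e.g. GigabitEthernet0/0.100
    nameif: Optional[str] = None  # logical name used by nat/route/access-group
    level: Optional[int] = None   # 0..100, drives the implicit permit/deny rules


def parse_interfaces(config: str) -> list[Iface]:
    """Collect nameif and security-level per interface block."""
    ifaces: list[Iface] = []
    cur: Optional[Iface] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = Iface(name=line.split(None, 1)[1])
            ifaces.append(cur)
            continue
        if cur is None or TOP_LEVEL.match(line):
            cur = None
            continue
        if line.startswith("nameif "):
            cur.nameif = line.split(None, 1)[1]
        elif line == "no nameif":
            cur.nameif = None
        elif line.startswith("security-level "):
            cur.level = int(line.split()[1])
    return ifaces


def lint(config: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings about which interface pairs can talk."""
    findings: list[tuple[str, str]] = []
    same_ok = re.search(
        r"^\s*same-security-traffic permit inter-interface\s*$", config, re.M) is not None
    # nameif -> ACL applied inbound on that interface
    ingress_acl = {ifc: acl for acl, ifc in
                   re.findall(r"^\s*access-group (\S+) in interface (\S+)", config, re.M)}
    named = [i for i in parse_interfaces(config) if i.nameif and i.level is not None]
    for a, b in combinations(named, 2):
        if a.level == b.level:
            if not same_ok:
                findings.append(("error",
                    f"{a.nameif} and {b.nameif} are both security-level {a.level}: traffic "
                    "between them hits the implicit deny until 'same-security-traffic permit "
                    "inter-interface' is configured or the levels are made different"))
            continue
        lo, hi = (a, b) if a.level < b.level else (b, a)
        if lo.nameif not in ingress_acl:
            findings.append(("info",
                f"{lo.nameif} ({lo.level}) -> {hi.nameif} ({hi.level}) is denied by default; "
                f"apply an access-group inbound on {lo.nameif} if that direction must initiate"))
        if hi.nameif in ingress_acl:
            findings.append(("info",
                f"{hi.nameif} ({hi.level}) -> {lo.nameif} ({lo.level}): access-group "
                f"{ingress_acl[hi.nameif]} replaces the implicit permit, so it must allow the traffic"))
    return findings


def errors(config: str) -> list[str]:
    return [msg for sev, msg in lint(config) if sev == "error"]


# Interface section as posted above (addresses redacted in the original), reindented.
POSTED = """\
interface GigabitEthernet0/0
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/0.100
 vlan 100
 nameif outside
 security-level 100
 ip address xx.252.out.81 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address xx.150.in.236 255.255.255.248
object network OBJ_GENERIC_ALL
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 xx.252.out.82 1
"""

# Two candidate fixes (constructed for this example, not from the post): keep both
# interfaces at 100 and permit same-security traffic, or give outside the usual level 0.
FIX_PERMIT_SAME = POSTED + "same-security-traffic permit inter-interface\n"
FIX_OUTSIDE_ZERO = POSTED.replace(" nameif outside\n security-level 100",
                                  " nameif outside\n security-level 0")

if __name__ == "__main__":
    for label, cfg in [("posted", POSTED), ("permit same-security", FIX_PERMIT_SAME),
                       ("outside at 0", FIX_OUTSIDE_ZERO)]:
        print(f"== {label}")
        for sev, msg in lint(cfg) or [("ok", "no findings")]:
            print(f"  [{sev}] {msg}")
```

Running it against the posted section yields one error for the inside/outside pair; the `same-security-traffic` variant yields nothing, and the `outside` at 0 variant yields only the informational note that outside-initiated traffic needs an inbound access-group, which is the normal ASA posture. The two fixes are not equivalent: lowering `outside` to 0 restores the asymmetric default (inside may initiate, outside may not), while `same-security-traffic permit inter-interface` opens both directions between the two interfaces, so on anything but a lab it should be paired with ACLs.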