11-27-2018 01:42 AM - edited 02-21-2020 08:30 AM
Actually, I want to allow FTP from outside to inside, but packet-tracer displays "Drop-reason: (acl-drop) Flow is denied by configured rule". I must have something wrong. I have attached my config. Any assistance would be greatly appreciated.
11-27-2018 04:57 AM
Try this:
object network ANY
subnet 0.0.0.0 0.0.0.0
nat (outside,inside) source dynamic ANY interface destination static FTP_Inside FTP_Inside service FTP FTP
--- --------
"Where ANY is the outside world (could be any public IP address) and interface means your ASA outside interface."
Also remove this:
no same-security-traffic permit inter-interface
no same-security-traffic permit intra-interface
Make sure you do this in a change window.
Regards.
11-27-2018 05:34 AM
I had a look at your config; here are my thoughts.
ASA Version 9.1(2)
!
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
ftp mode passive
////////////////////// NO NEED FOR THESE COMMANDS ////////
no same-security-traffic permit inter-interface
no same-security-traffic permit intra-interface
/////////////////////////////////////////////////////////
!
object network INSIDE_SUBNET
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source dynamic any interface
!
object service FTP
service tcp destination eq ftp
!
object network FTP_Inside (TRY THIS: do packet-tracer input outside tcp 8.8.8.8 12345 192.168.1.24 ftp detail)
host 192.168.1.24
nat (inside,outside) static interface service tcp ftp ftp ///// THIS RULE WILL CONNECT THE OUTSIDE CLIENT TO THE ASA OUTSIDE INTERFACE IP, THEN THE ASA WILL MAP THE OUTSIDE IP TO FTP_Inside //////
!
object network FTP_Outside
host x.x.x.x (Public IP??)
!
object service Passive_FTP
service tcp destination range 30000 35000
!
object service passive_FTP
service tcp destination range 30000 35000
!
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
!
////
access-list Outside_access_in extended permit tcp any host 192.168.1.24
////
no access-list Outside_access_in extended permit tcp object FTP_Outside object FTP_Inside eq ftp
no access-list Outside_access_in extended permit tcp object FTP_Outside object FTP_Inside eq ftp-data
no access-list Outside_access_in extended permit tcp any object FTP_Outside eq ftp
///////////////////////////////////////////////
///// You don't need this, as traffic from inside to outside (higher to lower security level) does not need an access rule ////
no access-list inside_access_in extended permit ip any any
///////////////////////////////////////////////////////////
access-list global_access extended permit tcp any any
////////////////////////////////// DON'T NEED THIS //////////////////////
nat (outside,outside) source dynamic any interface destination static FTP_Inside FTP_Inside service FTP FTP
/////////////////////////////////////////////////////////////////////////////////////////////////////////////
access-group Outside_access_in in interface outside
///////////////////////////////// NO NEED FOR THIS ////////////////////
access-group inside_access_in in interface inside
/////////////////////////////////////////////////////////////////////////
access-group global_access global
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
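The reply above hinges on one behaviour that is easy to miss when reading a packet-tracer verdict: since ASA 8.3, the inbound ACL is evaluated after UN-NAT, against the real (untranslated) destination address, which is why the ACE must name 192.168.1.24 and the ACEs referencing FTP_Outside are removed. The following Python model, added here as an illustration and not taken from the thread or from Cisco code, walks an inbound SYN through a static service NAT rule and then an ACL, returning the same drop-reason string the question quotes. The outside interface address 203.0.113.10 and the client 8.8.8.8 are assumed values for the example.

```python
"""Toy model of ASA 8.3+ inbound processing: UN-NAT first, then the
outside-in ACL matched against the REAL destination. Added example, not
ASA code; interface and client addresses are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUTSIDE_IF_IP = "203.0.113.10"   # assumed outside interface address
FTP_INSIDE_IP = "192.168.1.24"   # real FTP server address from the thread
ACL_DROP = "Drop-reason: (acl-drop) Flow is denied by configured rule"


@dataclass(frozen=True)
class StaticServiceNat:
    """object network FTP_Inside / nat (inside,outside) static interface service tcp ftp ftp"""
    real_ip: str
    mapped_ip: str
    real_port: int
    mapped_port: int

    def un_nat(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Map the public destination back to the real one, or None if no match."""
        if dst_ip == self.mapped_ip and dst_port == self.mapped_port:
            return self.real_ip, self.real_port
        return None


@dataclass(frozen=True)
class Ace:
    """One extended ACE: permit|deny tcp <src> <dst> [eq <port>]; 'any' or CIDR."""
    action: str
    src: str
    dst: str
    dst_port: Optional[int] = None

    @staticmethod
    def _in(net: str, ip: str) -> bool:
        return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

    def matches(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        return (self._in(self.src, src_ip) and self._in(self.dst, dst_ip)
                and (self.dst_port is None or self.dst_port == dst_port))


def packet_tracer(nat_rules: List[StaticServiceNat], acl: List[Ace],
                  src_ip: str, src_port: int, dst_ip: str, dst_port: int):
    """Return (allowed, phases, drop_reason) for an inbound TCP SYN on 'outside'."""
    phases = []
    real_dst = (dst_ip, dst_port)
    for rule in nat_rules:                      # phase 1: UN-NAT the destination
        hit = rule.un_nat(dst_ip, dst_port)
        if hit:
            real_dst = hit
            phases.append(f"UN-NAT: {dst_ip}:{dst_port} -> {hit[0]}:{hit[1]}")
            break
    else:
        phases.append("UN-NAT: no static rule matched, destination unchanged")
    for ace in acl:                             # phase 2: ACL against the REAL address
        if ace.matches(src_ip, *real_dst):
            phases.append(f"ACCESS-LIST: matched {ace.action} {ace.src} {ace.dst} eq {ace.dst_port}")
            return ace.action == "permit", phases, (None if ace.action == "permit" else ACL_DROP)
    phases.append("ACCESS-LIST: implicit deny")
    return False, phases, ACL_DROP


NAT = [StaticServiceNat(FTP_INSIDE_IP, OUTSIDE_IF_IP, 21, 21)]
# ACE from the question: permits to the PUBLIC address (FTP_Outside) -> never matches post-UN-NAT
ACL_WRONG = [Ace("permit", "any", OUTSIDE_IF_IP + "/32", 21)]
# Corrected ACE: permits to the REAL address, as the reply above recommends
ACL_RIGHT = [Ace("permit", "any", FTP_INSIDE_IP + "/32", 21)]


def trace(acl: List[Ace], dst_port: int = 21):
    """Equivalent of: packet-tracer input outside tcp 8.8.8.8 12345 <outside-ip> <port>"""
    return packet_tracer(NAT, acl, "8.8.8.8", 12345, OUTSIDE_IF_IP, dst_port)


if __name__ == "__main__":
    for name, acl in (("public-ip ACE", ACL_WRONG), ("real-ip ACE", ACL_RIGHT)):
        allowed, phases, reason = trace(acl)
        print(name, "ALLOW" if allowed else "DROP", phases, reason or "")
```

Running it shows the public-address ACE dropping with the acl-drop reason even though the NAT rule matched, and the real-address ACE allowing the flow; a packet to a port with no static rule (say 22) stays untranslated and hits the implicit deny.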
11-27-2018 06:08 PM
11-27-2018 06:51 AM
You need these commands to allow the ASA to keep the connections in the state table:
policy-map global_policy
class inspection_default
inspect ftp
Ensure you have both of these in the object group:
object-group service obj-ftp tcp
port-object eq ftp
port-object eq ftp-data
access-list outside-in extended permit tcp any host ftp-svr-ip object-group obj-ftp (enter the actual server IP)
Try packet-tracer input outside tcp source-ip 12345 ftp-svr-ip 21 det to get info on where the problem may lie (enter the actual FTP server IP).
regards, mk
please rate if helpful or solved :)
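The reply above asks for inspect ftp without saying what the inspection does for a server behind a static NAT. For passive FTP the server answers PASV with a 227 reply carrying its own address and a data port in the 30000-35000 range the question's objects describe; if that reply leaves the ASA unchanged, the outside client tries to connect to 192.168.1.24 and fails, and the data connection would also need its own ACL entry. The following Python model, added here as an illustration and not taken from the thread or from Cisco's inspection engine, decodes the 227 reply, rewrites the embedded real address to the mapped one, and records the pinhole the data channel needs. The outside interface address 203.0.113.10, the client 8.8.8.8 and the sample 227 line are constructed for the example.

```python
"""Model of what 'inspect ftp' does with a PASV (227) reply from a NATed server:
decode the embedded address and port, rewrite the real address to the mapped
one, and open a pinhole for the data connection. Added example, not ASA code;
addresses and the sample reply are constructed."""
import re
from typing import Optional, Tuple

FTP_INSIDE_IP = "192.168.1.24"    # real server address from the thread
OUTSIDE_IF_IP = "203.0.113.10"    # assumed outside interface address
PASV_RANGE = range(30000, 35001)  # passive_FTP object from the thread

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  -> data port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a 227 reply, or None if it is not a valid PASV reply."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def inspect_ftp_reply(reply: str, real_ip: str, mapped_ip: str, client_ip: str):
    """Process one server-to-client control-channel line the way the inspection engine would:
    1. an embedded address that is not the server itself is refused (classic FTP bounce);
    2. the real address is rewritten to the mapped address the outside client can reach;
    3. a pinhole is recorded so client -> mapped_ip:port is allowed and translated
       to real_ip:port without an explicit ACL entry for the data channel.
    Returns (possibly rewritten line, pinhole dict or None)."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return reply, None                       # not a PASV reply: pass through untouched
    ip, port = parsed
    if ip != real_ip:
        raise ValueError(f"PASV address {ip} is not the FTP server; reply dropped")
    real_tuple = "(" + ip.replace(".", ",") + ","
    mapped_tuple = "(" + mapped_ip.replace(".", ",") + ","
    # The rewritten line may change length; a real inspection engine also adjusts
    # TCP sequence numbers for that, which this model does not show.
    rewritten = reply.replace(real_tuple, mapped_tuple, 1)
    pinhole = {
        "src": client_ip,
        "dst": mapped_ip,
        "dport": port,
        "xlate_to": (real_ip, port),
        "in_configured_range": port in PASV_RANGE,   # informational: the pinhole does not depend on it
    }
    return rewritten, pinhole


# Constructed sample: the server behind the ASA answers PASV with its private address.
SAMPLE_227 = "227 Entering Passive Mode (192,168,1,24,117,48)"


def demo():
    return inspect_ftp_reply(SAMPLE_227, FTP_INSIDE_IP, OUTSIDE_IF_IP, "8.8.8.8")


if __name__ == "__main__":
    line, hole = demo()
    print("client sees :", line)
    print("pinhole     :", hole)
```

Without the rewrite, the client would attempt a connection to the private address; without the pinhole, the ACL that only permits port 21 and 20 would drop the data SYN to the passive port, which is the failure mode that "inspect ftp" exists to prevent.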
11-27-2018 07:01 AM
Hi mkazam001, I thought the problem was the NAT issue, as if you look at the NAT statement it's wrong?
11-27-2018 07:09 AM
I didn't mention that as you already had: nat (outside,outside) is incorrect.
regards, mk
11-27-2018 10:08 PM
11-28-2018 07:31 AM
Yes, fix your NAT statement.
11-27-2018 08:13 PM
Looks like it should be a NAT issue. Also, use object-groups instead of object networks to be clearer with the config.
Create an object group for the FTP ports, add them to it, and then use it in the ACL to allow them.