Drop-reason: (acl-drop) Flow is denied by configured rule

CY Ko
Level 1

Actually, I want to allow FTP from outside to inside, but packet tracer displays "Drop-reason: (acl-drop) Flow is denied by configured rule". I must have something wrong. I have attached my config. Any assistance would be greatly appreciated.

9 Replies

try this

object network ANY
 subnet 0.0.0.0 0.0.0.0
nat (outside,inside) source dynamic ANY   interface destination static FTP_Inside FTP_Inside service FTP FTP

"Where ANY is the outside world (could be any public IP address) and interface means your ASA outside interface"

also, remove this:
no same-security-traffic permit inter-interface
no same-security-traffic permit intra-interface


make sure you do this in a change window.

Regards.

please do not forget to rate.

I had a look at your config; here are my thoughts:

ASA Version 9.1(2)
!
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address dhcp
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
ftp mode passive
//////////////////////NO NEED FOR THESE COMMANDS////////
no same-security-traffic permit inter-interface
no same-security-traffic permit intra-interface
/////////////////////////////////////////////////////////
!
object network INSIDE_SUBNET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) source dynamic any interface
!
object service FTP
 service tcp destination eq ftp
!
object network FTP_Inside (TRY THIS- DO packet tracer input outside tcp 8.8.8.8 12345 192.168.1.24 ftp detail)
 host 192.168.1.24
  nat (inside,outside) static interface service tcp ftp ftp /////THIS RULE WILL CONNECT THE OUTSIDE CLIENT TO THE ASA OUTSIDE INTERFACE IP, THEN THE ASA WILL MAP THE OUTSIDE IP TO FTP_Inside//////
!
object network FTP_Outside
 host x.x.x.x   (Public IP??)
!
object service Passive_FTP
 service tcp destination range 30000 35000
!
object service passive_FTP
 service tcp destination range 30000 35000
!
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
!
////
access-list Outside_access_in extended permit tcp any host 192.168.1.24
////
no access-list Outside_access_in extended permit tcp object FTP_Outside object FTP_Inside eq ftp
no access-list Outside_access_in extended permit tcp object FTP_Outside object FTP_Inside eq ftp-data
no access-list Outside_access_in extended permit tcp any object FTP_Outside eq ftp
///////////////////////////////////////////////

/////You don't need this as traffic from inside to outside (higher to lower) does not need an access rule////
no access-list inside_access_in extended permit ip any any
///////////////////////////////////////////////////////////
access-list global_access extended permit tcp any any


//////////////////////////////////DONT NEED THIS//////////////////////
nat (outside,outside) source dynamic any interface destination static FTP_Inside FTP_Inside service FTP FTP
/////////////////////////////////////////////////////////////////////////////////////////////////////////////


access-group Outside_access_in in interface outside

/////////////////////////////////NO NEED THIS////////////////////
access-group inside_access_in in interface inside
/////////////////////////////////////////////////////////////////////////



access-group global_access global
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

please do not forget to rate.

Dear sherazrose,

1. object network FTP_Inside (TRY THIS- DO packet tracer input outside tcp 8.8.8.8 12345 192.168.1.24 ftp detail)
host 192.168.1.24
Ans: It is still the same problem.

2. host x.x.x.x (Public IP??)
Ans: Yes

What should my next step be? Thanks.

mkazam001
Level 3

you need these cmds to allow the asa to keep the connections in the state table:

policy-map global_policy
 class inspection_default
  inspect ftp

ensure you have both of these in the object group:

object-group service obj-ftp tcp
 port-object eq ftp
 port-object eq ftp-data

access-list outside-in extended permit tcp any host ftp-svr-ip object-group obj-ftp       - enter actual svr ip

try packet-tracer input outside tcp source-ip 12345 ftp-svr-ip 21 det - to get info on where the problem may lie     - enter actual ftp server ip

regards, mk

please rate if helpful or solved :)
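Putting the two replies above together, here is a minimal working ASA 8.3+/9.x port-forward for the FTP server. This is an added example, not a config from any reply; it reuses the object and ACL names from the poster's config and assumes the outside interface's DHCP address is the public address clients connect to and that the default global_policy is still present.

```text
! Real server object with the port-forward (object NAT) attached to it.
! "interface" maps TCP/21 on the outside interface address to 192.168.1.24:21.
! The dynamic PAT for INSIDE_SUBNET can stay; static object NAT is evaluated first.
object network FTP_Inside
 host 192.168.1.24
 nat (inside,outside) static interface service tcp ftp ftp
!
! Since ASA 8.3, interface ACLs match the REAL (untranslated) address, so the
! permit is written to the object / 192.168.1.24, not to the public IP.
! Only TCP/21 is opened: ftp inspection adds the data-channel pinholes for
! both active (port 20) and passive (30000-35000) transfers dynamically, so
! the Passive_FTP / ftp-data rules and the nat (outside,outside) line go away.
access-list Outside_access_in extended permit tcp any object FTP_Inside eq ftp
access-group Outside_access_in in interface outside
!
! Keep ftp inspection in the default global policy so the data channels are
! tracked in the state table.
policy-map global_policy
 class inspection_default
  inspect ftp
!
! Verify from the outside using the PUBLIC (mapped) destination, as a real
! client would; the trace should show UN-NAT, then the ACL permit, then ALLOW.
! <outside-ip> is a placeholder for the outside interface's current address.
packet-tracer input outside tcp 8.8.8.8 12345 <outside-ip> 21 detailed
```

If the trace still ends in acl-drop, the "Config" line of the ACCESS-LIST phase in the detailed output names the exact rule that matched, which is usually faster than reading the whole access list.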

hi mkazam001, I thought the NAT problem was the issue; if you look at the NAT statement, it's wrong?

please do not forget to rate.

I didn't mention that as you already had: nat (outside,outside) is incorrect

regards, mk

Dear mkazam001,

After that, it is still the same problem. Do you have any idea what the problem is?

yes, fix your nat statement.

please do not forget to rate.

venkat_n7
Level 1

Looks like it should be a NAT issue. Also use "object-groups" instead of "object networks" to be clearer with the config.

Create an object group for the FTP ports, add them to it, and then use it in the ACL to allow.

Please rate comments and support
with regards,
Venkat