Drop with Packet Capture? help

Ibrahim Jamil
Level 6

Hi Folks

How do I start troubleshooting the below?

The user source address: 172.16.3.2 (behind ASA-1)

The destination SIP server: 10.100.100.100 (behind ASA-2)

packet-tracer input outside udp 172.16.3.2 4263  10.100.100.100 sip

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

38 Replies

Hi Sankar, are you sure it's blocked by the IPS module? If so, please, how do I exempt this traffic from being scanned by the IPS module? Please help.

this is my ACL regarding AIP-SSM

access-list AIP-SSM  extended permit ip any any

BTW Sankar, I learnt a lot from this conversation. Thank you.

Ibrahim,

You can add a deny line 1 for the flow in question and then test.

access-list AIP-SSM line 1 deny ip host x.x.x.x host y.y.y.y

-KS

Hi Sankar

see the below

Feb 04 2011 07:53:29: %ASA-2-106006: Deny inbound UDP from 172.16.3.2/5060 to 100.100.100.100/5060 on interface outside

That deny message says that it is being denied on the interface, so that means that the ACL you mentioned is not applied on the interface coming in. You should allow the traffic on the interface; otherwise the traffic will continue showing as denied in the packet-tracer.

Hi

In the place where I issued the packet-tracer there is an ACL permit ip any any on both interfaces, inside and outside.

Very strange, because that syslog message tells it is denied by the interface, not by the access-group. Can you send the show run access-list and show run access-group? Just to confirm.

Hi

access-list OUT extended permit ip any any
access-list OUT extended permit icmp any any
access-list IN extended permit ip any any
access-list IN extended permit icmp any any


access-group OUT in interface outside
access-group IN in interface inside

OK, interface ACLs are not the issue. Did you try what Sankar suggested about making an exemption of the traffic sent to the IPS?

Is that ACL applied to an interface?

IF you could share the config that will help a lot.

Without an ACL deny in the syslog, it means there is no static translation to allow the TCP 5060 packet from outside to inside.

Does this ASA have SIP inspection enabled?
Is there a static 1-1 translation for the SIP server's IP address on this ASA?

Config will certainly help.

-KS

Yes guys

SIP inspect is enabled under the service-policy.

What do you mean with the below?

Is there a static 1-1 translation for the SIP server's IP address on this ASA?

Try Sankar's suggestion:

access-list AIP-SSM line 1 deny ip host 172.16.3.2 host 10.100.100.100

Then try the packet tracer

After exempting the traffic from being scanned, I received the below:

Feb 04 2011 08:59:17: %ASA-2-106001: Inbound TCP connection denied from 172.16.3.2/5060 to 100.100.100.100/5060 flags SYN  on interface outside
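As an added example (not part of this thread), the helper below reads packet-tracer output shaped like the one in the original post to locate the first phase that returned DROP and its Drop-reason, and pulls the endpoints out of the %ASA-2-106001/106006 deny messages quoted above, which makes a destination mismatch such as 100.100.100.100 versus 10.100.100.100 easy to spot. The sample output and log lines are constructed from this thread.

```python
import re
from typing import Optional
# Constructed sample with the same layout as the packet-tracer output in the original post
PACKET_TRACER_OUTPUT = """\
Phase: 1
Type: ACCESS-LIST
Result: ALLOW

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP

Result:
input-interface: DMZ
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
# Layout shared by the %ASA-2-106001 (TCP) and %ASA-2-106006 (UDP) deny messages in the thread
SYSLOG_RE = re.compile(
    r"%ASA-\d-(?P<msgid>\d{6}): (?P<text>.*?)(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst>[\d.]+)/(?P<dport>\d+).* on interface (?P<iface>\S+)"
)

def find_drop(output: str) -> Optional[dict]:
    """Return the first phase whose Result is DROP, with the trailing Drop-reason attached."""
    drop, reason = None, None
    for chunk in re.split(r"\n\s*\n", output.strip()):  # phases are blank-line separated
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # free-text detail lines (no colon) carry no field
                fields[key.strip()] = value.strip()
        if drop is None and fields.get("Result") == "DROP":
            drop = {"phase": int(fields["Phase"]), "type": fields.get("Type")}
        reason = fields.get("Drop-reason", reason)
    if drop is not None:
        drop["reason"] = reason
    return drop

def parse_deny_syslog(line: str) -> Optional[dict]:
    """Pull message id, protocol, endpoints and interface out of a 106001/106006 deny line."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    proto = re.search(r"\b(TCP|UDP)\b", m["text"])
    return {"msgid": m["msgid"], "proto": proto.group(1) if proto else None, "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"]), "iface": m["iface"]}
```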

By mistake I wrote the ACL with the wrong IP. Can you check whether the destination IP is 100.100.100.100 instead of 10.100.100.100?

Additionally, can you tell us if there is some type of NAT translation for the traffic flowing from the outside to the inside?

Hi

It's normal translation on the ASA; I don't have any servers in this site.

global (outside) 1 interface
nat (inside) 1  0 0
