02-03-2011 08:46 AM - edited 03-11-2019 12:44 PM
Hi Folks,
How do I start troubleshooting the below?
The user source address: 172.16.3.2 (behind ASA-1)
The destination SIP server: 10.100.100.100 (behind ASA-2)
packet-tracer input outside udp 172.16.3.2 4263 10.100.100.100 sip
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
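Reading this transcript by hand is easy once, but the same three questions come up on every trace: which phase dropped the packet, what the drop code was, and whether the trace was run on the interface the real packet arrives on. The script below, added here as an example and not part of the original post, answers them for the transcript above. It parses the generic Phase/Type/Result layout of packet-tracer output, so it also works on traces that contain NAT or other phase types. Two things the output itself supports: the drop happens in phase 4, an ACCESS-LIST phase whose Config is `Implicit Rule` (the implicit deny that applies when no configured access-list entry permits the flow), not in a NAT phase; and the command names `outside` as the input interface while the Result block reports `DMZ`, so the trace should be re-run on the interface the SIP traffic actually enters.

```python
"""Triage a Cisco ASA packet-tracer transcript: which phase dropped the
packet, what the drop code was, and whether the Result block reports the
interface that the command named."""
import re

# Transcript copied from the post above (command line plus output).
TRACE = """\
packet-tracer input outside udp 172.16.3.2 4263 10.100.100.100 sip
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_KEYS = ("Type", "Subtype", "Result")         # one value per phase
LIST_KEYS = ("Config", "Additional Information")  # free text, possibly several lines


def parse_trace(text):
    """Return {'command': str, 'phases': [dict, ...], 'summary': dict}.

    Phases are the numbered blocks; 'summary' is the trailing block that
    starts with a bare 'Result:' line (interfaces, Action, Drop-reason)."""
    command, phases, summary = None, [], {}
    current, section, in_summary = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("packet-tracer "):
            command = line
        elif line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]),
                       "Config": [], "Additional Information": []}
            phases.append(current)
            section = None
        elif line == "Result:":           # bare 'Result:' opens the summary block
            in_summary = True
        elif in_summary:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
        elif current is not None:
            key, sep, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if sep and key in PHASE_KEYS:
                current[key] = value
                section = None
            elif sep and key in LIST_KEYS:
                section = key
            elif section:                 # continuation of Config / Additional Information
                current[section].append(line)
    return {"command": command, "phases": phases, "summary": summary}


def first_drop(trace):
    """The first phase whose Result is DROP, or None if every phase allowed it."""
    return next((p for p in trace["phases"] if p.get("Result") == "DROP"), None)


def drop_code(trace):
    """The parenthesised code in Drop-reason, e.g. 'acl-drop', or None."""
    m = re.match(r"\((.+?)\)", trace["summary"].get("Drop-reason", ""))
    return m.group(1) if m else None


def interface_mismatch(trace):
    """(named, reported) if the command's input interface differs from the one
    in the Result block, else None. A trace run on the wrong interface is
    evaluated against the wrong ACL and NAT rules and proves nothing."""
    m = re.match(r"packet-tracer input (\S+)", trace["command"] or "")
    named = m.group(1) if m else None
    reported = trace["summary"].get("input-interface")
    if named and reported and named.lower() != reported.lower():
        return (named, reported)
    return None


def triage(text):
    """Structured findings for one transcript."""
    trace = parse_trace(text)
    drop = first_drop(trace)
    return {
        "allowed": drop is None,
        "phase": drop["phase"] if drop else None,
        "type": drop.get("Type") if drop else None,
        "config": " ".join(drop["Config"]) if drop else None,
        "code": drop_code(trace),
        "mismatch": interface_mismatch(trace),
    }


if __name__ == "__main__":
    for k, v in triage(TRACE).items():
        print(f"{k:>9}: {v}")
```

Run it as-is to see the verdict for the transcript above; paste any other packet-tracer output into `TRACE` (or read it from a file) to triage that instead.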
02-04-2011 08:42 AM
That is the problem. The packet tracer shows that you are initiating traffic from the outside to the inside. You need at least a static translation so that traffic on the outside can reach hosts on the inside. If you prefer, you can self-translate the traffic so that it can be seen with the real IPs on the outside.
For example:
static (inside,outside) 100.100.100.100 100.100.100.100
This means that the IP 100.100.100.100 is physically on the inside, but it can be reached by outside IPs using that same IP. This IP should be known on the outside devices by the proper routing.
Please verify
02-04-2011 08:59 AM
Hi Paul,
The 100.100.100.100 is the IP address of the SIP server in the HQ site.
In my site, the inside IP addresses are 172.16.2.0 and the outside is 50.50.50.50.
So how do I translate?
02-04-2011 09:07 AM
OK. It would be good to understand your topology so that we can follow how the traffic gets to the SIP server.
Still, the NAT translation is required.
Can you tell me if there is IP connectivity between your ASA and the IP of the SIP server? Can you ping the IP 100.100.100.100 from the ASA?
If so, that means that routing is good. Based on the deny message, the traffic knows how to reach the ASA, but since there is no NAT translation it gets dropped.
Can you just test adding the static translation I gave you, test with the packet-tracer, then check the logs and the result from the packet tracer? After that, remove the static and let us know the results.
02-04-2011 09:17 AM
Yes Paul, I can ping the SIP server (100.100.100.100) from the ASA.
I still have the problem after I add the below, and the same message still appears:
static (inside,outside) 100.100.100.100 100.100.100.100
02-04-2011 09:21 AM
Very strange. It would be nice to see the configuration you have and the topology involving the SIP server and the subnet that should originate the traffic. Or maybe you can contact TAC support so that they can connect to your ASA remotely and assist you on the phone.
02-04-2011 09:28 AM
Hi Paul,
The SIP server is 100.100.100.100 in HQ.
My inside LAN: 172.16.3.0
Outside: 50.50.50.50
I am wondering why you translate the remote SIP IP address on my ASA's site like static (inside,outside) 100.100.100.100 100.100.100.100 while the outside address on my ASA is 50.50.0.0/16.
02-04-2011 09:32 AM
Is the 100.100.100.100 on the inside network or on the outside?
That static translation works if you don't want to translate the traffic and the outside network knows how to reach the 100.100.100.x network. If that network is not known, then you can use a different static translation using an available outside IP like:
static (inside,outside) 50.50.50.100 100.100.100.100
And the proper ACL allowing the traffic. In this case you already have the ACLs.
The above example assumes the IP 100.100.100.100 is somewhere on the inside.
02-04-2011 09:38 AM
Hi Paul,
Is the 100.100.100.100 on the inside network or on the outside?
The SIP server is 100.100.100.100 in HQ, the other site.
My site's ASA:
Inside LAN: 172.16.3.0
Outside: 50.50.50.50
02-05-2011 06:13 AM
Ibrahim,
I don't think we are still clear on the topology on the ASA2 side:
host(172.16.3.2)-- (in)ASA-1(out 50.50.50.50)----(out)ASA2(in)---SIP server (100.100.100.100)
If ASA1 is supposed to translate 172.16.3.2 to look like 50.50.50.50 when it accesses the SIP server behind ASA2, why does the syslog show this on ASA2?
Feb 04 2011 08:59:17: %ASA-2-106001: Inbound TCP connection denied from 172.16.3.2/5060 to 100.100.100.100/5060 flags SYN on interface outside
It appears that the host is reaching ASA2 with its real IP address. Which is fine, so 50.50.50.50 does not come into the picture at all.
Now, is 100.100.100.100 the real or mapped IP of the SIP server? There has to be a static translation or no nat-control on ASA2 for this to work.
"sh run static" output from ASA2 will help.
-KS
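The point of the reply above is that ASA2's own syslog is the ground truth about what ASA2 actually saw. A 106001 message is the ASA reporting that a TCP SYN arriving on the named interface was denied by its security policy, so it confirms the packet reached ASA2, and its source field shows whether ASA1 translated the host on the way. The script below, added here as an example and not part of the thread, parses that message and makes exactly that comparison. Two assumptions: the /24 mask on 172.16.3.0 (the thread gives no mask), and the second, translated log line, which is constructed for contrast and not something anyone in the thread posted. One caveat the thread itself shows: the packet-tracer test was run for UDP 5060, while the denied connection in the log is TCP 5060. SIP runs over either transport, so test the one the phones actually use.

```python
"""Parse ASA %ASA-2-106001 denials and check whether the source address the far
ASA saw is the mapped (translated) address you expected or the real inside host."""
import ipaddress
import re

# Syslog line quoted in the post above.
LOG_LINE = ("Feb 04 2011 08:59:17: %ASA-2-106001: Inbound TCP connection denied "
            "from 172.16.3.2/5060 to 100.100.100.100/5060 flags SYN on interface outside")

# Constructed for contrast: what ASA2 would have logged had ASA1 translated the
# host to its outside address. Hypothetical, not from the thread.
LOG_LINE_TRANSLATED = ("Feb 04 2011 08:59:17: %ASA-2-106001: Inbound TCP connection denied "
                       "from 50.50.50.50/5060 to 100.100.100.100/5060 flags SYN on interface outside")

# Assumed mask for the inside LAN; the thread only says 172.16.3.0.
INSIDE_NET = "172.16.3.0/24"
EXPECTED_MAPPED = "50.50.50.50"   # ASA1's outside address per the thread

PATTERN = re.compile(
    r"%ASA-(?P<sev>\d)-106001: (?P<direction>Inbound|Outbound) (?P<proto>\S+) "
    r"connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?) on interface (?P<iface>\S+)$"
)


def parse_106001(line):
    """Fields of a 106001 message as a dict, or None if the line is something else."""
    m = PATTERN.search(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("sev", "sport", "dport"):
        d[k] = int(d[k])
    return d


def source_is_translated(entry, expected_mapped, real_inside_net):
    """True if the far ASA saw the mapped address, False if it saw a host from the
    untranslated inside network, None if the source is neither."""
    src = ipaddress.ip_address(entry["src"])
    if src == ipaddress.ip_address(expected_mapped):
        return True
    if src in ipaddress.ip_network(real_inside_net):
        return False
    return None


def diagnose(line, expected_mapped=EXPECTED_MAPPED, real_inside_net=INSIDE_NET):
    """Plain-language reading of one 106001 line for the NAT question in the thread."""
    entry = parse_106001(line)
    if entry is None:
        return "not a 106001 message"
    where = (f"{entry['proto']} {entry['src']}:{entry['sport']} -> "
             f"{entry['dst']}:{entry['dport']} on {entry['iface']}")
    state = source_is_translated(entry, expected_mapped, real_inside_net)
    if state is True:
        return f"{where}: source is the mapped address; the near ASA translated it, fix the policy on {entry['iface']}"
    if state is False:
        return f"{where}: source is the untranslated inside host; the near ASA did not translate it on this path"
    return f"{where}: source is neither the mapped address nor the inside network"


if __name__ == "__main__":
    for line in (LOG_LINE, LOG_LINE_TRANSLATED):
        print(diagnose(line))
```

Feed it the lines from `show logging` (or the syslog collector) filtered on `106001`, and the verdict tells you on which box to keep looking: an untranslated source means the NAT policy on the near ASA (or the path the packet took around it) is the question, while a translated source that is still denied points at the access policy on the far ASA's interface.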