cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1853
Views
1
Helpful
5
Replies

FTD Phase: 3 Type: ACCESS-LIST Subtype: log Result: DROP

Hussain Majeed
Level 1
Level 1

I have a server that needs to access DMZ via ssh so it can be patched. 

 

I created an ACL in the inside zone to allow this server access all-dmz zone with any port and dest port ssh. 

 

This is now showing the drop below:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW

 

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW

 

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip ifc inside object-group -Internet object-group FMC_INLINE_dst_rule_ rule-id xx event-log flow-start
access-list CSM_FW_ACL_ remark rule-id xxx : ACCESS POLICY: edge-security-policy - Default
access-list CSM_FW_ACL_ remark rule-id xxxx : L4 RULE: inside_access_in_#xxx

object-group network HCDC-Internet

 

 


Result:
input-interface: inside(vrfid:0)
input-status: up
input-line-status: up
output-interface: dmz-1(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000 flow (NA)/NA

 

 

Any help would be appreciated, thanks

1 Accepted Solution

Accepted Solutions

I did the packet-tracer and did found one Denny ACL above the one I created and the server IP address in that ACL

 

I did make some change to move the ACL above this "access-list CSM_FW_ACL_ advanced deny ip ifc inside object-group -Internet object-group FMC_INLINE_dst_rule_ rule-id xx event-log flow-start"

 

And the traffic now is allowed and working fine. 

 

Thank you for sharing your thoughts. 

View solution in original post

5 Replies 5

Can you do
packet-tracer with keyword detail

if there is ACL in Inside then you need to allow SSH traffic to DMZ if there is no then traffic by default allow pass from high to low security level

need NAT exception in ASA to make Inside bypass dynamic NAT for Inside host to Outside
NAT exception will be
NAT (IN,DMZ) source INSIDE INSIDE destination DMZ-Server DMZ-Server 

also you need ACL in DMZ to allow return traffic from DMZ to IN 

I did the packet-tracer and did found one Denny ACL above the one I created and the server IP address in that ACL

 

I did make some change to move the ACL above this "access-list CSM_FW_ACL_ advanced deny ip ifc inside object-group -Internet object-group FMC_INLINE_dst_rule_ rule-id xx event-log flow-start"

 

And the traffic now is allowed and working fine. 

 

Thank you for sharing your thoughts. 

You are so welcome 

> packet-tracer input inside icmp 10.10.116.20 8 0 192.168.44.10 detailed

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Elapsed time: 21783 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1537f933ed60, priority=13, domain=capture, deny=false
hits=7171, user_data=0x1537f892c350, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=inside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 21783 ns
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1537f8788690, priority=1, domain=permit, deny=false
hits=3274, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Elapsed time: 19728 ns
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.44.10 using egress ifc outside(vrfid:0)

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 7398 ns
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit ip any any rule-id 1
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L7 RULE: DefaultActionRule
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0x1537f93f51a0, priority=12, domain=permit, deny=false
hits=13, user_data=0x153832ff9ec0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 7398 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1537f83e42d0, priority=0, domain=nat-per-session, deny=true
hits=2295, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 7398 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1537f8a72b30, priority=0, domain=inspect-ip-options, deny=true
hits=270, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside(vrfid:0), output_ifc=any

Phase: 7
Type: QOS
Subtype:
Result: ALLOW
Elapsed time: 27126 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x559a7a7684f0, priority=70, domain=qos-per-class, deny=false
hits=418, user_data=0x1537f8d6d150, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Elapsed time: 2055 ns
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1537f95e6300, priority=70, domain=inspect-icmp, deny=false
hits=4, user_data=0x1537f8ebeb40, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside(vrfid:0), output_ifc=any

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Elapsed time: 3288 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1537f8ba0200, priority=70, domain=inspect-icmp-error, deny=false
hits=4, user_data=0x1537f8efba30, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside(vrfid:0), output_ifc=any

Phase: 10
Type: ACCESS-LIST
Subtype:
Result: DROP
Elapsed time: 31647 ns
Config:
Implicit Rule
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x1537f8f78500, priority=501, domain=permit, deny=true
hits=16, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=192.168.44.10, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=outside(vrfid:0), output_ifc=any

Result:
input-interface: inside(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 149604 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000559a5b455ee0 flow (NA)/NA

>

This capture for RA_VPN

Review Cisco Networking for a $25 gift card