Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1351
Views
0
Helpful
0
Replies

Implicit deny

DineshRajan2315
Level 1
Level 1

‎09-24-2020 10:31 PM - edited ‎09-25-2020 06:51 AM

Hi People,

I am using ASA ASA5520 SW version 8.2(5)57

I have many subinterfaces in my ASA. The relevant ones are below,

GigabitEthernet0/1.6 DMZ 100

GigabitEthernet0/1.56 WITNESS 74

 

I have allowed traffic from an IP whose route is pointing to DMZ, to an IP whose route is pointing to WITNESS. But Firewall is dropping the traffic. 

The hitcount on all ACLs in the DMZ interface is 0

pac input DMZ tcp 165.136.158.4 1234 155.17.240.140 443 detailed

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x88bb9440, priority=12, domain=capture, deny=false
hits=43723345, user_data=0x7615d720, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x714f5290, priority=1, domain=permit, deny=false
hits=50443702565, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 155.17.240.128 255.255.255.224 WITNESS

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f992168, priority=11, domain=permit, deny=true
hits=45899286, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: WITNESS
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

Interzone and intrazone same security traffic is permitted(just in case)

 

Can you please help me to understand why firewall is showing this behavior ?

 

Regards,

Dinesh

 

 

Issue resolved.

access-group dmz-15 in interface DMZ

Must have created in the access-group dmz-15 instead of DMZ. My mistake.

 

0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card