Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
408
Views
0
Helpful
6
Replies

INBOUND ACL in 8.6 code

Jean Paul Enerst
Level 3
Level 3

‎07-08-2013 12:09 PM - edited ‎03-11-2019 07:09 PM

Hi All,

           I am not so familliar with 8.6 code and I am trying to give an outside host access to another host in the DMZ. I have have a NAT set for the host in the DMZ and in the ACL on the outside interface, i have used the local IP(192.168.x.x) in the ACL. I have defied my services(isakmp,esp,gre,ipsec).

When i do a show local host 192.168.x.x, i can see that there is an isakmp connection established

local host: <192.16x.2x.22>,

    TCP flow count/limit = 0/unlimited

    TCP embryonic count to host = 0

    TCP intercept watermark = unlimited

    UDP flow count/limit = 2/unlimited

  Conn:

    UDP outside 2x.2xx.x24.19x:500 dmz 192.16x.2x.22:500, idle 0:00:01, bytes 488, flags -

    UDP outside 20x.9x.2xx.132:500 dmz 192.16X.2X.22:500, idle 0:00:00, bytes 1152, flags -

But adminstrator in the other end, keeps telling the tunnel is up! Packet-tracer also shows the packet drop after passing the NAT. But the output above shows  isakmp connection in port 500. I also tried to test the port by telnet to the IP follow by the port number(192.16x.2x.22 500) with no luck.

There packet-tracer information as well...

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.16.200.0   255.255.255.0   dmz

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group from_outside in interface outside

access-list from_outside extended permit object-group Long_vpn_ser object-group DM_INLINE_NETWORK_4 object Long_vpn

object-group service Longview_vpn_ser

description: Services for Long VPN access

service-object gre

service-object esp

service-object ah

service-object udp destination eq isakmp

service-object tcp destination eq ssh

service-object object IPSEC

object-group network DM_INLINE_NETWORK_4

network-object host 2x.9x.2xx.13x

network-object host 21x.2xx.2x4.19x

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: FOVER

Subtype: standby-update

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (dmz,outside) source static Long_vpn Long_pub

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: dmz

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Any help will be greatly appreciate,

Thanks

Labels:
0 Helpful
6 Replies 6

Jouni Forss
VIP Alumni
VIP Alumni

‎07-08-2013 12:13 PM

Hi,

You are probably using the real IP address as the destination IP address of the "packet-tracer" command and that is why the ASA tells you that the simulated connection would fail the RPF check. Since on the way it doesnt hit any NAT rule but on the back out it hits a NAT rule.

Try the "packet-tracer" output with the public IP address if you want to accurately simulate the incoming packet.

- Jouni

0 Helpful

Jean Paul Enerst
Level 3
Level 3
In response to Jouni Forss

‎07-08-2013 12:25 PM

Hi Jouni,

              I did figured this part out, but i still don't understans why the other end of the tunnel is up when in my ASA it shows up! Also as i mentioned above, i cannot test port 500 via telnet.Obivious something is wrong but the configuration so simple!

Thanks,

Eddy

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to Jean Paul Enerst

‎07-08-2013 12:30 PM

Hi,

What is strange about the tunnel being up if everything is allowed and the reason the "packet-tracer" was failing was because the wrong IP address was used?

You cant test ISAKMP / UDP500 with Telnet as telnet is TCP and not UDP.

- Jouni

0 Helpful

Jean Paul Enerst
Level 3
Level 3
In response to Jouni Forss

‎07-08-2013 12:39 PM

Thanks for help, and did not realized that can't test UDP with this test. Although, i made the same test for ssh and still no access. Please see below in regards to the packet-tracer and result

0 Helpful

Jean Paul Enerst
Level 3
Level 3
In response to Jean Paul Enerst

‎07-08-2013 12:41 PM

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to Jean Paul Enerst

‎07-08-2013 12:44 PM

Hi,

You are still using the local IP address the destination.

The "packet-tracer" is meant to simulate the actual packet entering the ASA interface.

When you are testing traffic from the Internet then you will have to use the public NAT IP address as the destination naturally.

On the ACLs ofcourse the destination IP address is the local IP address because of the NAT and ACL format changes in the new software.

Hopefully this clears things up

Please do remember to mark a reply as the correct answer if it answered your question

Ask more if needed naturally

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card