07-01-2015 11:12 AM - edited 03-11-2019 11:12 PM
I have an ASA 5500 running 8.2(4). There is a static route inside for the 192.168.0.0/24 network to go to 192.168.133.1, which is another router on the firewall's inside network that leads back to their office.
I try pinging from a host in the 192.168.133 network to the 192.168.0 network, and the packet is dropped. A packet-tracer command gives the following output:
4344-FWL001(config)# packet-tracer input inside icmp 192.168.133.100 0 8 192.1$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_acl in interface inside
access-list inside_acl extended permit icmp any any echo-reply
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc979d518, priority=12, domain=permit, deny=false
hits=9224348, user_data=0xc7959a20, cs_id=0x0, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca36a9a0, priority=7, domain=conn-set, deny=false
hits=172443571, user_data=0xca37fb78, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc96e0ef8, priority=0, domain=inspect-ip-options, deny=true
hits=385629755, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc96e0b70, priority=66, domain=inspect-icmp-error, deny=false
hits=14153115, user_data=0xc96e0a58, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 139551, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc97697f0, priority=1, domain=nat, deny=false
hits=139932, user_data=0xc9769730, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I then try to add the network to the no-NAT group:
access-list inside_nat0_outbound extended permit ip 192.168.133.0 255.255.255.0 192.168.0.0 255.255.255.0
And the packet-tracer fails on a later step:
4344-FWL001(config)#packet-tracer input inside icmp 192.168.133.100 0 8 192.1$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_acl in interface inside
access-list inside_acl extended permit icmp any any echo-reply
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc979d518, priority=12, domain=permit, deny=false
hits=9224458, user_data=0xc7959a20, cs_id=0x0, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca36a9a0, priority=7, domain=conn-set, deny=false
hits=172445451, user_data=0xca37fb78, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc96e0ef8, priority=0, domain=inspect-ip-options, deny=true
hits=385632692, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc96e0b70, priority=66, domain=inspect-icmp-error, deny=false
hits=14153257, user_data=0xc96e0a58, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 192.168.133.0 255.255.255.0 inside 192.168.0.0 255.255.255.0
NAT exempt
translate_hits = 1, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc6b95be8, priority=6, domain=nat-exempt, deny=false
hits=1, user_data=0xc9d1d7a8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=192.168.133.0, mask=255.255.255.0, port=0
dst ip=192.168.0.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 139551, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc97697f0, priority=1, domain=nat, deny=false
hits=139933, user_data=0xc9769730, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 139551, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9769b48, priority=1, domain=host, deny=false
hits=16003947, user_data=0xc9769730, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 139551, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0xc97699a0, priority=1, domain=nat-reverse, deny=false
hits=28, user_data=0xc9769730, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
What am I missing to get this traffic through the ACLs?
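A small triage helper, added here as an example (my code, not the poster's configuration and not a Cisco tool): it splits packet-tracer output like the traces above into phases and reports the first phase whose result is DROP together with the rule config that phase matched, which is the line you actually need when the final "Drop-reason" is as generic as "(acl-drop) Flow is denied by configured rule". The embedded trace is a constructed, abbreviated sample in the same shape as the output above, so the script runs offline.

```python
"""Find the phase at which Cisco ASA packet-tracer drops a flow.

Added example for this thread; the trace below is constructed, not the poster's.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"


def parse_packet_tracer(text):
    """Return (phases, final): the Phase list and the trailing 'Result:' block as a dict."""
    phases, final = [], {}
    current, section, in_final = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^Phase:\s*(\d+)$", line)
        if m:                                    # a new phase header
            current = Phase(int(m.group(1)))
            phases.append(current)
            section, in_final = None, False
            continue
        if line == "Result:":                    # bare 'Result:' opens the final verdict block
            current, in_final = None, True
            continue
        if in_final:                             # e.g. "Action: drop", "Drop-reason: (acl-drop) ..."
            key, _, value = line.partition(":")
            final[key.strip().lower()] = value.strip()
            continue
        if current is None:                      # command echo or other preamble
            continue
        if line.startswith("Type:"):
            current.type = line[5:].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line[8:].strip()
        elif line.startswith("Result:"):
            current.result = line[7:].strip().upper()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return phases, final


def first_drop(phases):
    """The first phase whose result is DROP, or None when every phase allowed the flow."""
    return next((p for p in phases if p.result == "DROP"), None)


def summarize(text):
    """One-glance triage: which phase killed the flow and which rule it matched."""
    phases, final = parse_packet_tracer(text)
    drop = first_drop(phases)
    return {
        "phases": len(phases),
        "action": final.get("action"),
        "drop_reason": final.get("drop-reason"),
        "drop_phase": (drop.number, drop.type, drop.subtype) if drop else None,
        "drop_config": list(drop.config) if drop else [],
    }


# Constructed, abbreviated trace in the shape of the outputs above (hypothetical hostname/IPs).
SAMPLE_TRACE = """\
asa# packet-tracer input inside icmp 192.168.133.100 0 8 192.168.0.50
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_acl in interface inside
access-list inside_acl extended permit icmp any any echo-reply
Additional Information:
Forward Flow based lookup yields rule:
in id=0x0, priority=12, domain=permit, deny=false
Phase: 3
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
Additional Information:
Result:
input-interface: inside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_TRACE)
    print(f"action={s['action']} dropped in phase {s['drop_phase']}: {s['drop_reason']}")
    for cfg in s["drop_config"]:
        print("   ", cfg)
```

On the sample the script points at phase 3 (NAT) and prints the `nat (inside) 1 0.0.0.0 0.0.0.0` rule with "No matching global", which is exactly the mismatch the trace above shows before the NAT exemption was added.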
07-03-2015 11:12 AM
Both networks reside on the inside; why would traffic traverse the firewall?
07-03-2015 12:41 PM
I did not architect their network. Their servers at our location use the firewall as their gateway, and their office, connected through a point-to-point line, uses a separate router as its gateway, so traffic to that network from the servers here is supposed to be routed via the firewall to the router.
07-04-2015 06:59 PM
Can you post a diagram?
07-04-2015 09:15 PM
Hi,
Actually, you need this configuration to allow communication between the ASA (192.168.133.0/24) and (192.168.0.0/24).
global (inside) 1 interface
static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
Thanks and Regards,
Vibhor Amrodia
07-06-2015 10:17 AM
I made some changes after creating this thread. I added both networks to the inside no-nat group and added ACLs. Updated configuration is attached.
The customer is reporting pings are working, but RDP/SQL traffic is not. It looks like the firewall is trying to NAT the traffic to a different network. The packet-tracer output is below.
4344-FWL001# packet-tracer input inside tcp 192.168.133.210 3389 192.168.0.68 $
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_acl in interface inside
access-list inside_acl extended permit ip 192.168.133.0 255.255.255.0 192.168.0.0 255.255.255.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca8e5540, priority=12, domain=permit, deny=false
hits=492, user_data=0xc7955c90, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.133.0, mask=255.255.255.0, port=0
dst ip=192.168.0.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca36a9a0, priority=7, domain=conn-set, deny=false
hits=173249113, user_data=0xca37fb78, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc96e0ef8, priority=0, domain=inspect-ip-options, deny=true
hits=386801563, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 192.168.133.0 255.255.255.0 inside 192.168.0.0 255.255.255.0
NAT exempt
translate_hits = 576, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca0671d8, priority=6, domain=nat-exempt, deny=false
hits=576, user_data=0xc9d1de38, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=192.168.133.0, mask=255.255.255.0, port=0
dst ip=192.168.0.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 6
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
match ip inside 192.168.0.0 255.255.255.0 inside 192.168.133.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 574
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9d5e870, priority=6, domain=nat-exempt-reverse, deny=false
hits=576, user_data=0xc9d5e1d8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=192.168.133.0, mask=255.255.255.0, port=0
dst ip=192.168.0.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 139552, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc97697f0, priority=1, domain=nat, deny=false
hits=140512, user_data=0xc9769730, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 139552, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9769b48, priority=1, domain=host, deny=false
hits=16028284, user_data=0xc9769730, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 139552, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0xc97699a0, priority=1, domain=nat-reverse, deny=false
hits=606, user_data=0xc9769730, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 172.16.0.0 access-list vpn_nat
match ip inside 192.168.0.0 255.255.255.0 outside 10.1.7.0 255.255.255.0
static translation to 172.16.0.0
translate_hits = 114129674, untranslate_hits = 1964376
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xca3691d8, priority=5, domain=host, deny=false
hits=194675064, user_data=0xca5562e0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.0.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xc96e0ef8, priority=0, domain=inspect-ip-options, deny=true
hits=386801565, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 410248530, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
And entries from the logs:
Jul 2 18:21:35 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/63744 to 192.168.0.112/139 flags RST on interface inside
Jul 2 18:21:41 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59619 flags SYN ACK on interface inside
Jul 2 18:21:43 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59611 flags RST on interface inside
Jul 2 18:21:44 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59619 flags SYN ACK on interface inside
Jul 2 18:21:50 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59619 flags SYN ACK on interface inside
Jul 2 18:22:00 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59636 flags SYN ACK on interface inside
Jul 2 18:22:02 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59619 flags RST on interface inside
Jul 2 18:22:03 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59636 flags SYN ACK on interface inside
Jul 2 18:22:09 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59636 flags SYN ACK on interface inside
Jul 2 18:22:19 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59640 flags SYN ACK on interface inside
Jul 2 18:22:21 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59636 flags RST on interface inside
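The 106015 entries above carry the classic asymmetric-routing signature: the ASA sees the server's SYN ACK and RST replies for handshakes whose SYN it never tracked, so it denies them with "no connection". As an added detection example (my code, not the poster's logs and not a Cisco tool), this script parses such syslog lines and groups them by server socket so the affected flows stand out; the sample lines are constructed to mirror the ones above, with a documentation address as the syslog source.

```python
"""Flag %ASA-6-106015 'no connection' denies that look like asymmetric routing.

Added example for this thread; log lines below are constructed, not the real ones.
"""
import re
from collections import Counter, defaultdict

# Message shape: Deny TCP (no connection) from IP/port to IP/port flags FLAGS on interface NAME
PAT = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<ifc>\S+)"
)


def parse_106015(line):
    """Return the fields of a 106015 deny as a dict, or None for any other line."""
    m = PAT.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    ev["flags"] = ev["flags"].split()            # "SYN ACK" -> ["SYN", "ACK"]
    return ev


def find_asymmetric_flows(log_text, min_hits=2):
    """Group denies by (server ip, server port, client ip, interface) and keep the
    groups with repeated SYN ACK replies: the SYN took a path the ASA did not see."""
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        ev = parse_106015(line)
        if ev is None:
            continue
        key = (ev["src"], ev["sport"], ev["dst"], ev["ifc"])
        if "SYN" in ev["flags"] and "ACK" in ev["flags"]:
            stats[key]["syn_ack"] += 1
        elif "RST" in ev["flags"]:
            stats[key]["rst"] += 1
        else:
            stats[key]["other"] += 1
    return {k: dict(v) for k, v in stats.items() if v["syn_ack"] >= min_hits}


def describe(flows):
    """Human-readable lines for each flagged server socket."""
    out = []
    for (src, sport, dst, ifc), c in flows.items():
        out.append(
            f"{src}:{sport} -> {dst} on {ifc}: {c.get('syn_ack', 0)} SYN ACK and "
            f"{c.get('rst', 0)} RST replies denied with no connection; the client's SYN "
            f"bypassed the ASA (asymmetric routing), candidate for TCP state bypass"
        )
    return out


# Constructed sample (192.0.2.1 is a documentation address standing in for the syslog source).
SAMPLE_LOG = """\
Jul 2 18:21:41 192.0.2.1 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59619 flags SYN ACK on interface inside
Jul 2 18:21:43 192.0.2.1 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59611 flags RST on interface inside
Jul 2 18:21:44 192.0.2.1 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59619 flags SYN ACK on interface inside
Jul 2 18:22:00 192.0.2.1 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59636 flags SYN ACK on interface inside
Jul 2 18:22:05 192.0.2.1 %ASA-6-302013: Built inbound TCP connection 12345 for inside:192.168.133.5/51000 (192.168.133.5/51000) to inside:192.168.0.9/445 (192.168.0.9/445)
Jul 2 18:22:10 192.0.2.1 %ASA-6-106015: Deny TCP (no connection) from 10.0.0.7/443 to 10.0.0.8/40000 flags ACK on interface outside
"""

if __name__ == "__main__":
    for line in describe(find_asymmetric_flows(SAMPLE_LOG)):
        print(line)
```

On the sample only the RDP server socket 192.168.133.210:3389 is flagged (three SYN ACK, one RST); the lone stray ACK on the outside interface stays below the threshold, which keeps ordinary half-open noise out of the report. The same grouping applied to the real logs above would single out the 3389 replies to 192.168.0.68, the flow Puneesh's TCP state bypass suggestion in the next reply is aimed at.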
07-07-2015 08:57 AM
Looks like there is asymmetric routing. Can you try using TCP state bypass for the above-mentioned traffic? Here is the document for your reference:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111986-asa-tcp-bypass-00.html
Regards,
Puneesh
07-07-2015 03:55 PM
07-07-2015 06:13 PM
What is the default gateway set on the 192.168.133.0 machines?
07-09-2015 03:58 PM
192.168.133.59
Currently, some machines just have a persistent route that directs 192.168.0.0/24 traffic to 192.168.133.1.