12-21-2017 05:46 AM - edited 02-21-2020 07:00 AM
IN-ASA5510-01-03001# packet-tracer input DMZ tcp 10.100.22.100 4562 192.168.106.110 443 detail
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab888a18, priority=1, domain=permit, deny=false
hits=2127, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.106.0 255.255.255.0 DMZ
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_in in interface DMZ
access-list DMZ_access_in extended permit tcp any host 192.168.106.110 eq https
access-list DMZ_access_in remark Rules for DMZ Server to access Internal and External resources
access-list DMZ_access_in remark 192.168.106.51 - Test
access-list DMZ_access_in remark 192.168.106.19 - TMG
access-list DMZ_access_in remark 192.168.106.110 - Kemp
Additional Information:
Forward Flow based lookup yields rule:
in id=0xb2bb7228, priority=12, domain=permit, deny=false
hits=3, user_data=0xa89d5f40, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=192.168.106.110, mask=255.255.255.255, port=443, dscp=0x0
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab88b690, priority=0, domain=permit-ip-option, deny=true
hits=21390, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae062e08, priority=17, domain=flow-export, deny=false
hits=918, user_data=0xade42538, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
match ip DMZ 10.0.0.0 255.0.0.0 DMZ any
NAT exempt
translate_hits = 1, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xabc03ed0, priority=6, domain=nat-exempt, deny=false
hits=0, user_data=0xabc03e10, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=10.0.0.0, mask=255.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (DMZ) 0 0.0.0.0 0.0.0.0
nat-control
match ip DMZ any OUTSIDE any
no translation group, implicit deny
policy_hits = 1
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab9cbe70, priority=0, domain=host, deny=false
hits=42128, user_data=0xab9cba58, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (DMZ) 1 192.168.106.0 255.255.255.0
nat-control
match ip DMZ 192.168.106.0 255.255.255.0 DMZ any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0xabc068a0, priority=1, domain=nat-reverse, deny=false
hits=5, user_data=0xabc06630, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=192.168.106.0, mask=255.255.255.0, port=0, dscp=0x0
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
IN-ASA5510-01-03001#
I have a server (192.168.106.110) in the DMZ marked with security level 50. I am trying to get to it from a host on the 10.100.22.0/24 network, which will come in via the inside interface.
I have a NAT for 192.168.106.110 to a public IP. I can access the public IP from the internal network but cannot access the private IP internally.
Packet tracer shows me the output above, but I don't get where it's getting hung up.
12-21-2017 11:00 AM
Hi,
The message is about reverse path. Looks like the packet is getting in through the DMZ interface and leaving through another interface.
nat (DMZ) 0 0.0.0.0 0.0.0.0
nat-control
match ip DMZ any OUTSIDE any
no translation group, implicit deny
policy_hits = 1
Probably this is causing it.
-If I helped you somehow, please, rate it as useful.-
12-21-2017 11:05 AM
In old versions you have to create an exempt nat rule (also called nat 0) to allow communication between interfaces.
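The original poster asks where the packet-tracer output shows the packet getting hung up, and the replies point at the NAT rpf-check phase. As an added troubleshooting aid (not code from this thread or from Cisco), the Python below splits packet-tracer output into phases and reports the first phase whose Result is DROP, the config lines that phase matched, and the summary Drop-reason; the embedded SAMPLE is a constructed, trimmed copy of the output posted above.

```python
import re
# Constructed sample: a trimmed copy of the packet-tracer output posted above.
SAMPLE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (DMZ) 1 192.168.106.0 255.255.255.0
dynamic translation to pool 1 (No matching global)
Additional Information:
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text):
    """Split packet-tracer output into one dict per phase: header fields, config lines, info lines."""
    phases, cur, section = [], None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "config": [], "info": []}
            phases.append(cur)
            section = None
        elif cur is None or line == "Result:":  # a bare "Result:" starts the final summary block
            cur = None
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section:
            cur[section].append(line)
        elif ":" in line:  # Type:, Subtype:, Result: of the current phase
            key, val = line.split(":", 1)
            cur[key.strip().lower()] = val.strip()
    return phases

def first_drop(text):
    """Return (phase number, type, subtype, config lines) of the first DROP phase, or None if allowed."""
    for p in parse_phases(text):
        if p.get("result") == "DROP":
            return p["phase"], p.get("type", ""), p.get("subtype", ""), p["config"]
    return None

def drop_reason(text):
    """Return the Drop-reason from the summary block, or None when no drop was reported."""
    m = re.search(r"^Drop-reason:\s*(.*)$", text, re.M)
    return m.group(1).strip() if m else None
```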