nat-xlate-failed

marcio.tormente
Level 4

Hello Friends,

I changed my ASA from a 5505 to a 5506, and now when I try to access a specific public IP I receive the message nat-xlate-failed, but this problem occurs only with one public IP.

Attached is the error from the packet trace.

Thanks

Accepted Solution

From the debug outputs, we can see that ICMP request is going out but we are not getting any ICMP reply.

ICMP echo request from inside:192.168.13.61 to outside1:100.69.192.179 ID=1 seq=194 len=32
ICMP echo request from inside:192.168.13.61 to outside1:100.69.192.179 ID=1 seq=195 len=32
ICMP echo request from inside:192.168.13.61 to outside1:100.69.192.179 ID=1 seq=196 len=32
ICMP echo request from inside:192.168.13.61 to outside1:100.69.192.179 ID=1 seq=197 len=32


This proves that we are sending the packet but we are not getting any reply.
Does not look like ASA is doing anything fishy here and is working as expected.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/


Dinesh Moudgil
Cisco Employee

Hi 

Can you please share your NAT statement configuration? Also, what ASA version are you running?


Please share the output of 
packet-tracer input inside icmp 192.168.13.3 8 0 100.69.192.179 de

Regards,
Dinesh Moudgil


P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hello Dinesh,

The command output follows:

likasa# packet-tracer input inside icmp 192.168.13.3 8 0 100.69.192.179 de

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 189.40.251.175 using egress ifc outside1

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group FW-INSIDE in interface inside
access-list FW-INSIDE extended permit icmp object-group LAN any
access-list FW-INSIDE remark BLOQUEIA O RESTO E GERA LOG
object-group network LAN
network-object 192.168.13.0 255.255.255.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffddcd2b50, priority=13, domain=permit, deny=false
hits=1694, user_data=0x7fffe41ae040, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=192.168.13.0, mask=255.255.255.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network LAN-NAT1
nat (inside,outside1) dynamic interface
Additional Information:
Dynamic translate 192.168.13.3/0 to 186.231.97.189/61796
Forward Flow based lookup yields rule:
in id=0x7fffdfad2140, priority=6, domain=nat, deny=false
hits=4630, user_data=0x7fffdf0965b0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside1

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffdd400b20, priority=0, domain=nat-per-session, deny=true
hits=380234, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffddbac070, priority=0, domain=inspect-ip-options, deny=true
hits=196955, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 6
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map sfr
match access-list sfr_redirect
policy-map global_policy
class sfr
sfr fail-open
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffde63e350, priority=71, domain=sfr, deny=false
hits=188943, user_data=0x7fffde63c8f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffde636ef0, priority=70, domain=inspect-icmp, deny=false
hits=1700, user_data=0x7fffde635260, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffddbab920, priority=66, domain=inspect-icmp-error, deny=false
hits=1704, user_data=0x7fffddbaae80, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fffdd400b20, priority=0, domain=nat-per-session, deny=true
hits=380236, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fffddb3aa00, priority=0, domain=inspect-ip-options, deny=true
hits=152652, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside1, output_ifc=any

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 200874, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_sfr
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_sfr
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside1
output-status: up
output-line-status: up
Action: allow

likasa#
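The packet-tracer output above is long, and the two things worth pulling out of it are which phase (if any) stops the packet and what the NAT phase did with it. As an added example, not code from the thread or from Cisco, here is a small Python parser for the `packet-tracer ... detailed` format. SAMPLE_ALLOW is an abbreviated copy of the run posted above; SAMPLE_DROP is a constructed run illustrating the nat-xlate-failed result the original poster described, and the exact wording of its Drop-reason line is an assumption.

```python
"""Parse Cisco ASA `packet-tracer ... detailed` output into phases.

Added example, not from the thread. Lists each phase with its result, pulls
the dynamic NAT translation and egress interface out of the NAT phase, and
reports the final action and drop reason.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Abbreviated from the run posted in the thread (constructed sample).
SAMPLE_ALLOW = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 189.40.251.175 using egress ifc outside1

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network LAN-NAT1
nat (inside,outside1) dynamic interface
Additional Information:
Dynamic translate 192.168.13.61/0 to 186.231.97.189/44513

Result:
input-interface: inside
output-interface: outside1
Action: allow
"""

# Constructed: what a run that fails in the NAT phase looks like
# (the Drop-reason wording is assumed, not copied from a device).
SAMPLE_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 189.40.251.175 using egress ifc outside1

Phase: 3
Type: NAT
Subtype:
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
output-interface: outside1
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list[str] = field(default_factory=list)
    info: list[str] = field(default_factory=list)


def parse_packet_tracer(text):
    """Return (phases, final): the phase list and the trailing Result: block as a dict."""
    phases, final, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur = Phase(int(m.group(1)))
            phases.append(cur)
            section = None
        elif line == "Result:":            # a bare "Result:" opens the final block
            cur, section = None, "final"
        elif section == "final":
            key, _, val = line.partition(":")
            final[key.strip()] = val.strip()
        elif cur is None:
            continue
        elif line.startswith("Type:"):
            cur.type = line[5:].strip()
        elif line.startswith("Subtype:"):
            cur.subtype = line[8:].strip()
        elif line.startswith("Result:"):
            cur.result = line[7:].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            cur.config.append(line)
        elif section == "info":
            cur.info.append(line)
    return phases, final


def first_non_allow(phases):
    """The first phase whose Result is not ALLOW (where the tracer stops), or None."""
    return next((p for p in phases if p.result.upper() != "ALLOW"), None)


def nat_translation(phases):
    """(real, mapped, egress interface) from the NAT phase, or None if untranslated."""
    for p in phases:
        if p.type != "NAT" or p.subtype:   # skip the per-session NAT phases
            continue
        for line in p.info:
            m = re.match(r"(?:Dynamic|Static) translate (\S+) to (\S+)", line)
            if m:
                egress = next((re.match(r"nat \(\w+,(\w+)\)", c).group(1)
                               for c in p.config if c.startswith("nat (")), None)
                return m.group(1), m.group(2), egress
    return None


if __name__ == "__main__":
    for name, text in (("allow", SAMPLE_ALLOW), ("drop", SAMPLE_DROP)):
        phases, final = parse_packet_tracer(text)
        print(name, "->", final.get("Action"), final.get("Drop-reason", ""),
              "| NAT:", nat_translation(phases), "| stops at:", first_non_allow(phases))
```

On the thread's own output this reports the translation to 186.231.97.189 via outside1 and no failing phase, which is the point Dinesh makes in his reply: the tracer shows the ASA allowing the flow.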

Hi,

As per the packet tracer output it is being allowed fine.

Regards.

Aditya

Possible ARP issue on your switch, as you changed the ASA but are probably using the exact same IPs?

Can you confirm where this IP 192.168.13.1 is?

Moreover, the above packet tracer does not show any nat xlate failed.
Can you please share packet tracer output from those IPs where you see this failed message.

Regards,
Dinesh Moudgil


P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Dinesh,

192.168.13.1 is my router, and in this router there is a default route to the ASA, 192.168.13.254.

My machine is 192.168.13.61 and I can't ping or SSH to this specific IP, as you can see below:

C:\Users\mtormente>tracert 100.69.192.179

Rastreando a rota para 100.69.192.179 com no máximo 30 saltos

1 2 ms 2 ms 3 ms 192.168.13.1
2 * * * Esgotado o tempo limite do pedido.
3 * ^C
C:\Users\mtormente>tracert 100.69.192.179

Rastreando a rota para 100.69.192.179 com no máximo 30 saltos

1 2 ms 2 ms 4 ms 192.168.13.1
2 * ^C
C:\Users\mtormente>ping 100.69.192.179

Disparando 100.69.192.179 com 32 bytes de dados:
Esgotado o tempo limite do pedido.
Esgotado o tempo limite do pedido.
Esgotado o tempo limite do pedido.
Esgotado o tempo limite do pedido.

Estatísticas do Ping para 100.69.192.179:
Pacotes: Enviados = 4, Recebidos = 0, Perdidos = 4 (100% de perda),

C:\Users\mtormente>

Marcio,


Please run these captures:
capture asp type asp-drop all

capture capi interface inside match ip host 192.168.13.61 host 100.69.192.179

Then start ping from the host machine 192.168.13.61 and run :
"show cap asp | in 192.168.13.61 " to confirm if any packets are getting dropped on ASA.


Along with this,  share the output of:
packet-tracer input inside icmp 192.168.13.61 8 0 100.69.192.179 de



Regards,
Dinesh Moudgil


P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
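The `show cap asp | in <host>` step above prints one line per packet, with a `Drop-reason:` suffix on the ones the ASA discarded, and in a busy LAN the host's NetBIOS and LLMNR chatter buries the flow you care about. As an added example, not code from the thread or from Cisco, here is a Python parser that reads that output and answers the question being asked: were any packets between a given source and destination dropped, and for which reason? The sample lines are constructed in the format seen in the thread; the ICMP line carrying a nat-xlate-failed reason is invented to show what a real hit would look like, and the wording of its reason text is an assumption.

```python
"""Summarize `show capture asp` output from a Cisco ASA.

Added example, not from the thread. Parses the one-line-per-packet format of
an ASP drop capture (`capture asp type asp-drop all`) and counts drop reasons,
optionally restricted to one source/destination pair.
"""
import re
from collections import Counter

# Constructed sample in the thread's format; the ICMP line is invented.
SAMPLE_ASP = """\
1: 13:51:18.906554 192.168.13.61.137 > 192.168.13.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
3: 13:51:18.911680 192.168.13.61.58263 > 224.0.0.252.5355: udp 22 Drop-reason: (acl-drop) Flow is denied by configured rule
5: 13:51:18.912230 192.168.13.61.51939 > 224.0.0.252.5355: udp 22
12: 13:52:05.000000 192.168.13.61 > 100.69.192.179: icmp: echo request Drop-reason: (nat-xlate-failed) NAT failed
233: 13:52:01.426476 192.168.13.61.49534 > 64.233.186.188.5228: S 2462096645:2462096645(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
"""

LINE_RE = re.compile(
    r"^(?P<seq>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<rest>.*?)"
    r"(?:\s+Drop-reason:\s+\((?P<reason>[^)]+)\)\s*(?P<reason_text>.*))?$"
)


def split_addr(token):
    """ASA prints host.port for TCP/UDP and a bare host for ICMP."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def parse_asp(text):
    """Return one dict per packet line; header lines such as 'N packets captured' are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, sport = split_addr(m["src"])
        dst, dport = split_addr(m["dst"])
        first = m["rest"].split()[0].rstrip(":")
        # udp/icmp are named; TCP lines start with tcpdump-style flags (S, P, ., ...)
        proto = first if first in ("udp", "icmp") else "tcp"
        records.append({
            "seq": int(m["seq"]), "ts": m["ts"],
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "reason": m["reason"],
        })
    return records


def drop_summary(records, src=None, dst=None):
    """Count drop reasons for packets matching the optional src/dst filter."""
    counts = Counter()
    for r in records:
        if (src and r["src"] != src) or (dst and r["dst"] != dst):
            continue
        if r["reason"]:
            counts[r["reason"]] += 1
    return dict(counts)


def flow_drops(records, src, dst):
    """(seq, proto, reason) for every dropped packet of one src->dst flow."""
    return [(r["seq"], r["proto"], r["reason"])
            for r in records
            if r["src"] == src and r["dst"] == dst and r["reason"]]


if __name__ == "__main__":
    recs = parse_asp(SAMPLE_ASP)
    print("all drops:", drop_summary(recs))
    print("192.168.13.61 -> 100.69.192.179:",
          flow_drops(recs, "192.168.13.61", "100.69.192.179"))
```

Run against the real `show cap asp` output in the thread, `flow_drops` for 192.168.13.61 to 100.69.192.179 comes back empty, which is exactly the observation Dinesh draws from it: the ASA is not dropping the echo requests, so the loss is downstream of it.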

The results follow.

likasa# sh cap asp | in 192.168.13.61
1: 13:51:18.906554 192.168.13.61.137 > 192.168.13.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
3: 13:51:18.911680 192.168.13.61.58263 > 224.0.0.252.5355: udp 22 Drop-reason: (acl-drop) Flow is denied by configured rule
5: 13:51:18.912230 192.168.13.61.51939 > 224.0.0.252.5355: udp 22
8: 13:51:19.314269 192.168.13.61.58263 > 224.0.0.252.5355: udp 22 Drop-reason: (acl-drop) Flow is denied by configured rule
9: 13:51:19.314650 192.168.13.61.51939 > 224.0.0.252.5355: udp 22 Drop-reason: (acl-drop) Flow is denied by configured rule
13: 13:51:19.650204 192.168.13.61.137 > 192.168.13.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
14: 13:51:20.400583 192.168.13.61.137 > 192.168.13.255.137: udp 50 Drop-reason: (sp-security-failed) Slowpath security checks failed
173: 13:51:54.877197 192.168.13.61.137 > 192.168.13.255.137: udp 50
175: 13:51:54.880127 192.168.13.61.56297 > 224.0.0.252.5355: udp 24
181: 13:51:54.963710 192.168.13.61.50261 > 224.0.0.252.5355: udp 30
186: 13:51:55.297347 192.168.13.61.56297 > 224.0.0.252.5355: udp 24
188: 13:51:55.376124 192.168.13.61.50261 > 224.0.0.252.5355: udp 30
192: 13:51:55.634946 192.168.13.61.137 > 192.168.13.255.137: udp 50
196: 13:51:55.783574 192.168.13.61.57128 > 224.0.0.252.5355: udp 30
202: 13:51:56.194051 192.168.13.61.57128 > 224.0.0.252.5355: udp 30
203: 13:51:56.394434 192.168.13.61.137 > 192.168.13.255.137: udp 50
216: 13:52:00.111841 192.168.13.61.53292 > 224.0.0.252.5355: udp 22
217: 13:52:00.112008 192.168.13.61.137 > 192.168.13.255.137: udp 50
221: 13:52:00.521777 192.168.13.61.53292 > 224.0.0.252.5355: udp 22
222: 13:52:00.849534 192.168.13.61.137 > 192.168.13.255.137: udp 50
227: 13:52:01.135994 192.168.13.61.52778 > 224.0.0.252.5355: udp 30
228: 13:52:01.136284 192.168.13.61.54130 > 224.0.0.252.5355: udp 26
229: 13:52:01.137535 192.168.13.61.137 > 192.168.13.255.137: udp 50
230: 13:52:01.137810 192.168.13.61.137 > 192.168.13.255.137: udp 50
231: 13:52:01.138145 192.168.13.61.137 > 192.168.13.255.137: udp 50
233: 13:52:01.426476 192.168.13.61.49534 > 64.233.186.188.5228: S 2462096645:2462096645(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
237: 13:52:01.541872 192.168.13.61.54130 > 224.0.0.252.5355: udp 26
238: 13:52:01.542223 192.168.13.61.52778 > 224.0.0.252.5355: udp 30
240: 13:52:01.607024 192.168.13.61.137 > 192.168.13.255.137: udp 50
243: 13:52:01.639020 192.168.13.61.49535 > 64.233.186.188.5228: S 2764756584:2764756584(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
245: 13:52:01.880157 192.168.13.61.137 > 192.168.13.255.137: udp 50
246: 13:52:01.880249 192.168.13.61.137 > 192.168.13.255.137: udp 50
247: 13:52:01.880523 192.168.13.61.137 > 192.168.13.255.137: udp 50
251: 13:52:01.941479 192.168.13.61.49534 > 64.233.186.188.5228: S 2462096645:2462096645(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
253: 13:52:02.141578 192.168.13.61.49535 > 64.233.186.188.5228: S 2764756584:2764756584(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
255: 13:52:02.459174 192.168.13.61.49534 > 64.233.186.188.5228: S 2462096645:2462096645(0) win 8192 <mss 1460,nop,nop,sackOK>
256: 13:52:02.463293 192.168.13.61.49536 > 64.233.186.188.5228: S 2559980654:2559980654(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
257: 13:52:02.644848 192.168.13.61.137 > 192.168.13.255.137: udp 50
258: 13:52:02.644970 192.168.13.61.137 > 192.168.13.255.137: udp 50
259: 13:52:02.645184 192.168.13.61.137 > 192.168.13.255.137: udp 50
260: 13:52:02.659694 192.168.13.61.49535 > 64.233.186.188.5228: S 2764756584:2764756584(0) win 8192 <mss 1460,nop,nop,sackOK>
262: 13:52:02.968867 192.168.13.61.49536 > 64.233.186.188.5228: S 2559980654:2559980654(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
264: 13:52:03.402811 192.168.13.61.137 > 192.168.13.255.137: udp 50
268: 13:52:03.406030 192.168.13.61.51209 > 224.0.0.252.5355: udp 30
269: 13:52:03.406396 192.168.13.61.62544 > 224.0.0.252.5355: udp 30
270: 13:52:03.406717 192.168.13.61.59828 > 224.0.0.252.5355: udp 26
271: 13:52:03.407495 192.168.13.61.137 > 192.168.13.255.137: udp 50
272: 13:52:03.407785 192.168.13.61.137 > 192.168.13.255.137: udp 50
273: 13:52:03.487432 192.168.13.61.49536 > 64.233.186.188.5228: S 2559980654:2559980654(0) win 8192 <mss 1460,nop,nop,sackOK>
280: 13:52:03.819491 192.168.13.61.62544 > 224.0.0.252.5355: udp 30
281: 13:52:03.819781 192.168.13.61.59828 > 224.0.0.252.5355: udp 26
282: 13:52:03.820086 192.168.13.61.51209 > 224.0.0.252.5355: udp 30
286: 13:52:04.165534 192.168.13.61.137 > 192.168.13.255.137: udp 50
287: 13:52:04.165808 192.168.13.61.137 > 192.168.13.255.137: udp 50
288: 13:52:04.165900 192.168.13.61.137 > 192.168.13.255.137: udp 50
290: 13:52:04.927396 192.168.13.61.137 > 192.168.13.255.137: udp 50
291: 13:52:04.930905 192.168.13.61.137 > 192.168.13.255.137: udp 50
292: 13:52:04.931119 192.168.13.61.137 > 192.168.13.255.137: udp 50
310: 13:52:09.150398 192.168.13.61.137 > 192.168.13.255.137: udp 50
312: 13:52:09.152168 192.168.13.61.49521 > 224.0.0.252.5355: udp 22
314: 13:52:09.569214 192.168.13.61.49521 > 224.0.0.252.5355: udp 22
328: 13:52:09.925336 192.168.13.61.137 > 192.168.13.255.137: udp 50
333: 13:52:10.666774 192.168.13.61.137 > 192.168.13.255.137: udp 50
417: 13:52:21.185094 192.168.13.61.137 > 192.168.13.255.137: udp 50
419: 13:52:21.185979 192.168.13.61.52722 > 224.0.0.252.5355: udp 22
421: 13:52:21.187368 192.168.13.61.49212 > 224.0.0.252.5355: udp 22
432: 13:52:21.597442 192.168.13.61.52722 > 224.0.0.252.5355: udp 22
433: 13:52:21.597899 192.168.13.61.49212 > 224.0.0.252.5355: udp 22
440: 13:52:21.927015 192.168.13.61.137 > 192.168.13.255.137: udp 50
443: 13:52:22.683024 192.168.13.61.137 > 192.168.13.255.137: udp 50

likasa# packet-tracer input inside icmp 192.168.13.61 8 0 100.69.192.179 de

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffdf096410, priority=13, domain=capture, deny=false
hits=9629, user_data=0x7fffdf196db0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=inside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffddba4480, priority=1, domain=permit, deny=false
hits=14106997, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 189.40.251.175 using egress ifc outside1

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group FW-INSIDE in interface inside
access-list FW-INSIDE extended permit icmp object-group LAN any
access-list FW-INSIDE remark BLOQUEIA O RESTO E GERA LOG
object-group network LAN
network-object 192.168.13.0 255.255.255.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffddcd2b50, priority=13, domain=permit, deny=false
hits=1728, user_data=0x7fffe41ae040, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=192.168.13.0, mask=255.255.255.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
object network LAN-NAT1
nat (inside,outside1) dynamic interface
Additional Information:
Dynamic translate 192.168.13.61/0 to 186.231.97.189/44513
Forward Flow based lookup yields rule:
in id=0x7fffdfad2140, priority=6, domain=nat, deny=false
hits=8941, user_data=0x7fffdf0965b0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside1

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffdd400b20, priority=0, domain=nat-per-session, deny=true
hits=383114, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffddbac070, priority=0, domain=inspect-ip-options, deny=true
hits=201267, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 8
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map sfr
match access-list sfr_redirect
policy-map global_policy
class sfr
sfr fail-open
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffde63e350, priority=71, domain=sfr, deny=false
hits=193168, user_data=0x7fffde63c8f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffde636ef0, priority=70, domain=inspect-icmp, deny=false
hits=1734, user_data=0x7fffde635260, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 10
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffddbab920, priority=66, domain=inspect-icmp-error, deny=false
hits=1738, user_data=0x7fffddbaae80, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fffdd400b20, priority=0, domain=nat-per-session, deny=true
hits=383116, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fffddb3aa00, priority=0, domain=inspect-ip-options, deny=true
hits=156881, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside1, output_ifc=any

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 205107, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_sfr
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_sfr
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside1
output-status: up
output-line-status: up
Action: allow

Marcio,

It is quite weird since ASP captures show no packet drops on the ASA.
Additionally, ASA shows packet tracer allows everything whereas it was conflicting in the image that you attached initially on the original post.

This clearly shows that it is going out towards outside1 interface. Is it the expected one?
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
object network LAN-NAT1
nat (inside,outside1) dynamic interface
Additional Information:
Dynamic translate 192.168.13.61/0 to 186.231.97.189/44513
Forward Flow based lookup yields rule:
in id=0x7fffdfad2140, priority=6, domain=nat, deny=false
hits=8941, user_data=0x7fffdf0965b0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.13.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside1

Can you please share output of:
show cap capi
show route

Regards,
Dinesh Moudgil


P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

I have 2 links; the main link goes out through outside1. I didn't configure the redundancy yet.

The command output follows:

likasa# sh cap capi

158 packets captured

1: 13:51:53.027998 192.168.13.61 > 100.69.192.179: icmp: echo request
2: 13:51:57.606947 192.168.13.61 > 100.69.192.179: icmp: echo request
3: 13:52:02.613005 192.168.13.61 > 100.69.192.179: icmp: echo request
4: 13:52:07.593246 192.168.13.61 > 100.69.192.179: icmp: echo request

likasa# sh route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 189.40.251.175 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 189.40.251.175, outside1
S 10.0.55.0 255.255.255.0 [1/0] via 189.40.251.175, outside1
C 177.140.0.0 255.255.252.0 is directly connected, outside
L 177.140.2.240 255.255.255.255 is directly connected, outside
S 189.40.226.80 255.255.255.255 [1/0] via 189.40.251.175, outside1
C 192.168.13.0 255.255.255.0 is directly connected, inside
L 192.168.13.254 255.255.255.255 is directly connected, inside
S 192.168.15.0 255.255.255.0 [1/0] via 192.168.13.1, inside
C 192.168.16.0 255.255.255.0 is directly connected, inside1
L 192.168.16.1 255.255.255.255 is directly connected, inside1

C 192.168.13.0 255.255.255.0 is directly connected, inside

This confirms that we are learning this subnet from inside interface.

S* 0.0.0.0 0.0.0.0 [1/0] via 189.40.251.175, outside1

This shows the default route is via the outside1 interface.

Captures show packets are coming in on inside interface and ASP captures confirm no packets are getting dropped.

Couple of things to confirm:

1. Can you check whether you have ICMP inspection enabled or not?
via "show run policy-map"

2. Is this the only source or destination you are having issue with ?
3. Does the ping to this destination work from a different source IP?

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
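Dinesh's reading of `show route` above (the LAN is learned on inside, the default route points out outside1) is a longest-prefix-match lookup done by eye. As an added example, not code from the thread or from Cisco, here is that lookup in Python over the routing table posted in the thread, so the egress interface the ASA will choose for any destination can be checked the same way the ROUTE-LOOKUP phase of packet-tracer does it. The table text is copied from the thread; the `ad` tie-break for equal prefix lengths is an assumption about how to rank overlapping routes, not something the page states.

```python
"""Longest-prefix-match lookup over `show route` output from a Cisco ASA.

Added example, not from the thread. Parses the static/connected/local lines
of `show route` and picks the most specific route for a destination host.
"""
import ipaddress
import re

# Copied from the routing table posted in the thread.
SAMPLE_ROUTES = """\
S* 0.0.0.0 0.0.0.0 [1/0] via 189.40.251.175, outside1
S 10.0.55.0 255.255.255.0 [1/0] via 189.40.251.175, outside1
C 177.140.0.0 255.255.252.0 is directly connected, outside
L 177.140.2.240 255.255.255.255 is directly connected, outside
S 189.40.226.80 255.255.255.255 [1/0] via 189.40.251.175, outside1
C 192.168.13.0 255.255.255.0 is directly connected, inside
L 192.168.13.254 255.255.255.255 is directly connected, inside
S 192.168.15.0 255.255.255.0 [1/0] via 192.168.13.1, inside
C 192.168.16.0 255.255.255.0 is directly connected, inside1
L 192.168.16.1 255.255.255.255 is directly connected, inside1
"""

ROUTE_RE = re.compile(
    r"^(?P<code>\S+)\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\d+\.\d+\.\d+\.\d+),\s+(?P<ifc>\S+)"
    r"|is directly connected,\s+(?P<cifc>\S+))$"
)


def parse_routes(text):
    """Return a list of route dicts; the legend and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        routes.append({
            "code": m["code"],
            "network": ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False),
            "next_hop": m["nh"],                    # None for connected/local routes
            "ifc": m["ifc"] or m["cifc"],
            "ad": int(m["ad"]) if m["ad"] else 0,   # connected routes rank first
        })
    return routes


def lookup(routes, host):
    """Most specific route covering host; ties go to the lowest admin distance (assumed)."""
    addr = ipaddress.ip_address(host)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["ad"]))


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for host in ("100.69.192.179", "192.168.15.7", "177.140.2.1"):
        r = lookup(table, host)
        print(host, "->", r["ifc"], "via", r["next_hop"] or "connected", r["network"])
```

For 100.69.192.179 the only covering entry is the default route, so the ASA must send it out outside1 towards 189.40.251.175; nothing in the table steers that destination to the second link (the `outside` interface on 177.140.0.0/22), which is consistent with the reply only arriving when the poster moves the link.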

Yes, I have ICMP inspection; the command result follows:

likasa# sh run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect pptp
class sfr
sfr fail-open
policy-map outside-policy
class outside-class
priority
!
likasa#

I have only one network inside (192.168.13.0/24). I made a test from different hosts and the result is the same.

This problem happens only with this specific IP, and the most interesting thing is that if I change the link to my redundant one, it works fine.

All the rules are the same for both links.

So the inspection part is good.

Let us check if you can ping this IP from the ASA while using the outside1 interface.

Do you mean that if you move the internet connection over to an interface other than outside1, it starts working fine?

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

No, I can't ping from the ASA to this IP.

Yes, if I change the link to outside, I can communicate.
