Only WCCP redirects can access out of inside interface

morphotek
Level 1

Just set up an ASA 5512x with 9.3 code. For traffic going from the inside out that goes through our WCCP redirect for HTTP/HTTPS traffic, it works fine. Any traffic that does not use the redirect is being dropped. Inbound traffic to DMZ and internal servers works fine. I'm not sure if this is a NAT- or ACL-related issue. Below are the access-group and access-list sections of the config. Also, the per-session xlate deny commands show up at the top of the config; I'm not sure if that is the issue or not.


Result of the command: "show running-config access-group"

access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group DMZ_access_in in interface DMZ
access-group global_access global


Result of the command: "show running-config access-list"

access-list DMZ_access_in remark Allow DMZ to retriev DNS information from mordc01
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_5 172.31.1.0 255.255.255.0 host 10.101.27.24 
access-list DMZ_access_in remark Allow DMZ to send DNS lookups to mordc02
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_4 172.31.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_3 
access-list DMZ_access_in remark Allow CSG to communicate with internal Meta Servers
access-list DMZ_access_in extended permit tcp 172.31.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_1 
access-list DMZ_access_in extended permit udp 172.31.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_2 object-group Citrix-udp 
access-list DMZ_access_in extended permit icmp 172.31.1.0 255.255.255.0 10.101.27.0 255.255.255.0 
access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_4 10.101.27.0 255.255.255.0 object-group DM_INLINE_TCP_3 
access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_9 10.101.27.0 255.255.255.0 object-group RPC 
access-list DMZ_access_in extended permit tcp host 172.31.1.22 any object-group DM_INLINE_TCP_5 
access-list DMZ_access_in extended permit object-group TCPUDP host 172.31.1.22 object-group DM_INLINE_NETWORK_7 object-group Join_Domain_Ports 
access-list DMZ_access_in extended permit tcp host 172.31.1.22 object-group DM_INLINE_NETWORK_5 object-group Win911_Client_Port 
access-list DMZ_access_in extended permit object-group TCPUDP object-group DM_INLINE_NETWORK_10 object-group DM_INLINE_NETWORK_11 object-group Drobo_Ports log debugging 
access-list DMZ_access_in extended permit tcp host 172.31.1.22 object-group DM_INLINE_NETWORK_12 object-group Win911_Push_Port 
access-list DMZ_access_in extended permit tcp 172.31.1.0 255.255.255.0 host 10.101.27.70 eq www 
access-list Outside_access_in remark citrix.morphotek.com traffic
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object OUTSIDE_CITRIX_IP 
access-list Outside_access_in remark mo-csg.morphotek.com traffic
access-list Outside_access_in extended permit tcp any object OUTSIDE_CITRIXTEST_IP object-group DM_INLINE_TCP_4 
access-list Outside_access_in remark Allow email traffic In to morspam01
access-list Outside_access_in extended permit tcp any object OUTSIDE_MAIL_IP eq smtp 
access-list Outside_access_in remark Allow http/https traffic to mail for OWA and OMA
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any object OUTSIDE_MAIL_IP 
access-list Outside_access_in remark Allow Https for Accellion Traffic
access-list Outside_access_in extended permit tcp any object Outside_Accellion_IP eq https 
access-list Outside_access_in remark sharepoint.morphotek.com traffic
access-list Outside_access_in extended permit tcp any object OUTSIDE_SHAREPOINT_IP eq https 
access-list Outside_access_in extended permit tcp any object OUTSIDE_MORPORTAL01_IP object-group Win911_Client_Port 
access-list Outside_access_in extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_8 object-group XMPP_Federation 
access-list Outside_access_in extended permit tcp any object DIAGDEV_PRIME_OUTSIDE_IP eq ssh 
access-list Outside_access_in remark Allow http/https traffic to Accellion
access-list Inside_nat0_outbound extended permit ip any 172.31.1.0 255.255.255.0 
access-list Inside_nat0_outbound extended permit ip 10.101.27.0 255.255.255.0 172.18.1.0 255.255.255.0 
access-list Inside_nat0_outbound extended permit ip any 172.18.1.0 255.255.255.0 
access-list DMZ_nat0_outbound extended permit ip host 172.31.1.20 10.101.27.0 255.255.255.0 
access-list smtp extended permit tcp any host 64.212.42.53 object-group DM_INLINE_TCP_2 
access-list OutsidetoDMZ extended permit tcp any host 172.31.1.20 eq www 
access-list OutsidetoInside extended permit tcp any host 10.101.27.18 eq smtp 
access-list WSA extended permit ip host 10.101.27.10 any 
access-list WCCP_redirect extended permit tcp 10.101.27.0 255.255.255.0 any 
access-list WCCP_redirect extended permit tcp 10.101.130.0 255.255.255.0 any 
access-list WCCP_redirect extended permit tcp 10.101.128.0 255.255.255.0 any 
access-list WCCP_redirect extended permit object-group TCPUDP 10.101.131.0 255.255.255.0 any eq www 
access-list WCCP_redirect extended permit tcp 10.101.132.0 255.255.255.0 any 
access-list WCCP_redirect extended permit tcp 10.101.134.0 255.255.255.0 any 
access-list WCCP_redirect extended permit tcp 192.168.1.0 255.255.255.0 any 
access-list WCCP_redirect extended permit tcp host 192.168.0.226 any 
access-list WCCP_redirect extended permit tcp host 10.101.128.20 any 
access-list WCCP_redirect extended permit tcp host 192.168.6.7 any 
access-list WCCP_redirect extended permit tcp host 192.168.6.3 any 
access-list DMZ_nat_static extended permit ip host 172.31.1.23 host 64.212.42.61 
access-list Split_Tunnel_List remark Corporate Network
access-list Split_Tunnel_List standard permit 10.0.0.0 255.0.0.0 
access-list Split_Tunnel_List remark 215 BAS Network
access-list Split_Tunnel_List standard permit 192.168.253.0 255.255.255.0 
access-list Split_Tunnel_List remark 215 PAS Network
access-list Split_Tunnel_List standard permit 192.168.254.0 255.255.255.0 
access-list Split_Tunnel_List remark 215 Automation Network connection Between BAS and PAS
access-list Split_Tunnel_List standard permit 192.168.6.0 255.255.255.0 
access-list Split_Tunnel_List remark Access to 210 Lab Network
access-list Split_Tunnel_List standard permit 192.168.3.0 255.255.255.0 
access-list Split_Tunnel_List remark Access to 215 Lab Network
access-list Split_Tunnel_List standard permit 192.168.7.0 255.255.255.0 
access-list Split_Tunnel_List remark Access to Lefthand SANs
access-list Split_Tunnel_List standard permit 192.168.2.0 255.255.255.0 
access-list Split_Tunnel_List remark Access to DiagDev Drobo Prime
access-list Split_Tunnel_List standard permit host 172.31.1.23 
access-list Split_Tunnel_List remark Access to DiagDev Drobo Backup
access-list Split_Tunnel_List standard permit host 172.31.1.24 
access-list Split_Tunnel_List remark Access to Edge Via VPN
access-list Split_Tunnel_List standard permit 192.168.102.0 255.255.255.0 
access-list Split_Tunnel_List remark Access to Edge Via VPN
access-list Split_Tunnel_List standard permit 192.168.101.0 255.255.255.0 
access-list Split_Tunnel_List remark Access to CDR Via VPN
access-list Split_Tunnel_List standard permit 129.80.8.0 255.255.252.0 
access-list Split_Tunnel_List remark Access to CDR Via VPN
access-list Split_Tunnel_List standard permit 129.80.40.0 255.255.252.0 
access-list Split_Tunnel_List remark Access to CDR Via VPN
access-list Split_Tunnel_List standard permit 129.80.88.0 255.255.248.0 
access-list global_mpc extended permit ip any any 
access-list Inside_access_in extended permit ip any any 
access-list JabberPhoneClient remark Access to Call Manager Publisher
access-list JabberPhoneClient standard permit host 10.101.128.10 
access-list JabberPhoneClient remark Access to Call Manager Subscriber
access-list JabberPhoneClient standard permit host 10.101.128.11 
access-list JabberPhoneClient remark Access to CUPS Servers
access-list JabberPhoneClient standard permit host 10.101.128.32 
access-list JabberPhoneClient remark Access to CUPS Servers
access-list JabberPhoneClient standard permit host 10.101.128.33 
access-list JabberPhoneClient remark Access to Unity Servers
access-list JabberPhoneClient standard permit host 10.101.128.22 
access-list JabberPhoneClient remark Access to Unity Servers
access-list JabberPhoneClient standard permit host 10.101.128.23 
access-list JabberPhoneClient remark Access to AD/DNS
access-list JabberPhoneClient standard permit host 10.101.27.24 
access-list JabberPhoneClient remark Access to AD/DNS
access-list JabberPhoneClient standard permit host 10.101.27.25 
access-list wccp_redirect extended permit tcp host 192.168.0.215 any 
access-list wccp_redirect extended permit tcp host 192.168.9.14 any 
access-list global_access remark citrix.morphotek.com traffic
access-list global_access extended permit object-group DM_INLINE_SERVICE_2 any object-group DM_INLINE_NETWORK_13 
access-list global_access remark mo-csg.morphotek.com traffic
access-list global_access extended permit tcp any object-group DM_INLINE_NETWORK_14 object-group DM_INLINE_TCP_6 
access-list global_access remark Allow email traffic In to morspam01
access-list global_access extended permit tcp any object-group DM_INLINE_NETWORK_15 eq smtp 
access-list global_access remark Allow Https for Accellion Traffic
access-list global_access extended permit tcp any object-group DM_INLINE_NETWORK_16 eq https 
access-list global_access remark sharepoint.morphotek.com traffic
access-list global_access extended permit tcp any object-group DM_INLINE_NETWORK_17 eq https 
access-list global_access extended permit tcp any object-group DM_INLINE_NETWORK_18 object-group Win911_Client_Port 
access-list global_access extended permit object-group TCPUDP any object-group DM_INLINE_NETWORK_19 object-group XMPP_Federation 
access-list global_access extended permit tcp any object-group DM_INLINE_NETWORK_20 eq ssh 
access-list global_access remark Allow HTTPS access for OWA/OMA
access-list global_access extended permit tcp any object-group DM_INLINE_NETWORK_21 eq https 

3 Replies

Vibhor Amrodia
Cisco Employee

Hi,

To simplify the understanding of this issue, would you be able to post the packet-tracer output for the host which is not working?

Add the "detailed" keyword at the end :)

https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer

Thanks and Regards,

Vibhor Amrodia
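
As an added example (not from the thread or from Cisco), here is a small Python checker that walks the posted extended access-lists top-down the way the ASA evaluates them, so you can see which entry a given flow hits, or that it falls to the implicit deny, before running packet-tracer on the box. The ACL text is a constructed subset of the question's config; the object-group bodies are not on the page, so entries that depend on them are reported as unresolved rather than guessed, and this models only the ACL step, not routing or NAT.

```python
import ipaddress

# Constructed subset of the access-lists posted in the question (the object-group
# bodies are not on the page, so entries that need them cannot be fully evaluated).
ACL_TEXT = """\
access-list WCCP_redirect extended permit tcp 10.101.130.0 255.255.255.0 any
access-list WCCP_redirect extended permit object-group TCPUDP 10.101.131.0 255.255.255.0 any eq www
access-list WCCP_redirect extended permit tcp host 10.101.128.20 any
access-list Inside_access_in extended permit ip any any
"""
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "ssh": 22}

def _addr(tokens):
    """Consume one address spec: any | host A | A MASK | object-group G (-> None)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "object-group":
        return None, tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ace(line):
    """Parse one extended ACE; fields that need an object-group body become None."""
    t = line.split()
    if len(t) < 6 or t[2] != "extended":
        return None                          # remark, standard ACL, or unrelated line
    proto, rest = (None, t[6:]) if t[4] == "object-group" else (t[4], t[5:])
    src, rest = _addr(rest)
    dst, rest = _addr(rest)
    dport = 0                                # 0 = any destination port
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    elif rest[:1] == ["object-group"]:
        dport = None
    return {"acl": t[1], "action": t[3], "proto": proto, "src": src,
            "dst": dst, "dport": dport, "line": line}

def first_match(acl_text, acl_name, proto, src_ip, dst_ip, dport):
    """Top-down walk; verdict is 'permit'/'deny', 'unresolved' or 'implicit-deny'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in filter(None, map(parse_ace, acl_text.splitlines())):
        if ace["acl"] != acl_name:
            continue
        if any(n is not None and ip not in n for n, ip in ((ace["src"], src), (ace["dst"], dst))):
            continue                         # addresses definitely do not match
        if ace["proto"] not in (None, "ip", proto) or ace["dport"] not in (None, 0, dport):
            continue                         # protocol or port definitely differs
        if any(v is None for v in (ace["src"], ace["dst"], ace["proto"], ace["dport"])):
            return "unresolved", ace         # an object-group entry may match first
        return ace["action"], ace
    return "implicit-deny", None
```

Running it for a UDP flow from 10.101.130.0/24 against WCCP_redirect returns implicit-deny, which shows that only TCP from that subnet is redirected; the real decision still has to be confirmed with packet-tracer on the ASA, since that also walks routing and NAT.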

Packet tracer is dropping the connection on the implicit deny rule

morphotek
Level 1

Updated information is that the issue is that it's just dropping my VLANs outside of VLAN1 from getting to the firewall. Do I need to define subinterfaces on the 5512x, or can I just set the physical port into trunking mode? I did not have to put the 5510 that this is replacing into trunk mode, so it wasn't an issue.
