Packet Tracer results

mnorwalk17 · ‎06-05-2018

How can I determine which Rule the drop is coming from? What does the ID value 0x73d6a600, represent? i can post config if necessary. i am trying to understand why our AD server (192.168.16.10) cannot ping our DB Server (192.168.80.59). The topology is AD Server - Front End FW - Switch - Back-end FW - Switch - DB Server. (BE-FW can ping both DB Server and AD Server) FE Server can ping BE-FW and AD Server.

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.80.0 255.255.255.0 intf5

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x73d6a600, priority=111, domain=permit, deny=true
hits=71991, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: intf5
input-status: up
input-line-status: up
output-interface: intf5
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

shimenoy · ‎06-05-2018

Hi :)

I think the cause is the same I/F between input and output.
> input-interface: intf5
> output-interface: intf5

It's similar to the following case.
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/71342-intra-interface-communications.html#topic2

If you enable traffic between interfaces of the same security level with the "same-security-traffic permit inter-interface" command,
traffic to the same security level or low security level I/F is implicitly allowed.

HTH