Hi,

Thank you for the answer!

The ASA versione is 9.1(5) ASDM 7.1(6)

The host is 192.168.11.254, not 192.168.11.54 (sorry my mistake).

This is the output:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbe9dfc8, priority=1, domain=permit, deny=false
hits=166471376, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in MY_EXTERNAL_IP 255.255.255.255 identity

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb778620, priority=0, domain=nat-per-session, deny=false
hits=6388618, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x 0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbe9ec08, priority=0, domain=permit, deny=true
hits=109852, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, prot ocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Why asa said "flow is denied by configured rule" on phase 4?

Thanks!

In this version, the NAT should hit first than the ACL and I am not seeing it is hitting it.

Please share with me the show run nat and show run access-group outputs.

ASA# show run nat
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.31.254.128_25 NETWORK_OBJ_172.31.254.128_25 no-proxy-arp route-lookup
nat (inside,outside) source static Inside Inside destination static NETWORK_OBJ_10.1.1.0_24 NETWORK_OBJ_10.1.1.0_24 no-proxy-arp
nat (inside,outside) source dynamic inside-networkNEW interface
nat (inside,outsidebackup) source static inside-networkNEW inside-networkNEW destination static remote-networkNEW remote-networkNEW
nat (inside,outsideBackup) source dynamic inside-networkNEW interface
nat (inside,outsideBackup) source static any any destination static NETWORK_OBJ_172.31.254.128_25 NETWORK_OBJ_172.31.254.128_25 no-proxy-arp route-lookup
!
object network Inside
nat (inside,outside) dynamic interface
object network drytek
nat (inside,outsideBackup) static 172.31.254.253
object network Rete_HD
nat (inside,outside) dynamic interface
object network RETE_172.16.0.0
nat (inside,outside) dynamic interface
object network Guest_Client
nat (GUEST,outside) dynamic interface
object network Viostor
nat (inside,outside) static interface service tcp www 55055

ASA# show run access-group
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group outsidebackup_access_in in interface outsideBackup
access-group GUEST_access_in in interface GUEST

Hi;

Your issue is that ACL is dropping your packet it’s also verified via packet tracer:

You need to modify the ACL and allow the outside users to hit on your public IP on port 55055.

access-list outside_access_in line 9 extended permit tcp any host <EXTERNAL_IP> eq 55055

As a Packet Flow through an ASA Firewall it always checks ACL first then go for NAT statement.

Thanks & Best regards;

Nope..

Same issue..

Hi;

Either modify the existing Line 9 or insert a new line that allow users to access your external_ip on port 55055.

Thanks & Best regards;

Nope..

Same issue..

ASA# packet-tracer input outside tcp 8.8.8.8 1025 MY_EXTERNAL_IP 55055 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbe9dfc8, priority=1, domain=permit, deny=false
hits=239250585, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Viostor interface service www 55055
Additional Information:
NAT divert to egress interface inside
Untranslate MY_EXTERNAL_IP/55055 to 192.168.11.54/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object-group DM_INLINE_NETWORK_2
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object gre
service-object tcp destination eq pptp
object-group network DM_INLINE_NETWORK_2
network-object 192.168.0.0 255.255.0.0
network-object object Rete_HD
network-object object RETE_172.16.0.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbfa2790, priority=13, domain=permit, deny=false
hits=0, user_data=0xc9e5c4a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=192.168.0.0, mask=255.255.0.0, port=80, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Viostor interface service www 55055
Additional Information:
Static translate 8.8.8.8/1025 to 8.8.8.8/1025
Forward Flow based lookup yields rule:
in id=0xcd7918c0, priority=6, domain=nat, deny=false
hits=0, user_data=0xcd792200, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=MY_EXTERNAL_IP, mask=255.255.255.255, port=55055, tag=0, dscp=0x0
input_ifc=outside, output_ifc=inside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb778620, priority=0, domain=nat-per-session, deny=false
hits=9393297, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcbea3c10, priority=0, domain=inspect-ip-options, deny=true
hits=11281329, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcd8aeda8, priority=70, domain=inspect-http, deny=false
hits=1408694, user_data=0xcd8ad6a8, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc87ca40, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=136477, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static Viostor interface service www 55055
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcd782960, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0xcd792148, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=192.168.11.54, mask=255.255.255.255, port=80, tag=0, dscp=0x0
input_ifc=outside, output_ifc=inside

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcef66280, priority=0, domain=user-statistics, deny=false
hits=11182223, user_data=0xcddb8bb8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=inside

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcb778620, priority=0, domain=nat-per-session, deny=false
hits=9393299, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcbe7a1f0, priority=0, domain=inspect-ip-options, deny=true
hits=11190843, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xcef66cd8, priority=0, domain=user-statistics, deny=false
hits=11258692, user_data=0xcddb8bb8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 11587603, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Great! so now results are different and traffic is allowed. Could you please confirm this with real traffic?

Finally, if you think this issue has been solved, please mark useful answers.

Thanks! :)

Thanks but still not working.

Same issue: The ASA does not have UDP server that services the UDP request

Very sad...

Hi,

Now there is a little bit confusion. One side you are asking about traffic to allow from external IP tcp port 55055 which traffic is allowed (packet tracer output) & second side your traffic is denied due to udp server to services udp request.

Can you ask your application team and get more detail information about your application behavior?

Thanks & Best regards

I agree with Ahmed, is this UDP or TCP traffic? it is not the same. Packet-tracer was used to serve TCP traffic, not UDP.

Now, if you are not sure of this...

1. Place a capture on the outside interface:

capture outside interface outside match tcp any host [Outside interface IP] eq 55055 match udp any host [Outside interface IP] eq 55055

  2. Read the captures and copy the output to paste the results here.

show capture outside