ASA dropping traffic have no ACL configured.

raut.pawan (Level 1)

Hi, my test ASA is dropping traffic coming in via the internet. The ASA does not have any ACL configured on any interface, but packet-tracer shows that the traffic is being dropped by the ACL implicit rule. Can someone let me know how it is being dropped and what the solution is? (ASA config attached)

TESTASAVPN-01# packet-tracer input OUTSIDE tcp 2.2.2.2 1024 10.0.1.20 443 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.1.0 255.255.255.0 DMZ

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbbcf4408, priority=111, domain=permit, deny=true
hits=2, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=OUTSIDE

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

4 Replies

Richard Burts (Hall of Fame), accepted solution

When I first read your post I assumed that this was going to be a simple issue of denying traffic from an interface with lower security level going to an interface with higher security level. But then I looked at the config and see that both interfaces are set for security level of 0. (I think that DMZ with security level of 0 is odd, but if that is what you want then we can make it work.)

What you need for this to work is to use same-security-traffic permit inter-interface

HTH

Rick

Thanks Richard,

It worked, but I have assigned security level 100 to the outside (internet-facing) interface so it will work for all.

I am glad that it now works and that my suggestion was helpful. It is not particularly important whether the interfaces are security level 0 or 100 or any other value. What is important is that when security levels are the same then you need to have the parameter same-security-traffic.

If this is working and meets your needs then it is good. But I would point out one thing to consider. By having the outside interface with same security level as inside you have disabled one basic feature of the ASA. By default the ASA does allow any device inside to initiate traffic to outside (and to receive responses from outside) but does not allow devices outside to initiate traffic to inside. Making security levels the same disables this and does allow any device outside to initiate traffic to inside. If this is your intent then we have a good solution to the configuration. If that is not your intent then you need to consider a different approach to configuring your ASA.

HTH

Rick

Hi Pawan,

Richard has already given the solution to your problem; I am just adding some comments to clarify the situation. You did not configure any ACL, but by default there are implicit ACLs, which can be seen only in ASDM. That hidden ACL is what is dropping your traffic.

Regards,

Kazim
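To make the decision Richard and Kazim describe concrete, here is an added example (Python, not ASA code and not posted by anyone in the thread) that models the implicit interface rule packet-tracer reports when no ACL is bound to the ingress interface: higher-to-lower security level permitted, lower-to-higher denied, equal levels denied unless same-security-traffic permit inter-interface is configured, and an ingress access-group, when present, decides by first match. The interface names OUTSIDE and DMZ come from the packet-tracer output above; the "conventional" scenario (OUTSIDE 0, DMZ 50, an ACL permitting only TCP/443) is an assumption for comparison and is not from the thread.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example, not ASA code and not from any poster in the thread: a small
# model of the implicit interface policy that packet-tracer labels
# "Implicit Rule" when no ACL is applied to the ingress interface.


@dataclass
class Interface:
    name: str
    security_level: int  # 0 = least trusted ... 100 = most trusted


@dataclass
class AclEntry:
    action: str                     # "permit" or "deny"
    dst_port: Optional[int] = None  # None matches any destination port


@dataclass
class AsaPolicy:
    interfaces: Dict[str, Interface]
    # 'same-security-traffic permit inter-interface'
    same_security_inter: bool = False
    # 'access-group <acl> in interface <ifname>': ingress ifname -> entries
    access_groups: Dict[str, List[AclEntry]] = field(default_factory=dict)


def evaluate(policy: AsaPolicy, in_ifc: str, out_ifc: str, dst_port: int) -> Tuple[str, str]:
    """Decide whether a NEW flow entering in_ifc and leaving out_ifc is allowed.

    Simplified order:
      1. equal security levels are blocked unless same-security-traffic is on;
      2. an access-group bound to the ingress interface decides (first match
         wins, implicit deny at the end);
      3. otherwise the interface rule: higher-to-lower permitted,
         lower-to-higher denied.
    """
    src = policy.interfaces[in_ifc].security_level
    dst = policy.interfaces[out_ifc].security_level
    if src == dst and not policy.same_security_inter:
        return "DROP", "equal security levels without same-security-traffic (acl-drop)"
    acl = policy.access_groups.get(in_ifc)
    if acl is not None:
        for entry in acl:
            if entry.dst_port is None or entry.dst_port == dst_port:
                action = "PERMIT" if entry.action == "permit" else "DROP"
                return action, f"configured ACL on {in_ifc}"
        return "DROP", f"end of ACL on {in_ifc}: implicit deny"
    if src > dst:
        return "PERMIT", "higher to lower security level: implicit permit"
    if src < dst:
        return "DROP", "lower to higher security level: implicit deny (acl-drop)"
    return "PERMIT", "equal levels, same-security-traffic permit inter-interface"


def run_scenarios() -> Dict[str, str]:
    """The configurations discussed in the thread, plus one conventional design,
    checked for the flow packet-tracer was given (internet -> DMZ host, TCP/443)
    and for the reverse direction and a non-443 port where they differ."""
    results = {}

    # 1. The poster's starting point: OUTSIDE and DMZ both at level 0, no ACL.
    original = AsaPolicy({"OUTSIDE": Interface("OUTSIDE", 0), "DMZ": Interface("DMZ", 0)})
    results["original outside->dmz 443"] = evaluate(original, "OUTSIDE", "DMZ", 443)[0]

    # 2. The accepted fix: same levels plus same-security-traffic permit inter-interface.
    fixed = AsaPolicy(original.interfaces, same_security_inter=True)
    results["fixed outside->dmz 443"] = evaluate(fixed, "OUTSIDE", "DMZ", 443)[0]
    results["fixed dmz->outside 443"] = evaluate(fixed, "DMZ", "OUTSIDE", 443)[0]

    # 3. What the poster finally did: OUTSIDE at 100, DMZ at 0. The internet can
    #    now initiate ANY port toward the DMZ, which is the point Richard raises.
    inverted = AsaPolicy({"OUTSIDE": Interface("OUTSIDE", 100), "DMZ": Interface("DMZ", 0)})
    results["inverted outside->dmz 22"] = evaluate(inverted, "OUTSIDE", "DMZ", 22)[0]
    results["inverted dmz->outside 443"] = evaluate(inverted, "DMZ", "OUTSIDE", 443)[0]

    # 4. Conventional design (assumed, not from the thread): OUTSIDE 0, DMZ 50,
    #    and an access-group on OUTSIDE permitting only TCP/443 toward the DMZ.
    conventional = AsaPolicy(
        {"OUTSIDE": Interface("OUTSIDE", 0), "DMZ": Interface("DMZ", 50)},
        access_groups={"OUTSIDE": [AclEntry("permit", 443)]},
    )
    results["conventional outside->dmz 443"] = evaluate(conventional, "OUTSIDE", "DMZ", 443)[0]
    results["conventional outside->dmz 22"] = evaluate(conventional, "OUTSIDE", "DMZ", 22)[0]
    results["conventional dmz->outside 443"] = evaluate(conventional, "DMZ", "OUTSIDE", 443)[0]
    return results


if __name__ == "__main__":
    for name, action in run_scenarios().items():
        print(f"{name:32} {action}")
```

Scenario 3 is the one worth dwelling on: raising OUTSIDE to 100 does make the packet-tracer flow pass, but only because every port from the internet toward the DMZ is now implicitly permitted and nothing from the DMZ can initiate outbound. Scenario 4 shows the usual alternative, where the levels stay asymmetric and a single ACL entry opens exactly the service that is meant to be reachable.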
