12-23-2015 10:09 PM - edited 03-05-2019 03:00 AM
Hi, my test ASA is dropping traffic coming in from the internet. The ASA does not have any ACL configured on any interface, but packet tracer shows it is being dropped by the ACL implicit rule. Can someone let me know how it is being dropped and what the solution is? (ASA config as attached)
TESTASAVPN-01# packet-tracer input OUTSIDE tcp 2.2.2.2 1024 10.0.1.20 443 detail
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.1.0 255.255.255.0 DMZ
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xbbcf4408, priority=111, domain=permit, deny=true
hits=2, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=OUTSIDE
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
12-24-2015 03:57 AM
When I first read your post I assumed that this was going to be a simple issue of denying traffic from an interface with lower security level going to an interface with higher security level. But then I looked at the config and see that both interfaces are set for security level of 0. (I think that DMZ with security level of 0 is odd, but if that is what you want then we can make it work.)
What you need for this to work is to use same-security-traffic permit inter-interface.
HTH
Rick
12-24-2015 06:27 PM
Thanks Richard,
It worked, but I have assigned security level 100 on the outside (internet facing) interface so it will work for all.
12-26-2015 08:45 AM
I am glad that it now works and that my suggestion was helpful. It is not particularly important whether the interfaces are security level 0 or 100 or any other value. What is important is that when security levels are the same then you need to have the parameter same-security-traffic.
If this is working and meets your needs then it is good. But I would point out one thing to consider. By having the outside interface with same security level as inside you have disabled one basic feature of the ASA. By default the ASA does allow any device inside to initiate traffic to outside (and to receive responses from outside) but does not allow devices outside to initiate traffic to inside. Making security levels the same disables this and does allow any device outside to initiate traffic to inside. If this is your intent then we have a good solution to the configuration. If that is not your intent then you need to consider a different approach to configuring your ASA.
HTH
Rick
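The two configurations discussed in this thread, shown side by side as an added example (not the poster's attached config): the one-line fix for equal security levels, and the alternative Rick hints at that keeps OUTSIDE below DMZ and opens only the tested flow with an explicit ACL. Interface names, interface IP addresses and the object/ACL names are assumed; 10.0.1.20:443 and the 2.2.2.2 source come from the packet-tracer above.

```cisco
! Added example, not the attached config. GigabitEthernet0/0 and 0/1,
! the interface IPs, DMZ-WEB and OUTSIDE_IN are assumed names/values.
!
! --- Option A: what the thread ended with. Both interfaces share one
!     security level, so the ASA only forwards between them with this:
same-security-traffic permit inter-interface
!
! --- Option B: keep the default posture (Rick's caveat). OUTSIDE stays
!     at 0, DMZ sits higher, and only TCP/443 to the one host is opened.
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif DMZ
 security-level 50
 ip address 10.0.1.1 255.255.255.0
!
object network DMZ-WEB
 host 10.0.1.20
!
! Explicit permit for the tested flow, then a logged deny so drops show
! up in syslog instead of only in packet-tracer's "Implicit Rule".
access-list OUTSIDE_IN extended permit tcp any object DMZ-WEB eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface OUTSIDE
!
! Re-run the poster's own test: Phase ACCESS-LIST should now report
! Result: ALLOW with Config: pointing at access-list OUTSIDE_IN.
packet-tracer input OUTSIDE tcp 2.2.2.2 1024 10.0.1.20 443 detail
```

With Option B, hosts on DMZ can still initiate outbound to OUTSIDE (higher to lower), while anything from OUTSIDE other than 443 to 10.0.1.20 is denied and logged; any NAT in the attached config applies unchanged.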
12-24-2015 01:02 PM
Hi Pawan,
As Richard has already given the solution to your problem, I will just add some comments to clarify the situation. You didn't configure any ACL, but by default there are ACLs which can be seen in ASDM only. That hidden ACL is dropping your traffic.
Regards,
Kazim