cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
323
Views
0
Helpful
0
Replies

ASA ver 8.2 (acl-drop) Flow is denied by configured rule | LAN can't access Internet

mgalend01
Beginner
Beginner

I was just handed this issue.  The config looks correct and the inside network can ping the firewall and the firewall can ping the internet but the LAN can not access anything out of the Firewall.

Am I missing something??

ASA Version 8.2(5)
!
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!

              
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.X.X 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.local
access-list outside_in extended permit icmp any any
access-list outside_in extended permit tcp any host X.X.X.X eq 81
access-list outside_in extended permit tcp any host X.X.X.X eq 8000
access-list outside_in extended permit tcp any host X.X.X.X eq 10554
access-list outside_in extended permit tcp any host X.X.X.X eq 82
access-list outside_in extended permit tcp any host X.X.X.X eq 8100
access-list outside_in extended permit tcp any host X.X.X.X eq 10555
pager lines 24
logging asdm informational

              
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 81 192.168.20.35 81 netmask 255.255.255.255
static (inside,outside) tcp interface 8000 192.168.20.35 8000 netmask 255.255.255.255
static (inside,outside) tcp interface 10554 192.168.20.35 10554 netmask 255.255.255.255
static (inside,outside) tcp interface 82 192.168.20.36 82 netmask 255.255.255.255
static (inside,outside) tcp interface 8100 192.168.20.36 8100 netmask 255.255.255.255
static (inside,outside) tcp interface 10555 192.168.20.36 10555 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL

              
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.20.0 255.255.255.0 inside
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd dns 192.168.0.12 8.8.8.8
dhcpd auto_config outside
!
dhcpd address 192.168.20.225-192.168.20.240 inside
dhcpd enable inside

              
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp

              
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
  inspect ipsec-pass-thru
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


(config)# pack input outside icmp X.X.X.X  0 0 192.168.$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.20.0    255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc95f43a8, priority=500, domain=permit, deny=true
        hits=3, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=X.X.X.X, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: