499 Views, 0 Helpful, 3 Replies

Cisco acl

lakhwaraa (Level 1)

Dec 6 11:23:21.642: %FW-6-DROP_PKT: Dropping udp session 172.20.34.14:55599 8.8.8.8:53 on zone-pair inside-to-vpn class class-default due to DROP action found in policy-map with ip ident 0
*Dec 6 11:24:06.219: %FW-6-LOG_SUMMARY: 1 packet were dropped from 172.20.34.14:55599 => 8.8.8.8:53 (target:class)-(inside-to-vpn:class-default)
*Dec 6 11:24:11.043: %FW-6-DROP_PKT: Dropping udp session 172.20.34.12:50406 1.1.1.1:53 on zone-pair inside-to-vpn class class-default due to DROP action found in policy-map with ip ident 0

*Dec 6 11:24:46.528: %FW-6-DROP_PKT: Dropping udp session 172.20.34.14:59608 8.8.8.8:53 on zone-pair inside-to-vpn class class-default due to DROP action found in policy-map with ip ident 0
*Dec 6 11:24:56.808: %SYS-5-CONFIG_I: Configured from console by imran on vty0 (172.20.17.43)
*Dec 6 11:25:06.152: %FW-6-LOG_SUMMARY: 1 packet were dropped from 172.20.34.12:50406 => 1.1.1.1:53 (target:class)-(inside-to-vpn:class-default)
*Dec 6 11:25:06.152: %FW-6-LOG_SUMMARY: 1 packet were dropped from 172.20.34.12:59718 => 8.8.8.8:53 (target:class)-(inside-to-vpn:class-default)
*Dec 6 11:25:06.152: %FW-6-LOG_SUMMARY: 1 packet were dropped from 172.20.34.12:59719 => 9.9.9.9:53 (target:class)-(inside-to-vpn:class-default)

I have the following config:

ip name-server 9.9.9.9

zone security inside
zone security outside
zone security vpn
zone-pair security inside-to-outside source inside destination outside
service-policy type inspect Policy-inside-to-outside
zone-pair security inside-to-vpn source inside destination vpn
service-policy type inspect Policy-inside-to-vpn
zone-pair security vpn-to-inside source vpn destination inside
service-policy type inspect Policy-vpn-to-inside
zone-pair security outside-to-inside source outside destination inside

 

interface FastEthernet8
ip address 192.168.8.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
zone-member security outside
duplex auto
speed auto
!

interface Vlan1
ip address 172.20.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security inside
ip tcp adjust-mss 1452

 

ip route 0.0.0.0 0.0.0.0 192.168.8.1

ip access-list extended ACL-INSIDE-TO-OUTSIDE
permit tcp any any eq 888
permit icmp any any
deny ip any any
ip access-list extended ACL-INSIDE-TO-VPN
permit ip any host 172.20.49.71
permit ip any host 10.20.11.2
deny udp any any eq domain
permit ip any any
ip access-list extended ACL-VPN-TO-INSIDE
permit ip 192.168.1.0 0.0.0.255 any
permit ip 172.20.49.0 0.0.0.255 any
permit ip 10.20.11.0 0.0.0.255 any
ip access-list extended ACL-outside-TO-self
permit ip any any
permit udp any any
permit tcp any any eq 22
ip access-list extended ACL-self-TO-outside
permit ip any any
permit gre any any
permit icmp any any
ip access-list extended NAT
permit ip 172.20.34.0 0.0.0.255 any

 

Why am I unable to surf the internet? Why are my packets being dropped? I have the same configuration on a second router and it is working fine. Can anybody help?

 

Accepted Solution

balaji.bandi (Hall of Fame)

At a high level, you have a NAT ACL:

ip access-list extended NAT
permit ip 172.20.34.0 0.0.0.255 any

but I do not see a NAT statement:

Example:

ip nat inside source list NAT interface XXXXX overload

 

BB

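As an added worked example (not part of the original thread and not Cisco's own tooling): the script below takes the %FW-6-DROP_PKT lines and the config excerpt from the question, walks each dropped flow top-down through the extended ACL to show which ACE decided it, and checks the NAT configuration for the translation rule the accepted answer points at. The mapping of zone-pair inside-to-vpn to ACL-INSIDE-TO-VPN is an assumption, because the class-maps and policy-maps are not in the post; the IOS port-keyword table is a small subset added for this example.

```python
import ipaddress
import re

# %FW-6-DROP_PKT lines copied from the question above.
DROP_LOG = """\
Dec 6 11:23:21.642: %FW-6-DROP_PKT: Dropping udp session 172.20.34.14:55599 8.8.8.8:53 on zone-pair inside-to-vpn class class-default due to DROP action found in policy-map with ip ident 0
*Dec 6 11:24:11.043: %FW-6-DROP_PKT: Dropping udp session 172.20.34.12:50406 1.1.1.1:53 on zone-pair inside-to-vpn class class-default due to DROP action found in policy-map with ip ident 0
*Dec 6 11:24:46.528: %FW-6-DROP_PKT: Dropping udp session 172.20.34.14:59608 8.8.8.8:53 on zone-pair inside-to-vpn class class-default due to DROP action found in policy-map with ip ident 0
"""

# Config excerpt copied from the question above (only the parts this script reads).
CONFIG = """\
interface FastEthernet8
 ip address 192.168.8.2 255.255.255.0
 ip nat outside
 zone-member security outside
interface Vlan1
 ip address 172.20.30.1 255.255.255.0
 ip nat inside
 zone-member security inside
ip access-list extended ACL-INSIDE-TO-VPN
 permit ip any host 172.20.49.71
 permit ip any host 10.20.11.2
 deny udp any any eq domain
 permit ip any any
ip access-list extended NAT
 permit ip 172.20.34.0 0.0.0.255 any
"""

# ASSUMPTION: the policy-maps are not in the post. We assume the inspect class on
# zone-pair inside-to-vpn matches access-group ACL-INSIDE-TO-VPN, so a flow the ACL
# denies matches no class and lands in class-default (drop), as the log reports.
ZONE_PAIR_ACL = {"inside-to-vpn": "ACL-INSIDE-TO-VPN"}

PORT_NAMES = {"domain": 53, "ssh": 22, "www": 80}  # subset of IOS port keywords

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+)"
)


def parse_drops(log):
    """One dict per %FW-6-DROP_PKT line: proto, src, sport, dst, dport, zone-pair, class."""
    flows = []
    for m in DROP_RE.finditer(log):
        d = m.groupdict()
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        flows.append(d)
    return flows


def _addr(tokens):
    """Consume one IOS address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    net, wild = tokens[0], tokens[1]
    mask = ".".join(str(255 - int(o)) for o in wild.split("."))  # wildcard -> netmask
    return ipaddress.ip_network(f"{net}/{mask}", strict=False), tokens[2:]


def parse_config(config):
    """Return (acls, nat_inside_ifaces, nat_outside_ifaces, nat_source_lists)."""
    acls, inside, outside, source_lists = {}, [], [], []
    cur_acl = cur_if = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ip access-list extended "):
            cur_acl, cur_if = line.split()[-1], None
            acls[cur_acl] = []
        elif line.startswith("interface "):
            cur_if, cur_acl = line.split()[-1], None
        elif line.startswith("ip nat inside source list "):
            source_lists.append(line.split()[5])
        elif cur_if and line == "ip nat inside":
            inside.append(cur_if)
        elif cur_if and line == "ip nat outside":
            outside.append(cur_if)
        elif cur_acl and line and line.split()[0] in ("permit", "deny"):
            tok = line.split()
            src, rest = _addr(tok[2:])
            dst, rest = _addr(rest)
            dport = None
            if rest[:1] == ["eq"]:
                dport = PORT_NAMES.get(rest[1]) or int(rest[1])
            acls[cur_acl].append({"action": tok[0], "proto": tok[1], "src": src, "dst": dst, "dport": dport})
    return acls, inside, outside, source_lists


def evaluate(acl, flow):
    """First-match walk of the ACL; returns (action, ACE index) or ('deny', None) for the implicit deny."""
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    for i, ace in enumerate(acl):
        if ace["proto"] not in ("ip", flow["proto"]):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != flow["dport"]:
            continue
        return ace["action"], i
    return "deny", None


def explain_drops(log, config, zone_pair_acl=ZONE_PAIR_ACL):
    """For each dropped flow, name the ACE in the zone-pair's classification ACL that decided it."""
    acls = parse_config(config)[0]
    out = []
    for f in parse_drops(log):
        name = zone_pair_acl.get(f["zp"])
        if name is None:
            out.append((f, "no ACL mapped for zone-pair"))
            continue
        action, idx = evaluate(acls[name], f)
        out.append((f, f"{name} ACE {idx}: {action}"))
    return out


def nat_check(config):
    """Flag interfaces marked ip nat inside/outside with no 'ip nat inside source list' rule."""
    _, inside, outside, lists = parse_config(config)
    return {"inside": inside, "outside": outside, "source_lists": lists,
            "missing_nat_rule": bool(inside and outside) and not lists}


if __name__ == "__main__":
    for flow, why in explain_drops(DROP_LOG, CONFIG):
        print(f"{flow['proto']} {flow['src']}:{flow['sport']} -> {flow['dst']}:{flow['dport']}: {why}")
    print(nat_check(CONFIG))
```

With the posted config, every DNS flow in the log hits `deny udp any any eq domain` (ACE 2, counting from zero), so under the assumed class-map it matches no inspect class and falls into class-default on inside-to-vpn, which is exactly what the log says; `nat_check` reports interfaces marked inside and outside with no `ip nat inside source list` statement, the gap the accepted answer names.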

3 Replies

ip access-list extended ACL-self-TO-outside <<- this means you are not using the default behaviour of the self zone.
Can you share the config of the policy-map you use for self?

ip access-list extended ACL-outside-TO-self
permit ip any any
permit udp any any

ip access-list extended ACL-self-TO-outside
permit ip any any
permit gre any any
permit icmp any any
