Inside Interface IP Phase 3 DROP Implicit Rule

stownsend (Level 2)

I'm trying to save my configs to a TFTP server that is on the other side of a VPN tunnel.

 

Packet tracer from a LAN device IP gets through fine, though from the IP of the inside interface it gets dropped. I have the same-security-traffic commands in the config, though that does not seem to be helping. What else can I look for? This ASA was a config from a 5505 8.3 upgraded to a 5506 9.1.

 

These are in my Config:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

 

This is the result of the packet-tracer:

Phase: 3

Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f11c5bbc320, priority=500, domain=permit, deny=true
        hits=2, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=10.4.0.2, mask=255.255.255.255, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

7 Replies

pjain2 (Cisco Employee)

packet-tracer with the source IP set to the ASA's inside interface IP will show a drop, and that is expected.

however, to test the traffic across the vpn, you can directly do a ping sourcing from the inside interface:

ping inside <destination ip>

please make sure that you have management-access enabled on the inside interface
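The drop pjain2 describes above has a recognisable shape in the packet-tracer output: an ACCESS-LIST phase whose Config is "Implicit Rule", with deny=true, a /32 source equal to the ASA's own interface address and a 0.0.0.0/0 destination. The script below is an added example, not code from this thread or from Cisco; it parses packet-tracer output and separates that expected self-sourced drop ("self-ip-implicit-deny") from a drop caused by a configured access-list entry ("acl-deny"). The three sample traces are constructed: the first is modelled on the Remote B trace posted later in this thread, the other two on the usual layout of an explicit ACL phase. The set of interface addresses is an assumed input, taken in practice from "show interface ip brief".

```python
"""Triage Cisco ASA packet-tracer output: tell the expected self-sourced implicit
deny (source IP = the ASA's own interface address) from a real access-list deny.
Added example, not code from the thread or from Cisco; the sample traces are
constructed, the first one modelled on the Remote B output in the thread."""
import re

PHASE_SPLIT = re.compile(r"^Phase:[ \t]*(\d+)[ \t]*$", re.M)
ADDR_RE = re.compile(r"^\s*(src|dst) ip/id=([\d.]+), mask=([\d.]+)")
KV_RE = re.compile(r"\b(\w+)=([^,\s]+)")

# Constructed samples (not captured from a device); earlier phases omitted.
TAIL = "\nResult:\ninput-interface: inside\noutput-interface: outside\nAction: {}\n"
DENIED = "Drop-reason: (acl-drop) Flow is denied by configured rule\n"

SELF_IP_TRACE = """Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc9d73308, priority=500, domain=permit, deny=true
    hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=10.11.0.1, mask=255.255.255.255, port=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    input_ifc=inside, output_ifc=any
""" + TAIL.format("drop") + DENIED

ACL_DENY_TRACE = """Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny tcp any host 10.1.1.160 eq www
Additional Information:
""" + TAIL.format("drop") + DENIED

ALLOW_TRACE = """Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
""" + TAIL.format("allow")


def parse_phases(trace):
    """Return one dict per 'Phase: N' block: type, result, Config: lines and the
    key=value fields plus src/dst (ip, mask) of the rule the lookup matched."""
    parts = PHASE_SPLIT.split(trace)          # [preamble, num, body, num, body, ...]
    phases = []
    for num, body in zip(parts[1::2], parts[2::2]):
        ph = {"number": int(num), "type": "", "result": "", "config": [],
              "rule": {}, "src": None, "dst": None}
        section = None
        for line in body.splitlines():
            key, _, val = line.partition(":")
            if key in ("Type", "Result") and not ph[key.lower()]:
                ph[key.lower()] = val.strip()   # first Result: is the phase verdict
            elif key in ("Config", "Additional Information"):
                section = key
            elif section == "Config" and line.strip():
                ph["config"].append(line.strip())
            elif section == "Additional Information":
                m = ADDR_RE.match(line)
                if m:                           # src/dst of the matched rule
                    ph[m.group(1)] = (m.group(2), m.group(3))
                elif "=" in line:               # id=, priority=, deny=, input_ifc= ...
                    ph["rule"].update(KV_RE.findall(line))
        phases.append(ph)
    return phases


def triage(trace, interface_ips):
    """Classify one trace. interface_ips: the ASA's own addresses (assumed to be
    collected from 'show interface ip brief')."""
    drop = next((p for p in parse_phases(trace) if p["result"] == "DROP"), None)
    m = re.search(r"^Drop-reason:\s*(.+)$", trace, re.M)
    reason = m.group(1).strip() if m else ""
    if drop is None:
        return {"verdict": "allowed", "phase": None, "reason": reason}
    src, dst = drop["src"], drop["dst"]
    implicit_host_deny = (
        drop["type"] == "ACCESS-LIST"
        and drop["config"] == ["Implicit Rule"]
        and drop["rule"].get("deny") == "true"
        and src is not None and src[1] == "255.255.255.255"   # /32 on the source
        and dst == ("0.0.0.0", "0.0.0.0")                      # any destination
    )
    if implicit_host_deny and src[0] in interface_ips:
        verdict = "self-ip-implicit-deny"   # expected; test with 'ping <ifc> <dst>' instead
    elif implicit_host_deny:
        verdict = "implicit-deny"           # same shape, but not one of our addresses
    elif drop["type"] == "ACCESS-LIST":
        verdict = "acl-deny"                # a configured access-list entry denies it
    else:
        verdict = "other-drop"
    return {"verdict": verdict, "phase": drop["number"], "reason": reason,
            "config": drop["config"]}


if __name__ == "__main__":
    for name, trace in [("self-ip", SELF_IP_TRACE), ("acl", ACL_DENY_TRACE), ("ok", ALLOW_TRACE)]:
        print(name, triage(trace, {"10.11.0.1"}))
```

Run it against a real trace by pasting the packet-tracer output into a file and calling triage(open(path).read(), {addresses from show interface ip brief}); a "self-ip-implicit-deny" verdict means the test itself is invalid, not the VPN, and the traffic should be tested with a ping sourced from the interface as pjain2 suggests.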

At remote site B (IOS 8.3(2)) I can issue:

packet-tracer in out tcp 10.11.0.1  2340 10.1.1.160 80 detail

 

Where 10.11.0.1 is the Inside Interface of the ASA and 10.1.1.160 is a Webserver across the VPN. 

I get back up to Phase 8 and it's allowed.

 

I do the same thing from the new remote site (IOS 9.1(5)) and I get the DROP at phase 3.

 

The main reason I'm looking to do this is that I need to have the ASA access the TFTP server to save its configs. The 'write net' command is timing out. I can hit the TFTP server from other devices on the remote LAN, so it's not a VPN connectivity issue.

 

I also have 'management-access inside' in the config. 

I also have 'telnet NETWORK-HBG 255.255.255.0 inside', where NETWORK-HBG is the management network on the other end of the VPN, and I cannot telnet to the ASA. This is also working at the other remote sites running 8.3.2.

 

Thanks!

 

packet-tracer in out tcp 10.11.0.1  2340 10.1.1.160 80 detail

 

please try with the source interface as inside and try the packet tracer again

On the Remote B ASA 8.3(2) 

   packet-tracer in out tcp 10.11.0.1  80 10.1.1.160 80 de

I get through with no issues; I can hit the TFTP server and telnet from a 10.1.x.x address to 10.11.0.1.

  packet-tracer in in tcp 10.11.0.1  80 10.1.1.160 80 de

This dies at Phase 2:

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xc9d73308, priority=500, domain=permit, deny=true
    hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=10.11.0.1, mask=255.255.255.255, port=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    input_ifc=inside, output_ifc=any

On Remote A 9.1(5)

   packet-tracer in out tcp 10.4.0.1  80 10.1.1.160 80 de

Dies at Phase 3.

  packet-tracer in in tcp 10.4.0.1  80 10.1.1.160 80 de

Whoa! It works now? 

Though Remote A site I still Cannot Telnet to and I cannot Save the TFTP Config 

This works on Remote B

tftp-server inside 10.1.0.12 olivetasa.2015.0910.01.cfg

This does not work on Remote A

tftp-server inside 10.1.0.12 irvineasa.2015.0910.01.cfg

 

 

please send the output of show run sysopt from site A

Thank you for your Reply,

 

Site A

sysopt noproxyarp outside
sysopt noproxyarp inside

 

Site B

(nothing)

 

What is the Command to show the Running 'Default' Commands?

 

instead of the inside interface ip address, can you do the following:

packet inp inside tcp 10.11.0.2  1234 10.1.1.160 80 det

 

the packet-tracer output from out to in will drop if you do not have that traffic permitted in the outside interface access-list; but when the actual traffic comes through the VPN into the ASA, since we have sysopt connection permit-vpn configured, the ASA's outside interface access-list is bypassed.

so if you just want to check the packet-tracer output, please allow the traffic explicitly for testing on the outside interface access-list

 

to see the default running config commands:

e.g. sh run all crypto

show run all ssl