Remote access VPN to access ASA via ASDM and SSH denied by implicit deny rule

antonioyan99
Level 1

Hi Cisco Security Guru,

I am trying to allow remote AnyConnect VPN users to access the ASA via SSH/ASDM; however, it fails, denied by the implicit rule:

VPN IP Pool: 192.168.200.0/24, Internal interface: Vlan4015: 172.16.0.1/29

Necessary config:

management-access vlan4015
http 192.168.200.0 255.255.255.0 outside
ssh 192.168.200.0 255.255.255.0 outside

Access-list:

access-list outside_access_in extended permit ip object Network_192.168.200_24 object NETWORK_172.16.0.0_29
access-list outside_access_in extended deny ip any any log debugging


The NAT is configured as below:

nat (outside,vlan4015) source static Network_192.168.200_24 Network_192.168.200_24 destination static NETWORK_172.16.0.0_29 NETWORK_172.16.0.0_29 no-proxy-arp

Packet trace result:

FPR2140# packet-tracer input outside tcp 192.168.200.102 55200 172.16.0.1 ssh detailed

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,vlan4015) source static Network_192.168.200_24 Network_192.168.200_24 destination static NETWORK_172.16.0.0_29 NETWORK_172.16.0.0_29 no-proxy-arp
Additional Information:
NAT divert to egress interface vlan4015
Untranslate 172.16.0.1/22 to 172.16.0.1/22

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip object Network_192.168.200_24 object NETWORK_172.16.0.0_29
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffa440fb90, priority=13, domain=permit, deny=false
hits=9, user_data=0xff84a22900, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.200.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=172.16.0.0, mask=255.255.255.248, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,vlan4015) source static Network_192.168.200_24 Network_192.168.200_24 destination static NETWORK_172.16.0.0_29 NETWORK_172.16.0.0_29 no-proxy-arp
Additional Information:
Static translate 192.168.200.102/55200 to 192.168.200.102/55200
Forward Flow based lookup yields rule:
in id=0xffb4007410, priority=6, domain=nat, deny=false
hits=1, user_data=0xffb414fd70, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.200.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=172.16.0.0, mask=255.255.255.248, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=vlan4015

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xff69337dd0, priority=0, domain=nat-per-session, deny=false
hits=118682, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffbc67ed30, priority=0, domain=inspect-ip-options, deny=true
hits=1057723, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffbc673ad0, priority=20, domain=lu, deny=false
hits=10649, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (outside,vlan4015) source static Network_192.168.200_24 Network_192.168.200_24 destination static NETWORK_172.16.0.0_29 NETWORK_172.16.0.0_29 no-proxy-arp
Additional Information:
Forward Flow based lookup yields rule:
out id=0xffb41ba720, priority=6, domain=nat-reverse, deny=false
hits=2, user_data=0xffb41b6190, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.200.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=172.16.0.0, mask=255.255.255.248, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=vlan4015

Phase: 8
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xffd4ae4b70, priority=501, domain=permit, deny=true
hits=27, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=172.16.0.1, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=vlan4015, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: vlan4015
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

From the packet trace I can see the packet was allowed by the ACL at phase 2 and the NAT is correct; however, it is dropped by the implicit deny ACL at phase 8.

Can someone explain why and how to fix this?


Thanks a lot,

Antonio

1 Reply

Rahul Govindan
VIP Alumni

Try this:

http 192.168.200.0 255.255.255.0 Vlan4015
ssh 192.168.200.0 255.255.255.0 Vlan4015
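Added example, not part of this thread: a small Python parser for ASA packet-tracer output that reports the first DROP phase, the rule it matched, and whether the lookup was forward or reverse and on which interface, which is exactly what makes the phase-8 reverse-flow lookup on vlan4015 stand out in the trace above. The sample is a constructed, abridged copy of the trace in the post.

```python
import re

# Constructed sample, abridged from the packet-tracer output in the post above:
# the outside-ACL ALLOW phase and the implicit-rule DROP phase that follows it.
SAMPLE = """\
Phase: 2
Type: ACCESS-LIST
Result: ALLOW
Config:
access-group outside_access_in in interface outside
Additional Information:
Forward Flow based lookup yields rule:
input_ifc=outside, output_ifc=any

Phase: 8
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
Reverse Flow based lookup yields rule:
input_ifc=vlan4015, output_ifc=any

Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# One match per "Phase:" block; the Subtype line is optional since some phases omit it.
PHASE_RE = re.compile(
    r"Phase: (?P<phase>\d+)\nType: (?P<type>[^\n]*)\n(?:Subtype:[^\n]*\n)?"
    r"Result: (?P<result>\w+)\nConfig:\n(?P<config>.*?)Additional Information:\n"
    r"(?P<info>.*?)(?=\n\n|\nPhase: |\Z)", re.S)

def parse_phases(text):
    """Per phase: number, type, result, config lines, lookup direction, interfaces."""
    phases = []
    for m in PHASE_RE.finditer(text):
        d = re.search(r"(Forward|Reverse) Flow based lookup", m["info"])
        i = re.search(r"input_ifc=(\S+), output_ifc=(\S+)", m["info"])
        phases.append({"phase": int(m["phase"]), "type": m["type"].strip(),
                       "result": m["result"], "config": m["config"].strip().splitlines(),
                       "lookup": d.group(1).lower() if d else None,
                       "input_ifc": i.group(1) if i else None,
                       "output_ifc": i.group(2) if i else None})
    return phases

def find_drop(text):
    """First DROP phase, annotated with the trace's final Drop-reason line, else None."""
    reason = re.search(r"^Drop-reason: (.*)$", text, re.M)
    drops = [p for p in parse_phases(text) if p["result"] == "DROP"]
    return dict(drops[0], drop_reason=reason.group(1) if reason else None) if drops else None
```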