ASA 5520 implicit deny

bws
Level 1

I am having an issue with the ASA. I am getting the below error when I do a packet trace. Please see my config also below.

packet-tracer input inside udp 172.16.21.14 radius 10.50.1.9 radius$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.50.0.0 255.255.0.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3f76d88, priority=500, domain=permit, deny=true
hits=23, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=172.16.21.14, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Running config attached.

How can I fix this?

2 Replies

husycisco
Level 7

Try adding this:

nat (inside) 0 10.50.0.0 255.255.0.0

john.dowson
Level 1

Packet Tracer won't be much use to you as, according to your config, 10.50.0.0/16 is behind 172.16.21.1, i.e. on the inside of the ASA.

The RADIUS traffic will be sent from the Inside interface to 10.50.1.9. You might want to try using captures and 'debug radius' commands to see where it's failing.

John
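The two things worth pulling out of a packet-tracer run like the one above are (a) which phase dropped the flow and under which rule, and (b) whether the Result block shows the same input and output interface, which is exactly what John's reply is pointing at: the route lookup in Phase 2 sends 10.50.0.0/16 back out "inside", so the trace describes intra-interface (hairpin) traffic rather than a trip through the firewall. The script below is an added example for this thread, not code from the original post or from Cisco; it parses packet-tracer output into phases and a result dictionary and reports those two findings. The sample trace is a constructed copy of the question's output, trimmed to phases 2 and 3 and the Result block; the function and class names are the example's own.

```python
"""Summarize a Cisco ASA packet-tracer trace: which phase dropped the flow, under
which rule, and whether the packet enters and leaves on the same interface.
Added example for this thread, not code from the original post or from Cisco."""
import re
from dataclasses import dataclass, field

# Constructed sample: phases 2-3 and the Result block from the question's trace.
SAMPLE_TRACE = """\
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.50.0.0 255.255.0.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3f76d88, priority=500, domain=permit, deny=true
src ip=172.16.21.14, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:
input-interface: inside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:"
    info: list = field(default_factory=list)    # lines under "Additional Information:"


@dataclass
class Trace:
    phases: list
    result: dict  # key/value pairs from the trailing "Result:" block

    def drop_phase(self):
        """First phase with Result: DROP, or None when every phase allowed."""
        return next((p for p in self.phases if p.result == "DROP"), None)

    def same_interface(self):
        """True when input and output interface match (intra-interface traffic)."""
        return self.result.get("input-interface") == self.result.get("output-interface")


def parse_packet_tracer(text):
    phases, current, section, result, in_result = [], None, None, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Result:":  # bare header of the trailing summary block
            in_result, current = True, None
            continue
        if in_result:
            key, _, value = line.partition(":")
            result[key.strip()] = value.strip()
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = Phase(number=int(m.group(1)))
            phases.append(current)
            section = None
        elif current is None:
            continue
        elif line.startswith("Type:"):
            current.type = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current.result = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return Trace(phases, result)


def diagnose(trace):
    """Return human-readable findings about where and why the trace dropped."""
    findings = []
    p = trace.drop_phase()
    if p is not None:
        rule = "; ".join(p.config) or "unnamed rule"
        findings.append(f"phase {p.number} ({p.type}) dropped the flow under '{rule}': "
                        f"{trace.result.get('Drop-reason', '')}")
    if trace.same_interface():
        findings.append("input-interface and output-interface are both "
                        f"'{trace.result.get('input-interface')}': the route lookup sends the "
                        "destination back out the ingress interface, so this is intra-interface "
                        "(hairpin) traffic rather than inside-to-outside traffic")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_packet_tracer(SAMPLE_TRACE)):
        print("-", finding)
```

Run against the question's trace it reports the Phase 3 implicit-rule drop and the inside-to-inside result; run against a trace whose Result block shows different input and output interfaces it reports only the drop, so the second finding is the quick check for whether packet-tracer is even modelling the path you think it is.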
