03-07-2008 08:06 AM - edited 03-11-2019 05:13 AM
My ASA 5510 is intermittently denying access from my ISP's mail server to our internal SMTP gateway.
The ACL applied to the outside interface of the firewall allows tcp any any to the SMTP server on port 25. There is no access-list applied to the inside interface. A packet trace yields the following result.
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) 193.201.254.66 128.1.100.199 netmask 255.255.255.255
nat-control
match ip inside host 128.1.100.199 outside any
static translation to 193.201.254.66
translate_hits = 1584262, untranslate_hits = 7749710
Additional Information:
NAT divert to egress interface inside
Untranslate 193.201.254.66/0 to 128.1.100.199/0 using netmask 255.255.255.255
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x47de0a0, priority=11, domain=permit, deny=true
hits=7928006, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
The packet is being dropped by an implicit rule? Any ideas.
03-07-2008 08:21 AM
Could you post your acl?
It should be...
access-list name extended permit tcp any host 193.201.254.66 eq 25
03-07-2008 08:40 AM
access-list outside_acl extended permit tcp any host 193.201.254.66 eq smtp
access-list outside_acl extended permit tcp any object-group web-servers object-group web-ports-tcp
access-list outside_acl extended permit tcp any object-group dmz-servers eq www
03-07-2008 04:01 PM
It seems your routing is not correct for the destination network:
Result:
input-interface: outside
output-interface: outside
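The reply above reads the symptom off the trailing Result block: the packet arrived on outside and the ASA chose outside as its egress, so it never heads toward the inside host that the static NAT untranslated it to. The script below is an added example, not code from the thread or from Cisco: it parses a packet-tracer transcript (abridged here from the one in the opening post) and reports the dropping phase, the egress-equals-ingress condition, and the disagreement between the interface the UN-NAT phase diverted to and the interface the route lookup picked. The function names parse_packet_tracer and diagnose, and the dict keys they return, are this example's own.

```python
# Added example (not from the thread): parse an ASA `packet-tracer` transcript
# and flag the symptom the reply above points at, output-interface equal to
# input-interface on an acl-drop. Function and key names are this example's own.
import re
from typing import Dict, List

# Sample input, abridged from the trace pasted in the opening post.
SAMPLE_TRACE = """\
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) 193.201.254.66 128.1.100.199 netmask 255.255.255.255
Additional Information:
NAT divert to egress interface inside
Untranslate 193.201.254.66/0 to 128.1.100.199/0 using netmask 255.255.255.255
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x47de0a0, priority=11, domain=permit, deny=true
Result:
input-interface: outside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text: str) -> Dict[str, object]:
    """Split the transcript into per-phase dicts plus the final Result block."""
    phases: List[Dict[str, object]] = []
    result: Dict[str, str] = {}
    phase, section = None, None  # section: None | "config" | "info" | "result"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Phase" and value.isdigit():      # "Phase: 4" opens a phase
            phase = {"number": int(value), "config": [], "info": []}
            phases.append(phase)
            section = None
        elif key == "Result" and not value:         # bare "Result:" opens the summary
            phase, section = None, "result"
        elif section == "result":
            result[key] = value                      # e.g. input-interface: outside
        elif phase is None:
            continue
        elif section is None and key in ("Type", "Subtype", "Result"):
            phase[key.lower()] = value
        elif section is None and key == "Config":
            section = "config"
        elif key == "Additional Information":
            section = "info"
        elif section in ("config", "info"):         # raw body line of that block
            phase[section].append(line)
    return {"phases": phases, "result": result}


def diagnose(trace: Dict[str, object]) -> Dict[str, object]:
    """Name the dropping phase and test for the egress-equals-ingress symptom."""
    phases, res = trace["phases"], trace["result"]
    ingress, egress = res.get("input-interface"), res.get("output-interface")
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    unnat = next((p for p in phases if p.get("type") == "UN-NAT"), None)
    info = "\n".join(unnat["info"]) if unnat else ""
    divert = re.search(r"NAT divert to egress interface (\S+)", info)
    real = re.search(r"Untranslate \S+ to ([\d.]+)/", info)
    nat_if = divert.group(1) if divert else None
    findings: List[str] = []
    out = {
        "action": res.get("Action"),
        "drop_phase": drop["type"] if drop else None,
        "drop_reason": res.get("Drop-reason"),
        "hairpin": bool(ingress) and ingress == egress,
        "nat_divert_interface": nat_if,
        "real_host": real.group(1) if real else None,
        "route_disagrees_with_nat": bool(nat_if) and nat_if != egress,
        "findings": findings,
    }
    if out["action"] != "drop":
        return out
    if out["hairpin"]:
        findings.append(f"egress interface equals ingress ({ingress}): the packet "
                        f"would be sent back out the interface it arrived on")
    if out["route_disagrees_with_nat"]:
        findings.append(f"static NAT diverts to '{nat_if}' but the route lookup chose "
                        f"'{egress}': check the route to {out['real_host']}")
    return out


if __name__ == "__main__":
    for finding in diagnose(parse_packet_tracer(SAMPLE_TRACE))["findings"]:
        print("-", finding)
```

Feed it the output of `packet-tracer input outside tcp <isp-mail-server> 1025 193.201.254.66 25` pasted into a file; on the thread's trace it reports both findings, which is the routing problem the reply names. The script only reads the transcript, so confirming the fix still means checking `show route` on the ASA for the untranslated host it names.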
03-11-2008 01:51 PM
What version are you running? I'm getting the exact output you're getting with a trace - looks like my issue could be related to bug ID CSCsj31537 however.