ASA denying udp outbound even with implicit outbound rule

Aug 25th, 2008
I'm getting UDP traffic denied coming from the inside interface going outbound even though I have the implicit outbound rule in place. I've tried to specifically permit the udp traffic but it still gets denied. I'm sure there is something simple I'm missing but I need help.

Aniket Rodrigues Mon, 08/25/2008 - 13:16
User Badges:
  • Cisco Employee,

Can you get me the output of 'show run access-group' and 'show run access-li xxxxxxx'?

xxxxxx - name of access-list applied on the inside interface in "inbound" direction

If there is a deny log, paste that output too

Make sure there is a proper translation and route on the FW for the traffic being blocked


Farrukh Haroon Mon, 08/25/2008 - 18:26
User Badges:
  • Red, 2250 points or more

Is 'nat-control' enabled? (show run nat-control).

What about the other NAT entries?

show run nat

show run global

Also check show run access-group to see what ACL is assigned to inside (IF any).

d.bisset Tue, 08/26/2008 - 09:33

I won't be able to get to the device to get the show commands until tomorrow, but I can tell you that I am not doing any NAT. I found some forums that indicated that I still needed to put in a NAT statement that basically says I'm not doing any NAT. Is that the case?

Farrukh Haroon Tue, 08/26/2008 - 12:21
User Badges:
  • Red, 2250 points or more

Version 6.x yes you need to either NAT or exempt the traffic from NAT.

Version 7.x/8.x by default you don't need to do this, as in 'no nat-control'.

However you can turn on the 6.x behavior with 'nat-control'.

Aniket Rodrigues Tue, 08/26/2008 - 18:35
User Badges:
  • Cisco Employee,

If the ASA is facing the internet you would certainly need a translation unless it is vpn traffic or you are using a publicly usable address space on the inside.

Yes, with nat-control enabled (default in 6.x) the firewall will look for some kind of a translation for traffic flow from higher to lower security.

The logs should indicate if the packets are denied due to an access-list or missing translation.

You might also want to configure packet captures on the outside interface to see if packets hit the interface. Let me know if you need help here.
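The triage step above (read the deny log to see whether the drop is an ACL deny, a missing translation, or, as it turned out in this thread, a routing problem) as an added Python example; it is not part of the original thread. The syslog message IDs and line formats are assumed from the ASA syslog reference as I recall them (106023 ACL deny, 305005 no translation group, 110001 no route), and the sample lines are constructed, not real logs:

```python
import re
from collections import Counter
from typing import Optional

# Syslog IDs mapped to the drop cause they indicate. IDs and formats are an
# assumption from the ASA syslog reference; check the docs for your release.
DROP_CAUSES = {
    "106023": "acl",    # Deny <proto> src ... dst ... by access-group
    "106100": "acl",    # access-list <name> denied ...
    "305005": "nat",    # No translation group found for ...
    "110001": "route",  # No route to <dst> from <src>
    "110002": "route",  # Failed to locate egress interface ...
}

MSG_ID = re.compile(r"%ASA-\d-(\d{6}):")
FLOW = re.compile(r"\b(tcp|udp|icmp)\s+src\s+(\w+):([\d.]+)/(\d+)\s+dst\s+(\w+):([\d.]+)/(\d+)")
ROUTE = re.compile(r"No route to ([\d.]+) from ([\d.]+)")

# Constructed sample lines (not taken from the thread): one per drop cause,
# plus one connection-built line that the classifier must ignore.
SAMPLE_LOGS = [
    '%ASA-4-106023: Deny udp src inside:10.1.1.10/40000 dst outside:203.0.113.5/53 by access-group "INSIDE_IN" [0x0, 0x0]',
    "%ASA-3-305005: No translation group found for udp src inside:10.1.1.10/40000 dst outside:203.0.113.5/53",
    "%ASA-6-110001: No route to 203.0.113.5 from 10.1.1.10",
    "%ASA-6-302015: Built outbound UDP connection 1 for outside:203.0.113.5/53 (203.0.113.5/53) to inside:10.1.1.10/40000 (10.1.1.10/40000)",
]


def classify(line: str) -> Optional[dict]:
    """Return {'id', 'cause', flow fields} for a drop line, None for anything else."""
    m = MSG_ID.search(line)
    if not m or m.group(1) not in DROP_CAUSES:
        return None
    rec = {"id": m.group(1), "cause": DROP_CAUSES[m.group(1)]}
    f = FLOW.search(line)
    if f:  # ACL and NAT messages carry the full 5-tuple with interfaces
        rec.update(proto=f.group(1), src_if=f.group(2), src=f.group(3), sport=int(f.group(4)),
                   dst_if=f.group(5), dst=f.group(6), dport=int(f.group(7)))
    else:  # routing messages only carry the two addresses
        r = ROUTE.search(line)
        if r:
            rec.update(dst=r.group(1), src=r.group(2))
    return rec


def triage(lines) -> dict:
    """Count drops per cause so the dominant reason (acl, nat, route) stands out."""
    return dict(Counter(rec["cause"] for rec in map(classify, lines) if rec))


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(classify(line))
    print(triage(SAMPLE_LOGS))
```

Feed it the output of 'show logging' (or the syslog collector's file) filtered to the blocked flow; if only route-class messages appear, the ACL and NAT configuration are not the place to look.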

d.bisset Wed, 08/27/2008 - 08:39

Thank you everyone for your help. Turns out that it was a routing issue. Everything else is working as designed.
