ASA denying udp outbound even with implicit outbound rule

Aug 25th, 2008

I'm getting UDP traffic denied coming from the inside interface going outbound even though I have the implicit outbound rule in place. I've tried to specifically permit the udp traffic but it still gets denied. I'm sure there is something simple I'm missing but I need help.

Aniket Rodrigues Mon, 08/25/2008 - 13:16

Can you get me the output of 'show run access-group' and 'show run access-li xxxxxxx'?

xxxxxxx - name of the access-list applied on the inside interface in the "inbound" direction.

If there is a deny log, paste that output too.

Make sure there is a proper translation and route on the FW for the traffic being blocked.

-AR

Farrukh Haroon Mon, 08/25/2008 - 18:26

Is 'nat-control' enabled? (show run nat-control).

What about the other NAT entries?

show run nat

show run global

Also check show run access-group to see what ACL is assigned to inside (IF any).

Regards

Farrukh

d.bisset Tue, 08/26/2008 - 09:33

I won't be able to get to the device to get the show commands until tomorrow, but I can tell you that I am not doing any NAT. I found some forums that indicated that I still needed to put in a NAT statement that basically says I'm not doing any NAT. Is that the case?

Farrukh Haroon Tue, 08/26/2008 - 12:21

Version 6.x: yes, you need to either NAT or exempt the traffic from NAT.

Version 7.x/8.x: by default you don't need to do this, as in 'no nat-control'.

However, you can turn on the 6.x behavior with 'nat-control'.

Regards

Farrukh

Aniket Rodrigues Tue, 08/26/2008 - 18:35

If the ASA is facing the internet you would certainly need a translation unless it is VPN traffic or you are using a publicly usable address space on the inside.

Yes, with nat-control enabled (default in 6.x) the firewall will look for some kind of a translation for traffic flow from higher to lower security.

The logs should indicate if the packets are denied due to an access-list or missing translation.

You might also want to configure packet captures on the outside interface to see if packets hit the interface. Let me know if you need help here.

HTH

-Aniket

Security PIX/ASA
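Following the point above that the logs show whether a packet was dropped by an access-list or for lack of a translation (and, as this thread ends up finding, a route), here is an added Python triage script that is not part of the thread: it classifies ASA syslog drop messages by message ID and tallies them per flow. The log lines are constructed samples, and the grouping of message IDs into causes is this example's own.

```python
import re
from collections import Counter

# ASA syslog header: %ASA-<severity>-<six-digit message id>: <text>
HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)")

# Flow as written in the drop messages, either "udp src inside:A/p dst outside:B/q"
# or "UDP from inside:A/p to outside:B/q"; ports are optional (ICMP has none).
FLOW = re.compile(
    r"(?P<proto>udp|tcp|icmp)\s+(?:src|from)\s+(?P<sif>[\w-]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))?"
    r"\s+(?:dst|to)\s+(?P<dif>[\w-]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?",
    re.IGNORECASE,
)

# Standard ASA message IDs grouped by the failure they report; the grouping is ours.
CAUSES = {
    "106023": "acl-deny",        # Deny <proto> src ... dst ... by access-group "<acl>"
    "305005": "no-translation",  # No translation group found for <proto> src ... dst ...
    "305006": "no-translation",  # regular translation creation failed for <proto> ...
    "110002": "routing",         # Failed to locate egress interface for <proto> from ...
    "110003": "routing",         # Routing failed to locate next hop for <proto> from ...
}

def classify(line):
    """Return (cause, flow fields) for a known drop message, None for anything else."""
    h = HEADER.search(line)
    if not h or h.group("msgid") not in CAUSES:
        return None
    f = FLOW.search(h.group("text"))
    return CAUSES[h.group("msgid")], (f.groupdict() if f else {})

def summarize(lines):
    """Count drops per (cause, protocol, ingress interface, egress interface)."""
    counts = Counter()
    for cause, flow in filter(None, map(classify, lines)):
        counts[(cause, flow.get("proto", "?").lower(), flow.get("sif"), flow.get("dif"))] += 1
    return counts

# Constructed sample lines (documentation address ranges, not a real network).
SAMPLE = [
    '%ASA-4-106023: Deny udp src inside:10.1.1.5/5060 dst outside:203.0.113.9/5060 by access-group "inside_in" [0x0, 0x0]',
    '%ASA-3-305005: No translation group found for udp src inside:10.1.1.5/5060 dst outside:203.0.113.9/5060',
    '%ASA-6-110003: Routing failed to locate next hop for UDP from inside:10.1.1.5/5060 to outside:203.0.113.9/5060',
    '%ASA-6-302015: Built outbound UDP connection 12 for outside:203.0.113.9/53 (203.0.113.9/53) to inside:10.1.1.5/40000 (10.1.1.5/40000)',
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(n, *key)
```

Feed it the output of 'show logging' (or a syslog export) and the tally tells you at a glance whether to look at the ACL, the NAT configuration or the routing table for the affected flow.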

d.bisset Wed, 08/27/2008 - 08:39

Thank you everyone for your help. Turns out that it was a routing issue. Everything else is working as designed.
