08-25-2008 12:51 PM - edited 03-11-2019 06:35 AM
I'm getting UDP traffic denied coming from the inside interface going outbound even though I have the implicit outbound rule in place. I've tried to specifically permit the udp traffic but it still gets denied. I'm sure there is something simple I'm missing but I need help.
08-25-2008 01:16 PM
Can you get me the output of 'show run access-group' and 'show run access-li xxxxxxx'?
xxxxxx - name of the access-list applied on the inside interface in the "inbound" direction.
If there is a deny log, paste that output too.
Make sure there is a proper translation and route on the FW for the traffic being blocked.
-AR
08-25-2008 06:26 PM
Is 'nat-control' enabled? (show run nat-control).
What about the other NAT entries?
show run nat
show run global
Also check show run access-group to see what ACL is assigned to inside (IF any).
Regards
Farrukh
08-26-2008 09:33 AM
I won't be able to get to the device to get the show commands until tomorrow, but I can tell you that I am not doing any Nat. I found some forums that indicated that I still needed to put in a nat statement that basically says I'm not doing any nat. Is that the case?
08-26-2008 12:21 PM
Version 6.x: yes, you need to either NAT or exempt the traffic from NAT.
Version 7.x/8.x: by default you don't need to do this, as in 'no nat-control'.
However, you can turn on the 6.x behavior with 'nat-control'.
Regards
Farrukh
08-26-2008 06:35 PM
If the ASA is facing the internet you would certainly need a translation unless it is vpn traffic or you are using a publicly usable address space on the inside.
Yes, with nat-control enabled (default in 6.x) the firewall will look for some kind of a translation for traffic flow from higher to lower security.
The logs should indicate if the packets are denied due to an access-list or missing translation.
You might also want to configure packet captures on the outside interface to see if packets hit the interface. Let me know if you need help here.
HTH
-Aniket
Security PIX/ASA
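The two replies above describe how nat-control forces a translation for higher-to-lower security flows and how to either exempt traffic or translate it. As an added example that is not from any poster in this thread, this is what the checks and both fixes look like in ASA 7.x/8.0-8.2 syntax; the 10.1.1.0/24 inside network, the NONAT ACL name and the 198.51.100.53 destination are constructed values.

```text
! --- exec mode: is the 6.x behaviour active? If so, an inside->outside flow
! --- is dropped without a translation even when the ACL permits it.
show run nat-control

! --- config mode, option 1: NAT exemption (identity NAT via 'nat 0').
! --- Fits public addressing on the inside or VPN traffic, as noted above.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 any
nat (inside) 0 access-list NONAT

! --- config mode, option 2: a real dynamic translation to the outside
! --- interface address, needed when the ASA faces the Internet and the
! --- inside uses private addresses. Use one option or the other per subnet.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

! --- exec mode: verify. A missing translation logs %ASA-3-305005
! --- "No translation group found ...", an ACL drop logs %ASA-4-106023.
! --- packet-tracer names the phase (ROUTE-LOOKUP, ACCESS-LIST, NAT) that
! --- drops a constructed UDP/53 flow from an inside host; 'show route'
! --- covers the routing cause this thread eventually turned out to have.
packet-tracer input inside udp 10.1.1.10 40000 198.51.100.53 53
show route
```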
08-27-2008 08:39 AM
Thank you everyone for your help. Turns out that it was a routing issue. Everything else is working as designed.