
ASA denying udp outbound even with implicit outbound rule

d.bisset
Level 1

I'm getting UDP traffic denied coming from the inside interface going outbound even though I have the implicit outbound rule in place. I've tried to specifically permit the udp traffic but it still gets denied. I'm sure there is something simple I'm missing but I need help.

6 Replies

Can you get me the output of 'show run access-group' and 'show run access-li xxxxxxx'?

xxxxxx - name of the access-list applied on the inside interface in the "inbound" direction

If there is a deny log, paste that output too.

Make sure there is a proper translation and route on the FW for the traffic being blocked.

-AR

Farrukh Haroon
VIP Alumni

Is 'nat-control' enabled? (show run nat-control).

What about the other NAT entries?

show run nat

show run global

Also check show run access-group to see what ACL is assigned to inside (IF any).

Regards

Farrukh

I won't be able to get to the device to get the show commands until tomorrow, but I can tell you that I am not doing any NAT. I found some forums that indicated that I still needed to put in a NAT statement that basically says I'm not doing any NAT. Is that the case?

Version 6.x: yes, you need to either NAT or exempt the traffic from NAT.

Version 7.x/8.x: by default you don't need to do this, as in 'no nat-control'.

However, you can turn on the 6.x behavior with 'nat-control'.

Regards

Farrukh

If the ASA is facing the internet you would certainly need a translation unless it is vpn traffic or you are using a publicly usable address space on the inside.

Yes, with nat-control enabled (default in 6.x) the firewall will look for some kind of a translation for traffic flow from higher to lower security.

The logs should indicate if the packets are denied due to an access-list or missing translation.

You might also want to configure packet captures on the outside interface to see if packets hit the interface. Let me know if you need help here.

HTH

-Aniket
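As an added illustration of the nat-control discussion above (not a configuration posted in this thread), the following pre-8.3 ASA fragment shows the setting that produces a translation-related drop beside the two ways to satisfy it; the interface names, the NONAT ACL name and the 10.0.0.0/8 inside range are assumptions.

```cisco
! --- Setting that produces the drop ---
! With nat-control on, inside->outside (higher->lower security) traffic must
! match a translation. Flows without one are dropped and logged as
! %ASA-3-305005 "No translation group found", not as an ACL deny (%ASA-4-106023).
nat-control
! (no nat/global statements exist for the inside interface)

! --- Option 1: keep nat-control, exempt inside traffic from translation ---
! Identity (nat 0) exemption: inside hosts leave with their own addresses.
! Assumed address range and ACL name.
access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 any
nat (inside) 0 access-list NONAT

! --- Option 2: disable nat-control (the 7.x/8.x default) ---
! Untranslated flows are then permitted and only the interface ACL decides.
no nat-control

! --- Internet-facing case: dynamic PAT to the outside interface address ---
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! --- Checks that separate an ACL deny from a missing translation ---
show run nat-control
show run nat
show run global
show run access-group
show logging | include 305005
show logging | include 106023
```

If neither message appears for the flow, the thread's final outcome applies: check the route for the destination before looking further at NAT or ACLs.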


Thank you everyone for your help. Turns out that it was a routing issue. Everything else is working as designed.
