Please help with my asa 5540 configuration

Sep 7th, 2009
ciscoasa# packet-tracer input dmz3 icmp 17.50.1.21 0 8 172.20.1.53 det

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,dmz3) 172.20.1.0 172.20.1.0 netmask 255.255.255.0
nat-control
match ip inside 172.20.1.0 255.255.255.0 dmz3 any
static translation to 172.20.1.0
translate_hits = 2, untranslate_hits = 1816
Additional Information:
NAT divert to egress interface inside
Untranslate 172.20.1.0/0 to 172.20.1.0/0 using netmask 255.255.255.0

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac2bd1b0, priority=0, domain=permit, deny=true
hits=1827, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:
input-interface: dmz3
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


What does this error mean? I don't know.

Kureli Sankar Mon, 09/07/2009 - 06:18
Cisco Employee

Drop-reason: (acl-drop) Flow is denied by configured rule

The above means that the ACL applied on the DMZ3 interface is not allowing this traffic.

icmp type 0 - echo reply
icmp code 8 - Source Host Isolated

You can verify the above here:
http://www.honeypots.net/misc/icmp-types

Please try the following:

packet-tracer input dmz3 icmp 17.50.1.21 8 0 172.20.1.53 det

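As an added example (not code from the thread or from Cisco), the Python below does the two things the reply above implies a practitioner should do: build the packet-tracer icmp command with the type before the code, rejecting type/code pairs that are not defined (type 0, echo reply, has only code 0; code 8 is a code of type 3, destination unreachable), and parse packet-tracer output to find which phase returned DROP and what the drop reason was. The sample input is the output pasted in the question, abridged; the ICMP type/code table is a small subset of IANA's registry chosen for this example, and the builder always appends the full keyword "detailed" where the question used the abbreviation "det".

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# ICMP types and the codes defined for each (subset of the IANA registry, chosen for
# this example). Type 0 (echo reply) has only code 0; code 8 (source host isolated)
# is a code of type 3 (destination unreachable).
ICMP_CODES = {0: {0}, 3: set(range(16)), 8: {0}, 11: {0, 1}}


def packet_tracer_icmp(iface, src, icmp_type, icmp_code, dst):
    """Build a packet-tracer command; ASA syntax is: icmp <src> <type> <code> <dst>."""
    if icmp_type not in ICMP_CODES:
        raise ValueError(f"unsupported ICMP type {icmp_type}")
    if icmp_code not in ICMP_CODES[icmp_type]:
        raise ValueError(f"code {icmp_code} is not defined for ICMP type {icmp_type}")
    return f"packet-tracer input {iface} icmp {src} {icmp_type} {icmp_code} {dst} detailed"


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)
    info: List[str] = field(default_factory=list)


@dataclass
class Trace:
    phases: List[Phase]
    action: Optional[str]
    drop_code: Optional[str]
    drop_reason: Optional[str]


def parse_packet_tracer(text: str) -> Trace:
    """Split packet-tracer output into phases plus the final action and drop reason."""
    phases: List[Phase] = []
    cur: Optional[Phase] = None
    section = action = drop_code = drop_reason = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur = Phase(int(m.group(1)))
            phases.append(cur)
            section = None
        elif line == "Result:":  # bare header of the final summary block
            cur = section = None
        elif cur is not None and line.startswith(("Type:", "Subtype:", "Result:")):
            key, val = line.split(":", 1)
            setattr(cur, key.lower(), val.strip())
        elif cur is not None and line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif cur is not None and section:
            getattr(cur, section).append(line)
        elif line.startswith("Action:"):
            action = line.split(":", 1)[1].strip()
        elif line.startswith("Drop-reason:"):
            m = re.match(r"Drop-reason:\s*\(([^)]+)\)\s*(.*)", line)
            drop_code, drop_reason = (m.group(1), m.group(2)) if m else (None, line)
    return Trace(phases, action, drop_code, drop_reason)


def drop_phase(trace: Trace) -> Optional[Phase]:
    """Return the phase that produced the DROP verdict, if any."""
    return next((p for p in trace.phases if p.result == "DROP"), None)


# Output pasted in the question above, abridged (phase 2 and some summary lines omitted).
SAMPLE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac2bd1b0, priority=0, domain=permit, deny=true

Result:
input-interface: dmz3
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Calling `drop_phase(parse_packet_tracer(SAMPLE))` returns phase 3 (ACCESS-LIST, config "Implicit Rule"), which is the interface ACL's implicit deny the reply points at; `packet_tracer_icmp("dmz3", "17.50.1.21", 0, 8, "172.20.1.53")` raises, because an echo reply with code 8 is not a real packet, while the same call with type 8 and code 0 produces the echo-request trace suggested above.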
