Please help with my asa 5540 configuration

Unanswered Question
Sep 7th, 2009

ciscoasa# packet-tracer input dmz3 icmp 17.50.1.21 0 8 172.20.1.53 det

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,dmz3) 172.20.1.0 172.20.1.0 netmask 255.255.255.0
  nat-control
  match ip inside 172.20.1.0 255.255.255.0 dmz3 any
    static translation to 172.20.1.0
    translate_hits = 2, untranslate_hits = 1816
Additional Information:
NAT divert to egress interface inside
Untranslate 172.20.1.0/0 to 172.20.1.0/0 using netmask 255.255.255.0

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xac2bd1b0, priority=0, domain=permit, deny=true
        hits=1827, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:
input-interface: dmz3
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

What does this error mean? I don't know.

Kureli Sankar Mon, 09/07/2009 - 06:18

Drop-reason: (acl-drop) Flow is denied by configured rule

The above means that the ACL applied on the DMZ3 interface is not allowing this traffic.

icmp type 0 - echo reply
icmp code 8 - Source Host Isolated

You can verify the above here:
http://www.honeypots.net/misc/icmp-types

Please try the following:

packet-tracer input dmz3 icmp 17.50.1.21 8 0 172.20.1.53 det
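As an added example (not part of this thread and not Cisco's code), here is a small Python parser for packet-tracer output that walks the phases, picks out the first one whose Result is DROP together with the Config line that names the matching rule (here the implicit deny), and collects the final Result block with its Drop-reason. A second helper builds the ICMP tracer command with the type argument before the code, as the reply above suggests; it emits the full `detailed` keyword in place of the abbreviated `det`. The sample trace is constructed from the output posted in the question, trimmed to the lines the parser needs.

```python
"""Added example (not from the thread): parse Cisco ASA packet-tracer output, find the
phase that dropped the packet, and build an ICMP tracer command with type before code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, trimmed from the trace posted in the question.
SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,dmz3) 172.20.1.0 172.20.1.0 netmask 255.255.255.0
  match ip inside 172.20.1.0 255.255.255.0 dmz3 any

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 in  id=0xac2bd1b0, priority=0, domain=permit, deny=true

Result:
input-interface: dmz3
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)  # lines under "Config:"
    info: List[str] = field(default_factory=list)    # lines under "Additional Information:"

def parse_packet_tracer(text: str) -> Tuple[List[Phase], Dict[str, str]]:
    """Return (phases, summary); summary holds the key/value pairs of the final Result block."""
    phases: List[Phase] = []
    current: Optional[Phase] = None
    section: Optional[str] = None  # "config" | "info" | None
    summary: Dict[str, str] = {}
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_summary:  # "key: value" block after the bare "Result:" line
            key, _, value = line.partition(":")
            summary[key.strip().lower()] = value.strip()
            continue
        if line == "Result:":
            in_summary = True
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = Phase(number=int(m.group(1)))
            phases.append(current)
            continue
        if current is None:  # e.g. the echoed command line before "Phase: 1"
            continue
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if sep and key in ("type", "subtype", "result"):
            setattr(current, key, value.strip())
            section = None
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return phases, summary

def dropping_phase(phases: List[Phase]) -> Optional[Phase]:
    """First phase whose Result is DROP; its Config names the rule that matched."""
    return next((p for p in phases if p.result == "DROP"), None)

def icmp_tracer_command(iface: str, src: str, dst: str, icmp_type: int, icmp_code: int = 0) -> str:
    """ASA order is <src> <type> <code> <dst>: 8 0 is an echo request, 0 0 an echo reply."""
    for v in (icmp_type, icmp_code):
        if not 0 <= v <= 255:
            raise ValueError(f"ICMP type/code must be 0..255, got {v}")
    return f"packet-tracer input {iface} icmp {src} {icmp_type} {icmp_code} {dst} detailed"

if __name__ == "__main__":
    phases, summary = parse_packet_tracer(SAMPLE_TRACE)
    d = dropping_phase(phases)
    print(f"dropped in phase {d.number} ({d.type}) by {d.config}: {summary.get('drop-reason')}")
    print(icmp_tracer_command("dmz3", "17.50.1.21", "172.20.1.53", 8, 0))
```

Feeding the real trace in (copied from the terminal, including the `ciscoasa#` command echo) works the same way, since lines before the first `Phase:` are skipped; the phase that reports DROP, plus its Config line, is the place to look when deciding which ACL entry is missing on the ingress interface.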
