ASA 5505 Port forwarding problem - packet dropped by implicit rule

Feb 9th, 2010

I am trying to forward tcp port 1042 from the outside port to the telnet port of a host on my inside network. The problem is that all packets are being denied by the implicit deny rule on the outside interface. I know that the access-list that I configured is correct since I can see the hit count increase each time I run a test. My config is below. Any ideas?

ASA Version 8.2(2)
name unix
interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
regex myspace "\.myspace\.com"
regex facebook "\.facebook\.com"
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone AST -4
dns server-group DefaultDNS
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service rdp tcp
description rdp
port-object eq 3389
object-group service UsecRA tcp
port-object eq 1084
access-list inside_mpc extended permit object-group TCPUDP any any eq www
access-list inside_mpc extended permit tcp any any eq 8080
access-list acl_out remark Deny LAN access to TCP port 25
access-list acl_out extended deny tcp any any eq smtp
access-list acl_out extended permit ip any any
access-list MBMVPNGroup_splitTunnelAcl standard permit
access-list inside_nat0_outbound extended permit ip
access-list outside_access_in extended permit tcp any interface outside eq 1042
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1500
ip local pool MBMRemoteClients mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
static (inside,outside) tcp interface 1042 unix telnet netmask
access-group acl_out in interface inside
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http outside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 2
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh inside
ssh outside
ssh timeout 15
ssh version 2
console timeout 0
dhcpd auto_config outside

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol IPSec
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec webvpn
group-lock value DefaultRAGroup
group-policy MBMVPNGroup internal
group-policy MBMVPNGroup attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value MBMVPNGroup_splitTunnelAcl
username admin password 5CgFaFZAIakurFO6 encrypted privilege 15
username nayen password .KChTBBfdQCjEbzi encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
tunnel-group MBMVPNGroup type remote-access
tunnel-group MBMVPNGroup general-attributes
address-pool MBMRemoteClients
default-group-policy MBMVPNGroup
tunnel-group MBMVPNGroup ipsec-attributes
pre-shared-key *****
class-map type regex match-any DomainBlockList
match regex myspace
class-map type inspect http match-all BlockDomainClass
match request header host regex class DomainBlockList
class-map inspection_default
match default-inspection-traffic
class-map imblock
match any
class-map P2P
match port tcp eq www
class-map httptraffic
match access-list inside_mpc
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map type inspect im impolicy
match protocol msn-im yahoo-im
policy-map type inspect http http_inspection_policy
  protocol-violation action drop-connection
match request method connect
  drop-connection log
class BlockDomainClass
  reset log
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect ip-options
policy-map type inspect http P2P_HTTP
match request uri regex _default_gator
  drop-connection log
match request uri regex _default_x-kazaa-network
  drop-connection log
policy-map IM_P2P
class imblock
  inspect im impolicy
class P2P
  inspect http P2P_HTTP
policy-map inside-policy
class httptraffic
  police input 500000 1024000
  police output 500000 1024000
  inspect http P2P_HTTP
service-policy global_policy global
service-policy inside-policy interface inside
prompt hostname context
profile CiscoTAC-1
  no active
  destination address http
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end

Collin Clark Tue, 02/09/2010 - 09:27

You cannot get a hit count on an ACL permitting the traffic and then get denied by the implicit deny at the end. How are you seeing the denied traffic? Can you post some of the info from your log?

nigelayen Tue, 02/09/2010 - 09:38

I test with the following command from a public host:

telnet 1042

From the ASA 5505, issue the following command:

sh access-list

access-list outside_access_in; 1 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any interface outside eq 1042 (hitcnt=1) 0x05a92990

The hitcnt value increases each time I test.

The packet-trace output:

MBM5505ASA(config)# packet-trace input outside tcp 1042 telnet detailed

Phase: 1
Result: ALLOW
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Subtype: input
Result: ALLOW
Additional Information:
in   inside

Phase: 3
Result: DROP
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd7de3218, priority=500, domain=permit, deny=true
        hits=27, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=, mask=, port=0
        dst ip=, mask=, port=0, dscp=0x0

input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Luis Silva Benavides Mon, 05/24/2010 - 10:04

Please try this packet-tracer; now it should be allowed.

MBM5505ASA(config)# packet-trace input outside tcp 1025 1042 detail
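
The two traces differ only in the destination port they test. On ASA 8.2 the inbound ACL on the outside interface is evaluated before NAT, against the public destination (the outside interface address, port 1042), and only then does the static PAT rewrite that destination to the inside host on port 23. The model below is an added example, not code from this thread or from Cisco; it mirrors the thread's ACL and static with placeholder addresses standing in for the values scrubbed from the post, and shows why a trace aimed at port telnet hits the implicit deny while one aimed at 1042 is allowed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the ASA 8.2 inbound path discussed in the thread:
#   1. the outside ACL is checked against the packet as it arrives
#      (public destination: outside interface address, port 1042);
#   2. the static PAT then rewrites that destination to the inside host.
# Placeholder addresses stand in for the values scrubbed from the post.
OUTSIDE_IF = "203.0.113.1"   # placeholder for the outside interface address
UNIX_HOST = "192.168.1.10"   # placeholder for the host named "unix"

@dataclass
class Ace:
    action: str           # "permit" or "deny"
    proto: str
    dst: str
    dport: Optional[int]  # None matches any destination port

# access-list outside_access_in extended permit tcp any interface outside eq 1042
OUTSIDE_ACCESS_IN = [Ace("permit", "tcp", OUTSIDE_IF, 1042)]

# static (inside,outside) tcp interface 1042 unix telnet
STATIC_PAT = {("tcp", OUTSIDE_IF, 1042): (UNIX_HOST, 23)}

def acl_lookup(acl, proto, dst, dport):
    """First matching ACE wins; anything unmatched falls to the implicit deny."""
    for line, ace in enumerate(acl, start=1):
        if ace.proto == proto and ace.dst == dst and ace.dport in (None, dport):
            return ace.action, "line %d" % line
    return "deny", "implicit rule"

def packet_tracer(proto, dst, dport):
    """Return (result, matched rule, translated destination or None)."""
    action, reason = acl_lookup(OUTSIDE_ACCESS_IN, proto, dst, dport)
    if action == "deny":
        return "DROP", reason, None
    # ACL passed: apply the static PAT (identity if no translation matches)
    return "ALLOW", reason, STATIC_PAT.get((proto, dst, dport), (dst, dport))

if __name__ == "__main__":
    # The poster's trace tested destination port telnet; Luis's tests port 1042.
    print(packet_tracer("tcp", OUTSIDE_IF, 23))
    print(packet_tracer("tcp", OUTSIDE_IF, 1042))
```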