ASA 5505 Port forwarding problem - packet dropped by implicit rule

nigelayen · ‎02-09-2010

I am trying to forward tcp port 1042 from the outside port to the telnet port of a host on my inside network. The problem is that all packets are being denied by the implicit deny rule on the outside interface. I know that the access-list that I configured is correct since I can see the hit count increase each time I run a test. My config is below. Any ideas?

ASA Version 8.2(2)
!
names
name 185.74.52.211 unix
!
interface Vlan1
nameif inside
security-level 100
ip address 185.74.52.67 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 190.58.59.60 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
regex myspace "\.myspace\.com"
regex facebook "\.facebook\.com"
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone AST -4
dns server-group DefaultDNS
domain-name mbm-tt.net
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service rdp tcp
description rdp
port-object eq 3389
object-group service UsecRA tcp
port-object eq 1084
access-list inside_mpc extended permit object-group TCPUDP any any eq www
access-list inside_mpc extended permit tcp any any eq 8080
access-list acl_out remark Deny LAN access to TCP port 25
access-list acl_out extended deny tcp any any eq smtp
access-list acl_out extended permit ip any any
access-list MBMVPNGroup_splitTunnelAcl standard permit 185.74.52.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 185.74.52.0 255.255.255.0 172.56.211.8 255.255.255.248
access-list outside_access_in extended permit tcp any interface outside eq 1042
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1500
ip local pool MBMRemoteClients 172.56.211.9-172.56.211.14 mask 255.255.255.248
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 1042 unix telnet netmask 255.255.255.255
access-group acl_out in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 190.58.146.165 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 185.74.52.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 2
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 185.74.52.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
ssh version 2
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol IPSec
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec webvpn
group-lock value DefaultRAGroup
group-policy MBMVPNGroup internal
group-policy MBMVPNGroup attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value MBMVPNGroup_splitTunnelAcl
username admin password 5CgFaFZAIakurFO6 encrypted privilege 15
username nayen password .KChTBBfdQCjEbzi encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
tunnel-group MBMVPNGroup type remote-access
tunnel-group MBMVPNGroup general-attributes
address-pool MBMRemoteClients
default-group-policy MBMVPNGroup
tunnel-group MBMVPNGroup ipsec-attributes
pre-shared-key *****
!
class-map type regex match-any DomainBlockList
match regex myspace
class-map type inspect http match-all BlockDomainClass
match request header host regex class DomainBlockList
class-map inspection_default
match default-inspection-traffic
class-map imblock
match any
class-map P2P
match port tcp eq www
class-map httptraffic
match access-list inside_mpc
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect im impolicy
parameters
match protocol msn-im yahoo-im
drop-connection
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action drop-connection
match request method connect
drop-connection log
class BlockDomainClass
reset log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect ip-options
policy-map type inspect http P2P_HTTP
parameters
match request uri regex _default_gator
drop-connection log
match request uri regex _default_x-kazaa-network
drop-connection log
policy-map IM_P2P
class imblock
inspect im impolicy
class P2P
inspect http P2P_HTTP
policy-map inside-policy
class httptraffic
police input 500000 1024000
police output 500000 1024000
inspect http P2P_HTTP
!
service-policy global_policy global
service-policy inside-policy interface inside
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:cdc123fe35be28182f4567ec9b03f6be
: end

Collin Clark · ‎02-09-2010

You can not get a hit count on an ACL permitting the traffic and then get denied by the implicit deny at the end. How are you seeing the denied traffic? Can you post some of the info from your log?

nigelayen · ‎02-09-2010

I test with the following command from a public host:

telnet 190.58.59.60 1042

From the ASA 5505, issue the following command:

sh access-list

access-list outside_access_in; 1 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any interface outside eq 1042 (hitcnt=1) 0x05a92990

The hitcnt value increases each time I test.

The packet-trace output:

MBM5505ASA(config)# packet-trace input outside tcp 190.58.59.60 1042 185.74.52.211 telnet detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 185.74.52.0 255.255.255.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7de3218, priority=500, domain=permit, deny=true
        hits=27, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=190.58.146.166, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Luis Silva Benavides · ‎05-24-2010

Please try this packet-tracer, now it should be allow.

MBM5505ASA(config)# packet-trace input outside tcp 4.2.2.2 1025 190.58.59.60 1042 detail

LS

Luis Silva

ciscosatya · ‎05-24-2010

Hi

How can Cisco releases the CCNA Discovery and Exploration documentation with full of corrections in it. If you need proof you check my blog www.CiscoMistakes.blogspot.com. Take some necessary action. I am able to find 1 correction in 15-20 pages. Some of those are published in my blog. If you are not concerned with the documentation please report this to the concerned team or person.

This is Satya Rao (Mr. Perfectionist), a 28 year old South Indian guy, I have been taking CCNA training from the April 19^th 2010, in one of the Cisco Networking Academy named IGIAT (Indo-German Institute of Advanced Technology) in Visakhapatnam, South India.

We know how important a proper documentation for any software or hardware. It should be given one of the major importance, without proper documentation the software or hardware is useless.

While I am reading your CCNA Discovery and Exploration materials I have found some corrections in the documentation. More than 300 corrections in the module 1 and 2 of CCNA Discovery and Exploration.

My correction checking includes spelling mistakes, punctuations errors, formatting errors, technical mistakes, diagrammatic error, etc.

I don’t want anyone to point out my favorite company’s documentation. Yes ordinary people may not find all of them but they will some of them.

Microsoft Windows is a 100% correction less documentation. I have studied lots of their documentation and unable to find not even a single correction, why not Cisco develops that kind of correction free, documentation to the world. Yes, it’s possible with me, the Mr. Perfectionist.

Please give me a chance to make it 100% correction less, yes the documentation is 99.999% good. But not 100%. Why should we take chance when Mr. Perfectionist is available?

Of course small punctuation corrections are not so big in terms of technical issues, but the high quality documentation must need everything to be high.

We all know that how many times it was checked before finalizing the documentation but still I found these many corrections.

If you want to test my talent or capacity give me your latest finalized version of any technical documentation and let me found the corrections in that documentation. You came to know how fast I will give you the 100% correction less out put.

Just imagine I have found these many corrections after you people done all kinds of proofreading before releasing to the world, how much useful I will be if I am in your documentation department.

I think you know, how hard it is find mistakes from a very great companies documentation like Cisco, (if not hard you would have released it 100% correction free to the world) not 5 or 10, I have found hundreds (still finding). If you really understand my talent you must give me a quality analyst job in documentation.

I know there are no vacancies but a person like me you should place me, to get better output, as the quality analysts there, unable to give the 100% quality.

I am ready to sign any kind of bond you wish.

You can fire me out at any time if you not satisfied with my work.

One of my weak point is I can’t tolerate if something is wrong or someone doing wrong. With this weak point I can easily find out mistakes in any documentation with ease at the maximum speed possible, which a computer can’t do.

Please someone recognize my work and effort and help me by providing a job with minimum possible pay. Willing to work 12 hrs a day at any time of the day.

I was worked as a proof reader in a medical transcription company for John F Kennedy hospital of California for one year.

I can give you results more than you expect from me.

Most importantly I need a job in my favorite company, Cisco. Willing to work from home too.

I think its not a big problem for a big company to give a job to a boy whose father died at his age 5.

Please give me one opportunity to prove myself.

If you came to know about this blog through an email, please forward the mail to the concerned person in the concerned department would be appreciated. (If not, humans help the humans who, will help the human kind.)

Thank you very much.

Satya Rao

Mobile: 919290286822

Email: satyarao321@gmail.com

I have created one blog with some of those correction please check it.

http://ciscomistakes.blogspot.com/

http://CiscoMistakes.blogspot.com/

I have not created this blog to generate some revenue, some popularity, or to point out the Cisco's mistakes to downgrade its standards. I just want to be one in the Cisco organization technical documentation team, for correction free documentation.