10-31-2014 12:00 AM - edited 03-08-2019 06:57 PM
This document describes scenarios where a user is facing basic problems with OS 9.1.
Prerequisites
Problem:
def gw (ASA1) = 192.168.1.1
second gw (ASA2) = 192.168.1.254
When he runs a trace from a client at 192.168.1.22 to a network behind ASA2, he does not see an ICMP redirect. The result is that, for example, ping works fine but the TCP session he needs to establish is not established. The user would prefer to avoid placing a router in front, and he also does not want to disable TCP state handling through MPF.
Problem:
The user recently purchased a new Cisco ASA 5515 running version 9.1 with ASDM 7.1. He was able to configure the firewall for internal access to the outside and has remote site-to-site VPN tunnels working. However, when he tries to configure static PAT and an ACL for access to a web server and an SSH server, incoming traffic is dropped by an implicit rule. Both hosts are on the inside interface, as he was not able to put them in a DMZ at that time. The hit counts stay at zero on his ACL and there are no NAT translations. He has attached a running config as well as the output of sh access-list and sh nat.
Solution:
According to the present config, traffic will be dropped; the NAT config needs to be modified as shown below:
no nat (Inside,Outside) source dynamic any interface
nat (Inside,Outside) after-auto source dynamic any interface
outside IP x.x.x.x = 1.1.1.1 in the packet-tracer output below
Before the NAT change:
SEC(config)# packet-tracer input outside tcp 4.2.2.2 5656 1.1.1.1 443 det
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 1.1.1.1 255.255.255.255 identity
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe55690630, priority=0, domain=nat-per-session, deny=false
hits=21, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe56d6d520, priority=0, domain=permit, deny=true
hits=4, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Outside, output_ifc=any
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
After the NAT change:
SEC(config)# packet-tracer input outside tcp 4.2.2.2 5656 1.1.1.1 443 det
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network as400_https
nat (Inside,Outside) static interface service tcp https https
Additional Information:
NAT divert to egress interface Inside
Untranslate 1.1.1.1/443 to 192.168.10.3/443
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE-IN in interface Outside
access-list OUTSIDE-IN extended permit tcp any object As400_host object-group SvcGrpAS400
object-group service SvcGrpAS400 tcp
description: AS400 Services Group
port-object eq 350
port-object eq www
port-object eq https
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe56db6fb0, priority=13, domain=permit, deny=false
hits=1, user_data=0x7ffe4d6413c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=192.168.10.3, mask=255.255.255.255, port=443, tag=0, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Outside) after-auto source dynamic any interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe56db9ea0, priority=6, domain=nat, deny=false
hits=0, user_data=0x7ffe55f48b60, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=1.1.1.1, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=Outside, output_ifc=Inside
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: allow
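The two traces above differ in one structural way: before the change, no UN-NAT phase runs, so the ACL phase evaluates the packet against the mapped address 1.1.1.1, the permit rule written for the real host (object As400_host) never matches, and the implicit deny fires; after moving the manual dynamic NAT to after-auto, the static object NAT is consulted first, the destination is untranslated to 192.168.10.3, and the ACL permits it. The following Python script is an added example (not part of the original document or of Cisco's tooling) that parses packet-tracer output into phases and reports which phase dropped a flow and whether an UN-NAT phase preceded the ACL check. The two sample inputs are trimmed copies of the traces above (the ROUTE-LOOKUP and per-session NAT phases and the rule-id detail lines are omitted, as they do not change the verdict); the field names in the returned dictionary are this example's own choice.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: trimmed copies of the two packet-tracer runs above.
# Phases that do not affect the verdict and the "in id=..." detail lines
# were left out for brevity.
BEFORE = """\
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: Outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

AFTER = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network as400_https
nat (Inside,Outside) static interface service tcp https https
Additional Information:
Untranslate 1.1.1.1/443 to 192.168.10.3/443
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-list OUTSIDE-IN extended permit tcp any object As400_host object-group SvcGrpAS400
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Outside) after-auto source dynamic any interface
Additional Information:
Result:
input-interface: Outside
Action: allow
"""

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)  # lines under "Config:"
    info: List[str] = field(default_factory=list)    # lines under "Additional Information:"

def parse_packet_tracer(text: str):
    """Split packet-tracer output into its phases and the final Action/Drop-reason."""
    phases: List[Phase] = []
    phase: Optional[Phase] = None
    section: Optional[str] = None  # "config", "info" or "final"
    verdict: Dict[str, Optional[str]] = {"action": None, "drop_reason": None}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        key, _, value = line.partition(":")
        if key == "Phase":
            phase = Phase(int(value))
            phases.append(phase)
            section = None
        elif line == "Result:":  # a bare "Result:" opens the final verdict block
            phase, section = None, "final"
        elif section == "final":
            if key in ("Action", "Drop-reason"):
                verdict[key.lower().replace("-", "_")] = value.strip()
        elif phase is not None:
            if section is None and key in ("Type", "Subtype", "Result"):
                setattr(phase, key.lower(), value.strip())
            elif line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif section in ("config", "info"):
                getattr(phase, section).append(line)
    return phases, verdict

def diagnose(text: str) -> Dict[str, object]:
    """Explain a verdict: which phase dropped the flow, and whether an UN-NAT phase
    ran before the ACL phase (otherwise the ACL sees the mapped, not the real, address)."""
    phases, verdict = parse_packet_tracer(text)
    dropped = next((p for p in phases if p.result == "DROP"), None)
    unnat = next((p for p in phases if p.type == "UN-NAT"), None)
    acl = next((p for p in phases if p.type == "ACCESS-LIST"), None)
    return {
        "action": verdict["action"],
        "drop_reason": verdict["drop_reason"],
        "drop_phase": dropped.type if dropped else None,
        "drop_rule": " ".join(dropped.config) if dropped else None,
        "untranslated_before_acl": bool(unnat and acl and unnat.number < acl.number),
        "untranslate": next((l for l in unnat.info if l.startswith("Untranslate")), None) if unnat else None,
    }
```

Running diagnose(BEFORE) reports the drop in the ACCESS-LIST phase against the "Implicit Rule" with no untranslation; diagnose(AFTER) reports action allow with the UN-NAT phase ahead of the ACL and the Untranslate line for 192.168.10.3/443. The same parser works on any packet-tracer run, which makes it a quick way to confirm, after a NAT change, that object NAT is now being applied before the interface ACL is evaluated.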