Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

access-group deny tcp

Looking for direction on where to isolate why the source (a.a.a.a) is not able to establish http connection with dst. I see these entries in the logs on the ASA.


Apr 24 2014 18:12:10: %ASA-4-106023: Deny tcp src AHMCORP:a.a.a.a/47991 dst inside:172.16.19.32/80 by access-group "AHMCORP_acl" [0x0, 0x0]

Apr 24 2014 18:23:54: %ASA-4-106023: Deny tcp src AHMCORP:a.a.a.a/50470 dst inside:172.16.19.33/80 by access-group "AHMCORP_acl" [0x0, 0x0]

 

Please advise.

Everyone's tags (1)
4 REPLIES

Hi ,

Hi ,

 Do you have appropriate firewall rule for this source and destination on your access-list AHMCORP_acl , kindly verify your ACL , have you configured deny statement on your ACL ??

ensure permit rule is above your deny rule . 

 

Syslog message says below information , check on source machine any port scanning attempt is being done 

 106023

Error Message    %PIX|ASA-4-106023: Deny protocol src 
[interface_name:source_address/source_port] dst 
interface_name:dest_address/dest_port [type {string}, code {code}] by 
access_group acl_ID

Explanation    A real IP packet was denied by the ACL. This message displays even if you do not have the log option enabled for an ACL.

Recommended Action    If messages persist from the same source address, messages might indicate a foot-printing or port-scanning attempt. Contact the remote host administrators. 

 

HTH

sandy.

 

Community Member

The ACL does not have a deny

The ACL does not have a deny statement in the configuration; only the implicit deny at the end of the ACL.

Hi Randy , Do a packet tracer

Hi Randy ,

 Do a packet tracer from specfied source and destinatin for further troubleshooting . Share me the output of your packet tracer output . 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/p.html#wp1878788

 

packet-tracer

To enable packet tracing capabilities for packet sniffing and network fault isolation, use the packet-tracer commandin privileged EXEC configuration mode. To disable packet capture capabilities, use the no form of this command.

packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]

no packet-tracer

Syntax Description

 

input src_int

Specifies the source interface for the packet trace.

protocol

Specifies the protocol type for the packet trace. Available protocol type keywords are icmprawiptcp or udp.

src_addr

Specifies the source address for the packet trace.

src_port

Specifies the source port for the packet trace.

dest_addr

Specifies the destination address for the packet trace.

dest_port

Specifies the destination port for the packet trace.

detailed

(Optional) Provides detailed packet trace information.

xml

(Optional) Displays the trace capture in XML format.

 

 

 

HTH

sandy.

Community Member

I believe the source host(s)

I believe the source host(s)/network IPs are missing from the object-group.

 

Here is unsuccessful packet-tracer output:

asa5545-v8.6(1)2# packet-tracer input AHMCORP tcp x.x.x.x 80 x.x.x.x 80

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-172.16.19.33-(inside-AHMCORP)
 nat (inside,AHMCORP) static x.x.x.x
Additional Information:
NAT divert to egress interface inside
Untranslate x.x.x.x/80 to 172.16.19.33/80

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffec8aed620, priority=11, domain=permit, deny=true
        hits=29172452, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=AHMCORP, output_ifc=any
              
Result:
input-interface: AHMCORP
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

asa5545-v8.6(1)2#

 

 

Here is successful packet-tracer output:

asa5545-v8.6(1)2# packet-tracer input AHMCORP tcp x.x.x.x 80 x.x.x.x 80

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-172.16.19.32-(inside-AHMCORP)
 nat (inside,AHMCORP) static x.x.x.x
Additional Information:
NAT divert to egress interface inside
Untranslate x.x.x.x/80 to 172.16.19.32/80

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group AHMCORP_acl in interface AHMCORP
access-list AHMCORP_acl extended permit tcp object-group corpahm object-group virtwebs object-group prodsvcs log
object-group network corpahm
 <removed - source IP of the unsuccessful packet-tracer is not contained in the object-group>
object-group network virtwebs
 network-object host 172.16.19.32
 network-object host 172.16.19.33
object-group service prodsvcs tcp
 port-object eq www
 port-object eq https
 port-object eq 446
Additional Information:

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:       
object network obj-172.16.19.32-(inside-AHMCORP)
 nat (inside,AHMCORP) static x.x.x.x
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 505119575, packet dispatched to next module

Result:
input-interface: AHMCORP
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

asa5545-v8.6(1)2#

 

1300
Views
0
Helpful
4
Replies
CreatePlease to create content