
New Member

ASA denying udp outbound even with implicit outbound rule

I'm getting UDP traffic denied coming from the inside interface going outbound even though I have the implicit outbound rule in place. I've tried to specifically permit the udp traffic but it still gets denied. I'm sure there is something simple I'm missing but I need help.

6 REPLIES
New Member

Re: ASA denying udp outbound even with implicit outbound rule

Can you get me the output of 'show run access-group' and 'show run access-li xxxxxxx'?

xxxxxx - name of the access-list applied on the inside interface in the "inbound" direction.

If there is a deny log, paste that output too.

Make sure there is a proper translation and route on the FW for the traffic being blocked.

-AR

Re: ASA denying udp outbound even with implicit outbound rule

Is 'nat-control' enabled? (show run nat-control).

What about the other NAT entries?

show run nat

show run global

Also check show run access-group to see what ACL is assigned to inside (IF any).

Regards

Farrukh

New Member

Re: ASA denying udp outbound even with implicit outbound rule

I won't be able to get to the device to get the show commands until tomorrow, but I can tell you that I am not doing any NAT. I found some forums that indicated that I still needed to put in a NAT statement that basically says I'm not doing any NAT. Is that the case?

Re: ASA denying udp outbound even with implicit outbound rule

Version 6.x: yes, you need to either NAT or exempt the traffic from NAT.

Version 7.x/8.x: by default you don't need to do this, as in 'no nat-control'.

However, you can turn on the 6.x behavior with 'nat-control'.

Regards

Farrukh

New Member

Re: ASA denying udp outbound even with implicit outbound rule

If the ASA is facing the internet you would certainly need a translation unless it is VPN traffic or you are using a publicly usable address space on the inside.

Yes, with nat-control enabled (default in 6.x) the firewall will look for some kind of a translation for traffic flow from higher to lower security.

The logs should indicate if the packets are denied due to an access-list or missing translation.

You might also want to configure packet captures on the outside interface to see if packets hit the interface. Let me know if you need help here.

HTH

-Aniket

Security PIX/ASA

New Member

Re: ASA denying udp outbound even with implicit outbound rule

Thank you everyone for your help. Turns out that it was a routing issue. Everything else is working as designed.
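As an added example (not from the thread or from any Cisco tool), here is a small Python checker that applies the three checks the replies raise to a constructed pre-8.3 ASA running-config: whether nat-control requires a translation for the source subnet, whether an ACL applied inbound on inside permits the protocol, and whether a route exists toward the destination. The config syntax, subnet and addresses are assumptions for illustration; 'nat 0 access-list' exemptions are not evaluated.

```python
import ipaddress
import re

# Constructed sample of a pre-8.3 ASA running-config (not from the thread).
SAMPLE_CONFIG = """\
nat-control
access-list INSIDE_IN extended permit udp 10.1.1.0 255.255.255.0 any eq 53
access-group INSIDE_IN in interface inside
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
route outside 10.0.0.0 255.0.0.0 203.0.113.1 1
"""

def _net(addr, mask):
    """Turn ASA 'addr mask', 'host addr' or 'any' into an ip_network."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if addr == "host":
        return ipaddress.ip_network(f"{mask}/32")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit_outbound(config, src_subnet, dst_ip, proto="udp"):
    """List reasons an inside->outside flow from src_subnet to dst_ip could be dropped."""
    src, dst = ipaddress.ip_network(src_subnet), ipaddress.ip_address(dst_ip)
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    problems = []

    # 1. nat-control: when on, higher->lower traffic needs a nat/global pair or an
    #    identity 'nat (inside) 0 <net> <mask>' entry covering the source.
    nat_control = "nat-control" in lines and "no nat-control" not in lines
    global_ids = set(re.findall(r"^global \(outside\) (\d+)", config, re.M))
    translated = False
    for l in lines:
        m = re.match(r"nat \(inside\) (\d+) (\S+) (\S+)$", l)
        if m and m[2] != "access-list" and src.subnet_of(_net(m[2], m[3])):
            translated = translated or m[1] == "0" or m[1] in global_ids
    if nat_control and not translated:
        problems.append("nat-control on and no translation covers the source")

    # 2. An ACL applied 'in' on inside replaces the implicit outbound permit, so it
    #    must itself permit the protocol from the source.
    for l in lines:
        m = re.match(r"access-group (\S+) in interface inside", l)
        if not m:
            continue
        rules = [re.search(rf"permit (?:ip|{proto}) (\S+) (\S+)", x)
                 for x in lines if x.startswith(f"access-list {m[1]} ")]
        if not any(r and src.subnet_of(_net(r[1], r[2])) for r in rules):
            problems.append(f"ACL {m[1]} on inside has no permit {proto} for the source")

    # 3. A route toward the destination (the thread's actual root cause).
    routes = [re.match(r"route \S+ (\S+) (\S+) \S+", l) for l in lines]
    if not any(r and dst in _net(r[1], r[2]) for r in routes):
        problems.append(f"no route to {dst}")
    return problems
```

Run against the sample, the only finding is the missing route, which matches how the thread was resolved.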
