ASA explicit rule blocking the traffic.

Saji Thomas (Level 1)

Hello All,

On ASA 5515 version 8.6, I am trying to create a NAT and access list to allow RDP from outside public to inside private network.

I was able to create it using the ASDM, as I am comfortable with it and not an expert with the CLI.

When I tested it, it does not work no matter what. I looked at the packet tracer and it said that the traffic was blocked by an implicit rule.

I tried to create an ACL and it said the ACL exists. However, it does not work as the packets are dropped. 

Any assistance or ideas are very much appreciated.

Thanks!

Saji


Hi 

Share your ASA show runn configuration with me.

 

HTH

Sandy

 

Can I email it to you? I am a little hesitant to post the complete running config on the blog.

I can also send you some screenshots of packet tracer that show the packets being dropped at the inside interface because of an implicit rule. I think I have to create an access rule on the inside interface as well, which I do not see, but I am worried about breaking something.

Thanks Sandy!

Hi Sandy, Please take a look at the picture. 

Thanks!

Hi ,

What is your ASA code version?

Share only the following output with me:

1) show runn access-list 

2) show runn access-group

3) show runn static 

 

HTH

Sandy

 

ASA Code is 8.6(1).

I think the issue is that we do not have any access list on the internal interface. But I am worried about changing it because it is an implicit rule that allows everything from less secure networks.

 

Result of the command: "show run access-list"

access-list 102 extended permit tcp any host 67.208.160.156 eq www 
access-list 102 extended permit tcp any host 67.208.160.156 eq 3389 
access-list 102 extended permit icmp any any echo-reply 
access-list 102 extended permit icmp any any source-quench 
access-list 102 extended permit icmp any any unreachable 
access-list 102 extended permit icmp any any time-exceeded 
access-list 102 extended permit ip any host 67.208.160.155 
access-list 102 extended permit tcp any host 67.208.160.158 eq www 
access-list 102 extended permit udp any host 67.208.160.158 eq netbios-ns inactive 
access-list 102 extended permit udp any host 67.208.160.158 eq netbios-dgm inactive 
access-list 102 extended permit tcp any host 67.208.160.158 eq netbios-ssn inactive 
access-list 102 extended permit tcp any host 67.208.160.158 eq 445 
access-list 102 extended permit tcp any host 67.208.160.158 eq ftp inactive 
access-list 102 extended permit tcp any host 67.208.160.158 eq https 
access-list 102 extended permit tcp any host 67.208.160.158 eq rtsp inactive 
access-list 102 extended permit tcp any host 67.208.160.158 eq domain inactive 
access-list 102 extended permit udp any host 67.208.160.158 eq domain inactive 
access-list 102 extended permit udp any host 67.208.160.158 eq ntp 
access-list 102 extended permit tcp any host 67.208.160.158 eq smtp inactive 
access-list 102 extended permit tcp any host 67.208.160.158 eq ldap inactive 
access-list 102 extended permit tcp any host 67.208.160.158 eq ldaps inactive 
access-list 102 extended permit tcp any host 67.208.160.158 eq ssh inactive 
access-list 102 extended permit object-group TCPUDP any host 67.208.160.158 eq 445 
access-list 102 extended permit object-group TCPUDP any host 67.208.160.158 eq 554 
access-list 102 extended permit tcp any host 67.208.160.158 object-group DM_INLINE_TCP_1 
access-list 102 extended permit object-group TCPUDP any host 67.208.160.158 eq 4743 
access-list 102 extended permit tcp any host 67.208.160.157 eq www 
access-list 102 extended permit tcp any host 67.208.160.159 eq 2011 
access-list 102 extended permit udp any host 67.208.160.159 eq 2011 
access-list 102 extended permit tcp any host 67.208.160.159 eq 6001 
access-list 102 extended permit udp any host 67.208.160.159 eq 6001 
access-list 102 extended permit tcp any host 67.208.160.159 eq 22609 
access-list 102 extended permit udp any host 67.208.160.159 eq 22609 
access-list 102 extended permit tcp any host 67.208.160.160 eq 2011 
access-list 102 extended permit udp any host 67.208.160.160 eq 2011 
access-list 102 extended permit tcp any host 67.208.160.160 eq 6001 
access-list 102 extended permit udp any host 67.208.160.160 eq 6001 
access-list aaa standard permit host 0.0.0.0 

 

Result of the command: "show runn access-group"

access-group 102 in interface outside


Result of the command: "show runn static"

show runn static
           ^
ERROR: % Invalid input detected at '^' marker.

Can we check now? I need to check a few things:

1) NAT

Join the WebEx below:

https://meetings.webex.com/collabs/meetings/join?uuid=M7EXGIM8ID8WZKIJFTFXAJM5BK-512H

HTH

Sandy

Hi ,

Join this WebEx meeting:

 

https://meetings.webex.com/collabs/meetings/join?uuid=M5G5MMW7PC5GDNDV05Z9VB1N6J-512H

In the remote session, the following configuration was updated on your ASA device:

1) Mismatch in your ACL

no access-list 102 extended permit tcp any host 67.208.x.x eq www 
no access-list 102 extended permit tcp any host 67.208.x.x.x eq 3389 

access-list 102 extended permit tcp any host 10.90.230.x eq 3389 

2) Mismatch in your NAT config

object network rdp_server

host 10.90.230.x 

nat (inside,outside) static 67.208.x.x service tcp 3389 3389

 

HTH

Sandy
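The fix above turns on one detail of ASA 8.3 and later (8.6 included): an interface ACL is evaluated against the real, untranslated address, so an outside ACL that permits the public (mapped) address of a static NAT never matches the RDP connection, and packet tracer reports the implicit deny. The script below is an added example, not code from this thread or from Cisco. It parses a constructed config excerpt (203.0.113.156 and 10.90.230.5 are placeholders for the redacted public and inside addresses) and flags applied ACL entries whose destination is a NAT mapped address, which is exactly the mismatch Sandy corrected.

```python
import re
from collections import namedtuple

# Constructed sample configs, not the thread's real config: 203.0.113.156 and
# 10.90.230.5 are placeholders for the redacted public and inside addresses.
# BEFORE mirrors the original state (outside ACL permits the public address);
# AFTER mirrors the fix (ACL permits the real inside host, object NAT maps it).
BEFORE_CONFIG = """
access-list 102 extended permit tcp any host 203.0.113.156 eq www
access-list 102 extended permit tcp any host 203.0.113.156 eq 3389
access-group 102 in interface outside
object network rdp_server
 host 10.90.230.5
 nat (inside,outside) static 203.0.113.156 service tcp 3389 3389
"""
AFTER_CONFIG = """
access-list 102 extended permit tcp any host 10.90.230.5 eq 3389
access-group 102 in interface outside
object network rdp_server
 host 10.90.230.5
 nat (inside,outside) static 203.0.113.156 service tcp 3389 3389
"""

AclEntry = namedtuple("AclEntry", "acl action proto src dst port raw")
StaticNat = namedtuple("StaticNat", "obj real_ip mapped_ip")

def _take_addr(tokens):
    """Consume one address spec: any | host X | object[-group] X | net mask."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]

def parse_acl_entries(config):
    """Parse extended access-list lines into protocol, source, destination, port."""
    entries = []
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) extended (permit|deny) (.+)", line.strip())
        if not m:
            continue
        acl, action, rest = m.groups()
        tokens = rest.split()
        # protocol is a keyword (tcp/udp/ip/icmp) or "object-group NAME"
        proto, tokens = (tokens[1], tokens[2:]) if tokens[0] in ("object", "object-group") else (tokens[0], tokens[1:])
        src, tokens = _take_addr(tokens)
        dst, tokens = _take_addr(tokens)
        port = tokens[1] if len(tokens) >= 2 and tokens[0] == "eq" else None
        entries.append(AclEntry(acl, action, proto, src, dst, port, line.strip()))
    return entries

def parse_static_nats(config):
    """Collect object NAT blocks: object network X / host R / nat (a,b) static M."""
    nats, obj, real = [], None, None
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"object network (\S+)$", s):
            obj, real = m.group(1), None
        elif obj and (m := re.match(r"host (\S+)$", s)):
            real = m.group(1)
        elif obj and real and (m := re.match(r"nat \(\S+,\S+\) static (\S+)", s)):
            nats.append(StaticNat(obj, real, m.group(1)))
    return nats

def parse_access_groups(config):
    """Map ACL name -> interface it is applied to."""
    pat = re.compile(r"access-group (\S+) (?:in|out) interface (\S+)")
    return {m.group(1): m.group(2)
            for m in (pat.match(l.strip()) for l in config.splitlines()) if m}

def find_mapped_address_entries(config):
    """Flag applied ACL entries whose destination host is a NAT *mapped* address.
    On ASA 8.3+ the interface ACL is matched against the real (untranslated)
    address, so such entries never match and the packet hits the implicit deny."""
    mapped = {n.mapped_ip: n for n in parse_static_nats(config)}
    applied = parse_access_groups(config)
    findings = []
    for e in parse_acl_entries(config):
        if e.acl not in applied or not e.dst.startswith("host "):
            continue
        ip = e.dst.split()[1]
        if ip in mapped:
            n = mapped[ip]
            findings.append(f"{e.raw}: {ip} is the mapped address of object "
                            f"{n.obj}; reference the real address {n.real_ip}")
    return findings

def permits_real_host(config, real_ip, port):
    """True if an applied ACL permits the real host on the given port."""
    applied = parse_access_groups(config)
    return any(e.acl in applied and e.action == "permit"
               and e.dst == f"host {real_ip}" and e.port == port
               for e in parse_acl_entries(config))

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(f"[{label}]", find_mapped_address_entries(cfg) or "no mapped-address ACL entries")
        print(f"[{label}] RDP permitted to real host:", permits_real_host(cfg, "10.90.230.5", "3389"))
```

Run against a `show run` capture, the "before" state produces one finding per public-address line (both the www and the 3389 entries in the sample) and no permit for the real host; the "after" state produces no findings and a permit for 10.90.230.5 on 3389. The parser handles the `object-group TCPUDP` protocol form that appears in the thread's own ACL, but it only tracks `host` destinations and object NAT, so entries using network objects or twice NAT need to be checked by hand.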
