Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA Zones

I just got to work with a ASA in production having 8.x OS and I saw some strange thing . DMZ is assigned 70 security level while outside is 0 , while doing packet-tracer from DMZ to Outside ip it gives me a drop by ACL message ( tcp / icmp ) while it should pass it as the data is from higher security level to lower . Once I configure an ACL it starts working properly although I feel there is no need for ACL . There are also STATIC Identity NAT statements for IP addresses/servers I am willing to communicate .       

5 REPLIES
Cisco Employee

ASA Zones

Hi,

Would you please paste your packet tracer output, also, which 8.x code? We have 8.0, 8.1,8.2 (and the ones where NAT changes) 8.3 and 8.4.

Mike

Mike
New Member

ASA Zones

Thanks for the reply .

Its 8.2(1)  . Same OS running on another firewall and it seems to function fine .

ASA#  packet-tracer input DMZ_DB  tcp 172.30.17.2 80 172.20.6.1 80

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   172.20.6.0      255.255.255.0   Outside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:      

input-interface: DMZ_DB

input-status: up

input-line-status: up

output-interface: Outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

New Member

ASA Zones

I have just noticed that there is no service-policy global_policy global in the config . There is a default policy-map configured but not applied , zones work using interface security level and insection policy and since there is no inspection policy applied this can be the reason why traffic is not moving from higher security level to lower .

Am i on the right track ?

Cisco Employee

ASA Zones

Mmmmm,

You are right on how the Security level work, however, inspections are not required (it is recommended) but not required. Can you turn on logging on debugging and see when you try to make a connection?

Better yet, sh run access-group.

To configured logging

logging buffered debugging

logging on

Show log (once you do the connection)

Mike

Mike
New Member

ASA Zones

Thanks Mike, I will try that out . Its a production device so I cant do much of debuggings on that , I do have a planned downtime coming in after a few weeks where I will test this thing

594
Views
0
Helpful
5
Replies
CreatePlease login to create content