Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

INBOUND ACL in 8.6 code

Hi All,

           I am not so familliar with 8.6 code and I am trying to give an outside host access to another host in the DMZ. I have have a NAT set for the host in the DMZ and in the ACL on the outside interface, i have used the local IP(192.168.x.x) in the ACL. I have defied my services(isakmp,esp,gre,ipsec).

When i do a show local host 192.168.x.x, i can see that there is an isakmp connection established

local host: <192.16x.2x.22>,

    TCP flow count/limit = 0/unlimited

    TCP embryonic count to host = 0

    TCP intercept watermark = unlimited

    UDP flow count/limit = 2/unlimited

  Conn:

    UDP outside 2x.2xx.x24.19x:500 dmz 192.16x.2x.22:500, idle 0:00:01, bytes 488, flags -

    UDP outside 20x.9x.2xx.132:500 dmz 192.16X.2X.22:500, idle 0:00:00, bytes 1152, flags -

But adminstrator in the other end, keeps telling the tunnel is up! Packet-tracer also shows the packet drop after passing the NAT. But the output above shows  isakmp connection in port 500. I also tried to test the port by telnet to the IP follow by the port number(192.16x.2x.22 500) with no luck.

There packet-tracer information as well...

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.16.200.0   255.255.255.0   dmz

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group from_outside in interface outside

access-list from_outside extended permit object-group Long_vpn_ser object-group DM_INLINE_NETWORK_4 object Long_vpn

object-group service Longview_vpn_ser

description: Services for Long VPN access

service-object gre

service-object esp

service-object ah

service-object udp destination eq isakmp

service-object tcp destination eq ssh

service-object object IPSEC

object-group network DM_INLINE_NETWORK_4

network-object host 2x.9x.2xx.13x

network-object host 21x.2xx.2x4.19x

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: FOVER

Subtype: standby-update

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (dmz,outside) source static Long_vpn Long_pub

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: dmz

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Any help will be greatly appreciate,

Thanks

6 REPLIES
Super Bronze

INBOUND ACL in 8.6 code

Hi,

You are probably using the real IP address as the destination IP address of the "packet-tracer" command and that is why the ASA tells you that the simulated connection would fail the RPF check. Since on the way it doesnt hit any NAT rule but on the back out it hits a NAT rule.

Try the "packet-tracer" output with the public IP address if you want to accurately simulate the incoming packet.

- Jouni

New Member

INBOUND ACL in 8.6 code

Hi Jouni,

              I did figured this part out, but i still don't understans why the other end of the tunnel is up when in my ASA it shows up! Also as i mentioned above, i cannot test port 500 via telnet.Obivious something is wrong but the configuration so simple!

Thanks,

Eddy

Super Bronze

INBOUND ACL in 8.6 code

Hi,

What is strange about the tunnel being up if everything is allowed and the reason the "packet-tracer" was failing was because the wrong IP address was used?

You cant test ISAKMP / UDP500 with Telnet as telnet is TCP and not UDP.

- Jouni

New Member

INBOUND ACL in 8.6 code

Thanks for help, and did not realized that can't test UDP with this test. Although, i made the same test for ssh and still no access. Please see below in regards to the packet-tracer and result

New Member

INBOUND ACL in 8.6 code

Super Bronze

INBOUND ACL in 8.6 code

Hi,

You are still using the local IP address the destination.

The "packet-tracer" is meant to simulate the actual packet entering the ASA interface.

When you are testing traffic from the Internet then you will have to use the public NAT IP address as the destination naturally.

On the ACLs ofcourse the destination IP address is the local IP address because of the NAT and ACL format changes in the new software.

Hopefully this clears things up

Please do remember to mark a reply as the correct answer if it answered your question

Ask more if needed naturally

- Jouni

108
Views
0
Helpful
6
Replies
CreatePlease to create content