Packet Tracer (Implicit Deny) issue

Kemal Zuko
Level 1

Hello,

I am trying to do a simple packet tracer on my ASA and this is what I am getting:

ASA#       packet-tracer input DMZ tcp 10.250.0.5 2234 10.250.0.6 22 xml

<Phase>
<id>1</id>
<type>ROUTE-LOOKUP</type>
<subtype>input</subtype>
<result>ALLOW</result>
<config>
</config>
<extra>
in   10.250.0.4      255.255.255.252 DMZ
</extra>
</Phase>

<Phase>
<id>2</id>
<type>ACCESS-LIST</type>
<subtype></subtype>
<result>DROP</result>
<config>
Implicit Rule
</config>
<extra>
</extra>
</Phase>

<result>     
<input-interface>DMZ</input-interface>
<input-status>up</input-status>
<input-line-status>up</input-line-status>
<output-interface>DMZ</output-interface>
<output-status>up</output-status>
<output-line-status>up</output-line-status>
<action>drop</action>
<drop-reason>(acl-drop) Flow is denied by configured rule</drop-reason>
</result>
ASA#

The 10.250.0.6 device is a router directly connected to the DMZ interface 10.250.0.5.

However, I am getting the reason for the dropped packet as (Implicit Rule), which I can see is only on the global interface.

I am permitting ip any any on that same interface as well.

How can I make this work?

The reason for this is I need my ASA to authenticate with a TACACS server which is behind the 10.250.0.6 router.

44 Replies

Go ahead and change it back to (DMZ). Can you enable debug for TACACS and post some of the debug?

Kemal Zuko
Level 1

You mean to enable TACACS debug on the ASA?

Here is what I see:

%ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user kzuko : Auth-server group BiHTac unreachable

%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = kzuko

%ASA-6-611102: User authentication failed: Uname: kzuko

%ASA-6-611102: User authentication failed: Uname: kzuko

%ASA-6-315011: SSH session from 10.250.0.6 on interface DMZ for user "kzuko" disconnected by SSH server, reason: "Internal error" (0x00)

%ASA-6-302014: Teardown TCP connection 61690 for DMZ:10.250.0.6/54569 to identity:10.250.0.5/22 duration 0:00:07 bytes 1347 TCP FINs

Sorry, wrong log.

Here is the debug:

%ASA-6-302013: Built outbound TCP connection 61851 for inside:10.250.100.142/49 (10.250.100.142/49) to identity:10.250.0.1/31091 (10.250.0.1/31091)
%ASA-6-110003: Routing failed to locate next hop for TCP from identity:10.250.0.1/31091 to inside:10.250.100.142/49
mk_pkt - type: 0x2, session_id: 315
mkpkt - authorize user: bihadmin
cmd=no
cmd-arg=logging cmd-arg=console  Tacacs packet sent
%ASA-6-302014: Teardown TCP connection 61851 for inside:10.250.100.142/49 to identity:10.250.0.1/31091 duration 0:00:00 bytes 0 No valid adjacency
Sending TACACS Authorization message. Session id: 315, seq no:1
%ASA-6-302013: Built outbound TCP connection 61852 for inside:10.250.100.142/49 (10.250.100.142/49) to identity:10.250.0.1/52801 (10.250.0.1/52801)
TACACS Request timed out
TACACS Session finished. Session id: 315, seq no: 1

mk_pkt - type: 0x2, session_id: 316
mkpkt - authorize user: bihadmin
cmd=no
%ASA-6-302014: Teardown TCP connection 61852 for inside:10.250.100.142/49 to identity:10.250.0.1/52801 duration 0:00:00 bytes 0 No valid adjacency
cmd-arg=logging cmd-arg=console  Tacacs packet sent
Sending TACACS Authorization message. Session id: 316, seq no:1
%ASA-6-302013: Built outbound TCP connection 61853 for inside:10.250.100.142/49 (10.250.100.142/49) to identity:10.250.0.1/28448 (10.250.0.1/28448)
TACACS Request timed out
TACACS Session finished. Session id: 316, seq no: 1

mk_pkt - type: 0x2, session_id: 317
mkpkt - authorize user: bihadmin
cmd=no
cmd-arg=logging %ASA-6-302014: Teardown TCP connection 61853 for inside:10.250.100.142/49 to identity:10.250.0.1/28448 duration 0:00:00 bytes 0 No valid adjacency
cmd-arg=console  Tacacs packet sent
Sending TACACS Authorization message. Session id: 317, seq no:1
%ASA-2-113022: AAA Marking TACACS+ server 10.250.100.142 in aaa-server group BiHTac as FAILED
BIHASA(config)# TACACS Request timed out
TACACS Session finished. Session id: 317, seq no: 1

Big help, thanks.

%ASA-6-110003: Routing failed to locate next hop for TCP from identity:10.250.0.1/31091 to inside:10.250.100.142/49

Can you post another show route?

ASA(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 75.132.0.1 to network 0.0.0.0

D    192.168.250.0 255.255.255.248 [90/28416] via 10.250.0.2, 38:50:54, inside
D    10.250.100.128 255.255.255.128 [90/28416] via 10.250.0.6, 38:50:44, DMZ
D    10.250.100.0 255.255.255.128 [90/28416] via 10.250.0.2, 38:50:54, inside
D    10.250.1.1 255.255.255.255 [90/130816] via 10.250.0.6, 38:50:44, DMZ
C    10.250.0.0 255.255.255.252 is directly connected, inside
C    10.250.0.4 255.255.255.252 is directly connected, DMZ
C    75.132.0.0 255.255.192.0 is directly connected, outside
d*   0.0.0.0 0.0.0.0 [1/0] via 75.132.0.1, outside

The routing looks good. In your TACACS server, what IP is configured as the host? The ASA's DMZ address?

Can we try and put a host specific route in for the TACACS server?

route DMZ 10.250.100.142 255.255.255.255 10.250.0.6

Then check the debug log again.

OK, did that but still nothing.

I am also not seeing much in the debug.

sh debug  tacacs

%ASA-4-409023: Attempting AAA Fallback method LOCAL for Authorization request for user bihadmin : Auth-server group BiHTac unreachable

debug tacacs session

ASA(config)# %ASA-7-111009: User 'bihadmin' executed cmd: show debug tacacs

I have debug tacacs and debug tacacs session running on logging console debugging.

OK, I have noticed that these error logs come in very late. I got this error log below 5 min later:

%ASA-7-609001: Built local-host inside:10.250.100.142
%ASA-6-302013: Built outbound TCP connection 63066 for inside:10.250.100.142/49 (10.250.100.142/49) to identity:10.250.0.1/6622 (10.250.0.1/6622)
%ASA-6-110003: Routing failed to locate next hop for TCP from identity:10.250.0.1/6622 to inside:10.250.100.142/49
mk_pkt - type: 0x2, session_id: 332
mkpkt - authorize user: bihadmin
cmd=show
cmd-arg=debug cmd-arg=tacacs  Tacacs packet sent
%ASA-6-302014: Teardown TCP connection 63066 for inside:10.250.100.142/49 to identity:10.250.0.1/6622 duration 0:00:00 bytes 0 No valid adjacency
%ASA-7-609002: Teardown local-host inside:10.250.100.142 duration 0:00:00
Sending TACACS Authorization message. Session id: 332, seq no:1
%ASA-7-609001: Built local-host inside:10.250.100.142
%ASA-6-302013: Built outbound TCP connection 63067 for inside:10.250.100.142/49 (10.250.100.142/49) to identity:10.250.0.1/46116 (10.250.0.1/46116)
TACACS Request timed out
TACACS Session finished. Session id: 332, seq no: 1

mk_pkt - type: 0x2, session_id: 333
mkpkt - authorize user: bihadmin
cmd=show
cmd-arg=debug %ASA-6-302014: Teardown TCP connection 63067 for inside:10.250.100.142/49 to identity:10.250.0.1/46116 duration 0:00:00 bytes 0 No valid adjacency
%ASA-7-609002: Teardown local-host inside:10.250.100.142 duration 0:00:00
cmd-arg=tacacs  Tacacs packet sent
Sending TACACS Authorization message. Session id: 333, seq no:1
%ASA-7-609001: Built local-host inside:10.250.100.142
%ASA-6-302013: Built outbound TCP connection 63068 for inside:10.250.100.142/49 (10.250.100.142/49) to identity:10.250.0.1/47263 (10.250.0.1/47263)
TACACS Request timed out
TACACS Session finished. Session id: 333, seq no: 1

mk_pkt - type: 0x2, session_id: 334
mkpkt - authorize user: bihadmin
cmd=show
cmd-arg=debug %ASA-6-302014: Teardown TCP connection 63068 for inside:10.250.100.142/49 to identity:10.250.0.1/47263 duration 0:00:00 bytes 0 No valid adjacency
%ASA-7-609002: Teardown local-host inside:10.250.100.142 duration 0:00:00
cmd-arg=tacacs  Tacacs packet sent
Sending TACACS Authorization message. Session id: 334, seq no:1
%ASA-2-113022: AAA Marking TACACS+ server 10.250.100.142 in aaa-server group BiHTac as FAILED
debug tacacs session
TACACS Request timed out
%ASA-4-409023: Attempting AAA Fallback method LOCAL for Authorization request for user bihadmin : Auth-server group BiHTac unreachable
%ASA-7-111009: User 'bihadmin' executed cmd: show debug tacacs
BIHASA(config)# TACACS Session finished. Session id: 334, seq no: 1

%ASA-6-305012: Teardown dynamic UDP translation from inside:10.250.100.4/52561 to outside:75.1.1.1/52561 duration 0:00:31

I have also noticed this:

%ASA-6-302013: Built outbound TCP connection 63066 for inside:10.250.100.142/49 (10.250.100.142/49) to identity:10.250.0.1/6622 (10.250.0.1/6622)

It mentions "inside"; 10.250.100.142 is behind the DMZ.
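Added example, not code from the thread: a Python check that reads the sh route output and the syslog lines posted above, finds the interface the routing table actually uses to reach the TACACS+ server (longest-prefix match), compares it with the interface the ASA sourced the AAA connection from, and separately lists every server marked FAILED whose group then fell back to LOCAL authentication, which is the event a defender wants alerted on. The sample input is constructed from the lines quoted in this thread.

```python
import ipaddress
import re

# Constructed sample input: the 'sh route' lines and the syslog lines quoted in
# this thread, abbreviated to what the checks need.
SHOW_ROUTE = """
D    10.250.100.128 255.255.255.128 [90/28416] via 10.250.0.6, 38:50:44, DMZ
D    10.250.100.0 255.255.255.128 [90/28416] via 10.250.0.2, 38:50:54, inside
C    10.250.0.0 255.255.255.252 is directly connected, inside
C    10.250.0.4 255.255.255.252 is directly connected, DMZ
d*   0.0.0.0 0.0.0.0 [1/0] via 75.132.0.1, outside
"""
SYSLOG = """
%ASA-6-302013: Built outbound TCP connection 63066 for inside:10.250.100.142/49 (10.250.100.142/49) to identity:10.250.0.1/6622 (10.250.0.1/6622)
%ASA-2-113022: AAA Marking TACACS+ server 10.250.100.142 in aaa-server group BiHTac as FAILED
%ASA-4-409023: Attempting AAA Fallback method LOCAL for Authorization request for user bihadmin : Auth-server group BiHTac unreachable
"""

ROUTE_RE = re.compile(r"^\S+\s+(\S+) (\S+) .*?, (\S+)\s*$", re.M)
AAA_CONN_RE = re.compile(r"302013: Built outbound TCP connection \d+ for (\w+):([\d.]+)/49 ")
FALLBACK_RE = re.compile(r"409023: .*Fallback method LOCAL .* group (\S+) unreachable")
FAILED_RE = re.compile(r"113022: AAA Marking TACACS\+ server ([\d.]+) in aaa-server group (\S+) as FAILED")

def parse_routes(text):
    """Return [(network, interface)] from 'show route' output."""
    return [(ipaddress.ip_network(f"{net}/{mask}"), iface)
            for net, mask, iface in ROUTE_RE.findall(text)]

def egress_interface(routes, host):
    """Longest-prefix match: the interface the routing table uses to reach host."""
    addr = ipaddress.ip_address(host)
    matches = [(n.prefixlen, i) for n, i in routes if addr in n]
    return max(matches)[1] if matches else None

def check_aaa_interface(routes, syslog):
    """Flag AAA (TCP/49) connections sourced from an interface that disagrees with routing."""
    findings = []
    for iface, server in AAA_CONN_RE.findall(syslog):
        expected = egress_interface(routes, server)
        if expected != iface:
            findings.append((server, iface, expected))
    return findings

def local_fallbacks(syslog):
    """Return (server, group) for each TACACS+ server marked FAILED whose group fell back to LOCAL."""
    failed = dict(FAILED_RE.findall(syslog))  # server -> group
    fallen = set(FALLBACK_RE.findall(syslog))
    return [(s, g) for s, g in failed.items() if g in fallen]
```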

OK... for some reason it didn't take my last commands when I was putting it back onto the DMZ.

Let's try the debug again.

Nothing, no debug logs this time when I try to connect.

Sometimes I see this:

mk_pkt - type: 0x2, session_id: 370
mkpkt - authorize user: bihadmin
cmd=show
cmd-arg=access-list cmd-arg=DMZ_access_in cmd-arg=brief  Tacacs packet sent
Sending TACACS Authorization message. Session id: 370, seq no:1
TACACS Request Timed out. Session id: 370, seq no:1
mk_pkt - type: 0x2, session_id: 371
mkpkt - authorize user: bihadmin
cmd=show
cmd-arg=access-list cmd-arg=DMZ_access_in cmd-arg=brief  Tacacs packet sent
Sending TACACS Authorization message. Session id: 371, seq no:1
TACACS Session finished. Session id: 370, seq no: 1

TACACS Request Timed out. Session id: 371, seq no:1
mk_pkt - type: 0x2, session_id: 372
mkpkt - authorize user: bihadmin
cmd=show
cmd-arg=access-list cmd-arg=DMZ_access_in cmd-arg=brief  Tacacs packet sent
Sending TACACS Authorization message. Session id: 372, seq no:1
TACACS Session finished. Session id: 371, seq no: 1

TACACS Request Timed out. Session id: 372, seq no:1
TACACS Session finished. Session id: 372, seq no: 1

mk_pkt - type: 0x2, session_id: 373
mkpkt - authorize user: bihadmin
cmd=show
cmd-arg=access-list cmd-arg=DMZ_access_in cmd-arg=brief  Tacacs packet sent
Sending TACACS Authorization message. Session id: 373, seq no:1
TACACS Request Timed out. Session id: 373, seq no:1
mk_pkt - type: 0x2, session_id: 374
mkpkt - authorize user: bihadmin
cmd=show
cmd-arg=access-list cmd-arg=DMZ_access_in cmd-arg=brief  Tacacs packet sent
Sending TACACS Authorization message. Session id: 374, seq no:1
TACACS Session finished. Session id: 373, seq no: 1

TACACS Request Timed out. Session id: 374, seq no:1
mk_pkt - type: 0x2, session_id: 375
mkpkt - authorize user: bihadmin
cmd=show
cmd-arg=access-list cmd-arg=DMZ_access_in cmd-arg=brief  Tacacs packet sent
Sending TACACS Authorization message. Session id: 375, seq no:1
TACACS Session finished. Session id: 374, seq no: 1

TACACS Request Timed out. Session id: 375, seq no:1
TACACS Session finished. Session id: 375, seq no: 1

I saw that too and that's what made me think it could be a routing issue. Can you do another packet-tracer?

packet-tracer input DMZ udp 10.250.0.5 49 10.250.100.142 49 detail
