
Troubleshooting Public Servers with packet-trace.

Hi, I'm new to Cisco. I've tried googling my problem but cannot find anything.

I am trying to set up Public Servers and my config looks great, but it doesn't work. I tried to packet-trace my config and I get an ALLOW when I use the same port from my source, but if I try with a different port, I get a DROP. I can't find where I can tell it to use any port from the source. Did I miss something?

ASA5510, Firmware : 9.1, ASDM : 7.5

SAME SOURCE PORT (Port 88 to Port 88)

Result of the command: "packet-tracer input outside tcp 123.123.123.1 88 W.W.W.13 88 detailed"

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network MYOFFICE-PVR-PRIVATE-IP
 nat (inside,outside) static MYOFFICE-PVR-PUBLIC-IP
Additional Information:
NAT divert to egress interface inside
Untranslate W.W.W.13/88 to A.A.A.254/88

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_0 any object MYOFFICE-PVR-PRIVATE-IP 
object-group service DM_INLINE_SERVICE_0
 service-object object MYOFFICE-PVR-88 
 service-object object MYOFFICE-PVR-9000 
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xacefb350, priority=13, domain=permit, deny=false
    hits=3, user_data=0xaa490880, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
    src ip/id=0.0.0.0, mask=0.0.0.0, port=88, tag=0
    dst ip/id=A.A.A.254, mask=255.255.255.255, port=88, tag=0, dscp=0x0
    input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xaca012b8, priority=1, domain=nat-per-session, deny=true
    hits=10478473, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xace37850, priority=0, domain=inspect-ip-options, deny=true
    hits=7278021, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=outside, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  inspect icmp 
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad53bef0, priority=70, domain=inspect-icmp, deny=false
    hits=214393, user_data=0xad53b418, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=outside, output_ifc=any

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad4981d0, priority=13, domain=ipsec-tunnel-flow, deny=true
    hits=65468, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=outside, output_ifc=any

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xacef3c40, priority=6, domain=nat-reverse, deny=false
    hits=4577, user_data=0xacef2a38, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=outside, output_ifc=inside

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xaca012b8, priority=1, domain=nat-per-session, deny=true
    hits=10478475, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 9
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xace84c40, priority=0, domain=inspect-ip-options, deny=true
    hits=6598652, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=inside, output_ifc=any

Phase: 10
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 6654364, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

 

DIFFERENT SOURCE PORT (Port 6000 to Port 88)

Result of the command: "packet-tracer input outside tcp 123.123.123.1 6000 W.W.W.13 88 detailed"

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network MYOFFICE-PVR-PRIVATE-IP
 nat (inside,outside) static MYOFFICE-PVR-PUBLIC-IP
Additional Information:
NAT divert to egress interface inside
Untranslate W.W.W.13/88 to A.A.A.254/88

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xacefccb0, priority=11, domain=permit, deny=true
    hits=307712, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

1 REPLY
New Member

Never mind, I got it

object service MYOFFICE-PVR-88
 service tcp source range 1 65535 destination eq 88 
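
Added example, not part of the original post or reply: a Python check that reads `packet-tracer ... detailed` output and reports the first dropping phase plus any ACCESS-LIST permit rule that matches a single fixed source port, which is what `port=88` on the `src` line of Phase 2 in the first trace shows. The helper names `parse_phases` and `diagnose` are hypothetical, the sample traces are trimmed from the post, and treating `port=0` as "any port" is an assumption based on the wildcard rules in those traces.

```python
import re

# Constructed samples: the ACCESS-LIST phase of each trace in the post, trimmed.
ALLOW_TRACE = """\
Phase: 2
Type: ACCESS-LIST
Result: ALLOW
 in  id=0xacefb350, priority=13, domain=permit, deny=false
    src ip/id=0.0.0.0, mask=0.0.0.0, port=88, tag=0
    dst ip/id=A.A.A.254, mask=255.255.255.255, port=88, tag=0, dscp=0x0
"""
DROP_TRACE = """\
Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
 in  id=0xacefccb0, priority=11, domain=permit, deny=true
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

Result:
input-interface: outside
Action: drop
"""

def _field(pattern, chunk):
    m = re.search(pattern, chunk, re.M)
    return m.group(1) if m else None

def parse_phases(text):
    """Split 'packet-tracer ... detailed' output into one dict per phase."""
    phases = []
    for chunk in re.split(r"(?m)^Phase:[ \t]*", text)[1:]:
        src = _field(r"src ip/id=[^,]+, mask=[^,]+, port=(\d+),", chunk)
        phases.append({
            "number": int(chunk.split(None, 1)[0]),
            "type": _field(r"^Type:[ \t]*(\S+)", chunk),
            "result": _field(r"^Result:[ \t]*(\w+)", chunk),  # first match is the phase result
            "deny": _field(r"deny=(true|false)", chunk) == "true",
            "src_port": int(src) if src is not None else None,
        })
    return phases

def diagnose(text):
    """Return (first dropping phase or None, permit rules that match one fixed source port)."""
    phases = parse_phases(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    # Assumption: port=0 in the rule dump means "any port", as in the wildcard rules in the traces.
    pinned = [p for p in phases if p["type"] == "ACCESS-LIST"
              and not p["deny"] and p["src_port"]]
    return drop, pinned
```

Running `diagnose` on a passing trace is the useful case: a permit rule with a non-zero source port explains why the same test from any other client port falls through to the implicit deny.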