12-26-2013 02:58 PM - edited 03-11-2019 08:22 PM
Hello,
I am trying to do a simple packet tracer on my ASA and this is what I am getting
ASA# packet-tracer input DMZ tcp 10.250.0.5 2234 10.250.0.6 22 xml
<Phase>
<id>1</id>
<type>ROUTE-LOOKUP</type>
<subtype>input</subtype>
<result>ALLOW</result>
<config>
</config>
<extra>
in 10.250.0.4 255.255.255.252 DMZ
</extra>
</Phase>
<Phase>
<id>2</id>
<type>ACCESS-LIST</type>
<subtype></subtype>
<result>DROP</result>
<config>
Implicit Rule
</config>
<extra>
</extra>
</Phase>
<result>
<input-interface>DMZ</input-interface>
<input-status>up</input-status>
<input-line-status>up</input-line-status>
<output-interface>DMZ</output-interface>
<output-status>up</output-status>
<output-line-status>up</output-line-status>
<action>drop</action>
<drop-reason>(acl-drop) Flow is denied by configured rule</drop-reason>
</result>
ASA#
The 10.250.0.6 device is a router directly connected to the DMZ interface 10.250.0.5
However I am getting the reason for dropped packet as (Implicit Rule) which I can see is only on the global interface.
I am permitting ip any any on that same interface as well.
How can I make this work?
The reason for this is I need my ASA to authenticate with TACACS server which is behind the 10.250.0.6 router
01-01-2014 02:47 PM
yea, I am not sure how it can't see host but knows about it in the routing table
Packet tracer result
BIHASA# packet-tracer input DMZ udp 10.250.0.5 49 10.250.100.142 49 detail
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x5774bbf0, priority=1, domain=permit, deny=false
hits=39266356, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=DMZ, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.250.100.142 255.255.255.255 DMZ
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x5775fdc0, priority=500, domain=permit, deny=true
hits=4, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=10.250.0.5, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=DMZ, output_ifc=any
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
01-01-2014 02:50 PM
Can you try this one too?
packet-tracer input DMZ udp 10.250.0.1 49 10.250.100.142 49 detail
01-01-2014 03:08 PM
BIHASA# packet-tracer input DMZ udp 10.250.0.1 49 10.250.100.142 49 detail
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.250.100.142 255.255.255.255 DMZ
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x5774dd08, priority=111, domain=permit, deny=true
hits=1, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=DMZ, output_ifc=DMZ
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
01-01-2014 03:26 PM
Thanks. I'm curious on the next hop. Can you try-
traceroute 10.250.100.142
01-01-2014 03:37 PM
yea it doesn't go anywhere
BIHASA# traceroute 10.250.100.142
Type escape sequence to abort.
Tracing the route to 10.250.100.142
1 * * *
2 * * *
3 * *
01-01-2014 03:43 PM
What do you think about this... I have an extra PC that I can setup the tacacs server on and connect it directly to Gi0/2 on like a 10.250.101.0/30 but I am not sure if this would help us in this case?
01-01-2014 04:11 PM
It's just strange that TACACS can't be pinged, yet traffic through the ASA is good.
What type of device is 10.250.0.6? Do you have access to it?
01-01-2014 04:16 PM
.6 is a cisco 1800 series router
Yes I have access to it
Sh Run
logging buffered 1000000 informational
logging reload debugging
logging rate-limit console 5
no logging console
enable secret 5 $1$tcXv$wtK8ERTYUIO_)(*&%^&*(DovQnfMYwcuCQ0LjX1
!
aaa new-model
!
!
aaa group server tacacs+ BiHTac
server 10.250.100.142
!
aaa authentication login BiHTac group BiHTac local
aaa authentication enable default group BiHTac enable
aaa authorization commands 15 BiHTac group BiHTac if-authenticated
aaa accounting exec BiHTac
action-type start-stop
group BiHTac
!
!
!
!
!
!
aaa session-id common
!
!
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
multilink bundle-name authenticated
!
!
key chain BIHAUTH
key 99
key-string 7 1435411234567890--09876543456789257471
!
!
!
!
license udi pid CISCO1841 sn FTX0945W22J
username b privilege 15 secret 5 $1$Q3#$%^&*()_WdJz9HD.
!
redundancy
!
!
interface FastEthernet0/0
description LAN_Network
no ip address
duplex auto
speed auto
!
!
interface FastEthernet0/0.99
description DMZ_LAN
encapsulation dot1Q 99 native
ip address 10.250.100.129 255.255.255.128
ip helper-address 10.250.100.140
no ip redirects
no ip proxy-arp
ip verify unicast reverse-path
ip flow ingress
ip pim sparse-mode
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1
description EIGRP Transit to ASA
ip address 10.250.0.6 255.255.255.252
ip authentication mode eigrp 99 md5
ip authentication key-chain eigrp 99 BIHAUTH
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
!
!
!
router eigrp 99
network 10.250.0.4 0.0.0.3
network 10.250.100.128 0.0.0.127
passive-interface default
no passive-interface FastEthernet0/1
eigrp router-id 10.250.0.6
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map DMZ interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 10.250.0.5
!
ip access-list extended internal-ips
permit ip 10.250.100.128 0.0.0.127 10.250.0.4 0.0.0.3
ip access-list extended vtyaccess
permit tcp 10.250.100.0 0.0.0.127 any range 22 telnet
permit tcp 10.250.100.128 0.0.0.127 any range 22 telnet
permit tcp 10.250.150.0 0.0.0.255 any range 22 telnet
permit tcp 10.250.160.0 0.0.0.7 any range 22 telnet
deny tcp any any
!
!
!
!
route-map DMZ permit 10
description NAT via DMZ
match ip address internal-ips
match interface FastEthernet0/1
!
!
tacacs-server host 10.250.100.142
tacacs-server timeout 1
tacacs-server directed-request
tacacs-server key 7 04795B5301011234567890-09876543234567890
!
control-plane
!
!
!
line con 0
exec-timeout 11 0
logging synchronous
line aux 0
exec-timeout 11 0
line vty 0 4
access-class vtyaccess in
exec-timeout 11 0
logging synchronous
login authentication BiHTac
transport input all
transport output all
!
scheduler allocate 20000 1000
end
BIH_DMZ_RTR# sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 10.250.0.5 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.250.0.5
10.0.0.0/8 is variably subnetted, 6 subnets, 3 masks
D 10.250.0.0/30 [90/28416] via 10.250.0.5, 1d23h, FastEthernet0/1
C 10.250.0.4/30 is directly connected, FastEthernet0/1
L 10.250.0.6/32 is directly connected, FastEthernet0/1
D 10.250.100.0/25 [90/30976] via 10.250.0.5, 1d23h, FastEthernet0/1
C 10.250.100.128/25 is directly connected, FastEthernet0/0.99
L 10.250.100.129/32 is directly connected, FastEthernet0/0.99
192.168.250.0/29 is subnetted, 1 subnets
D 192.168.250.0 [90/30976] via 10.250.0.5, 1d23h, FastEthernet0/1
01-02-2014 12:28 AM
Hi Kemal,
Happy New Year.
How your proxyarp is setup on ASA ?
Can you issue the following:
sh run all | i sysopt
sh run all | i arp permit-nonconnected
This should be enabled if you use additional LAN on the interface. Perhaps it won't learn MAC address of the TACACS host at the moment.
Regards
Mariusz
01-02-2014 04:55 AM
Hi Mariusz,
Happy New Year to you as well.
Here are the two commands you asked for
BIHASA# sh run all | i sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp inside
no sysopt noproxyarp DMZ
no sysopt noproxyarp outside
BIHASA#
BIHASA# sh run all | i arp permit-nonconnected
no arp permit-nonconnected
01-02-2014 06:24 AM
Thanks for that.
Looks like proxyarp is enabled which is fine but I'm sure if the second feature applies here as I can't find any detailed documentation about that.
Worth trying:
arp permit-nonconnected
Source: http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.pdf
The ASA ARP cache only contains entries from directly-connected subnets by default. You
can now enable the ARP cache to also include non-directly-connected subnets. We do not
recommend enabling this feature unless you know the security risks. This feature could
facilitate denial of service (DoS) attack against the ASA; a user on any interface could send
out many ARP replies and overload the ASA ARP table with false entries.
You may want to use this feature if you use:
• Secondary subnets.
• Proxy ARP on adjacent routes for traffic forwarding.
We introduced the following command: arp permit-nonconnected.
This feature is not available in 8.5(1), 8.6(1), or 8.7(1).
Not sure if this prevents registering MAC addresses in ARP cache only or resolving as well.
01-02-2014 06:55 AM
I tried that but getting nowhere even with enabling arp permit-nonconnected
Are you suggesting that the tacacs server needs to be directly plugged into the ASA? But at work we have a tacacs server and our production 5580 in different geographical regions and they can still communicate with each other. I am not sure why this setup is not working, from the looks of it (routing) the ASA knows about that network but can't ping it. I have echo-reply and traceroute permitted on all interfaces and I am still not getting there. However the tacacs server can ping the DMZ interface of the ASA
01-02-2014 12:44 PM
Ok Issue has been resolved....
After looking some more into the network behind the ASA's DMZ interface I came to notice the following string of commands on the router that is directly connected to the DMZ interface and that is hosting the Tacacs Server behind its network
ip nat inside source route-map DMZ interface FastEthernet0/1 overload
ip access-list extended internal-ips
permit ip 10.250.100.128 0.0.0.127 10.250.0.4 0.0.0.3
route-map DMZ permit 10
description NAT via DMZ
match ip address internal-ips
match interface FastEthernet0/1
Now I have also noticed that the ASA has the following NAT statement
nat (DMZ,outside) source dynamic any interface
so there is really no need for the router to pretend that it's doing NAT when the actual NAT is being done on the ASA. I believe that the packet that was coming in from the ASA to the TACACS server was getting blocked by the router, and that is why we never saw the next hop. After removing the NAT, Route Map, and the access-list the ASA started to ping the Tacacs Server and I was able to get authenticated right away.
I would like to thank both Colin Clark and Mariusz Bochen for your time on this it was truly a learning curve for me.
Thank you again and you both deserve kudos !!!!
Happy New Year
Kemal
01-02-2014 02:26 PM
A true test of our troubleshooting skills as well.
01-03-2014 02:44 AM
I am glad you fixed it. Well spotted
Regards
Mariusz